Solaris 10, secure nfs, permission denied

Kevin Coffman kwc at citi.umich.edu
Thu May 15 13:48:03 EDT 2008


On Thu, May 15, 2008 at 12:55 PM, Jeff Blaine <jblaine at kickflop.net> wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
>
> ~:barnowl> uname -a
> SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc SUNW,Sun-Fire-V240
> ~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs
>    3 nfs/barnowl.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
>    4 nfs/crete.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
> ~:barnowl> sudo share
> -               /usr   sec=krb5:krb5i:krb5p   ""
> ~:barnowl>
>
>
> ~:crete> uname -a
> SunOS crete.foo.com 5.10 Generic_118833-36 sun4v sparc SUNW,Sun-Fire-T200
> ~:crete> sudo klist -e -k /etc/krb5.keytab | grep nfs
>    3 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>    4 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt/barnowl
> nfs mount: mount: /mnt/barnowl: Permission denied
> ~:crete>
>
> krb5kdc.log on the KDC shows absolutely nothing

It looks like maybe you tried to hide some details, but didn't get
them all?  Does your real DNS domain match your REALM name?  If not,
does your krb5.conf (/etc/krb5/krb5.conf) properly map the hosts'
domain(s) to your realm?

BTW, there is no need to limit Solaris 10 hosts to DES-only keys.
That is a current Linux limitation.  As long as your Solaris server
has a DES key (along with keys for stronger enctypes), the Linux
client should be able to negotiate the correct DES enctype.  Solaris
10 servers and clients can handle the stronger encryption types.

K.C.
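
Added example, not part of the original message: a small Python check of the host-to-realm mapping that the reply asks about. The parser, the constructed krb5.conf fragments and the fallback rule (uppercased DNS domain when no `[domain_realm]` entry matches, the classic library default) are assumptions for illustration, using the thread's foo.com / RCF.FOO.COM names.

```python
import re

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries of a krb5.conf as a dict (keys lowercased)."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Resolve a host to (realm, rule): exact host entry, then the closest
    '.domain' entry, then the uppercased DNS domain as the fallback guess."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "domain entry " + suffix
    return ".".join(labels[1:]).upper(), "fallback: uppercased DNS domain"

# Constructed krb5.conf fragments using the thread's foo.com / RCF.FOO.COM names.
UNMAPPED = """
[libdefaults]
    default_realm = RCF.FOO.COM
"""
MAPPED = UNMAPPED + """
[domain_realm]
    .foo.com = RCF.FOO.COM
    foo.com = RCF.FOO.COM
"""

if __name__ == "__main__":
    for label, conf in (("unmapped", UNMAPPED), ("mapped", MAPPED)):
        for host in ("barnowl.foo.com", "crete.foo.com"):
            print(label, host, *host_realm(host, parse_domain_realm(conf)))
```

With the unmapped fragment the NFS server's host resolves to FOO.COM rather than RCF.FOO.COM, which is the mismatch between DNS domain and realm name that the reply asks about.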


