Solaris 10, secure nfs, permission denied

Will Fiveash William.Fiveash at sun.com
Thu May 15 18:31:12 EDT 2008


On Thu, May 15, 2008 at 01:48:03PM -0400, Kevin Coffman wrote:

> BTW, there is no need to limit Solaris 10 hosts to DES-only keys.
> That is a current Linux limitation.  As long as your Solaris server
> has a DES key (along with keys for stronger enctypes), the Linux
> client should be able to negotiate the correct DES enctype.  Solaris
> 10 servers and clients can handle the stronger encryption types.

There is a known bug in the Solaris Kerberos implementations that causes
interop problems when NFS sec=krb5* is used with AES enctypes (as Kevin
knows).  The fix is currently in OpenSolaris and should be in Solaris 10
update 6.  Until all Solaris 10 systems involved in doing NFS are fixed,
the workaround is to make sure no AES keys are found for the NFS service
principal.  This can be done like so (on the NFS server):

kadmin -k -p nfs/nfsserv.foo.com -q 'ktadd -e arcfour-hmac-md5:normal -e des3-cbc-sha1-kd:normal -e des-cbc-md5:normal nfs/nfsserv.foo.com'

When all systems are fixed, use the following on the NFS server to get
all enctype keys for the server including AES (this is the default):

kadmin -k -p nfs/nfsserv.foo.com -q 'ktadd nfs/nfsserv.foo.com'

Note this issue does not affect Solaris systems < S10 since they do not
support the AES enctype.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
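
Added example, not part of the original message: a check that the keytab really holds no AES keys for the NFS service principal, as the workaround above requires. It assumes `klist -ke` prints entries as "kvno principal@REALM (enctype)"; the function names, the realm FOO.COM and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report AES keys held for one service principal in a
# `klist -ke` listing read from stdin.

# Constructed sample of `klist -ke /etc/krb5/krb5.keytab` output
# (realm and kvno are made up; the entry layout is an assumption).
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfsserv.foo.com@FOO.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 nfs/nfsserv.foo.com@FOO.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 nfs/nfsserv.foo.com@FOO.COM (Triple DES cbc mode with HMAC/sha1)
   3 nfs/nfsserv.foo.com@FOO.COM (ArcFour with HMAC/md5)
   3 nfs/nfsserv.foo.com@FOO.COM (DES cbc mode with RSA-MD5)
EOF
}

# aes_keys_for PRINCIPAL   (principal given without the @REALM part)
# Prints "kvno enctype" for every AES key of that principal.
# Exit status 1 if any AES key was found, 0 if none.
aes_keys_for() {
    awk -v princ="$1" '
        # Entry lines start with a numeric kvno and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && $0 ~ /\(.*\)[ \t]*$/ {
            name = $2
            sub(/@.*$/, "", name)          # drop the realm
            if (name != princ) next        # other principals may keep AES
            enc = $0
            sub(/^[^(]*\(/, "", enc)       # keep only the text inside (...)
            sub(/\)[^)]*$/, "", enc)
            if (tolower(enc) ~ /aes/) { print $1, enc; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed listing; on a real server, pipe in
# `klist -ke /etc/krb5/krb5.keytab` instead.
sample_keytab_listing | aes_keys_for nfs/nfsserv.foo.com \
    || echo "AES keys still present for nfs/nfsserv.foo.com"
```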


