Solaris 10, secure nfs, permission denied
Jeff Blaine
jblaine at kickflop.net
Thu May 15 20:55:31 EDT 2008
Okay, well, according to the docs, I don't see that I am doing anything wrong. Here's a load of info showing the situation and the resulting KDC info.
PS: The catted example krb5.conf at http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view is missing a closing brace for gkadmin in appdefaults :)
==== Basic NFS works ============================================
~:barnowl> sudo share -F nfs -o rw=crete /var/sadm
~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
~:crete> sudo umount /mnt
~:barnowl> sudo unshare /var/sadm
~:barnowl>
==== Basic krb5 auth works, FWIW ================================
~:crete> /usr/bin/klist
Ticket cache: FILE:/tmp/krb5cc_26560
Default principal: jblaine@RCF.MITRE.ORG
Valid starting Expires Service principal
05/15/08 20:07:07 05/22/08 20:07:07 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
renew until 05/22/08 20:07:07
~:crete>
==== The failing NFSv4 with krb5 ================================
SERVER
------
~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
12 host/barnowl.mitre.org@RCF.MITRE.ORG (Triple DES cbc mode with HMAC/sha1)
12 host/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
6 nfs/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
~:barnowl>
~:barnowl> grep krb5 /etc/nfssec.conf
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
~:barnowl>
~:barnowl> sudo svcadm restart network/rpc/gss
~:barnowl>
~:barnowl> svcs -x nfs/server
svc:/network/nfs/server:default (NFS server)
State: online since May 15, 2008 8:06:05 PM EDT
See: nfsd(1M)
See: /var/svc/log/network-nfs-server:default.log
Impact: None.
~:barnowl>
~:barnowl> sudo share
- /usr sec=krb5,rw=crete ""
~:barnowl>
CLIENT
------
~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
5 nfs/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
6 host/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
~:crete>
~:crete> grep krb5 /etc/nfssec.conf
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
~:crete>
~:crete> sudo svcadm restart network/rpc/gss
~:crete>
~:crete> sudo kdestroy
~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
nfs mount: mount: /mnt: Permission denied
~:crete> sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/crete.mitre.org@RCF.MITRE.ORG
Valid starting Expires Service principal
05/15/08 20:49:34 05/16/08 06:49:34 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
05/15/08 20:49:34 05/16/08 06:49:34 nfs/barnowl.mitre.org@RCF.MITRE.ORG
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
~:crete>
ON THE KDC WHEN THE MOUNT FAILS
-------------------------------
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: root/crete.mitre.org@RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG, Client not found in Kerberos database
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 128.29.72.73, resending previous response
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/crete.mitre.org@RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/crete.mitre.org@RCF.MITRE.ORG for nfs/barnowl.mitre.org@RCF.MITRE.ORG
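The KDC log above is the most useful evidence in this post: it shows the client first asking for a root/crete.mitre.org principal that does not exist, then falling back to host/crete.mitre.org, and finally being issued an nfs/barnowl.mitre.org ticket whose ticket and session keys are etype 1 (single DES, the only type present in the server's nfs keytab). The following script is an added example and not part of the original post or of Solaris; it parses krb5kdc entries of exactly this shape and reports failed requests and single-DES keys, so that a mount failure can be correlated with what the KDC actually issued. The sample log is constructed from the entries above (joined into one line each, as they appear in the real log file); the etype number-to-name table follows RFC 3961/3962/4757.

```python
import re

# Added example (not from the original post): parse krb5kdc log entries and
# report request failures and tickets issued with single-DES keys.

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single-DES types: 56-bit keys, deprecated by RFC 6649.
WEAK_ETYPES = {1, 3}

# "<timestamp> <kdc host> krb5kdc[pid](level): AS_REQ|TGS_REQ (<n> etypes {...}) <addr>: <STATUS>: <rest>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<addr>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# ISSUE entries: rep = key protecting the reply, tkt = service's long-term key,
# ses = session key handed to the client.
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)
# Error entries: "<client> for <server>, <message>"
ERROR_RE = re.compile(r"^(?P<client>\S+) for (?P<server>[^,\s]+), (?P<msg>.*)$")


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ entry, or None for anything else (e.g. DISPATCH)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "ts": m["ts"], "kind": m["kind"], "addr": m["addr"], "status": m["status"],
        "requested": [int(x) for x in m["req"].split()],  # etypes the client offered
    }
    if m["status"] == "ISSUE":
        i = ISSUE_RE.match(m["rest"])
        if not i:
            return None
        entry.update(client=i["client"], server=i["server"], authtime=int(i["authtime"]),
                     etypes={k: int(i[k]) for k in ("rep", "tkt", "ses")})
    else:
        e = ERROR_RE.match(m["rest"])
        if not e:
            return None
        entry.update(client=e["client"], server=e["server"], msg=e["msg"])
    return entry


def etype_name(n):
    return ETYPE_NAMES.get(n, f"etype {n}")


def analyse(lines):
    """Walk KDC log lines and return one finding per failed request or single-DES key."""
    findings = []
    for line in lines:
        entry = parse_kdc_line(line)
        if entry is None:
            continue
        if entry["status"] != "ISSUE":
            findings.append(f"{entry['kind']} from {entry['addr']}: {entry['status']} for "
                            f"{entry['client']} -> {entry['server']} ({entry['msg']})")
            continue
        weak = {k: v for k, v in entry["etypes"].items() if v in WEAK_ETYPES}
        if weak:
            desc = ", ".join(f"{k}={etype_name(v)}" for k, v in weak.items())
            offered = ", ".join(etype_name(x) for x in entry["requested"])
            findings.append(f"{entry['kind']} from {entry['addr']}: ticket for {entry['client']} -> "
                            f"{entry['server']} uses single-DES key ({desc}); client offered: {offered}")
    return findings


# Constructed sample log, modelled on the KDC entries quoted in the post.
SAMPLE_LOG = [
    "May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) "
    "128.29.72.73: CLIENT_NOT_FOUND: root/crete.mitre.org@RCF.MITRE.ORG for "
    "krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG, Client not found in Kerberos database",
    "May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) "
    "request from 128.29.72.73, resending previous response",
    "May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) "
    "128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, "
    "host/crete.mitre.org@RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG",
    "May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) "
    "128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, "
    "host/crete.mitre.org@RCF.MITRE.ORG for nfs/barnowl.mitre.org@RCF.MITRE.ORG",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports three things: the CLIENT_NOT_FOUND for the root/ principal, the AS reply to host/crete protected with a des-cbc-md5 client key, and the nfs/barnowl service ticket issued with des-cbc-crc ticket and session keys even though the client offered AES and 3DES. That last point is what a defender would act on: the service key in the server's nfs keytab decides the ticket etype, so an nfs/ principal with only DES keys forces every NFS session onto 56-bit keys regardless of what the client supports.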