Solaris 10, secure nfs, permission denied

Will Fiveash William.Fiveash at sun.com
Fri May 16 17:37:14 EDT 2008


On Thu, May 15, 2008 at 08:55:31PM -0400, Jeff Blaine wrote:
> Okay, well, according to the docs, I don't see that I am
> doing anything wrong.  Here's a load of info showing the
> situation and the resulting KDC info.

In general it looks like it should be working.  Can you do the

sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr
sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt

while on barnowl?  Note, make sure nothing is mounted on /mnt first of
course.  If that doesn't work can you try using an actual root session
and run the mount without sudo (which is not a native Solaris command).
If it works without sudo, try that on crete.

Also, what variant of krb are you using on crete?  I ask because the
klist output on that system shows krb v4 info which the native Solaris
krb knows nothing about.  While I don't think this is causing the
problem with the mount command, one should be careful about mixing use of
krb variants on a system.

> PS: The catted example krb5.conf at
> http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view
> is missing a closing brace for gkadmin in appdefaults :)

Okay, thanks for the bug tip.

> ==== Basic NFS works ============================================
> 
> ~:barnowl> sudo share -F nfs -o rw=crete /var/sadm
> 
> ~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
> ~:crete> sudo umount /mnt
> 
> ~:barnowl> sudo unshare /var/sadm
> ~:barnowl>
> 
> ==== Basic krb5 auth works, FWIW ================================
> 
> ~:crete> /usr/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_26560
> Default principal: jblaine@RCF.MITRE.ORG
> 
> Valid starting                Expires                Service principal
> 05/15/08 20:07:07  05/22/08 20:07:07  krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
>          renew until 05/22/08 20:07:07
> ~:crete>
> 
> ==== The failing NFSv4 with krb5 ================================
> 
> SERVER
> ------
> 
> ~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
>    12 host/barnowl.mitre.org@RCF.MITRE.ORG (Triple DES cbc mode with HMAC/sha1)
>    12 host/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
>     6 nfs/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:barnowl>
> 
> ~:barnowl> grep krb5 /etc/nfssec.conf
> krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
> krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
> krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
> ~:barnowl>
> 
> ~:barnowl> sudo svcadm restart network/rpc/gss
> ~:barnowl>
> 
> ~:barnowl> svcs -x nfs/server
> svc:/network/nfs/server:default (NFS server)
>   State: online since May 15, 2008  8:06:05 PM EDT
>     See: nfsd(1M)
>     See: /var/svc/log/network-nfs-server:default.log
> Impact: None.
> ~:barnowl>
> 
> ~:barnowl> sudo share
> -               /usr   sec=krb5,rw=crete   ""
> ~:barnowl>
> 
> CLIENT
> ------
> 
> ~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
>     5 nfs/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
>     6 host/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:crete>
> 
> ~:crete> grep krb5 /etc/nfssec.conf
> krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
> krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
> krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
> ~:crete>
> 
> ~:crete> sudo svcadm restart network/rpc/gss
> ~:crete>
> 
> ~:crete> sudo kdestroy
> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
> nfs mount: mount: /mnt: Permission denied
> ~:crete> sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/crete.mitre.org@RCF.MITRE.ORG
> 
> Valid starting     Expires            Service principal
> 05/15/08 20:49:34  05/16/08 06:49:34  krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
> 05/15/08 20:49:34  05/16/08 06:49:34  nfs/barnowl.mitre.org@RCF.MITRE.ORG
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> ~:crete>
> 
> ON THE KDC WHEN THE MOUNT FAILS
> -------------------------------
> 
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: root/crete.mitre.org@RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG, Client not found in Kerberos database
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 128.29.72.73, resending previous response
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/crete.mitre.org@RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/crete.mitre.org@RCF.MITRE.ORG for nfs/barnowl.mitre.org@RCF.MITRE.ORG
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
