Troubles with Kerberized NFS: Solaris8-client to Solaris8-server
Mikhail T.
mi+thun at aldan.algebra.com
Wed Dec 9 16:13:41 EST 2009
Hello!
I'm struggling to get kerberized NFS working here. My "guinea pigs" are
the following three machines:
1. apdevl.example.com running Solaris 8 -- this is the NFS-server
2. ws-mt.example.com running Linux RHEL-5.4 -- this is a Linux NFS-client
3. apdevl3.example.com running Solaris 8 -- this is the NFS-client
The mounts have already succeeded:
Linux:
apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=xx.xx.223.40)
Solaris:
/mnt on apdevl:/krbexport remote/read/write/setuid/sec=krb5/intr/dev=4e8014b on Tue Dec 1 17:00:39 2009
On Linux I can access the mounted tree with a valid ticket -- this
works, and makes me think, the NFS-server is configured properly.
However, whatever I do on the Solaris-client, I cannot get read
access to the share: permission denied.
gssd, which is started on the Solaris client from inetd, reports the
following to truss, whenever I try to `ls -d /mnt':
open("/tmp/krb5cc_18039", O_RDONLY) = 5
fcntl(5, F_SETLKW, 0xFFBEEE44) = 0
read(5, "0504", 2) = 2
read(5, "\0\f", 2) = 2
read(5, "\001", 2) = 2
read(5, "\0\b", 2) = 2
read(5, "FFFFFFFC\0\0\0\0", 8) = 8
lseek(5, 51, SEEK_SET) = 51
read(5, "\0\0\001", 4) = 4
read(5, "\0\0\001", 4) = 4
read(5, "\0\0\0\v", 4) = 4
read(5, " E X A M P L E . C O M", 11) = 11
...
close(5) = 0
fstat(3, 0xFFBEF5E8) = 0
putpmsg(3, 0xFFBEF774, 0xFFBEF760, 0, 0x0004) = 0
fstat(3, 0xFFBEF750) = 0
getmsg(3, 0xFFBEF8FC, 0xFFBEF8EC, 0xFFBEF92C) Err#11 EAGAIN
So, after opening my ticket (18039 is my UID here) and reading it, it
tries to send a message somewhere and fails with EAGAIN...
Trying to snoop the network traffic:
% snoop -r rpc nfs
I don't get ANYTHING captured in response to my attempts to simply list
the mounted share.
So, it would seem, something is failing locally on the Solaris-client.
What could it be? My ticket-cache contains nothing but a single, non-expired
krbtgt/EXAMPLE.COM at EXAMPLE.COM
The Solaris client's keytab reads:
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/apdevl3.example.com at EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/apdevl3.example.com at EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5 host/apdevl3.example.com at EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   5 host/apdevl3.example.com at EXAMPLE.COM (ArcFour with HMAC/md5)
   5 host/apdevl3.example.com at EXAMPLE.COM (DES cbc mode with CRC-32)
   5 root/apdevl3.example.com at EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 root/apdevl3.example.com at EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5 root/apdevl3.example.com at EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   5 root/apdevl3.example.com at EXAMPLE.COM (ArcFour with HMAC/md5)
   5 root/apdevl3.example.com at EXAMPLE.COM (DES cbc mode with CRC-32)
Thanks a lot for any advice. Yours,
-mi
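
Added example, not part of the original post: a small decoder for the start of a credential cache file, showing which fields the first reads in the truss trace above (version, header length, tag, tag length, time offset, then a principal) correspond to. It assumes the MIT file-ccache version 4 layout (0x0504); the sample bytes and the name "testuser" are constructed.

```python
import struct

# Constructed sample: v4 header with one time-offset tag, then a principal.
SAMPLE = (bytes.fromhex("0504000c00010008fffffffc00000000")
          + struct.pack(">II", 1, 1)                 # name type, component count
          + struct.pack(">I", 11) + b"EXAMPLE.COM"   # realm
          + struct.pack(">I", 8) + b"testuser")      # single name component

def read_counted(buf, pos):
    """Read a 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("counted field runs past end of file")
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n

def parse_principal(buf, pos):
    """Decode name type, realm and components into name@REALM form."""
    name_type, count = struct.unpack_from(">II", buf, pos)
    realm, pos = read_counted(buf, pos + 8)
    parts = []
    for _ in range(count):
        part, pos = read_counted(buf, pos)
        parts.append(part)
    return {"name_type": name_type, "name": "/".join(parts) + "@" + realm}, pos

def parse_ccache_header(buf):
    """Decode version, header tags and default principal of a v4 ccache."""
    version, hdr_len = struct.unpack_from(">HH", buf, 0)
    if version != 0x0504:
        raise ValueError("unsupported ccache version 0x%04x" % version)
    pos, end = 4, 4 + hdr_len
    if end > len(buf):
        raise ValueError("header length runs past end of file")
    time_offset = None
    while pos < end:
        tag, tag_len = struct.unpack_from(">HH", buf, pos)
        pos += 4
        if pos + tag_len > end:
            raise ValueError("header tag overruns header")
        if tag == 1 and tag_len == 8:   # KDC time offset: seconds, microseconds
            time_offset = struct.unpack_from(">ii", buf, pos)
        pos += tag_len
    principal, pos = parse_principal(buf, pos)
    return {"version": version, "time_offset": time_offset,
            "principal": principal, "next_offset": pos}

if __name__ == "__main__":
    print(parse_ccache_header(SAMPLE))
```

The bytes FFFFFFFC in the trace decode as a signed time offset of -4 seconds; next_offset is where the first stored credential would begin.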