Troubles with Kerberized NFS: Solaris8-client to Solaris8-server
Douglas E. Engert
deengert at anl.gov
Wed Dec 9 17:10:28 EST 2009
Mikhail T. wrote:
> Hello!
>
> I'm struggling to make kerberized NFS working here. My "guinea pigs" are
> the following three machines:
>
> 1. apdevl.example.com running Solaris 8 -- this is the NFS-server
> 2. ws-mt.example.com running Linux RHEL-5.4 -- this is a Linux NFS-client
> 3. apdevl3.example.com running Solaris 8 -- this is the NFS-client
>
> The mounts have already succeeded:
>
> Linux:
> apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=xx.xx.223.40)
> Solaris:
> /mnt on apdevl:/krbexport
> remote/read/write/setuid/sec=krb5/intr/dev=4e8014b on Tue Dec 1
> 17:00:39 2009
>
> On Linux I can access the mounted tree with a valid ticket -- this
> works, and makes me think, the NFS-server is configured properly.
> However, whatever I do on the Solaris-client, I can not get to read
> access the share: permission denied.
>
> gssd, which is started on the Solaris client from inetd, reports the
> following to truss, whenever I try to `ls -d /mnt':
>
> open("/tmp/krb5cc_18039", O_RDONLY) = 5
> fcntl(5, F_SETLKW, 0xFFBEEE44) = 0
> read(5, "0504", 2) = 2
> read(5, "\0\f", 2) = 2
> read(5, "\001", 2) = 2
> read(5, "\0\b", 2) = 2
> read(5, "FFFFFFFC\0\0\0\0", 8) = 8
> lseek(5, 51, SEEK_SET) = 51
> read(5, "\0\0\001", 4) = 4
> read(5, "\0\0\001", 4) = 4
> read(5, "\0\0\0\v", 4) = 4
> read(5, " E X A M P L E . C O M", 11) = 11
> ...
> close(5) = 0
> fstat(3, 0xFFBEF5E8) = 0
> putpmsg(3, 0xFFBEF774, 0xFFBEF760, 0, 0x0004) = 0
> fstat(3, 0xFFBEF750) = 0
> getmsg(3, 0xFFBEF8FC, 0xFFBEF8EC, 0xFFBEF92C) Err#11 EAGAIN
Are you using MIT clients like kinit on the Solaris 8?
The gssd would be using the Solaris 8 Kerberos. I think Solaris 8
Kerberos only supports DES, and may not like the ticket cache version #4,
the second byte in the cache file.
Look at the krb5.conf ccache_type parameter.
Solaris 10 Kerberos can work with AES.
Why are you still using Solaris 8?
>
> So, after opening by ticket (18039 is my UID here) and reading it, it
> tries to send a message somewhere and fails with EAGAIN...
>
> Trying to snoop the network traffic:
>
> % snoop -r rpc nfs
>
> I don't get ANYTHING captured in response to my attempts to simply list
> the mounted share.
> So, it would seem, something is failing locally on the Solaris-client.
> What could it be? My ticket-cache has nothing but a single, non-expired
> krbtgt/EXAMPLE.COM at EXAMPLE.COM
>
> The Solaris client's keytab reads:
>
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 5 host/apdevl3.example.com at EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 5 host/apdevl3.example.com at EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> 5 host/apdevl3.example.com at EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
> 5 host/apdevl3.example.com at EXAMPLE.COM (ArcFour with HMAC/md5)
> 5 host/apdevl3.example.com at EXAMPLE.COM (DES cbc mode with CRC-32)
> 5 root/apdevl3.example.com at EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 5 root/apdevl3.example.com at EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> 5 root/apdevl3.example.com at EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
> 5 root/apdevl3.example.com at EXAMPLE.COM (ArcFour with HMAC/md5)
> 5 root/apdevl3.example.com at EXAMPLE.COM (DES cbc mode with CRC-32)
>
> Thanks a lot for any advice. Yours,
>
> -mi
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
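The truss reads and Douglas's pointer to the second byte of the cache file both concern the MIT krb5 credential-cache file layout. As an added illustration, not from this thread or from MIT's own code, the Python below parses the front of a FILE: ccache and reports the format version, the KDC clock offset and the default principal, so an admin can confirm which cache version a client wrote before changing ccache_type; the sample bytes and the user name "alice" are constructed.

```python
import struct

def _read_principal(data, pos):
    """Principal as stored in ccache v3/v4: name type, component count,
    realm, then the components; every length is a big-endian 32-bit int."""
    name_type, count = struct.unpack_from(">II", data, pos)
    pos += 8
    parts = []
    for _ in range(count + 1):          # realm first, then each component
        (length,) = struct.unpack_from(">I", data, pos)
        pos += 4
        parts.append(data[pos:pos + length].decode("utf-8"))
        pos += length
    return "/".join(parts[1:]) + "@" + parts[0], pos

def parse_ccache_header(data):
    """Return (format version, KDC clock offset in seconds or None, default
    principal) from the front of an MIT krb5 FILE: ccache. Byte 2 is the format
    version; v4 inserts a tagged header (tag 1 = clock offset) before the principal."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a krb5 ccache: first byte must be 0x05")
    version = data[1]
    if version not in (3, 4):               # v1/v2 use host byte order
        raise ValueError("ccache version %d not handled" % version)
    pos, time_offset = 2, None
    if version == 4:
        (hdr_len,) = struct.unpack_from(">H", data, pos)
        pos += 2
        end = pos + hdr_len
        while pos < end:
            tag, tlen = struct.unpack_from(">HH", data, pos)
            pos += 4
            if tag == 1 and tlen == 8:      # seconds, microseconds
                time_offset = struct.unpack_from(">ii", data, pos)[0]
            pos += tlen
    principal, _ = _read_principal(data, pos)
    return version, time_offset, principal

# Constructed sample mirroring the truss output: version bytes 0x05 0x04, a
# 12-byte header with a -4 s clock offset, then a made-up principal in EXAMPLE.COM.
SAMPLE_CCACHE = (
    b"\x05\x04" + b"\x00\x0c"
    + b"\x00\x01\x00\x08" + b"\xff\xff\xff\xfc\x00\x00\x00\x00"
    + b"\x00\x00\x00\x01"                   # name type: NT-PRINCIPAL
    + b"\x00\x00\x00\x01"                   # one name component
    + b"\x00\x00\x00\x0b" + b"EXAMPLE.COM"
    + b"\x00\x00\x00\x05" + b"alice"
)
```

Running it on a real cache (open(path, "rb").read()) shows immediately whether the file is a v4 cache of the kind an older Kerberos library may reject.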