Troubles with Kerberized NFS: Solaris8-client to Solaris8-server

Mikhail T. mi+thun at aldan.algebra.com
Wed Dec 9 19:31:04 EST 2009


Douglas E. Engert wrote:
>> gssd, which is started on the Solaris client from inetd, reports the
>> following to truss, whenever I try to `ls -d /mnt':
>>
>>     open("/tmp/krb5cc_18039", O_RDONLY)             = 5
>>     fcntl(5, F_SETLKW, 0xFFBEEE44)                  = 0
>>     read(5, "0504", 2)                              = 2
>>     read(5, "\0\f", 2)                              = 2
>>     read(5, "\001", 2)                              = 2
>>     read(5, "\0\b", 2)                              = 2
>>     read(5, "FFFFFFFC\0\0\0\0", 8)                  = 8
>>     lseek(5, 51, SEEK_SET)                          = 51
>>     read(5, "\0\0\001", 4)                          = 4
>>     read(5, "\0\0\001", 4)                          = 4
>>     read(5, "\0\0\0\v", 4)                          = 4
>>     read(5, " E X A M P L E . C O M", 11)           = 11
>>     ...
>>     close(5)                                        = 0
>>     fstat(3, 0xFFBEF5E8)                            = 0
>>     putpmsg(3, 0xFFBEF774, 0xFFBEF760, 0, 0x0004)   = 0
>>     fstat(3, 0xFFBEF750)                            = 0
>>     getmsg(3, 0xFFBEF8FC, 0xFFBEF8EC, 0xFFBEF92C)   Err#11 EAGAIN
>
> Are you using MIT clients like kinit on the Solaris 8?

It is a good question, I am not sure. Seems like our kinit is from
Solaris' distribution:

    % what `which kinit`
    /usr/kerberos/bin/kinit:
            SunOS 5.8 Generic February 2000


> The gssd would be using the Solaris 8 Kerberos. I think Solaris 8
> Kerberos only supports DES, and may not like the ticket cache version #4,
> the second byte in the cache file.
>
> Look at the krb5.conf  ccache_type  parameter.

The parameter was not mentioned there at all. I added it with the value
of 2, performed kdestroy and kinit again, but that didn't change the
second byte of the cache. What's the right value?

> Solaris 10 Kerberos can work with AES.
> Why are you still using Solaris 8?

This is really beyond my power. For one thing, we have to support
certain applications that "aren't certified" for Solaris 10. For
another, certain unfortunate design decisions made by the architects of
Solaris 10 have caused somewhat of a disdain here (I refer to various
config parameters being in unwieldy XML).


The hardware that originally came with Solaris-8 is still chugging
along. If/when it is replaced in the future by newer boxes, those are
likely to run Linux...

Thanks a lot for your help, Douglas...

    -mi
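
Added example, not part of the original post: a Python parser that reads a FILE credential cache header in the same order as the reads in the truss trace above, so the format version (the second byte) and the default principal can be checked directly. It assumes the MIT file ccache layout for the big-endian versions 3 and 4; the sample bytes, including the principal name `someuser`, are constructed to mirror the trace.

```python
import struct

def parse_ccache_header(data):
    """Parse the header and default principal of a krb5 FILE ccache."""
    if len(data) < 2 or data[0] != 5 or data[1] not in (1, 2, 3, 4):
        raise ValueError("not a krb5 FILE ccache")
    version = data[1]          # the "second byte" discussed in the thread
    if version < 3:
        # Versions 1 and 2 store integers in host byte order; stop here.
        return {"version": version}
    pos, info = 2, {"version": version}

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated ccache")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def counted():
        (n,) = struct.unpack(">I", take(4))
        return take(n).decode("utf-8", "replace")

    if version == 4:           # only version 4 has the tagged header block
        (hdr_len,) = struct.unpack(">H", take(2))
        end = pos + hdr_len
        while pos < end:
            tag, tag_len = struct.unpack(">HH", take(4))
            body = take(tag_len)
            if tag == 1 and tag_len == 8:   # KDC time offset: sec, usec
                info["time_offset"] = struct.unpack(">ii", body)
    info["name_type"], count = struct.unpack(">II", take(8))
    info["realm"] = counted()
    info["principal"] = "/".join(counted() for _ in range(count))
    info["next_offset"] = pos  # where the first credential would begin
    return info

# Constructed sample: header bytes as seen in the trace, followed by a
# default principal with a made-up 8-byte name in realm EXAMPLE.COM.
SAMPLE = (bytes.fromhex("0504" "000c" "0001" "0008" "fffffffc" "00000000")
          + bytes.fromhex("00000001" "00000001" "0000000b") + b"EXAMPLE.COM"
          + bytes.fromhex("00000008") + b"someuser")

if __name__ == "__main__":
    print(parse_ccache_header(SAMPLE))
```

To inspect a real cache, pass the first few hundred bytes of the file, for example `parse_ccache_header(open(path, "rb").read(512))`.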