Kerberised NFS

Martin Simovic msimovic at concurrent-thinking.com
Thu Feb 12 05:59:23 EST 2009


Hi,

The client needs to get his ticket initially somehow. (Yes, the ticket
expires.) Ideally this happens during logon (here you have to play with
PAM settings). On the other hand, the client can always run 'kinit' from
the console to get his ticket (after that his mounted directory will become
accessible).

I can't tell you much about how to achieve this on Solaris. However, I can
post the pam.conf for Linux I use myself;
the result is that the client (me) gets a Kerberos ticket during GDM logon -
no need to provide the credentials twice. After that, all the kerberized
services (NFS, IMAP, HTTP, authenticated SMTP, SSH) are available
immediately, as all the tickets needed for a given service are
automatically requested and granted on the basis that the user (me)
already has a TGT (ticket granting ticket).

M. 



On Thu, 2009-02-12 at 08:15 +1100, Edward Irvine wrote:
> Hi Folks,
> 
> Is there a ticket between client and server that expires? If so, how  
> does it get renewed?
> 
> Kerberised NFS presumably requires authentication and (optionally)  
> encryption between client and server, so presumably the client needs  
> to get a ticket prior to contacting the server.
> 
> I appear to be successfully using sharing out /export/home from a  
> server with kerberos security options, and successfully automounting  
> user's home directories on client machines when they log in. However,  
> first thing in the morning the home directories on client machines  
> are inaccessible (i.e. when I ssh in my home directory is  
> unavailable). Restarting automountd fixes things for the rest of the  
> day.
> 
> This is Solaris 10 u6 on client and server, and using the Solaris 10  
> u6 Kerberos server. There is no NIS or LDAP naming going on (yet) -  
> nsswitch is to files and DNS. The mapid domain name is set in
> /etc/defaults/nfs.
> 
> Any pointers greatly appreciated.
> 
> Eddie
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
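
A minimal Linux PAM stack of the kind the reply describes, where the password typed at the GDM prompt is also used to obtain the TGT. This is an added example, not the pam.conf the author refers to; the file path, the module options and the UID threshold of 1000 are assumptions to adapt to the local distribution.

```conf
# /etc/pam.d/gdm  (constructed example, Linux-PAM syntax; path is an assumption)

# auth: check the typed password against the KDC first. On success the
# module holds the user's TGT and the rest of the auth stack is skipped.
# minimum_uid=1000 (assumed threshold) makes the module ignore root and
# system accounts, so they never depend on the KDC being reachable.
auth      sufficient  pam_krb5.so  minimum_uid=1000

# Fallback for local-only accounts: reuse the password already typed
# instead of prompting a second time.
auth      required    pam_unix.so  try_first_pass

# account: the user must still exist locally and not be expired or locked
# (name service is "files" in the setup described in this thread).
account   required    pam_unix.so

# session: pam_krb5 keeps the credential cache for the lifetime of the
# session and removes it at logout, so tickets do not linger on disk.
session   required    pam_unix.so
session   optional    pam_krb5.so  minimum_uid=1000
```

After logging in through such a stack, 'klist' should show a krbtgt entry with its expiry time; once that time passes, access to the kerberised NFS mount fails until a new ticket is obtained.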


