Kerberised NFS

Douglas E. Engert deengert at anl.gov
Thu Feb 12 11:52:20 EST 2009



Edward Irvine wrote:
> Hi Folks,
> 
> Is there a ticket between client and server that expires? If so, how  
> does it get renewed?
> 
> Kerberised NFS presumably requires authentication and (optionally)  
> encryption between client and server, so presumably the client needs  
> to get a ticket prior to contacting the server.

Are you talking NFSv4 or NFSv3?
> 
> I appear to be successfully sharing out /export/home from a  
> server with Kerberos security options, and successfully automounting  
> users' home directories on client machines when they log in. However,  
> first thing in the morning the home directories on client machines  
> are inaccessible (i.e. when I ssh in my home directory is  
> unavailable). Restarting automountd fixes things for the rest of the  
> day.

First of all, the sshd must get a Kerberos ticket, either by
delegated GSSAPI credentials (i.e. a forwarded Kerberos ticket),
or by keyboard-interactive. You will need to set up pam.conf for sshd-*


On Solaris the sshd has multiple entries in pam.conf depending on
which authentication method was used; see the end of the sshd man page
for sshd-gssapi and sshd-kbdint.

dtlogin can also call pam_krb5; see the man page on pam_krb5.

> 
> This is Solaris 10 u6 on client and server, and using the Solaris 10  
> u6 Kerberos server. There is no NIS or LDAP naming going on (yet) -  
> nsswitch is to files and DNS. The mapid domain name is set in /etc/ 
> defaults/nfs.

Solaris with NFSv4 will only use the default Kerberos ticket cache
for a user, /tmp/krb5cc_<uid>, even if you have KRB5CCNAME set.
(Personally, I consider this a step backwards and have expressed this
to Sun many times.)

Having said all the above, we do get tickets at login, sshd and screen
unlock, but use AFS (which uses Kerberos V5) for home directories,
not NFS. I would expect that if pam is setup to get the tickets,
the NFS code would use them for home directory access.


> 
> Any pointers greatly appreciated.
> 
> Eddie
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
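The expiry-and-renewal question at the top of this thread, as an added example that is not part of the original messages or of the Solaris or MIT Kerberos code: a small check of the default cache the reply says Solaris NFSv4 insists on (/tmp/krb5cc_<uid>). It parses MIT-style `klist` output (the constructed sample and the date format the regexes expect are assumptions; Solaris `klist` may print dates differently) and decides whether the TGT is still fine, should be renewed with `kinit -R` while it is still valid, or has already expired, which is the "first thing in the morning" case, where a renewal is refused and the user has to obtain a fresh ticket through PAM or `kinit`.

```python
import os
import re
import subprocess
from datetime import datetime, timedelta

# Cache path the thread says Solaris NFSv4 insists on (it ignores KRB5CCNAME).
DEFAULT_CACHE = "/tmp/krb5cc_{uid}"

# Constructed sample of MIT-style `klist` output, so the check runs offline.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: eddie@EXAMPLE.COM

Valid starting       Expires              Service principal
02/12/2009 08:00:00  02/12/2009 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/19/2009 08:00:00
02/12/2009 08:05:12  02/12/2009 18:00:00  nfs/nfsserver.example.com@EXAMPLE.COM
"""

# Timestamp layout assumed for klist output (MIT default; Solaris may differ).
STAMP = r"\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d"
STAMP_FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(r"^(" + STAMP + r")\s+(" + STAMP + r")\s+(\S+)\s*$")
RENEW_RE = re.compile(r"^\s*renew until (" + STAMP + r")\s*$")


def parse_stamp(text):
    """Parse one klist timestamp into a datetime."""
    return datetime.strptime(text, STAMP_FMT)


def parse_klist(text):
    """Turn klist output into a list of dicts: service, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "expires": parse_stamp(m.group(2)),
                "renew_until": None,  # filled in by a following "renew until" line
            })
            continue
        r = RENEW_RE.match(line)
        if r and tickets:
            tickets[-1]["renew_until"] = parse_stamp(r.group(1))
    return tickets


def plan_action(tickets, now, margin=timedelta(hours=1)):
    """Decide what to do about the TGT at time `now`.

    'ok'             TGT valid for more than `margin`
    'renew'          TGT about to expire but renewable: run `kinit -R` now
    'reauthenticate' TGT expired or not renewable: `kinit -R` would be
                     refused, the user needs a fresh ticket (PAM login/kinit)
    'no-tgt'         no krbtgt in the cache at all
    """
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "no-tgt"
    tgt = tgts[0]
    if now >= tgt["expires"]:
        # Kerberos will not renew a ticket whose end time has already passed.
        return "reauthenticate"
    if tgt["expires"] - now > margin:
        return "ok"
    if tgt["renew_until"] and tgt["renew_until"] > tgt["expires"]:
        return "renew"
    return "reauthenticate"


def check_cache(uid, now=None):
    """Run klist on the user's default cache and return the planned action."""
    cache = DEFAULT_CACHE.format(uid=uid)
    if not os.path.exists(cache):
        return "no-tgt"
    out = subprocess.run(["klist", "-c", cache], capture_output=True, text=True)
    if out.returncode != 0:
        return "no-tgt"
    return plan_action(parse_klist(out.stdout), now or datetime.now())


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for when in ("02/12/2009 10:00:00", "02/12/2009 17:30:00", "02/13/2009 08:00:00"):
        print(when, "->", plan_action(tickets, parse_stamp(when)))
```

Run from cron or a screen-unlock hook with a margin longer than the interval between runs, so the renewal always happens while the TGT is still valid; once the ticket has expired overnight, the only fix is a fresh ticket, which is why a PAM configuration that obtains one at login and screen unlock matters more than any renewal loop.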
