Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)

Wang Shouhua shouhuaw at gmail.com
Sat Apr 12 03:50:25 EDT 2014


On 11 April 2014 22:14, Will Fiveash <will.fiveash at oracle.com> wrote:
> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
>> I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory)
>> krb5p authentication via the Solaris /net automounter with kinit only,
>> without having r/w access to /etc/krb5.conf?
>
> You'll need to have Solaris krb configured which stores its config in
> /etc/krb5 not /etc as is the MIT default.  You'll also need read access
> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
> with krb in general (read the Solaris 10 online docs).
>
> Beyond that, whether a user kinit'ing is enough depends on which version
> of NFS you are using.  On the client side NFSv3 sec=krb5p shares will
> automount if the user triggering the mount has a krb cred in their
> ccache (klist will show that) and does not require any keys in the
> system keytab nor does it require root to have a krb cred in general.
>
> NFSv4 on the other hand does require that the root on the NFS client
> system have a krb cred in its ccache.  This can be done either by
> running kinit as root or having at least one set of keys for either the
> root/<host> or host/<host> service princ in the system keytab which will
> be automatically used to acquire a krb cred for root.
>
> On the client system "nfsstat -m" will show what version of NFS is being
> used.

We are talking about NFS version 4 (NFSv4) on Solaris only. Why does
NFSv4 have such extra requirements?

What we hoped is that if a machine has Kerberos5 enabled it can
connect to *any* other Kerberos5 (krb5p/krb5i) filesystem, not only
those in the current Kerberos5 realm, if kinit can be provided with
the correct tickets. If it doesn't work then it looks like a bug to us
(speaking for MOST.GOV.CN).

How can we get this fixed?

Wang
-- 
Wang Shouhua - shouhuaw at gmail.com
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN