Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
Will Fiveash
will.fiveash at oracle.com
Tue Apr 15 00:05:00 EDT 2014
On Sat, Apr 12, 2014 at 11:24:28AM +0200, Wang Shouhua wrote:
> Let's recap:
>
> 1. Requirements:
> - Linux or Solaris
> - NFS automounter set up at /net
> - Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
> - A NFS server (version 4 only) nfsserver.most.gov.cn exists in the
> realm MOST.GOV.CN, with a subdir of test3
>
> 2. Goal:
> A user provides his password to obtain a ticket for user2 at MOST.GOV.CN
> (optionally nfs at MOST.GOV.CN, if this is a requirement to do a mount),
> and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a
> successful ls -al there
>
> Is that possible?
I don't think so. If the NFS client is only configured for realm
EXAMPLE2.COM, how will a user get a nfs service ticket for the
MOST.GOV.CN realm? The NFS client will need to be configured for
crossrealm operation in order for a user to get that service ticket once
the user has their krb TGT credential for EXAMPLE2.COM.
Second, how is the NFS server in MOST.GOV.CN going to map a principal in
EXAMPLE2.COM to a local user ID? This will require some form of
'auth_to_local*' mapping configuration on the NFS server side in
/etc/krb5/krb5.conf.
You may want to ask for more info on this on the Oracle OTN discussion
forums, read the Solaris 10 online documentation or check with your
Oracle support person.
--
Will Fiveash
Oracle Solaris Software Engineer
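To make the two points above concrete (the client needing a cross-realm path to MOST.GOV.CN, and the server needing an auth_to_local mapping), here is an added krb5.conf sketch; it is not from the thread or from Oracle, the KDC hostnames are assumptions, the two halves belong in two separate files (client and server), and the MIT-style RULE syntax is assumed to be supported by the NFS server's Kerberos implementation:

```ini
# ===== NFS client (realm EXAMPLE2.COM), /etc/krb5.conf =====
# The client must know BOTH realms so that a TGT for EXAMPLE2.COM can be
# used to obtain nfs/nfsserver.most.gov.cn@MOST.GOV.CN via cross-realm.
[libdefaults]
    default_realm = EXAMPLE2.COM

[realms]
    EXAMPLE2.COM = {
        # assumed KDC hostname
        kdc = kdc.example2.com
    }
    MOST.GOV.CN = {
        # assumed KDC hostname
        kdc = kdc.most.gov.cn
    }

[domain_realm]
    # Without this mapping rpc.gssd would ask the EXAMPLE2.COM KDC for
    # nfs/nfsserver.most.gov.cn, which does not exist there.
    nfsserver.most.gov.cn = MOST.GOV.CN
    .most.gov.cn = MOST.GOV.CN

[capaths]
    # Direct trust path; both KDCs must share the cross-realm principal
    # krbtgt/MOST.GOV.CN@EXAMPLE2.COM for this to work.
    EXAMPLE2.COM = {
        MOST.GOV.CN = .
    }

# ===== NFS server nfsserver.most.gov.cn (realm MOST.GOV.CN) =====
# Solaris: /etc/krb5/krb5.conf.  Maps the foreign principal to a local
# account; a foreign principal with no matching rule gets no local user.
[realms]
    MOST.GOV.CN = {
        kdc = kdc.most.gov.cn
        # user2@EXAMPLE2.COM -> user2 (only that one principal is allowed;
        # the anchored regex rejects everything else from EXAMPLE2.COM)
        auth_to_local = RULE:[1:$1@$0](^user2@EXAMPLE2\.COM$)s/@EXAMPLE2\.COM$//
        # principals in MOST.GOV.CN itself map to their first component
        auth_to_local = DEFAULT
    }
```

On the server, only the principals you deliberately list in RULE entries become local users; the DEFAULT rule never maps a foreign-realm principal.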