[EMAIL PROTECTED] (Alok Gore) wrote in message news:<[EMAIL PROTECTED]>...
> [EMAIL PROTECTED] (Mike Eisler) wrote in message 
> > The other thing is that you are showing the klist output on the
> > NFS server. We need the klist output for the client.
> > (nfs-alok.blr.novell.com).
> > kinit'ing to root/<client name> on the NFS server is of no use.
> 
> Looks like there has been a misunderstanding. I gave the setting both
> on client and server. I am having the keytab containing the
> nfs-service's principal *both* on client and server (I know that
> SEAM Docs do not mandate this keytab on the client machine, but there
> is harm either). I have done kinit on server for root/server-hostname

My understanding is that when an MIT or SEAM KDC extracts a key into
a keytab, the key is changed. So depending on how you are constructing
these keytabs, harm is quite possible. Since there's no benefit
to doing this, and a security risk to doing it, don't do it.
Similarly, there's no benefit to kiniting to the NFS client principal
from the NFS server's shell.

Suggestion: remove your keytabs, remove the nfs principal, re-create
it, and extract it into one and only one keytab onto the
NFS server.

> and have done kinit on client for root/client-hostname.
> 
> (All those lines that start with #client are the commands executed on
> the client machine and all those lines starting with #server are
> commands on server)

Ok, I missed the part where you are kinit'ing on the client
to root/dharma. Apologies. You had:

client#klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/[EMAIL PROTECTED]
Valid starting                       Expires                      Service principal
Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004  krbtgt/[EMAIL PROTECTED]
        renew until Wed May 12 01:07:17 2004

client#klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/[EMAIL PROTECTED]
   4 nfs/[EMAIL PROTECTED]

client#mount
/nfs on dharma:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40004 on Wed May  5 07:15:43 2004

client#cd /nfs
bash: cd: /nfs: Permission denied

------------------------------

So what does klist show after the "cd /nfs"?

If there's a service ticket to the NFS server, then
this suggests a problem between the NFS client and the
NFS server. If there is no ticket, then something else
is going on ... try analyzing the traffic between the
NFS client and the KDC.
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
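
Added example, not part of the original message or of any Kerberos tooling: a shell sketch of the two checks discussed in this thread, classifying `klist` output by whether an nfs/ service ticket was cached, and listing nfs/ keys found in a keytab. The function names, host names and realm are constructed placeholders, and the parsing assumes the service principal is the last field on each ticket line, as in the klist output quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for the checks discussed in this thread.
# Host and realm names below are constructed placeholders.

# classify_klist HOST: read `klist` output on stdin, print one of
#   service-ticket  nfs/HOST ticket cached -> look between NFS client and server
#   tgt-only        only a TGT cached      -> look between NFS client and KDC
#   no-tgt          nothing usable cached  -> kinit first
classify_klist() {
    awk -v want="nfs/$1@" '
        /renew until/              { next }     # continuation line of a ticket
        index($NF, "krbtgt/") == 1 { tgt = 1 }  # last field is the service principal
        index($NF, want) == 1      { svc = 1 }
        END { print (svc ? "service-ticket" : (tgt ? "tgt-only" : "no-tgt")) }'
}

# nfs_keys_in_keytab: read `klist -k` output on stdin and print
# "KVNO PRINCIPAL" for every nfs/ service key it lists. On an NFS client
# the expected output is empty.
nfs_keys_in_keytab() {
    awk '$1 ~ /^[0-9]+$/ && index($2, "nfs/") == 1 { print $1, $2 }'
}

# Constructed sample input (not taken from the thread).
SAMPLE_TGT_ONLY='Ticket cache: /tmp/krb5cc_0
Default principal: root/client.example.com@EXAMPLE.COM
Valid starting                       Expires                      Service principal
Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until Wed May 12 01:07:17 2004'

SAMPLE_WITH_SERVICE="$SAMPLE_TGT_ONLY
Wed May 05 01:09:02 2004  Wed May 05 11:07:17 2004  nfs/server.example.com@EXAMPLE.COM
        renew until Wed May 12 01:07:17 2004"

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------
   4 nfs/server.example.com@EXAMPLE.COM'

printf '%s\n' "$SAMPLE_TGT_ONLY"     | classify_klist server.example.com
printf '%s\n' "$SAMPLE_WITH_SERVICE" | classify_klist server.example.com
printf '%s\n' "$SAMPLE_KEYTAB"       | nfs_keys_in_keytab
```

On a real client, pipe the output of `klist` taken right after the failing `cd` into `classify_klist` with the NFS server's host name as it appears in the nfs/ principal.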
