I don't know if it will help, but here is what I would do to try and get it going: I'll assume the server is nfs-alok.blr.novell.com and the client is dharma.blr.novell.com.
1 - Go to KDC and with kadmin - delete any principals you created before for this - create the following 2 principals nfs/[EMAIL PROTECTED] root/[EMAIL PROTECTED]
- then create the keytab file for the server with ktadd -e des-cbc-crc:normal -k <some_new_file_name> nfs/[EMAIL PROTECTED]
2 - go to the server (nfs-alok.blr.novell.com) and
- copy <some_new_file_name> to the keytab file name
- try the following command, to see if the keytab worked
# kinit -k nfs/nfs-alok.blr.novell.com
- if this works ok
- reboot the server (I don't know Solaris well enough to say if this
is necessary or not:-)
Definitely NOT necessary. If it doesn't work, check the KDC logfiles
to see if the correct tickets are being requested and created when the nfs share
is being accessed. Check system logs to see if the kernel is reporting any
errors from the NFS modules.
3 - go to the client (dharma.blr.novell.com) - get a credentials cache file for root # kinit root/[EMAIL PROTECTED] - and type the password you gave it when the principal was created in step 1 - now try the mount # mount -F nfs -o vers=3,sec=krb5 nfs-alok.blr.novell.com:/<exp-dir> /mnt # ls /mnt
If it still doesn't work, some things to look at:
- make sure that /<exp-dir> on nfs-alok.blr.novell.com has world access
- make des-cbc-crc the default encryption type for both client and server
(in krb5.conf)
- check that the fully qualified domain names are recognized on both client
and server and returned as the primary name by the DNS resolver. (One cheezy
way to ensure this is to put entries for both machines in /etc/hosts with
the fully qualified names first, then set file before bind for the resolver.
I'm not sure how this is done on Solaris? In nsswitch.conf or a line like
"lookup file bind" in resolv.conf or ???)
Solaris nsswitch.conf entry for host lookup:
hosts: files dns
-Wyllys
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
