Thanks a lot for the response! :)

You asked:

>Are you using [EMAIL PROTECTED] or nfs/[EMAIL PROTECTED]
>The latter is known to work. Ditto [EMAIL PROTECTED] versus
>root/[EMAIL PROTECTED]

I am using nfs/[EMAIL PROTECTED] and root/[EMAIL PROTECTED]
I have the keytab file containing the principal nfs/[EMAIL PROTECTED] copied on to the server and I have done kinit on the client. I can see the root/[EMAIL PROTECTED] principal when I do a klist on the client.

But I have a confusion! By looking at the principals you cannot distinguish between the principal for a service and a principal for a user. Does it matter?

Apologies for the naive questions - I'm new to Kerberos.

I was looking at a thread which is about using Kerberos 4 for NFS client-server communication on Solaris.
(Refer to: http://groups.google.com/groups?selm=rns.812460270%40deakin.edu.au&oe=UTF-8&output=gplain)

I know that this discussion does not fully apply to me because I am using krb5 and RPCSEC_GSS mechanisms, but some things may be similar. Mainly I was able to see these *cookbook* tips for setting it up:

* must run "kerbd" process on both NFS client and NFS server
* must be running a Kerberos *V4* server
* export the filesystem with kerberos authentication enabled:
* obtain "root.client" ticket-granting ticket on the client:
      client# kinit root.client
* mount the filesystem on the client, with the kerberos option:
      client# mount -o rw,kerberos server:/export/xxx /mnt

The above mount command will obtain an "nfs.server" service ticket from the kerberos server. You can verify this with "klist".

I am worried about two things:
1) I don't have anything like the "kerbd" that is mentioned here.
2) I am not getting the nfs/server-hostname ticket after doing a mount.

Can you help?

-Alok.

[EMAIL PROTECTED] (Mike Eisler) wrote in message news:<[EMAIL PROTECTED]>...
> [EMAIL PROTECTED] (Alok Gore) wrote in message news:<[EMAIL PROTECTED]>...
> > Hi Group,
> >
> > This is Alok Gore from Bangalore India.
> > I was trying to set up Kerberized NFS client-server environment in my
> > LAN.
> > I am using Solaris 8 machines as NFS client/server and Linux machine
> > as the KDC (MIT KDC).
> >
> > I installed the SEAM packages needed for the Kerberized NFS Setup on
> > the machine.
> > I am able to export a path from NFS Server with Krb5 Security mode.
> >
> > #share
> > - /alok/1 rw ""
> > - /alok/2 sec=krb5 ""
> >
> >
> > I am able to mount this path from the Client machine with Krb5
> > Security mode.
> >
> > #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
> > #mount
> > /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
> > on Mon May 3 09:02:27 2004
> >
> >
> > But I can't access/list the mounted directory. It says permission
> > denied.
> >
> > #ls /nfs
> > /nfs: Permission denied
> >
> > I have the [EMAIL PROTECTED] principal for the nfs server
> > in KDC and I have the keytab file containing this principal on the
> > server. The KDC also has a principal [EMAIL PROTECTED]
> > for client. Am I missing something?
>
> Are you using [EMAIL PROTECTED] or nfs/[EMAIL PROTECTED]
> The latter is known to work. Ditto [EMAIL PROTECTED] versus
> root/[EMAIL PROTECTED]
>
> Did you kinit to root/client-hostname? Or place it in the keytab on the
> client? What does:
>
> # klist
>
> on the client display?
>
> > I am not seeing any traffic on the wire when I get this permission
> > denied message. (Maybe the client decides locally that it does not
> > have enough rights to authenticate itself to NFS Server)
>
> Sounds like you haven't done a kinit or populated the
> keytab with the root/client principal. If so, the client
> has decided it doesn't have client credentials to ask the
> ticket granting service (TGS) on the KDC for a ticket
> to access the NFS server.
>
> >
> > Is it because I am using MIT KDC ??
>
> Probably not. Solaris/NFS/krb5 is known to work with
> MIT and Active Directory in addition to the SEAM KDC.
>
> -mre

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
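
An added example, not part of the original thread or anyone's posted code: a small Python check that reads client-side klist output and tells apart the three states discussed above (no TGT, a TGT for something other than root/client-hostname, or a TGT but no nfs/server-hostname service ticket). It assumes the MIT krb5 klist layout with numeric dates; the sample output, hostnames and realm are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed klist output in the MIT krb5 layout; hosts and realm are placeholders.
KLIST_TGT_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/client.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
05/03/04 09:00:12  05/03/04 19:00:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
KLIST_WITH_NFS = (KLIST_TGT_ONLY +
    "05/03/04 09:02:27  05/03/04 19:00:12  nfs/nfs-alok.example.com@EXAMPLE.COM\n")

# A ticket row: start date+time, expiry date+time, then the service principal.
ROW = re.compile(r"^\s*\d+/\d+/\d+\s+[\d:]+\s+\d+/\d+/\d+\s+[\d:]+\s+(\S+)\s*$")

def split_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    body, _, realm = name.partition("@")
    primary, _, instance = body.partition("/")
    return primary, instance, realm

def parse_klist(text):
    """Return (default principal or None, list of service principals)."""
    default, services = None, []
    for line in text.splitlines():
        if line.strip().startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif (m := ROW.match(line)):
            services.append(m.group(1))
    return default, services

def diagnose(text, client_host, server_host):
    """Classify the client's credential state for a sec=krb5 mount."""
    default, services = parse_klist(text)
    tickets = [split_principal(s) for s in services]
    if default is None or not any(p == "krbtgt" for p, _, _ in tickets):
        return "no-tgt"                  # nothing to present to the TGS: run kinit
    if split_principal(default)[:2] != ("root", client_host):
        return "wrong-client-principal"  # expected root/<client-hostname>
    if ("nfs", server_host) not in [(p, i) for p, i, _ in tickets]:
        return "no-nfs-ticket"           # TGT present, no service ticket cached yet
    return "ok"
```
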
