> In general it looks like it should be working. Can you do the > > sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr > sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
/:barnowl> sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr /:barnowl> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt nfs mount: mount: /mnt: Permission denied /:barnowl> May 19 09:58:28 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 129.83.10.149: CLIENT_NOT_FOUND: root/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database May 19 09:58:28 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 129.83.10.149: ISSUE: authtime 1211205508, etypes {rep=16 tkt=16 ses=1 6}, host/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED] > while on barnowl? Note, make sure nothing is mounted on /mnt first of > course. If that doesn't work can you try using an actually root session > and run the mount without sudo (which is not a native Solaris command). > If it works without sudo, try that on crete. Nothing is mounted on /mnt barnowl# mount -F nfs -o sec=krb5 barnowl:/usr /mnt nfs mount: mount: /mnt: Permission denied barnowl# > Also, what variant of krb are you using on crete? I ask because the > klist output on that system shows krb v4 info which the native Solaris > krb knows nothing about. While I don't think this is causing the > problem with the mount command one should be careful about mixing use of > krb variants on a system. I don't think it's relevant either. I considered it last week while I was trying to solve this problem and disregarded it. To answer your specific question, MIT Kerberos 1.6.x is installed in /usr/rcf-krb5/bin and is favored PATH-wise. >> ==== Basic NFS works ============================================ >> >> ~:barnowl> sudo share -F nfs -o rw=crete /var/sadm >> >> ~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt >> ~:crete> sudo umount /mnt >> >> ~:barnowl> sudo unshare /var/sadm >> ~:barnowl> >> >> ==== Basic krb5 auth works, FWIW ================================ >> >> ~:crete> /usr/bin/klist >> Ticket cache: FILE:/tmp/krb5cc_26560 >> Default principal: [EMAIL PROTECTED] >> >> Valid starting Expires Service principal >> 05/15/08 20:07:07 05/22/08 20:07:07 krbtgt/[EMAIL PROTECTED] >> renew until 05/22/08 20:07:07 >> ~:crete> >> >> ==== The failing NFSv4 with krb5 ================================ >> >> SERVER >> ------ >> >> ~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl >> 12 host/[EMAIL PROTECTED] (Triple DES cbc mode with >> HMAC/sha1) >> 12 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32) >> 6 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32) >> ~:barnowl> >> >> ~:barnowl> grep krb5 /etc/nfssec.conf >> krb5 390003 kerberos_v5 default - # RPCSEC_GSS >> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS >> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS >> ~:barnowl> >> >> ~:barnowl> sudo svcadm restart network/rpc/gss >> ~:barnowl> >> >> ~:barnowl> svcs -x nfs/server >> svc:/network/nfs/server:default (NFS server) >> State: online since May 15, 2008 8:06:05 PM EDT >> See: nfsd(1M) >> See: /var/svc/log/network-nfs-server:default.log >> Impact: None. >> ~:barnowl> >> >> ~:barnowl> sudo share >> - /usr sec=krb5,rw=crete "" >> ~:barnowl> >> >> CLIENT >> ------ >> >> ~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete >> 5 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32) >> 6 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32) >> ~:crete> >> >> ~:crete> grep krb5 /etc/nfssec.conf >> krb5 390003 kerberos_v5 default - # RPCSEC_GSS >> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS >> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS >> ~:crete> >> >> ~:crete> sudo svcadm restart network/rpc/gss >> ~:crete> >> >> ~:crete> sudo kdestroy >> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt >> nfs mount: mount: /mnt: Permission denied >> ~:crete> sudo klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: host/[EMAIL PROTECTED] >> >> Valid starting Expires Service principal >> 05/15/08 20:49:34 05/16/08 06:49:34 krbtgt/[EMAIL PROTECTED] >> 05/15/08 20:49:34 05/16/08 06:49:34 nfs/[EMAIL PROTECTED] >> >> >> Kerberos 4 ticket cache: /tmp/tkt0 >> klist: You have no tickets cached > >> ~:crete> >> >> ON THE KDC WHEN THE MOUNT FAILS >> ------------------------------- >> >> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 >> etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: >> root/[EMAIL PROTECTED] for >> krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database >> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): DISPATCH: >> repeated (retransmitted?) request from 128.29.72.73, resending previous >> response >> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 >> etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes >> {rep=3 tkt=16 ses=16}, host/[EMAIL PROTECTED] for >> krbtgt/[EMAIL PROTECTED] >> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): TGS_REQ (5 >> etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes >> {rep=16 tkt=1 ses=1}, host/[EMAIL PROTECTED] for >> nfs/[EMAIL PROTECTED] >> ________________________________________________ >> Kerberos mailing list Kerberos@mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos