On Thu, Oct 14, 2010 at 10:58:43AM -0700, Alexander Welter wrote:
> Hi Will,
>
> it's fairly simple - the CU once had a kerberized NFS server, and they have
> been *really* happy on the day they finally shut the system down ;-) , so it
> will be a challenge to convince them to go for kerberos again ...

Using krb properly does require a good understanding of configuration (we've seen many problems there); however, we are also aware that debugging config/interop problems is not as easy as it should be (the problem is that there are many layers of software involved with NFS using krb for security and error details can get lost between the layers). We are working on this issue and others to improve the robustness of NFS sec=krb* and I expect the next release of Solaris will include these improvements.

Beyond that, just because a system is configured to do krb authentication does not mean that NFS must use it (just comment out the lines starting with krb5* in /etc/nfssec.conf). It can be selectively used by various services including SSH. In Solaris 10 on up sshd will try to do krb/gssapi auth if there is a host service key in the keytab on the system. Again, if one does not want sshd to support krb auth, just edit the /etc/ssh/sshd_config to disable it.

--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
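
An added example, not part of the original message or of Solaris: a small audit of the two files named above, reporting which krb5* NFS flavors are still active and what sshd is set to. The function names, the constructed sample files, their column layout, and the use of the `GSSAPIAuthentication` keyword (the message does not name the sshd option) are assumptions.

```shell
#!/bin/sh
# Added example: check the two settings discussed in the message above.

# Print the krb5* security flavors that are still active (not commented
# out) in an nfssec.conf-style file, space separated on one line.
active_krb_flavors() {
    awk '$1 ~ /^krb5/ { printf "%s%s", sep, $1; sep = " " }
         END { print "" }' "$1"
}

# Print the first uncommented GSSAPIAuthentication value found in an
# sshd_config-style file, or "unset" when the keyword does not appear.
sshd_gssapi_setting() {
    awk 'tolower($1) == "gssapiauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "unset" }' "$1"
}

# Constructed sample inputs (assumed layout, not copied from a real host).
write_samples() {
    cat > "$1/nfssec.conf" <<'EOF'
none     0       -            -        -          # AUTH_NONE
sys      1       -            -        -          # AUTH_SYS
#krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i    390004  kerberos_v5  default  integrity  # RPCSEC_GSS
krb5p    390005  kerberos_v5  default  privacy    # RPCSEC_GSS
default  1       -            -        -          # default is AUTH_SYS
EOF
    cat > "$1/sshd_config" <<'EOF'
# GSSAPIAuthentication yes
Protocol 2
GSSAPIAuthentication no
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "active krb5 NFS flavors: $(active_krb_flavors "$tmp/nfssec.conf")"
echo "sshd GSSAPIAuthentication: $(sshd_gssapi_setting "$tmp/sshd_config")"
```

On the sample input only the first krb5 line was commented out, so krb5i and krb5p are still reported as active.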
