Re: How to set up NFS client for Kerberized access in Solaris

From: Alok Gore (alokgore_at_rediffmail.com)
Date: 05/05/04


Date: 5 May 2004 03:55:49 -0700

This time I am sending the *complete* setup on client and server.

SERVER::
server#ps -eaf | grep gssd
    root 295 154 0 06:32:01 ? 0:00 gssd

>>Are you using DNS? Do you have DNS running on your
>>NFS client and server? And on your KDC? Do your
>>root/ and nfs/ principals have fully qualified domain names
>>in them? E.g.

>>root/alok.rediffmail.

>>It might help if you use real names of clients and servers in your
>>examples.

server#klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/nfs-alok.blr.novell.com@NFS-REALM

Valid starting Expires
Service principal
Wed May 05 01:07:34 2004 Wed May 05 11:07:34 2004
krbtgt/NFS-REALM@NFS-REALM
  renew until Wed May 12 01:07:34 2004

server#klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM

server#share
- /alok/1 rw ""
- /alok/2 sec=krb5 ""

>>But, it sounds like you have things set up ok. One other thing is that, I
>>believe, root will still be mapped to nobody, so it may just be that "nobody"
>>doesn't have access to the mount point. You might try opening up the
>>permissions on the mount point on the server or mapping root->root and see
>>if that helps. (Or try a user other than root on the client.)

server#ls -ld / /alok /alok/2
drwxrwxrwx 32 nobody nobody 1024 May 5 06:32 /
drwxrwxrwx 4 nobody nobody 512 Apr 16 05:10 /alok
drwxrwxrwx 2 nobody nobody 512 Apr 16 06:08 /alok/2

CLIENT::
client#ps -eaf |grep gssd
    root 527 1 0 06:46:45 ? 0:00 /usr/lib/gss/gssd
client#klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/dharma.blr.novell.com@NFS-REALM
Valid starting Expires
Service principal
Wed May 05 01:07:17 2004 Wed May 05 11:07:17 2004
krbtgt/NFS-REALM@NFS-REALM
        renew until Wed May 12 01:07:17 2004

client#klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM

client#mount
/nfs on dharma:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40004
on Wed May 5 07:15:43 2004

client#cd /nfs
bash: cd: /nfs: Permission denied

>>Read the documentation on our web site. You will find detailed,
>>step-by-step
>>instructions for configuring Kerberized NFS.

Yes! In fact, that was the first source of my information.
I have done everything, including the set-up of the gsscred table;
only two things are not clear to me in the doc.
1) My KDC and the NFS client server are not time-synchronized. But I
have set the time manually on those machines, which is almost matching.
   But if that *can* create problems like this, I will do a set-up for
running NTP on those machines. Should I?
2) Somewhere in the SEAM configuration doc they say: two KDCs are a must
for SEAM to work.
    Even in my Kerberos set-up (during installation) I was forced to
enter two KDC host names (I have kept both the same):
        [realms]
        NFS-REALM = {
                kdc = nfstest5.blr.novell.com
                kdc = nfstest5.blr.novell.com
                admin_server = nfstest5.blr.novell.com
        }
   Does it matter?

Thanks again for the support.
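An added sanity check (not from this thread or from Sun's docs) that runs the two checks the replies keep coming back to over the listings posted above: that every keytab principal carries a fully qualified host name, that an nfs/ service key on a machine belongs to that machine and not to some other host, and that the [realms] stanza does not list the same KDC twice. It assumes Python 3; the keytab listing and krb5.conf fragment are the poster's own, embedded here as constructed input, and the host/realm names passed to the checks are assumptions.

```python
import re

# Constructed input: the `klist -k` output posted for the client (dharma)
CLIENT_KLIST_K = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
"""

# Constructed input: the [realms] stanza from the poster's krb5.conf
KRB5_CONF_REALMS = """[realms]
        NFS-REALM = {
                kdc = nfstest5.blr.novell.com
                kdc = nfstest5.blr.novell.com
                admin_server = nfstest5.blr.novell.com
        }
"""

# One keytab line: "<kvno> <service>/<host>@<REALM>"
PRINC_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, service, host, realm) tuples from `klist -k` output.
    Repeated lines are normal: one key per encryption type (see `klist -ke`)."""
    return [(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            for m in map(PRINC_RE.match, text.splitlines()) if m]


def check_keytab(text, local_fqdn, realm):
    """Report keytab problems relevant to Kerberized NFS on this host."""
    problems = []
    for _kvno, svc, host, rlm in parse_keytab_listing(text):
        if "." not in host:
            problems.append(f"{svc}/{host}: host is not fully qualified")
        if rlm != realm:
            problems.append(f"{svc}/{host}: realm {rlm} is not {realm}")
        # A service key should live only on the host it names; a client
        # holding another host's nfs/ key points at a copied keytab.
        if svc == "nfs" and host != local_fqdn:
            problems.append(f"nfs/{host}: service key for another host")
    return sorted(set(problems))


def duplicate_kdcs(conf_text):
    """Return KDC names listed more than once in the [realms] stanza."""
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", conf_text, re.MULTILINE)
    return sorted({k for k in kdcs if kdcs.count(k) > 1})
```

Run the same check on the server with its own FQDN and the listing from the server's `klist -k`; a clean result there and a "service key for another host" result on the client shows where the keytab was copied from.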
