[29837] in Kerberos


Re: Solaris 10, secure nfs, permission denied

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu May 15 13:42:00 2008

Message-ID: <482C758E.9000206@anl.gov>
Date: Thu, 15 May 2008 12:40:30 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <482C6AF3.9070206@kickflop.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Jeff Blaine wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
> 
> ~:barnowl> uname -a
> SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc
> SUNW,Sun-Fire-V240
> ~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs
>     3 nfs/barnowl.foo.com@RCF.FOO.COM (DES cbc mode with CRC-32)
>     4 nfs/crete.foo.com@RCF.FOO.COM (DES cbc mode with CRC-32)

Why does barnowl have a keytab entry for crete in its keytab?

> ~:barnowl> sudo share
> -               /usr   sec=krb5:krb5i:krb5p   ""
> ~:barnowl>
> 
> 
> ~:crete> uname -a
> SunOS crete.foo.com 5.10 Generic_118833-36 sun4v sparc SUNW,Sun-Fire-T200
> ~:crete> sudo klist -e -k /etc/krb5.keytab | grep nfs

Could be hostname and principal don't match: crete.foo.com != crete.mitre.org
and realms don't match between the two machines.

>     3 nfs/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
>     4 nfs/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)

Why does crete have a keytab entry for barnowl in its keytab?

> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt/barnowl
> nfs mount: mount: /mnt/barnowl: Permission denied
> ~:crete>
> 
> krb5kdc.log on the KDC shows absolutely nothing
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
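
The keytab questions raised in the reply above can be checked mechanically. The following is an added example, not part of the original message: a shell function that reads `klist -k` output and compares each nfs/ principal against the host's own FQDN and realm. The function name check_nfs_keytab, the AWK override, the operator-supplied expected realm and the header lines in the sample listing are assumptions; the two entry lines are crete's as quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread).
# check_nfs_keytab FQDN REALM   -- reads `klist -k` output on stdin.
# Prints one verdict per nfs/ entry and returns 0 only if a key for
# nfs/FQDN@REALM is present. FQDN and REALM are supplied by the operator.
# Assumption: on Solaris 10 run with AWK=nawk, since -v needs a POSIX awk.
check_nfs_keytab() {
    "${AWK:-awk}" -v host="$1" -v realm="$2" '
        # Entry lines look like: "<kvno> <principal> [(enctype)]"
        $1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// {
            princ = $2
            at = index(princ, "@")
            if (at == 0) { print "MALFORMED " princ; next }
            phost  = substr(princ, 5, at - 5)   # text between "nfs/" and "@"
            prealm = substr(princ, at + 1)
            if (phost == host && prealm == realm) {
                print "OK " princ; found = 1
            } else if (phost != host && prealm != realm) {
                print "HOST+REALM-MISMATCH " princ
            } else if (phost != host) {
                print "HOST-MISMATCH " princ    # key for some other machine
            } else {
                print "REALM-MISMATCH " princ
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: header lines are illustrative; the two entries are
# crete's keytab lines as quoted in the thread.
CRETE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   3 nfs/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
   4 nfs/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)'

# crete reports itself as crete.foo.com, so neither entry matches.
printf '%s\n' "$CRETE_KEYTAB" | check_nfs_keytab crete.foo.com RCF.FOO.COM \
    || echo "no nfs/crete.foo.com@RCF.FOO.COM key in keytab"
```

On a live host the input would come from `klist -e -k /etc/krb5.keytab`, as in the quoted commands.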