[29839] in Kerberos

Re: Solaris 10, secure nfs, permission denied

daemon@ATHENA.MIT.EDU (Kevin Coffman)
Thu May 15 13:48:56 2008

Message-ID: <4d569c330805151048t7a3e5ad6x1857ba53feeaa8e3@mail.gmail.com>
Date: Thu, 15 May 2008 13:48:03 -0400
From: "Kevin Coffman" <kwc@citi.umich.edu>
To: "Jeff Blaine" <jblaine@kickflop.net>
In-Reply-To: <482C6AF3.9070206@kickflop.net>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, May 15, 2008 at 12:55 PM, Jeff Blaine <jblaine@kickflop.net> wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
>
> ~:barnowl> uname -a
> SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc
> SUNW,Sun-Fire-V240
> ~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs
>    3 nfs/barnowl.foo.com@RCF.FOO.COM (DES cbc mode with CRC-32)
>    4 nfs/crete.foo.com@RCF.FOO.COM (DES cbc mode with CRC-32)
> ~:barnowl> sudo share
> -               /usr   sec=krb5:krb5i:krb5p   ""
> ~:barnowl>
>
>
> ~:crete> uname -a
> SunOS crete.foo.com 5.10 Generic_118833-36 sun4v sparc SUNW,Sun-Fire-T200
> ~:crete> sudo klist -e -k /etc/krb5.keytab | grep nfs
>    3 nfs/crete.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
>    4 nfs/barnowl.mitre.org@RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt/barnowl
> nfs mount: mount: /mnt/barnowl: Permission denied
> ~:crete>
>
> krb5kdc.log on the KDC shows absolutely nothing

It looks like maybe you tried to hide some details, but didn't get
them all?  Does your real DNS domain match your REALM name?  If not,
does your krb5.conf (/etc/krb5/krb5.conf) properly map the hosts'
domain(s) to your realm?

BTW, there is no need to limit Solaris 10 hosts to DES-only keys.
That is a current Linux limitation.  As long as your Solaris server
has a DES key (along with keys for stronger enctypes), the Linux
client should be able to negotiate the correct DES enctype.  Solaris
10 servers and clients can handle the stronger encryption types.

K.C.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
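
The domain-to-realm question raised in the reply can be checked mechanically. The following is an added example, not part of the original message or of any Kerberos distribution: it resolves a host name through a krb5.conf `[domain_realm]` section and compares the result with the principals in `klist -e -k` output. The function names, both krb5.conf fragments, and the fallback rule (upper-cased domain part when nothing maps and no referral is used) are assumptions, and the lookup order is a simplified model.

```python
import re

PRINC = re.compile(r"^\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)")

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries of a krb5.conf as {lowercased key: realm}."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line and line[0] not in "#;":
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(fqdn, mapping):
    """Exact host entry first, then ".domain" entries from most to least specific."""
    labels = fqdn.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in candidates:
        if key in mapping:
            return mapping[key]
    # Assumed fallback when nothing maps: upper-cased domain part of the name.
    return ".".join(labels[1:]).upper()

def check_keytab(klist_output, service, fqdn, mapping):
    """List problems with the service/fqdn key expected in `klist -e -k` output."""
    want = realm_for_host(fqdn, mapping)
    problems, found = [], False
    for line in klist_output.splitlines():
        m = PRINC.match(line)
        if not m or m.group(1) != service or m.group(2).lower() != fqdn.lower():
            continue
        found = True
        if m.group(3) != want:
            problems.append(f"{service}/{fqdn}: keytab realm {m.group(3)}, host maps to {want}")
    if not found:
        problems.append(f"no {service}/{fqdn} key in keytab")
    return problems

# klist lines as posted in the thread; both krb5.conf fragments are constructed.
KLIST = ("   3 nfs/barnowl.foo.com@RCF.FOO.COM (DES cbc mode with CRC-32)\n"
         "   4 nfs/crete.foo.com@RCF.FOO.COM (DES cbc mode with CRC-32)\n")
CONF_UNMAPPED = "[libdefaults]\n    default_realm = RCF.FOO.COM\n"
CONF_MAPPED = CONF_UNMAPPED + "[domain_realm]\n    .foo.com = RCF.FOO.COM\n"

if __name__ == "__main__":
    print(check_keytab(KLIST, "nfs", "barnowl.foo.com", parse_domain_realm(CONF_UNMAPPED)))
```

With the unmapped fragment the check reports that the keytab realm and the realm derived from the host name differ; with the `.foo.com` mapping it reports nothing.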