[36027] in Kerberos

Re: Accessing Kerberos NFS via /net automounter with kinit only (no

daemon@ATHENA.MIT.EDU (Will Fiveash)
Fri Apr 11 16:14:49 2014

Date: Fri, 11 Apr 2014 15:14:24 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Wang Shouhua <shouhuaw@gmail.com>
Message-ID: <20140411201424.GA5279@oracle.com>
Mail-Followup-To: Wang Shouhua <shouhuaw@gmail.com>, Kerberos@mit.edu
In-Reply-To: <CANzOW++AwvhbqjMdztR1tp=_T1EkR6-EQAE-4T=Dj67ps=nDEg@mail.gmail.com>
Cc: kerberos@mit.edu

On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> I am on Solaris 10U4 - can I access an NFS filesystem with (mandatory)
> krb5p authentication via the Solaris /net automounter with kinit only,
> without having r/w access to /etc/krb5.conf?

You'll need to have Solaris krb configured which stores its config in
/etc/krb5 not /etc as is the MIT default.  You'll also need read access
to /etc/krb5/krb5.conf and have the system properly configured to do NFS
with krb in general (read the Solaris 10 online docs).

Beyond that, whether a user kinit'ing is enough depends on which version
of NFS you are using.  On the client side NFSv3 sec=krb5p shares will
automount if the user triggering the mount has a krb cred in their
ccache (klist will show that) and does not require any keys in the
system keytab nor does it require root to have a krb cred in general.

NFSv4 on the other hand does require that the root on the NFS client
system have a krb cred in its ccache.  This can be done either by
running kinit as root or having at least one set of keys for either the
root/<host> or host/<host> service princ in the system keytab which will
be automatically used to acquire a krb cred for root.

On the client system "nfsstat -m" will show what version of NFS is being
used.

-- 
Will Fiveash
Oracle Solaris Software Engineer
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
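
The rules in the reply above can be turned into a pre-flight check. This is an added example, not part of the original message: the function names, hostnames, and the sample `nfsstat -m` and `klist -k` output are constructed for illustration.

```shell
# Added example; sample_* data below is constructed, names are placeholders.
# Print the NFS version of one mount from `nfsstat -m` text on stdin.
nfs_vers_for_mount() {
    awk -v mp="$1" '
        $2 == "from" { hit = ($1 == mp); next }
        hit && $1 == "Flags:" {
            n = split($2, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^vers=/) { print substr(opt[i], 6); exit }
        }'
}

# Succeed if `klist -k` text on stdin lists root/<host> or host/<host>.
keytab_has_host_key() {
    awk -v h="$1" '
        { p = $2; sub(/@.*/, "", p) }
        p == ("root/" h) || p == ("host/" h) { found = 1 }
        END { exit !found }'
}

# Is the user's kinit alone enough? args: vers root_has_cred keytab_has_key
kinit_only_enough() {
    case "$1" in
        3) echo "yes: NFSv3 uses only the cred of the user triggering the mount" ;;
        4) if [ "$2" = yes ] || [ "$3" = yes ]; then
               echo "yes: root can get a cred for NFSv4"
           else
               echo "no: NFSv4 needs a root cred (kinit as root, or a host key)"; return 1
           fi ;;
        *) echo "unknown NFS version: $1"; return 2 ;;
    esac
}

sample_nfsstat() { cat <<'EOF'
/net/nfs1.example.com/export/home from nfs1.example.com:/export/home
 Flags:         vers=4,proto=tcp,sec=krb5p,hard,intr,rsize=1048576,wsize=1048576
/net/nfs1.example.com/export/tools from nfs1.example.com:/export/tools
 Flags:         vers=3,proto=tcp,sec=krb5p,hard,intr,rsize=32768,wsize=32768
EOF
}
sample_keytab() { cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
   3 host/client.example.com@EXAMPLE.COM
EOF
}
v=$(sample_nfsstat | nfs_vers_for_mount /net/nfs1.example.com/export/home)
if sample_keytab | keytab_has_host_key client.example.com; then k=yes; else k=no; fi
kinit_only_enough "$v" no "$k"
```

On a live client, pipe real `nfsstat -m` and (as root) `klist -k` output into the two parsers in place of the sample functions.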
