[36029] in Kerberos


Re: Accessing Kerberos NFS via /net automounter with kinit only (no

daemon@ATHENA.MIT.EDU (Wang Shouhua)
Sat Apr 12 03:50:39 2014

In-Reply-To: <20140411201424.GA5279@oracle.com>
Date: Sat, 12 Apr 2014 09:50:25 +0200
Message-ID: <CANzOW+JW526qTCqYB8Xw=PPHWvdgh4z54yO3wwikCVyyKRBwpQ@mail.gmail.com>
From: Wang Shouhua <shouhuaw@gmail.com>
To: Wang Shouhua <shouhuaw@gmail.com>, Kerberos@mit.edu,
        Will Fiveash <will.fiveash@oracle.com>


On 11 April 2014 22:14, Will Fiveash <will.fiveash@oracle.com> wrote:
> On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
>> I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory)
>> krb5p authentication via the Solaris /net automounter with kinit only,
>> without having r/w access to /etc/krb5.conf?
>
> You'll need to have Solaris krb configured which stores its config in
> /etc/krb5 not /etc as is the MIT default.  You'll also need read access
> to /etc/krb5/krb5.conf and have the system properly configured to do NFS
> with krb in general (read the Solaris 10 online docs).
>
> Beyond that, whether a user kinit'ing is enough depends on which version
> of NFS you are using.  On the client side NFSv3 sec=krb5p shares will
> automount if the user triggering the mount has a krb cred in their
> ccache (klist will show that) and does not require any keys in the
> system keytab nor does it require root to have a krb cred in general.
>
> NFSv4 on the other hand does require that the root on the NFS client
> system have a krb cred in its ccache.  This can be done either by
> running kinit as root or having at least one set of keys for either the
> root/<host> or host/<host> service princ in the system keytab which will
> be automatically used to acquire a krb cred for root.
>
> On the client system "nfsstat -m" will show what version of NFS is being
> used.

We are talking about NFS version 4 (NFSv4) on Solaris only. Why does
NFSv4 have such extra requirements?

What we hoped is that if a machine has Kerberos5 enabled it can
connect to *any* other Kerberos5 (krb5p/krb5i) filesystem, not only
those in the current Kerberos5 realm, if kinit can be provided with
the correct tickets. If it doesn't work then it looks like a bug to us
(speaking for MOST.GOV.CN).

How can we get this fixed?

Wang
-- 
Wang Shouhua - shouhuaw@gmail.com
中华人民共和国科学技术部 - HTTP://WWW.MOST.GOV.CN
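
The client-side check described in the quoted reply, as an added example that is not part of the original thread: it reads `nfsstat -m` output to see which Kerberized mounts are NFSv4 (root needs a krb cred) or NFSv3 (the user's ccache is enough), and reads `klist -k` output to see whether the system keytab holds a host/ or root/ key. Function names are hypothetical; host names, mount points and the sample output are constructed.

```shell
#!/bin/sh
# Added example: all sample text below is constructed, not captured from a real host.

# Read `nfsstat -m` output on stdin; print "<mountpoint> vers=N sec=S <need>".
nfs_krb_requirements() {
    awk '
        $2 == "from" { mnt = $1; next }   # entry header: <mountpoint> from <server>:<path>
        $1 == "Flags:" {                  # mount options are comma-separated
            vers = ""; sec = ""
            n = split($2, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
                if (opt[i] ~ /^sec=/)  sec  = substr(opt[i], 5)
            }
            if (sec !~ /^krb5/)   need = "not-kerberos"
            else if (vers == "4") need = "root-cred-required"  # per the quoted reply
            else if (vers == "3") need = "user-cred-only"      # per the quoted reply
            else                  need = "unknown"
            print mnt, "vers=" vers, "sec=" sec, need
        }'
}

# Read `klist -k` output on stdin; succeed if a host/ or root/ service key is listed.
keytab_has_root_key() {
    awk '$2 ~ /^(host|root)\// { found = 1 } END { exit !found }'
}

sample_nfsstat() {   # constructed `nfsstat -m` output
cat <<'EOF'
/net/nfs1/export/home from nfs1:/export/home
 Flags:         vers=4,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,retrans=5,timeo=600
/net/nfs2/export/data from nfs2:/export/data
 Flags:         vers=3,proto=tcp,sec=krb5p,hard,intr,link,symlink,acl,retrans=5,timeo=600
/net/nfs3/export/pub from nfs3:/export/pub
 Flags:         vers=3,proto=tcp,sec=sys,hard,intr,link,symlink,acl,retrans=5,timeo=600
EOF
}

sample_keytab() {    # constructed `klist -k` output
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
EOF
}

sample_nfsstat | nfs_krb_requirements
sample_keytab | keytab_has_root_key && echo "keytab holds a host/ or root/ key"
```

On a real client, pipe `nfsstat -m` and `klist -k` into the two functions instead of the samples.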

