Okay, well, according to the docs, I don't see that I am doing anything wrong. Here's a load of info showing the situation and the resulting KDC info.
PS: The catted example krb5.conf at http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view is missing a closing brace for gkadmin in appdefaults :)

==== Basic NFS works ============================================

~:barnowl> sudo share -F nfs -o rw=crete /var/sadm
~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
~:crete> sudo umount /mnt
~:barnowl> sudo unshare /var/sadm
~:barnowl>

==== Basic krb5 auth works, FWIW ================================

~:crete> /usr/bin/klist
Ticket cache: FILE:/tmp/krb5cc_26560
Default principal: [EMAIL PROTECTED]

Valid starting                Expires                Service principal
05/15/08 20:07:07  05/22/08 20:07:07  krbtgt/[EMAIL PROTECTED]
        renew until 05/22/08 20:07:07
~:crete>

==== The failing NFSv4 with krb5 ================================

SERVER
------

~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
  12 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
  12 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   6 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
~:barnowl>
~:barnowl> grep krb5 /etc/nfssec.conf
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
~:barnowl>
~:barnowl> sudo svcadm restart network/rpc/gss
~:barnowl>
~:barnowl> svcs -x nfs/server
svc:/network/nfs/server:default (NFS server)
 State: online since May 15, 2008  8:06:05 PM EDT
   See: nfsd(1M)
   See: /var/svc/log/network-nfs-server:default.log
Impact: None.
~:barnowl>
~:barnowl> sudo share
-               /usr   sec=krb5,rw=crete   ""
~:barnowl>

CLIENT
------

~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
   5 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   6 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
~:crete>
~:crete> grep krb5 /etc/nfssec.conf
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
~:crete>
~:crete> sudo svcadm restart network/rpc/gss
~:crete>
~:crete> sudo kdestroy
~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
nfs mount: mount: /mnt: Permission denied
~:crete> sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[EMAIL PROTECTED]

Valid starting                Expires                Service principal
05/15/08 20:49:34  05/16/08 06:49:34  krbtgt/[EMAIL PROTECTED]
05/15/08 20:49:34  05/16/08 06:49:34  nfs/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
~:crete>

ON THE KDC WHEN THE MOUNT FAILS
-------------------------------

May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: root/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 128.29.72.73, resending previous response
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/[EMAIL PROTECTED] for nfs/[EMAIL PROTECTED]

________________________________________________
Kerberos mailing list  [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
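The KDC log excerpt above carries two things an administrator reviewing such a failure wants surfaced automatically: the AS_REQ for a root/... principal that the KDC rejects with CLIENT_NOT_FOUND, and the nfs/ service ticket that is issued with ticket and session etype 1 (single DES, des-cbc-crc). The following is an added example, not code from the post or from MIT Kerberos; it parses krb5kdc log lines in the format shown above and reports client-not-found failures and tickets issued with DES etypes. The sample lines are constructed to mirror the post's log; because the post redacts its principals, they use the placeholder realm EXAMPLE.REALM and placeholder host names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the krb5kdc log format shown in the post.
# EXAMPLE.REALM and the *.example.realm host names are placeholders
# for the redacted principals; the IP and timestamps are the post's.
SAMPLE_KDC_LOG = """\
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: root/crete.example.realm@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM, Client not found in Kerberos database
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 128.29.72.73, resending previous response
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/crete.example.realm@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/crete.example.realm@EXAMPLE.REALM for nfs/barnowl.example.realm@EXAMPLE.REALM
"""

# Encryption type numbers (RFC 3961/3962) for the etypes seen in the post.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3}  # single DES

# Common prefix of AS_REQ / TGS_REQ lines; DISPATCH lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
# Tail of a successful ISSUE record.
ISSUE_RE = re.compile(
    r"authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)")
# Tail of a failure record: "<client> for <server>, <message>".
FAIL_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


@dataclass
class KdcEvent:
    kind: str            # AS_REQ or TGS_REQ
    ip: str              # requesting client address
    status: str          # ISSUE, CLIENT_NOT_FOUND, ...
    client: str          # client principal
    server: str          # requested service principal
    tkt_etype: Optional[int] = None  # only set for ISSUE records
    ses_etype: Optional[int] = None


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Turn krb5kdc request lines into KdcEvent records; skip the rest."""
    events: List[KdcEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status, rest = m["status"], m["rest"]
        if status == "ISSUE":
            i = ISSUE_RE.match(rest)
            if i:
                events.append(KdcEvent(m["kind"], m["ip"], status, i["client"],
                                       i["server"], int(i["tkt"]), int(i["ses"])))
        else:
            f = FAIL_RE.match(rest)
            if f:
                events.append(KdcEvent(m["kind"], m["ip"], status,
                                       f["client"], f["server"]))
    return events


def etype_name(n: Optional[int]) -> str:
    return ETYPE_NAMES.get(n, f"etype {n}")


def findings(events: List[KdcEvent]) -> List[str]:
    """Report non-ISSUE outcomes and tickets issued with single-DES keys."""
    out: List[str] = []
    for e in events:
        if e.status != "ISSUE":
            out.append(f"{e.kind} from {e.ip}: {e.status} for client "
                       f"{e.client} (service {e.server})")
        elif e.tkt_etype in WEAK_ETYPES or e.ses_etype in WEAK_ETYPES:
            out.append(f"{e.kind} from {e.ip}: weak ticket for {e.server} "
                       f"issued to {e.client} (tkt={etype_name(e.tkt_etype)}, "
                       f"ses={etype_name(e.ses_etype)})")
    return out


if __name__ == "__main__":
    for line in findings(parse_kdc_log(SAMPLE_KDC_LOG)):
        print(line)
```

Run against the sample it prints two findings: the rejected AS_REQ for the root/ principal (the request the client sent first, before falling back to its host/ credentials), and the nfs/ service ticket issued with des-cbc-crc for both the ticket and the session key, which matches the DES-only nfs/ keys listed in both keytabs above.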
