On Thu, May 15, 2008 at 08:55:31PM -0400, Jeff Blaine wrote:
> Okay, well, according to the docs, I don't see that I am
> doing anything wrong. Here's a load of info showing the
> situation and the resulting KDC info.

In general it looks like it should be working. Can you do the

    sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr
    sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt

while on barnowl? Note, make sure nothing is mounted on /mnt first of
course. If that doesn't work can you try using an actual root session
and run the mount without sudo (which is not a native Solaris command).
If it works without sudo, try that on crete.

Also, what variant of krb are you using on crete? I ask because the
klist output on that system shows krb v4 info which the native Solaris
krb knows nothing about. While I don't think this is causing the
problem with the mount command, one should be careful about mixing use
of krb variants on a system.

> PS: The catted example krb5.conf at
> http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view
> is missing a closing brace for gkadmin in appdefaults :)

Okay, thanks for the bug tip.

> ==== Basic NFS works ============================================
>
> ~:barnowl> sudo share -F nfs -o rw=crete /var/sadm
>
> ~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
> ~:crete> sudo umount /mnt
>
> ~:barnowl> sudo unshare /var/sadm
> ~:barnowl>
>
> ==== Basic krb5 auth works, FWIW ================================
>
> ~:crete> /usr/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_26560
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 05/15/08 20:07:07  05/22/08 20:07:07  krbtgt/[EMAIL PROTECTED]
>         renew until 05/22/08 20:07:07
> ~:crete>
>
> ==== The failing NFSv4 with krb5 ================================
>
> SERVER
> ------
>
> ~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
> 12 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
> 12 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>  6 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
> ~:barnowl>
>
> ~:barnowl> grep krb5 /etc/nfssec.conf
> krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
> krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
> krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
> ~:barnowl>
>
> ~:barnowl> sudo svcadm restart network/rpc/gss
> ~:barnowl>
>
> ~:barnowl> svcs -x nfs/server
> svc:/network/nfs/server:default (NFS server)
>  State: online since May 15, 2008 8:06:05 PM EDT
>    See: nfsd(1M)
>    See: /var/svc/log/network-nfs-server:default.log
> Impact: None.
> ~:barnowl>
>
> ~:barnowl> sudo share
> -               /usr   sec=krb5,rw=crete   ""
> ~:barnowl>
>
> CLIENT
> ------
>
> ~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
> 5 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
> 6 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
> ~:crete>
>
> ~:crete> grep krb5 /etc/nfssec.conf
> krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
> krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
> krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
> ~:crete>
>
> ~:crete> sudo svcadm restart network/rpc/gss
> ~:crete>
>
> ~:crete> sudo kdestroy
> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
> nfs mount: mount: /mnt: Permission denied
> ~:crete> sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/[EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 05/15/08 20:49:34  05/16/08 06:49:34  krbtgt/[EMAIL PROTECTED]
> 05/15/08 20:49:34  05/16/08 06:49:34  nfs/[EMAIL PROTECTED]
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> ~:crete>
>
> ON THE KDC WHEN THE MOUNT FAILS
> -------------------------------
>
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: root/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 128.29.72.73, resending previous response
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/[EMAIL PROTECTED] for nfs/[EMAIL PROTECTED]
> ________________________________________________
> Kerberos mailing list  [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
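A small triage helper for the KDC log pattern quoted in the thread, added here as an example and not part of the thread or of any Sun/MIT tool: it parses the MIT krb5kdc AS_REQ/TGS_REQ records, reports which client principal the KDC rejected with CLIENT_NOT_FOUND and which tickets it issued for the same client address, and flags single-DES enctypes in the issued tickets. The sample lines are constructed to mirror the quoted output; the host names, realm and address (crete.example.com, barnowl.example.com, EXAMPLE.COM, 192.0.2.10) are placeholders.

```python
import re

# Record format MIT krb5kdc writes for AS_REQ / TGS_REQ, as quoted in the thread above.
KDC_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{(?P<tkt_etypes>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, .*)?$"
)
SINGLE_DES = {1, 2, 3}  # RFC 3961 enctype numbers: des-cbc-crc, des-cbc-md4, des-cbc-md5


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ record, or None for any other line."""
    m = KDC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # On ISSUE lines "rep=3 tkt=16 ses=16" gives the reply, ticket and session-key enctypes.
    rec["etypes"] = {k: int(v) for k, _, v in
                     (f.partition("=") for f in (rec.pop("tkt_etypes") or "").split())}
    return rec


def triage(lines, client_ip):
    """Summarise what the KDC did for one client address during a failing mount attempt."""
    s = {"not_found": [], "issued": [], "retransmits": 0, "nfs_ticket": False, "single_des": []}
    for line in lines:
        if "DISPATCH: repeated" in line and f"from {client_ip}" in line:
            s["retransmits"] += 1  # client resent a request; KDC replayed its earlier answer
            continue
        rec = parse_kdc_line(line)
        if rec is None or rec["ip"] != client_ip:
            continue
        if rec["status"] == "CLIENT_NOT_FOUND":
            s["not_found"].append(rec["client"])  # principal the KDC has no entry for
        elif rec["status"] == "ISSUE":
            s["issued"].append((rec["kind"], rec["client"], rec["server"]))
            if rec["kind"] == "TGS_REQ" and rec["server"].startswith("nfs/"):
                s["nfs_ticket"] = True  # the service ticket an NFS client needs for sec=krb5
            weak = {k: v for k, v in rec["etypes"].items() if v in SINGLE_DES}
            if weak:
                s["single_des"].append((rec["server"], weak))
    return s


# Constructed sample modeled on the quoted KDC output; host names, realm and IP are placeholders.
SAMPLE = [
    "May 15 20:49:34 kdc.example.com krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 192.0.2.10: CLIENT_NOT_FOUND: root/crete.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
    "May 15 20:49:34 kdc.example.com krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 192.0.2.10, resending previous response",
    "May 15 20:49:34 kdc.example.com krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 192.0.2.10: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/crete.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "May 15 20:49:34 kdc.example.com krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 192.0.2.10: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/crete.example.com@EXAMPLE.COM for nfs/barnowl.example.com@EXAMPLE.COM",
]
```

Running `triage(SAMPLE, "192.0.2.10")` shows the sequence the thread quotes: one rejected root/ principal, a TGT and an nfs/ service ticket issued for the host/ principal, and single-DES ticket and session keys on the nfs/ ticket.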
