Trond, how hard is it to get this working on Linux? Or does it already?

Ced

---------- Forwarded message ----------
From: Wang Shouhua <shouhuaw@xxxxxxxxx>
Date: Sat, Apr 12, 2014 at 11:24 AM
Subject: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)
To: Kerberos@xxxxxxx

Let's recap:

1. Requirements:
- Linux or Solaris
- NFS automounter set up at /net
- Kerberos5 configured for realm EXAMPLE2.COM, rpc.gssd running
- A NFS server (version 4 only) nfsserver.most.gov.cn exists in the realm MOST.GOV.CN, with a subdir of test3

2. Goal:
A user provides his password to obtain a ticket for user2@xxxxxxxxxxx (optionally nfs@xxxxxxxxxxx, if this is a requirement to do a mount), and is then able to cd into /net/nfsserver.most.gov.cn/test3, and do a successful ls -al there

Is that possible?

Wang

---------- Forwarded message ----------
From: Will Fiveash <will.fiveash@xxxxxxxxxx>
Date: 11 April 2014 22:14
Subject: Re: Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)
To: Wang Shouhua <shouhuaw@xxxxxxxxx>
Cc: Kerberos@xxxxxxx

On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote:
> I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory)
> krb5p authentication via the Solaris /net automounter with kinit only,
> without having r/w access to /etc/krb5.conf access)?

You'll need to have Solaris krb configured which stores its config in /etc/krb5 not /etc as is the MIT default. You'll also need read access to /etc/krb5/krb5.conf and have the system properly configured to do NFS with krb in general (read the Solaris 10 online docs).

Beyond that, whether a user kinit'ing is enough depends on which version of NFS you are using. On the client side NFSv3 sec=krb5p shares will automount if the user triggering the mount has a krb cred in their ccache (klist will show that) and does not require any keys in the system keytab nor does it require root to have a krb cred in general.

NFSv4 on the other hand does require that the root on the NFS client system have a krb cred in its ccache. This can be done either by running kinit as root or having at least one set of keys for either the root/<host> or host/<host> service princ in the system keytab which will be automatically used to acquire a krb cred for root.

On the client system "nfsstat -m" will show what version of NFS is being used.

--
Will Fiveash
Oracle Solaris Software Engineer

--
Wang Shouhua - shouhuaw@xxxxxxxxx
中华人民共和国科学技术部 - HTTP://WWW.MOST.GOV.CN
________________________________________________
Kerberos mailing list
Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos

--
Cedric Blancher <cedric.blancher@xxxxxxxxx>
Institute Pasteur
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
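
The client-side credential rules from Will Fiveash's reply, written out as a pre-mount check. This is an added example, not code from the thread or its participants; the function names, the client hostname and the `klist -k` style keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: the client-side rules from the reply above as a check.
# Function names, hostnames and the keytab listing are constructed.

# Reads `klist -k` style output on stdin; succeeds if it lists a
# host/<fqdn> or root/<fqdn> service principal for client host $1.
keytab_has_machine_princ() {
    awk -v h="$1" '
        { p = $2; sub(/@.*/, "", p) }    # principal without realm
        p == ("host/" h) || p == ("root/" h) { found = 1 }
        END { exit !found }'
}

# nfs_krb_ready VERSION USER_CRED ROOT_CRED KEYTAB_LISTING CLIENT_FQDN
# USER_CRED and ROOT_CRED are "yes"/"no": whether that account's ccache
# holds a cred (what klist shows). VERSION is what "nfsstat -m" reports.
nfs_krb_ready() {
    vers=$1; user_cred=$2; root_cred=$3; listing=$4; fqdn=$5
    if [ "$user_cred" != yes ]; then
        echo "user has no krb cred in ccache"; return 1
    fi
    case $vers in
    3)  echo "NFSv3: user cred is enough"; return 0 ;;
    4)  if [ "$root_cred" = yes ]; then
            echo "NFSv4: root already has a cred"; return 0
        elif printf '%s\n' "$listing" | keytab_has_machine_princ "$fqdn"; then
            echo "NFSv4: root cred obtainable from keytab"; return 0
        fi
        echo "NFSv4: root has no cred and keytab has no host/ or root/ key"
        return 1 ;;
    *)  echo "unhandled NFS version: $vers"; return 2 ;;
    esac
}

# Constructed sample listing (path is a placeholder).
SAMPLE_KEYTAB='Keytab name: FILE:/path/to/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/client1.example2.com@EXAMPLE2.COM'

nfs_krb_ready 4 yes no "$SAMPLE_KEYTAB" client1.example2.com
nfs_krb_ready 4 yes no "" client1.example2.com || true
```

On a real client the listing argument would be the output of `klist -k` run as root, and the two yes/no flags would come from checking each account's ccache with klist.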