Re: Kerberised NFS





Edward Irvine wrote:
Hi Folks,

Is there a ticket beween client and server that expires? If so, how does it get renewed?

Kerberised NFS presumably requires authentication and (optionally) encryption between client and server, so presumably the client needs to get a ticket prior to contacting the server.

Are you talking NFSv4 or NFSv3?

I appear to be successfully using sharing out /export/home from a server with kerberos security options, and successfully automounting user's home directories on client machines when they log in. However, first thing in the morning the home directories on client machines are inaccessable (i.e. when I ssh in my home directory is unavaliable). Restarting automountd fixes things for the rest of the day.

First of all the sshd must get a kerberos ticket, either by
delegated gssapi credentials( i.e. forwarded kerberos ticket),
or by keyboard interactive. You will need to setup pam.conf for sshd-*


On Solairs the sshd has multiple entries in pam.conf depending on
which authentication method was used see the man page for sshd at the end
for sshd-gssapi and sshd-kbdint.

dtlogin can also call pam_krb5 see the man page on pam_krb5.


This is Solaris 10 u6 on client and server, and using the Solaris 10 u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - nsswitch is to files and DNS. The mapid domain name is set in /etc/ defaults/nfs.

Solaris with NFSv4 will only use the default Kerberos ticket cache,
for a user: /tmp/krb5cc_<uid> Even if you have KRB5CCNAME set.
(Personally, I consider this a step backwards and have expressed this
to Sun many times.)

Having said all the above, we do get tickets at login, sshd and screen
unlock, but use AFS (which uses Kerberos V5) for home directories,
not NFS. I would expect that if pam is setup to get the tickets,
the NFS code would use them for home directory access.



Any pointers greatly appreciated.

Eddie

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos



--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
.