Re: Kerberised NFS
Edward Irvine wrote:
Hi Folks,

Is there a ticket between client and server that expires? If so, how does it get renewed?

Kerberised NFS presumably requires authentication and (optionally) encryption between client and server, so presumably the client needs to get a ticket prior to contacting the server.

Are you talking NFSv4 or NFSv3?

I appear to be successfully sharing out /export/home from a server with kerberos security options, and successfully automounting users' home directories on client machines when they log in. However, first thing in the morning the home directories on client machines are inaccessible (i.e. when I ssh in my home directory is unavailable). Restarting automountd fixes things for the rest of the day.

First of all the sshd must get a kerberos ticket, either by
delegated gssapi credentials (i.e. a forwarded kerberos ticket),
or by keyboard interactive. You will need to set up pam.conf for sshd-*


On Solaris the sshd has multiple entries in pam.conf depending on
which authentication method was used; see the man page for sshd at the end
for sshd-gssapi and sshd-kbdint.

dtlogin can also call pam_krb5; see the man page on pam_krb5.


This is Solaris 10 u6 on client and server, and using the Solaris 10 u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - nsswitch is to files and DNS. The mapid domain name is set in /etc/default/nfs.

Solaris with NFSv4 will only use the default Kerberos ticket cache
for a user: /tmp/krb5cc_<uid>, even if you have KRB5CCNAME set.
(Personally, I consider this a step backwards and have expressed this
to Sun many times.)

Having said all the above, we do get tickets at login, sshd and screen
unlock, but use AFS (which uses Kerberos V5) for home directories,
not NFS. I would expect that if pam is set up to get the tickets,
the NFS code would use them for home directory access.



Any pointers greatly appreciated.

Eddie

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos



--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
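As an added illustration of the expiry question Eddie raises (this is example code, not something posted in the thread), the following parses constructed klist output for a user's default cache /tmp/krb5cc_<uid> and reports, for a chosen time, whether each ticket is still valid, still renewable, or expired. Evaluated at "next morning" it shows why home directories disappear overnight when nothing refreshes the cache: an expired ticket cannot be renewed, so only a fresh kinit (e.g. via pam at login) helps. The principal names, the file server name and the mm/dd/yy date format of klist are assumptions.

```python
import re
from datetime import datetime

# Constructed MIT-style klist output (not from the thread): a TGT and the
# nfs/ service ticket for the file server, both obtained at login. Dates use
# klist's mm/dd/yy format, which is locale dependent (an assumption here).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: eddie@EXAMPLE.COM

Valid starting     Expires            Service principal
04/14/09 09:02:11  04/14/09 19:02:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/21/09 09:02:11
04/14/09 09:02:30  04/14/09 19:02:11  nfs/fileserver.example.com@EXAMPLE.COM
\trenew until 04/21/09 09:02:11
"""

FMT = "%m/%d/%y %H:%M:%S"
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({DATE})\s+({DATE})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({DATE})$")


def parse_klist(text):
    """Return one dict per ticket: service, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
        elif (m := RENEW_RE.match(line)) and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets


def ticket_status(ticket, now):
    """Classify a ticket at `now`. An expired ticket cannot be renewed, even
    inside its renew-until window: kinit -R only extends a still-valid one."""
    if now >= ticket["expires"]:
        return "expired"
    renew = ticket["renew_until"]
    if renew and renew > ticket["expires"]:
        return "valid-renewable"
    return "valid"


def check_cache(klist_text, now_text):
    """Map each service principal to its status at `now_text` (klist format)."""
    now = datetime.strptime(now_text, FMT)
    return {t["service"]: ticket_status(t, now) for t in parse_klist(klist_text)}


if __name__ == "__main__":
    for when in ("04/14/09 18:00:00", "04/15/09 08:00:00"):
        print(when, check_cache(SAMPLE_KLIST, when))
```

Running it at 18:00 on the day of login reports both tickets as valid-renewable; at 08:00 the next morning both are expired, which matches the symptom of home directories being unavailable until something obtains new tickets.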