Edward Irvine wrote:
> Hi Folks,
>
> Is there a ticket between client and server that expires? If so, how
> does it get renewed?
>
> Kerberised NFS presumably requires authentication and (optionally)
> encryption between client and server, so presumably the client needs
> to get a ticket prior to contacting the server.

Are you talking NFSv4 or NFSv3?

>
> I appear to be successfully using sharing out /export/home from a
> server with kerberos security options, and successfully automounting
> user's home directories on client machines when they log in. However,
> first thing in the morning the home directories on client machines
> are inaccessible (i.e. when I ssh in my home directory is
> unavailable). Restarting automountd fixes things for the rest of the
> day.

First of all the sshd must get a Kerberos ticket, either by delegated
GSSAPI credentials (i.e. forwarded Kerberos ticket), or by keyboard
interactive. You will need to set up pam.conf for sshd-*.

On Solaris the sshd has multiple entries in pam.conf depending on which
authentication method was used; see the man page for sshd at the end for
sshd-gssapi and sshd-kbdint.

dtlogin can also call pam_krb5; see the man page on pam_krb5.

>
> This is Solaris 10 u6 on client and server, and using the Solaris 10
> u6 Kerberos server. There is no NIS or LDAP naming going on (yet) -
> nsswitch is to files and DNS. The mapid domain name is set in
> /etc/defaults/nfs.

Solaris with NFSv4 will only use the default Kerberos ticket cache
for a user: /tmp/krb5cc_<uid>
even if you have KRB5CCNAME set. (Personally, I consider this a step
backwards and have expressed this to Sun many times.)

Having said all the above, we do get tickets at login, sshd and
screen unlock, but use AFS (which uses Kerberos V5) for home directories,
not NFS. I would expect that if pam is set up to get the tickets, the NFS
code would use them for home directory access.

>
> Any pointers greatly appreciated.
>
> Eddie
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
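
The reply above says the Solaris NFSv4 client reads only `/tmp/krb5cc_<uid>` and ignores `KRB5CCNAME`. The following check is an added example, not part of the original thread: it reports whether a user's tickets sit where NFS will look. The function names and the `CC_DIR` override (used only so the check can be exercised against a scratch directory) are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption taken from the reply above: the NFS client
# consults only the default file cache /tmp/krb5cc_<uid>.
# CC_DIR is a hypothetical override for testing; it defaults to /tmp.

# Path of the default credential cache for a numeric uid ($1).
default_ccache() {
    printf '%s/krb5cc_%s\n' "${CC_DIR:-/tmp}" "$1"
}

# Reduce a KRB5CCNAME value ($1) to a file path.
# "FILE:/path" and "/path" yield the path; any other "TYPE:residual"
# cache is not a file NFS could read, so yield an empty string.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    printf '\n' ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Usage: nfs_ccache_status <uid> <KRB5CCNAME value, may be empty>
# Prints one status word:
#   elsewhere  KRB5CCNAME points away from the default cache, so tickets
#              obtained in this session land where NFS will not look
#   missing    the default cache file is absent or empty
#   ok         the default cache exists and the session uses it
nfs_ccache_status() {
    def=$(default_ccache "$1")
    if [ -n "$2" ]; then
        cur=$(ccache_path "$2")
        if [ "$cur" != "$def" ]; then
            echo elsewhere
            return 0
        fi
    fi
    if [ -s "$def" ]; then
        echo ok
    else
        echo missing
    fi
}
```

A status of `ok` only shows that the cache file is in the expected place; whether the tickets in it are still valid has to be checked separately with `klist`.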
