Yes, the ticket is /tmp/krb5cc_<uid>_<randstring> and the only
difference in these two scenarios I describe is that when $HOME is NFS
mounted `klist` shows that I have the "nfs/<hostname>@REALM" service
ticket whilst it does not in the second scenario.

From what I could see in the nfs-utils docs though, RPCGSSDOPTS="-n"
means you have to acquire the NFS service ticket as root manually before
the user is able to mount any kerberized exports. This leads me to
believe something is triggered in the login process (as root) making
kerberos able to get the service ticket and insert into my credentials
*IF* my home is NFS mounted. Plausible?

I have tried logging in through both gdm and terminal and the behaviour
is exactly the same. pam_krb5.so issue?

Here is some proof of concept, first with autofs mounting my home under
/net/home/user1:

Ubuntu 9.04 tty1

hostname login: user1
Password: 
[ .. snip .. ]

us...@hostname:~# klist
Ticket cache: FILE:/tmp/krb5cc_1001_F4RoT
Default principal: us...@realm

Valid starting  Expires Service principal
04/28/09 17:31:12 04/29/09 03:31:12 krbtgt/re...@relam
    renew until 04/29/09 17:31:12

Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached

us...@hostname:~# ls -l /net/home/user1
ls: cannot access /net/home/user1: No such file or directory
us...@hostname:~# logout

In syslog I see rpc.gssd complain about 'CC file '/tmp/krb5cc_1001_F4RoT
owned by 1001, no 0' and automount 'access denied by server while
mounting ....'.

Now I log in as root and modify autofs to mount my home at /home/user1
then restart autofs daemon and log in as user1 again:

Ubuntu 9.04 tty1

hostname login: user1
Password: 
[ .. snip .. ]

us...@hostname:~# klist
Ticket cache: FILE:/tmp/krb5cc_1001_Ru4r3l
Default principal: us...@realm

Valid starting  Expires Service principal
04/28/09 17:36:12 04/29/09 03:36:12 krbtgt/re...@relam
    renew until 04/29/09 17:36:12
04/28/09 17:36:12 04/29/09 03:36:12 nfs/nfs-server.example....@relam
    renew until 04/29/09 17:36:12

Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached

us...@hostname:~# logout

Magically I now have an NFS service ticket apparently because my $HOME
is pointing at the NFS server and I can easily browse my NFS home
folder....

In syslog I see something that might explain the behaviour. rpc.gssd
says: 'CC file '/tmp/krb5cc_pam_<randstring>' (us...@realm) passed all
checks and has mtime of <unixtime>' and 'using
FILE:/tmp/krb5cc_pam_<randstring> as credentials cache for client with
uid 0 for server nfs-server.example.com'. Apparently PAM does some magic
if it sees your home folder lives on NFS and creates a temporary
credentials cache? Does this help to figure out what is causing this and
how to fix it?

Thanks
Max

PS: I couldn't copy/paste the above console output so it might have some
typos
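
An added example, not part of the original message and not rpc.gssd's own code: a model of the credentials-cache ownership check that the quoted syslog lines describe, showing why a cache owned by uid 1001 is rejected when the mount request is made for uid 0. The function names and the regular-file check are assumptions of this example; the `krb5cc_` prefix, the owner comparison and the mtime come from the log lines above.

```python
#!/usr/bin/env python3
"""Model of the ccache ownership check seen in the rpc.gssd log lines.
Added example; assumed logic, not taken from the nfs-utils source."""
import os
import stat
import sys


def scan_ccaches(ccache_dir, uid, prefix="krb5cc_"):
    """Return (accepted, rejected) caches for a request made on behalf of uid.

    accepted: [(path, mtime)] newest first; rejected: [(path, reason)].
    """
    accepted, rejected = [], []
    for name in sorted(os.listdir(ccache_dir)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(ccache_dir, name)
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink left in /tmp
        except FileNotFoundError:
            continue  # cache removed between listdir() and lstat()
        if not stat.S_ISREG(st.st_mode):
            # Assumption of this example: only plain files are candidates.
            rejected.append((path, "not a regular file"))
        elif st.st_uid != uid:
            rejected.append((path, f"owned by {st.st_uid}, not {uid}"))
        else:
            accepted.append((path, st.st_mtime))
    accepted.sort(key=lambda item: item[1], reverse=True)
    return accepted, rejected


def pick_ccache(ccache_dir, uid):
    """Newest cache owned by uid, or None when every candidate is rejected."""
    accepted, _ = scan_ccaches(ccache_dir, uid)
    return accepted[0][0] if accepted else None


if __name__ == "__main__":
    # Usage: script.py [uid] [dir]; defaults to the caller's uid and /tmp.
    uid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getuid()
    directory = sys.argv[2] if len(sys.argv) > 2 else "/tmp"
    ok, bad = scan_ccaches(directory, uid)
    for path, reason in bad:
        print(f"REJECT {path}: {reason}")
    for path, mtime in ok:
        print(f"OK     {path}: mtime {int(mtime)}")
    print("selected:", ok[0][0] if ok else None)
```

Running it with uid 0 and then with the user's uid against /tmp shows which identity each cache is acceptable for, which is the difference between the two login scenarios above.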

-- 
Kerberos, NFS4 and autofs issue
https://bugs.launchpad.net/bugs/368153