On 07 July 2010 00:43, Veli-Matti Lintu wrote:
> On Tue, 2010-06-15 at 13:44 +0200, John S. Skogtvedt wrote:
>> On 15 June 2010 12:51, Jonas Smedegaard wrote:
>>> On Tue, Jun 15, 2010 at 12:02:57PM +0200, John S. Skogtvedt wrote:
>>>>
>>>> With /skole/tjener/home0, the problem is that the machine itself needs a
>>>> "$hostname/nfs" principal with corresponding secret key. It's not enough
>>>> that the user can authenticate to Kerberos.
>>>
>>> Oh. I was unaware that the machine needed a separate key for NFS.
>>> Problem, yes!
>>>
>>> What exactly does a $host/nfs key grant access to? The whole partition,
>>> encrypted by user keys, or the whole partition, unencrypted?
>>>
>>
>> I'm not a Kerberos/NFSv4 expert, but AFAIK it's a ticket-granting ticket
>> (TGT) which firstly gives the machine read-only access to the entire
>> exported filesystem, and secondly allows the machine to grant an RW
>> ticket to the user. Kerberos is used to authenticate writes, and
>> optionally for encryption as well.
>>
>>> Would AFS perhaps provide a key structure better suited for this? My
>>> question here is _only_ about the key structure - AFS might have other
>>> limitations making it unsuitable, but the act of comparing key handling
>>> might help understand possible/sane approaches.
>>>
>>> Ideally we would use a filesystem requiring only a user key to
>>> authenticate. Hmm - would it perhaps be possible (while still secure)
>>> to create and permit a $user/nfs keypair acting as host key for
>>> .../home* mount points?
>
> Hi,
>
> I've been dealing with these same issues recently and after testing it
> looks like machine credentials are not needed to get diskless clients
> working with kerberos.
>
> What I have understood is that with NFSv4 the machine credentials are
> used for the initial mount + root access. For the initial mount
> credentials any credentials are actually ok and if rpc.gssd is run with
> -n option, it uses existing credentials for the mount.
> When using sec=krb5, access to users' home directories on the mounted
> directory then requires valid credentials for the user.
>
> I haven't really tested the root access part here as I have always used
> root_squash on all the exports.
>
> Using the user's credentials instead of a keytab means of course that the
> mount works only as long as the credentials are valid.
>
>
> man rpc.gssd
>
>        -n     By default, rpc.gssd treats accesses by the user with UID 0
>               specially, and uses "machine credentials" for all accesses by
>               that user which require Kerberos authentication. With the -n
>               option, "machine credentials" will not be used for accesses
>               by UID 0. Instead, credentials must be obtained manually like
>               all other users. Use of this option means that "root" must
>               manually obtain Kerberos credentials before attempting to
>               mount an nfs filesystem requiring Kerberos authentication.
>
>
> Veli-Matti
>
Thanks, this is very helpful. Which DM/desktop did you test with? gdm for
instance used to (or still does) check as root if the user's home directory
existed, which might cause problems.

I will try to test with debian-edu within the next two weeks.

John.

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
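The setup Veli-Matti describes rests on three settings: exports that require a Kerberos flavour (sec=krb5, krb5i or krb5p) and nothing weaker, root_squash left in place on those exports, and rpc.gssd started with -n so that UID 0 never falls back to a machine keytab. The script below is an added example, not code from this thread or from Debian Edu; it audits those settings over a constructed sample /etc/exports file and a constructed rpc.gssd option string (the /srv paths, the 10.0.2.0/24 network and the RPCGSSDOPTS name are assumptions for illustration). It flags any export that still admits AUTH_SYS (sec=sys, or no sec= at all, which defaults to sys) or that sets no_root_squash, and reports whether -n is present.

```shell
#!/bin/sh
# Added example (not from the thread): audit NFSv4/Kerberos export and
# rpc.gssd settings. All sample paths, networks and option strings below
# are constructed for illustration.

# Return 0 if an /etc/exports line requires a Kerberos security flavour for
# every listed flavour and does not disable root_squash; 1 otherwise.
# Blank lines and comments pass. Argument: one line of /etc/exports.
check_export_line() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;
    esac
    # Export options are the comma list inside the parentheses.
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *,no_root_squash,*) return 1 ;;   # root on the client maps to root
    esac
    # Pull the sec= value; an absent sec= means the default, sec=sys.
    sec=$(printf '%s\n' ",$opts," | sed -n 's/.*,sec=\([^,]*\),.*/\1/p')
    [ -n "$sec" ] || return 1
    # sec= may be a colon-separated list; every flavour must be Kerberos.
    old_ifs=$IFS; IFS=:
    for flavor in $sec; do
        case $flavor in
            krb5|krb5i|krb5p) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Return 0 if the rpc.gssd option string contains -n (root must obtain its
# own Kerberos credentials, no machine credentials for UID 0); 1 otherwise.
# Argument: the option string, e.g. an assumed RPCGSSDOPTS value.
check_gssd_opts() {
    for word in $1; do
        [ "$word" = "-n" ] && return 0
    done
    return 1
}

# Audit a whole exports file: offending lines go to stderr, the number of
# offending lines is printed to stdout. Argument: path to the file.
audit_exports() {
    fails=0
    while IFS= read -r line || [ -n "$line" ]; do
        if ! check_export_line "$line"; then
            printf 'exports: weak line: %s\n' "$line" >&2
            fails=$((fails + 1))
        fi
    done < "$1"
    printf '%s\n' "$fails"
}

# Constructed sample /etc/exports: one acceptable line and three weak ones.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# ok: Kerberos required, root_squash left at its default
/skole/tjener/home0  10.0.2.0/24(rw,sec=krb5,sync,no_subtree_check)
# weak: plain AUTH_SYS accepted alongside Kerberos
/srv/shared          10.0.2.0/24(rw,sec=sys:krb5,sync)
# weak: no sec= at all, which defaults to sys
/srv/legacy          10.0.2.0/24(rw,sync)
# weak: Kerberos, but root is not squashed
/srv/admin           10.0.2.0/24(rw,sec=krb5p,no_root_squash)
EOF

# Constructed rpc.gssd option string, as it might appear in an assumed
# RPCGSSDOPTS setting.
SAMPLE_GSSD_OPTS='-v -n'

weak=$(audit_exports "$SAMPLE_EXPORTS")
printf '%s weak export line(s)\n' "$weak"
if check_gssd_opts "$SAMPLE_GSSD_OPTS"; then
    printf 'rpc.gssd -n is set: root must kinit before mounting\n'
else
    printf 'rpc.gssd -n is NOT set: UID 0 will use machine credentials\n'
fi
```

On a real host the same two functions can be pointed at /etc/exports and at whatever file carries the rpc.gssd options on that system; the flavour check is deliberately strict, because a sec= list that still includes sys leaves the export reachable without any Kerberos ticket at all.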

