On Thu, 2010-07-08 at 11:45 +0200, John S. Skogtvedt wrote:
> On 7 July 2010 at 00:43, Veli-Matti Lintu wrote:
> >
> > I've been dealing with these same issues recently and after testing it
> > looks like machine credentials are not needed to get diskless clients
> > working with kerberos.
> >
> > What I have understood is that with NFSv4 the machine credentials are
> > used for the initial mount + root access. For the initial mount
> > credentials any credentials are actually ok and if rpc.gssd is run with
> > -n option, it uses existing credentials for the mount. When using
> > sec=krb5 access to users' home directories on the mounted directory then
> > requires valid credentials for the user.
> >
> > I haven't really tested the root access part here as I have always used
> > root_squash on all the exports.
>
> Kiitos, this is very helpful. Which DM/desktop did you test with? gdm
> for instance used to (or still does) check as root if the user's
> home directory existed, which might cause problems.
>
> I will try to test with debian-edu within the next two weeks.

We got it to work with both ldm (LTSP 5) and gdm with Gnome on Ubuntu
10.04. I do not know the current differences between Debian and Ubuntu
versions of ldm, but I'd guess they are pretty close and scripting should
be possible. Using ldm does require custom scripts to get the kerberos
ticket on the client as normally the ticket is acquired on the server
when ssh login is made.

Using gdm should be possible on all platforms (netboot or local install)
as it really doesn't depend on any ltsp specific stuff. Some creative PAM
stack hacking is required to get the user's kerberos ticket in correct
places right after authentication so that rpc.gssd can be (re)started.
Now this is done with a script that is run by pam_exec module.

There are still untested pieces in the puzzle, so something else might
still come up, but I hope this helps.

Veli-Matti

