[Andreas B. Mundt]
> I finally figured out a way now, which works here and is not too
> invasive:

Cool.

> First, make sure you have the package libpam-script available at the
> diskless client's chroot. libpam-script allows to run a script
> after successful authentication. The script executed can be
> created by running:

We already use libpam-python for libpam-mklocaluser, which allows a
Python script to provide a PAM module. Perhaps it is better to rewrite
as Python to avoid pulling in another dependency?

> The script executed right after authentication copies the user's
> Kerberos ticket to the file krb5cc_diskless which is owned by root.
> This ticket will be picked up by gssd to create the security context
> needed. However, it's needed to restart autofs, I am not exactly
> sure why. It looks like autofs caches failures in mounting a
> directory (which it tries earlier in the login process), and does
> not try again immediately when the ticket is available.

I guess we also need to remove the file when the user logs in, to make
sure other users can't use another user's ticket to mount?

> With these modifications fully kerberized NFSv4 mounting should be
> possible on all machines if there are no other issues like those
> reported in <URL:http://bugs.debian.org/613167#30> (pending?). I
> did not test LTSP diskless clients but a home-made chroot in
> combination with aufs.

This approach looks really promising. What about just dropping autofs
and mounting the NFS volume in the PAM module instead, like pam-mount?

--
Happy hacking
Petter Reinholdtsen
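
The two points raised in this thread, copying the ticket to krb5cc_diskless and removing it so another user cannot reuse it, can be expressed as a libpam-python module. This is an added example, not code from the thread or from the Debian Edu project; the /tmp directory, the KRB5CCNAME lookup and the helper names stash_ticket, drop_ticket and ccache_path are assumptions.

```python
import os
import shutil
import tempfile

DEST = "/tmp/krb5cc_diskless"  # assumed directory; the mail names only the file

def stash_ticket(src, dest=DEST):
    """Copy the credential cache at src to dest with mode 0600."""
    # mkstemp uses O_EXCL and mode 0600, so a symlink planted in a
    # world-writable directory cannot redirect or expose the write.
    fd, tmp = tempfile.mkstemp(prefix=".krb5cc_", dir=os.path.dirname(dest))
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as cache:
            shutil.copyfileobj(cache, out)
        os.replace(tmp, dest)  # atomic; replaces a symlink at dest, never follows it
    except Exception:
        os.unlink(tmp)
        raise
    return dest

def drop_ticket(dest=DEST):
    """Remove the stashed ticket; True if a file was actually removed."""
    try:
        os.unlink(dest)
        return True
    except FileNotFoundError:
        return False

def ccache_path(pamh):
    """File path from KRB5CCNAME in the PAM environment, or None."""
    try:
        name = pamh.env["KRB5CCNAME"]  # assumed to be set by the Kerberos PAM module
    except KeyError:
        return None
    if name.startswith("FILE:"):
        name = name[5:]
    return name if name.startswith("/") else None  # skip KEYRING:, DIR: and similar

def pam_sm_open_session(pamh, flags, argv):
    src = ccache_path(pamh)
    if src:
        stash_ticket(src)
    else:
        drop_ticket()  # login without a ticket: do not keep the previous user's
    return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
    drop_ticket()
    return pamh.PAM_SUCCESS
```

When PAM runs the module as root, the stashed file is root-owned with mode 0600, so only root processes such as gssd can read it.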

