Hi, your solution seems more or less an unavoidable hack.

It would be nice to tell Kerberos to skip the service check and check only the user ID.
What about this: http://docs.oracle.com/cd/E19963-01/html/821-1456/setup-148.html#gihyu
Maybe it could be a solution, but I don't know exactly if it works as I think it should:

client # cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
...

It should be possible to do it in a separate thin client realm.

Cheers

Giorgio

On Fri, Jan 27, 2012 at 06:18:31PM +0100, Andreas B. Mundt wrote:
> Hi Giorgio,
>
> On Fri, Jan 27, 2012 at 05:59:41PM +0100, Giorgio Pioda wrote:
> >
> > > What does autofs manage? / or only /home0 ?
> >
> > Only home0
> >
> > It shouldn't be that difficult to mount / without Kerberos
> > with plain NFS mounting at boot time
> > and /home0 with a secured env. later on login
> >
>
> How to make the secured env.? As far as I know, for mounting NFSv4
> with sec=krb5 usually machine credentials are needed,
> i.e. /etc/krb5.keytab. But /etc/krb5.keytab must not be in the
> chroot, because it will be readable by everyone in the network.
>
> Do you know another solution to this problem?
>
> Cheers,
>
> Andi
>
> > On Fri, Jan 27, 2012 at 05:18:53PM +0100, Andreas B. Mundt wrote:
> > > Hi everybody!
> > >
> > > Since quite some time we have been thinking about how to make
> > > kerberized NFSv4 mounting of home directories work with diskless
> > > clients, where no machine credentials (keytab) are available.
> > >
> > > It was mentioned [1] that using "-n" for gssd on the diskless client
> > > might help, however this seems not to be enough.
> > >
> > > I finally figured out a way now, which works here and is not too
> > > invasive:
> > >
> > > First, make sure you have the package libpam-script available in the
> > > diskless client's chroot. libpam-script allows running a script after
> > > successful authentication. The script executed can be created by
> > > running:
> > >
> > > #!/bin/sh
> > > #
> > > set -e
> > >
> > > FILE=/usr/share/libpam-script/pam_script_auth
> > >
> > > cat > $FILE <<EOF
> > > #!/bin/sh
> > > #
> > > set -e
> > > if [ "\$PAM_USER" = "root" ] || ls /tmp/krb5cc_diskless > /dev/null 2>&1; then
> > >     exit 0
> > > fi
> > >
> > > FILE=/tmp/krb5cc_diskless
> > > cp -v /tmp/krb5cc_pam_* \$FILE
> > > /etc/init.d/autofs restart > /dev/null
> > >
> > > exit 0
> > > EOF
> > >
> > > chmod 0755 $FILE
> > > #============================
> > >
> > > The script executed right after authentication copies the user's
> > > Kerberos ticket to the file krb5cc_diskless, which is owned by root.
> > > This ticket will be picked up by gssd to create the security context
> > > needed. However, it's necessary to restart autofs; I am not exactly sure
> > > why. It looks like autofs caches failures in mounting a directory
> > > (which it tries earlier in the login process), and does not try again
> > > immediately when the ticket is available.
> > >
> > > In addition, add the line
> > > RPCGSSDOPTS="-n"
> > > to /etc/default/nfs-common and the line
> > > auth optional pam_script.so
> > > to /etc/pam.d/common-auth.
> > >
> > > With these modifications fully kerberized NFSv4 mounting should
> > > be possible on all machines if there are no other issues like those
> > > reported in <URL:http://bugs.debian.org/613167#30> (pending?). I did
> > > not test LTSP diskless clients but a home-made chroot in combination
> > > with aufs.
> > >
> > > Best regards,
> > >
> > > Andi
> > >
> > >
> > > [1] http://lists.debian.org/debian-edu/2010/07/msg00065.html
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to [email protected]
> > > with a subject of "unsubscribe". Trouble? Contact [email protected]
> > > Archive: http://lists.debian.org/20120127161853.GA17722@flashgordon
> > >
> > >
> >
> > --
> > Sysadmin SPSE-Tenero
> > Ufficio: +41 91 735 62 48
> > Cellulare: +41 79 629 20 63
> >
>
> --
> ----------------------------------
> A N D R E A S B. M U N D T
> Auf dem Rucken 68
> 89143 Blaubeuren
>
> phone priv.: 0049 (0)7344 17 909 38
> mobile: 0049 (0)1577 29 222 42
> VoIP: sip:[email protected]
>
> email: [email protected]
> [email protected]
> [email protected]
>
> GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--<[email protected]>
> Andreas B. Mundt--<[email protected]>
>
> ============================================================================
>

--
Sysadmin SPSE-Tenero
Ufficio: +41 91 735 62 48
Cellulare: +41 79 629 20 63

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
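A stricter variant of the pam_script_auth hook quoted in the thread, added here as an example (it is not Andi's script and not part of Debian Edu): instead of copying whatever `/tmp/krb5cc_pam_*` matches, it publishes only a regular file owned by the authenticating user and gives the copy mode 0600. The function name, its arguments and its return codes are assumptions; the paths are the ones the thread uses.

```shell
#!/bin/sh
# Added example, not from the thread: a stricter pam_script_auth hook.
# Function name, arguments and return codes are assumptions; the paths
# (/tmp/krb5cc_pam_*, /tmp/krb5cc_diskless) match the thread's setup.
#
# publish_diskless_ccache <cache-dir> <user> <dest>
#   0  ticket copied to <dest> (caller should restart autofs)
#   1  nothing to do, <dest> is already present
#   2  no usable cache for <user> in <cache-dir>
publish_diskless_ccache() {
    dir=$1
    user=$2
    dest=$3
    if [ -e "$dest" ]; then
        return 1
    fi
    # Only a regular file owned by the authenticating user qualifies.
    # A plain glob over /tmp/krb5cc_pam_* would also pick up caches left
    # by other users, and a symlink could point anywhere; with find's
    # default -P, -type f never follows symlinks.
    src=$(find "$dir" -maxdepth 1 -type f -name 'krb5cc_pam_*' \
          -user "$user" 2>/dev/null | head -n 1)
    [ -n "$src" ] || return 2
    # Private mode: gssd (running as root) can read the copy, other
    # local users on the diskless client cannot.
    install -m 0600 "$src" "$dest" || return 2
    return 0
}

# pam_script exports PAM_USER when it runs this hook after a successful
# login; root is skipped and autofs is restarted as in the thread's hook.
if [ -n "${PAM_USER:-}" ] && [ "$PAM_USER" != "root" ]; then
    if publish_diskless_ccache /tmp "$PAM_USER" /tmp/krb5cc_diskless; then
        /etc/init.d/autofs restart >/dev/null
    fi
fi
```

The top-level part only runs when PAM_USER is set, so the function can be exercised from a normal shell with a scratch directory.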

