Hi Folks, Thanks for the feedback everyone.
On 13/02/2009, at 3:52 AM, Douglas E. Engert wrote:

> Edward Irvine wrote:
>> Hi Folks,
>> Is there a ticket between client and server that expires? If so,
>> how does it get renewed?
>> Kerberised NFS presumably requires authentication and
>> (optionally) encryption between client and server, so presumably
>> the client needs to get a ticket prior to contacting the server.
>
> Are you talking NFSv4 or NFSv3?

NFSv4: nothing was done to downgrade it to NFSv3.

>> I appear to be successfully sharing out /export/home from a
>> server with Kerberos security options, and successfully
>> automounting users' home directories on client machines when they
>> log in. However, first thing in the morning the home directories
>> on client machines are inaccessible (i.e. when I ssh in, my home
>> directory is unavailable). Restarting automountd fixes things for
>> the rest of the day.
>
> First of all the sshd must get a Kerberos ticket, either by
> delegated GSSAPI credentials (i.e. a forwarded Kerberos ticket),
> or by keyboard interactive. You will need to set up pam.conf for sshd-*

Yes and no. When I logged in with ssh I *thought* I got a ticket. But now I suspect the TGT I saw yesterday was a stale one.

Turns out when I logged in directly to the machine using username/password I got a TGT (via pam_krb5). Home directory mounting worked as expected.

However, when I logged in to the target via another Kerberised machine I authenticated "seamlessly" via GSSAPI, in which case I did not have a TGT on the target, as it was not being forwarded by my workstation. Thus, my Kerberos-protected home directory on the target was not being automounted.

> On Solaris the sshd has multiple entries in pam.conf depending on
> which authentication method was used; see the man page for sshd at
> the end for sshd-gssapi and sshd-kbdint.
>
> dtlogin can also call pam_krb5; see the man page on pam_krb5.
>
>> This is Solaris 10 u6 on client and server, and using the Solaris
>> 10 u6 Kerberos server. There is no NIS or LDAP naming going on
>> (yet) - nsswitch is to files and DNS. The mapid domain name is
>> set in /etc/defaults/nfs.
>
> Solaris with NFSv4 will only use the default Kerberos ticket cache
> for a user, /tmp/krb5cc_<uid>, even if you have KRB5CCNAME set.
> (Personally, I consider this a step backwards and have expressed this
> to Sun many times.)
>
> Having said all the above, we do get tickets at login, sshd and screen
> unlock, but use AFS (which uses Kerberos V5) for home directories,
> not NFS. I would expect that if pam is set up to get the tickets,
> the NFS code would use them for home directory access.
>
>> Any pointers greatly appreciated.
>> Eddie

On my workstation (and all Kerberos clients) I have now inserted:

a) the "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
b) "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
c) played around with /etc/krb5/warn.conf so that tickets are automatically renewed.

The end result is that I now have a TGT on the target, even when I log in to an intermediate machine first.

I also did a little experiment. After logging in to the target machine (with the GSSAPIDelegateCredentials working and all), I ran the "kdestroy" command. As expected, my home directory became immediately unreadable until I got a new TGT with the "kinit" command. Cool...

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
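The thread above pins the failure on two conditions that are easy to verify on the target host but are not shown as a check anywhere in the exchange: the TGT must exist, and it must sit in /tmp/krb5cc_<uid>, the only cache Solaris NFSv4 consults according to the reply, and for delegation to have produced it at all the client's ticket must carry the forwardable flag. The script below is an added example written for this page, not code from the thread, from Sun, or from MIT: a POSIX sh diagnostic that reads `klist -f` output and reports which of those conditions fails. The sample klist output, the uid 1001, the principal eddie@EXAMPLE.COM and the realm EXAMPLE.COM are constructed for the example; the exact klist line layout is assumed to match the MIT-derived klist, so check it against your own output first.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): checks for the state
# described above, where a GSSAPI ssh login succeeds but no usable TGT lands
# in the one cache Solaris NFSv4 will look at, /tmp/krb5cc_<uid>.
#
# Client-side settings the thread ends up with (for reference only; this
# script does not write to any file):
#   /etc/ssh/ssh_config   ->  GSSAPIAuthentication yes
#                             GSSAPIDelegateCredentials yes
#   krb5.conf             ->  [libdefaults]
#                             forwardable = true
#
# The functions take klist output as a string so they run offline against the
# constructed samples at the bottom; on a real host feed them
# "$(klist -f 2>/dev/null)" and "$(id -u)".

# Cache Solaris NFSv4 uses for a uid, regardless of KRB5CCNAME (per the thread).
expected_cache() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# 0 if the "Ticket cache:" line names /tmp/krb5cc_<uid>, else 1.
cache_matches() {
    klist_out=$1; uid=$2
    want=$(expected_cache "$uid")
    printf '%s\n' "$klist_out" |
        awk -v want="$want" '
            /^Ticket cache:/ {
                sub(/^Ticket cache:[ \t]*/, ""); sub(/^FILE:/, "")
                if ($0 == want) found = 1
            }
            END { exit found ? 0 : 1 }'
}

# 0 if a krbtgt/<REALM>@<REALM> entry is present (kinit or delegation worked).
has_tgt() {
    klist_out=$1; realm=$2
    printf '%s\n' "$klist_out" | grep -q "krbtgt/$realm@$realm"
}

# 0 if the TGT's flag letters (klist -f) include F, i.e. forwardable.
# Without F the client cannot delegate even with GSSAPIDelegateCredentials yes.
tgt_forwardable() {
    klist_out=$1; realm=$2
    printf '%s\n' "$klist_out" |
        awk -v tgt="krbtgt/$realm@$realm" '
            index($0, tgt) { intgt = 1; next }
            intgt && /Flags:/ {
                if ($0 ~ /Flags:[ \t]*[A-Za-z]*F/) ok = 1
                intgt = 0
            }
            END { exit ok ? 0 : 1 }'
}

# Run all three checks, print what is wrong, return 0 only if all pass.
diagnose() {
    klist_out=$1; uid=$2; realm=$3; rc=0
    cache_matches "$klist_out" "$uid" ||
        { echo "cache is not $(expected_cache "$uid"); NFSv4 will not see it"; rc=1; }
    has_tgt "$klist_out" "$realm" ||
        { echo "no TGT for $realm: run kinit, or fix GSSAPI delegation"; rc=1; }
    tgt_forwardable "$klist_out" "$realm" ||
        { echo "TGT is not forwardable: set forwardable = true, then kinit again"; rc=1; }
    return $rc
}

# Constructed sample (not real output): a forwarded TGT in the default cache.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: eddie@EXAMPLE.COM

Valid starting     Expires            Service principal
02/13/09 08:05:11  02/13/09 18:05:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/20/09 08:05:11, Flags: FfRIA'

# Constructed sample of the broken state: a KRB5CCNAME cache NFSv4 never
# consults, holding a TGT that was obtained without forwardable = true.
SAMPLE_BAD='Ticket cache: FILE:/tmp/krb5cc_eddie_XYZ123
Default principal: eddie@EXAMPLE.COM

Valid starting     Expires            Service principal
02/13/09 08:05:11  02/13/09 18:05:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: RIA'

echo "== constructed good state =="
diagnose "$SAMPLE_OK" 1001 EXAMPLE.COM && echo "ok: the Kerberised home directory should mount"
echo "== constructed broken state =="
diagnose "$SAMPLE_BAD" 1001 EXAMPLE.COM || echo "fix the above, then re-run against: klist -f"
```

On a live target the same functions apply to real output, e.g. `diagnose "$(klist -f)" "$(id -u)" EXAMPLE.COM`; the kdestroy/kinit experiment in the message is the manual form of the same test, since `has_tgt` fails right after kdestroy and passes again after kinit.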
