As I know next to nothing about AFS, I don't fully understand what is going on.
However, I have had some mountpoints come -t nfs and others come -t nfs4, and autofs will let you do this. We mount different users' home directories from different filesystems via autofs as well.

Have you tried a manual nfs4 mount? i.e.:

mkdir /tmp/testmount
mount nfs4server:/userhomedirectories/amy /tmp/testmount -t nfs4
su amy
kinit amy
cd /tmp/testmount

On 10/16/2011 08:20 AM, Lee Eric wrote:
> Hey mate,
>
> No. I don't use autofs here. However, I noticed a very strange
> phenomenon here. In the client side I can use ksu to login by user
> amy.
>
> [root@submit ~]# kinit amy
> Password for [email protected]:
> [root@submit ~]# ksu amy
> Changing uid to amy (502)
> [amy@submit root]$ klist
> Ticket cache: FILE:/tmp/krb5cc_502.1
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 10/16/11 02:25:54  10/17/11 02:25:44  krbtgt/[email protected]
>         renew until 10/16/11 02:25:54
> 10/16/11 02:26:01  10/17/11 02:25:44  afs/[email protected]
>         renew until 10/16/11 02:25:54
> [amy@submit root]$ cd ~
> [amy@submit ~]$ pwd
> /pool/home/amy
> [amy@submit ~]$
>
> But I don't think it makes sense to get afs TGS. In server side, I saw
> the following information.
>
> Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=1 ses=1}, [email protected] for afs/[email protected]
>
> Why will it try to get OpenAFS stuff? That really makes me confused.
>
> Thanks.
>
> Eric
>
> On Sun, Oct 16, 2011 at 7:48 PM, Mehta, Rohit <[email protected]> wrote:
>> Hi Eric, have you configured auto.home for -t nfs4?
>>
>> Lee Eric <[email protected]> wrote:
>>
>>
>> Hi all,
>>
>> I integrated NFS4 and Kerberos properly. However, I noticed that users
>> whose home dirs are in NFS4 shares cannot login. In my
>> environment, some users are using OpenAFS, others using NFS4 as home
>> dirs.
>>
>> Here's the client side (host name: submit) /var/log/secure partial log
>> as the user amy logs in.
>>
>> Oct 16 01:59:19 submit unix_chkpwd[1272]: password check failed for user (amy)
>> Oct 16 01:59:19 submit login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=amy
>>
>> And here's the client side /etc/pam.d/system-auth contents.
>>
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        optional      pam_afs_session.so
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_krb5.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> -session    optional      pam_systemd.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_krb5.so
>> session     required      pam_afs_session.so
>>
>> Here's the partial log of /var/log/krb5kdc.log in server side (host
>> name: server) as user amy logs in.
>>
>> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
>> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>> Oct 16 02:01:51 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=1 ses=1}, [email protected] for afs/[email protected]
>>
>> I'm very curious why the system is going to try afs there. I have
>> defined the home dirs in NFS shares.
>>
>> Could anyone help me to figure it out?
>>
>> Thanks very much.
>>
>> Eric
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Rohit Mehta
>> Computer Engineer
>> University of Connecticut
>> Engineering Computing Services
>> 371 Fairfield Road Unit 2031
>> Storrs, CT 06269-2031
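Added example, not from any message in this thread: the KDC log excerpts above are the quickest place to see what a login actually does, because every ticket request lands there with its source address, client principal, service principal and the enctypes issued. The afs/ TGS_REQ that puzzled Eric is the service ticket that pam_afs_session.so (present in both the auth and session stacks posted above) needs in order to obtain an AFS token, and "tkt=1 ses=1" on that line means the ticket and session key use etype 1, single-DES des-cbc-crc, rather than the AES-256 (etype 18) used for the TGT. The Python below parses MIT krb5kdc.log lines of that shape, groups issued tickets per client principal and source IP so the TGT -> afs/ -> nfs/ sequence is visible, flags any issued ticket whose ticket or session key uses a deprecated enctype, and lists pre-authentication failures (NEEDED_PREAUTH is the normal first round trip, not a failure). The log lines inside it are constructed for this example with a made-up realm EXAMPLE.COM, KDC kdc.example.com, NFS server nfs4server.example.com and a second user bob; the nfs/ line is the ticket rpc.gssd requests for a sec=krb5 NFSv4 mount, which does not appear in the thread's own logs.

```python
import re
from collections import defaultdict

# Constructed sample in the format of MIT krb5kdc.log (realm, hosts and the
# user "bob" are made up for this example; only the line shape is real).
SAMPLE_LOG = """\
Oct 16 02:01:50 kdc.example.com krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: amy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Oct 16 02:01:50 kdc.example.com krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=18 ses=18}, amy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct 16 02:01:51 kdc.example.com krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=1 ses=1}, amy@EXAMPLE.COM for afs/EXAMPLE.COM@EXAMPLE.COM
Oct 16 02:01:52 kdc.example.com krb5kdc[4522](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=18 ses=18}, amy@EXAMPLE.COM for nfs/nfs4server.example.com@EXAMPLE.COM
Oct 16 02:03:10 kdc.example.com krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.30: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# One regex for both AS_REQ and TGS_REQ lines. The "authtime ..., etypes {...}"
# part is only present on ISSUE lines, hence optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<netypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)

# Enctype numbers from RFC 3961/3962/4757; names as krb5 prints them.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single DES is deprecated by RFC 6649; 3DES and RC4-HMAC by RFC 8429.
WEAK_ETYPES = {1, 2, 3, 16, 23}


def parse_kdc_log(text):
    """Parse krb5kdc.log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("rep", "tkt", "ses"):
            ev[key] = int(ev[key]) if ev[key] is not None else None
        ev["offered_etypes"] = [int(x) for x in ev["etypes"].split()]
        events.append(ev)
    return events


def sessions_by_client(events):
    """Service principals issued, in order, per (client principal, source IP)."""
    out = defaultdict(list)
    for ev in events:
        if ev["status"] == "ISSUE":
            out[(ev["client"], ev["client_ip"])].append(ev["server"])
    return dict(out)


def weak_tickets(events):
    """Issued tickets whose ticket key or session key uses a deprecated enctype.

    The enctypes the client *offered* are not judged here; what matters is what
    the KDC actually issued (tkt= and ses=).
    """
    findings = []
    for ev in events:
        if ev["status"] != "ISSUE":
            continue
        bad = {ev["tkt"], ev["ses"]} & WEAK_ETYPES
        if bad:
            names = sorted(ETYPE_NAMES.get(e, str(e)) for e in bad)
            findings.append((ev["client"], ev["server"], names))
    return findings


def failed_preauth(events):
    """Clients that failed pre-authentication (wrong password, replay, clock skew)."""
    return [(ev["client"], ev["client_ip"], ev["reason"])
            for ev in events if ev["status"] == "PREAUTH_FAILED"]


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for (client, ip), servers in sessions_by_client(evs).items():
        print(f"{client} from {ip}: " + " -> ".join(servers))
    for client, server, names in weak_tickets(evs):
        print(f"WEAK: {client} was issued {server} with {', '.join(names)}")
    for client, ip, reason in failed_preauth(evs):
        print(f"FAILED: {client} from {ip}: {reason}")
```

Run against a real /var/log/krb5kdc.log by replacing SAMPLE_LOG with the file contents; on the thread's own data the grouping shows a krbtgt/ ticket followed only by afs/, with no nfs/ request at all, which is the sequence to compare against when checking whether rpc.gssd on the client ever asked for the NFS server's ticket.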
