
Re: Kerberos on diskless clients



On Thu, 2010-07-08 at 11:45 +0200, John S. Skogtvedt wrote:
> On 7 July 2010 00:43, Veli-Matti Lintu wrote:
> > 
> > I've been dealing with these same issues recently and after testing it
> > looks like machine credentials are not needed to get diskless clients
> > working with kerberos.
> > 
> > What I have understood is that with NFSv4 the machine credentials are
> > used for the initial mount + root access. For the initial mount
> > credentials any credentials are actually ok and if rpc.gssd is run with
> > -n option, it uses existing credentials for the mount. When using
> > sec=krb5 access to users' home directories on the mounted directory then
> > requires valid credentials for the user.
> > 
> > I haven't really tested the root access part here as I have always used
> > root_squash on all the exports.

> Thanks, this is very helpful. Which DM/desktop did you test with? gdm
> for instance used to (or still does) check as root if the user's
> homedirectory existed, which might cause problems.
> 
> I will try to test with debian-edu within the next two weeks.

We got it to work with both ldm (LTSP 5) and gdm with Gnome on Ubuntu
10.04. I do not know the current differences between Debian and Ubuntu
versions of ldm, but I'd guess they are pretty close and scripting
should be possible. Using ldm does require custom scripts to get the
kerberos ticket on the client as normally the ticket is acquired on the
server when ssh login is made.

Using gdm should be possible on all platforms (netboot or local install)
as it really doesn't depend on any ltsp specific stuff. Some creative
PAM stack hacking is required to get the user's kerberos ticket in
correct places right after authentication so that rpc.gssd can be
(re)started. Now this is done with a script that is run by pam_exec
module.

There are still untested pieces in the puzzle, so something else might
still come up, but I hope this helps.

Veli-Matti
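As an added illustration of the pam_exec approach described above (this is
not the script from the original mail, nor anything shipped by LTSP or
Debian Edu), the hook below is what such a pam_exec session script could look
like. Assumptions: pam_krb5 runs earlier in the session stack and exports
KRB5CCNAME into the PAM environment, which pam_exec passes on to the child
together with PAM_USER and PAM_TYPE; rpc.gssd scans its default cache
directory /tmp for files named krb5cc_<uid>* (the -d option changes the
directory); and rpc.gssd is restarted through the nfs-common init script,
which is an assumption to adjust for the init system in use. The PAM line and
the hook path /usr/local/sbin/krb5-gssd-hook are hypothetical names chosen
for the example.

```shell
#!/bin/sh
# Hypothetical pam_exec hook (added example, not the original poster's script).
# Intended PAM wiring, after the pam_krb5 session line, e.g. in
# /etc/pam.d/common-session:
#   session optional pam_exec.so /usr/local/sbin/krb5-gssd-hook
#
# On open_session it copies the user's Kerberos credential cache to the
# location rpc.gssd scans (assumed: /tmp/krb5cc_<uid>) and restarts rpc.gssd
# so the new cache is picked up for the sec=krb5 home directory export.

# Directory rpc.gssd scans for caches (its -d option; /tmp is the default).
GSSD_CCACHE_DIR="${GSSD_CCACHE_DIR:-/tmp}"

# Turn a KRB5CCNAME value into a file path. Only FILE: caches (and bare
# paths) are handled; other cache types (KCM:, DIR:, ...) are rejected.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    return 1 ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Path where rpc.gssd expects the cache for a numeric uid.
gssd_target() {
    printf '%s/krb5cc_%s\n' "$GSSD_CCACHE_DIR" "$1"
}

# Copy cache $2 for user $1 into place: owned by the user, mode 0600, written
# to a temp file first so a half-written cache is never visible to gssd.
# Prints the installed path on success.
install_ccache() {
    user="$1"; src="$2"
    uid=$(id -u "$user" 2>/dev/null) || return 1
    [ -f "$src" ] || return 1
    dst=$(gssd_target "$uid")
    (umask 077 && cp "$src" "$dst.tmp") || return 1
    chown "$uid" "$dst.tmp" && chmod 600 "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1
    printf '%s\n' "$dst"
}

# Assumed restart method (Debian/Ubuntu nfs-common init script); adjust to
# whatever actually manages rpc.gssd on the client. With rpc.gssd -n, uid 0
# does not use machine credentials, matching the setup described in the mail.
restart_gssd() {
    if [ -x /etc/init.d/nfs-common ]; then
        /etc/init.d/nfs-common restart >/dev/null 2>&1
    fi
}

# Entry point when run by pam_exec. Failures exit 0 so a hook problem does not
# block the login; the user then simply lacks a usable cache for gssd.
if [ "$PAM_TYPE" = "open_session" ] && [ -n "$PAM_USER" ] && [ -n "$KRB5CCNAME" ]; then
    src=$(ccache_path "$KRB5CCNAME") || exit 0
    install_ccache "$PAM_USER" "$src" >/dev/null || exit 0
    restart_gssd
    exit 0
fi
```

The copy is a second TGT on the client's /tmp (tmpfs or NBD on a diskless
machine), so the 0600 mode and the temp-file rename matter; remove it in a
close_session branch if you do not want stale caches left behind after logout.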

