Re: Kerberos on diskless clients
On 7 July 2010 00:43, Veli-Matti Lintu wrote:
> On Tue, 2010-06-15 at 13:44 +0200, John S. Skogtvedt wrote:
>> On 15 June 2010 12:51, Jonas Smedegaard wrote:
>>> On Tue, Jun 15, 2010 at 12:02:57PM +0200, John S. Skogtvedt wrote:
>>>>
>>>> With /skole/tjener/home0, the problem is that the machine itself needs a
>>>> "$hostname/nfs" principal with corresponding secret key. It's not enough
>>>> that the user can authenticate to Kerberos.
>>>
>>> Oh. I was unaware that the machine needed a separate key for NFS.
>>> Problem, yes!
>>>
>>> What exactly does a $host/nfs key grant access to? The whole partition,
>>> encrypted by user keys, or the whole partition, unencrypted?
>>>
>>
>> I'm not a Kerberos/NFSv4 expert, but AFAIK it's a ticket-granting ticket
>> (TGT) which firstly gives the machine read-only access to the entire
>> exported filesystem, and secondly allows the machine to grant a RW
>> ticket to the user. Kerberos is used to authenticate writes, and
>> optionally for encryption as well.
>>
>>> Would AFS perhaps provide a key structure better suited for this? My
>>> question here is _only_ about the key structure - AFS might have other
>>> limitations making it unsuitable, but the act of comparing key handling
>>> might help understand possible/sane approaches.
>>>
>>> Ideally we would use a filesystem requiring only user key to
>>> authenticate. Hmm - would it perhaps be possible (while still secure)
>>> to create and permit a $user/nfs keypair acting as host key for
>>> .../home* mount points?
>
> Hi,
>
> I've been dealing with these same issues recently and after testing it
> looks like machine credentials are not needed to get diskless clients
> working with Kerberos.
>
> What I have understood is that with NFSv4 the machine credentials are
> used for the initial mount + root access. For the initial mount
> credentials any credentials are actually OK, and if rpc.gssd is run with
> the -n option, it uses existing credentials for the mount. When using
> sec=krb5, access to users' home directories on the mounted directory then
> requires valid credentials for the user.
>
> I haven't really tested the root access part here as I have always used
> root_squash on all the exports.
>
> Using user's credentials instead of a keytab means of course that the
> mount works only as long as the credentials are valid.
>
>
> man rpc.gssd
>
> -n  By default, rpc.gssd treats accesses by the user with UID 0
>     specially, and uses "machine credentials" for all accesses by that
>     user which require Kerberos authentication. With the -n option,
>     "machine credentials" will not be used for accesses by UID 0.
>     Instead, credentials must be obtained manually like all other
>     users. Use of this option means that "root" must manually
>     obtain Kerberos credentials before attempting to mount an nfs
>     filesystem requiring Kerberos authentication.
>
>
> Veli-Matti
>
>
Thanks, this is very helpful. Which DM/desktop did you test with? gdm,
for instance, used to (or still does) check as root whether the user's
home directory exists, which might cause problems.
I will try to test with debian-edu within the next two weeks.
John.
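The recipe Veli-Matti describes above (rpc.gssd started with -n, the mount requesting sec=krb5, root_squash kept on the export) can be checked mechanically before a diskless image is rolled out. The script below is an added example for this thread, not code from the thread, from Debian Edu or from nfs-utils. It assumes Debian's /etc/default/nfs-common layout (NEED_GSSD and RPCGSSDOPTS); the file paths, the 10.0.2.0/24 network and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Debian Edu code): sanity-check the three pieces needed
# for a diskless client to mount home directories with the user's own
# Kerberos ticket instead of a machine keytab:
#   1. rpc.gssd started with -n (Debian: RPCGSSDOPTS in /etc/default/nfs-common),
#   2. the mount requesting sec=krb5 (or krb5i/krb5p),
#   3. the server export requiring a krb5 flavour and keeping root_squash.
# Paths, networks and sample contents are constructed for illustration.

set -f   # export lines may contain wildcards such as *.example.org; never glob them

# Return 0 when the given /etc/default/nfs-common starts rpc.gssd with -n,
# 1 when it does not, 2 when the file is unreadable.
gssd_uses_user_creds() {
    f="$1"
    [ -r "$f" ] || return 2
    need=$(sed -n 's/^NEED_GSSD=//p' "$f" | tr -d '"' | tail -n 1)
    opts=$(sed -n 's/^RPCGSSDOPTS=//p' "$f" | tr -d '"' | tail -n 1)
    [ "$need" = "yes" ] || return 1
    case " $opts " in
        *" -n "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 when a comma-separated option list asks for a Kerberos security
# flavour; sec=sys (or no sec= at all) means no ticket is involved.
mount_opts_use_krb5() {
    case ",$1," in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when every client spec on one /etc/exports line requires a
# Kerberos flavour and none of them turns off root_squash.
export_is_safe() {
    set -- $1            # word-split the line: exported path, then client specs
    shift                # drop the exported path
    [ $# -gt 0 ] || return 1
    for spec in "$@"; do
        opts=${spec#*\(}; opts=${opts%\)}
        [ "$opts" != "$spec" ] || return 1    # spec carries no option list
        mount_opts_use_krb5 "$opts" || return 1
        case ",$opts," in
            *,no_root_squash,*) return 1 ;;
        esac
    done
    return 0
}

# Mount a home export with the calling user's own ticket. With rpc.gssd -n
# there is no machine credential to fall back on, so refuse early when the
# ticket cache is empty or expired instead of letting the mount fail
# opaquely. Not run by the demo below: it needs a real KDC and NFS server.
mount_home_with_user_creds() {
    server_path="$1"; mountpoint="$2"
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket for $(id -un); run kinit first" >&2
        return 1
    fi
    mount -t nfs4 -o sec=krb5 "$server_path" "$mountpoint"
}

# Demo on constructed samples (written to a temp dir, then removed).
tmp=$(mktemp -d)
cat > "$tmp/nfs-common" <<'EOF'
# constructed /etc/default/nfs-common for a diskless client
NEED_GSSD=yes
RPCGSSDOPTS="-n"
EOF
gssd_uses_user_creds "$tmp/nfs-common" \
    && echo "rpc.gssd will use the user's own ticket for the mount"
mount_opts_use_krb5 "rw,sec=krb5,hard,intr" \
    && echo "fstab options request Kerberos authentication"
export_is_safe "/skole/tjener/home0 10.0.2.0/24(rw,sec=krb5,root_squash)" \
    && echo "export: krb5 required, root squashed"
export_is_safe "/skole/tjener/home0 10.0.2.0/24(rw,no_root_squash)" \
    || echo "export: weak (no krb5 flavour or root not squashed)"
rm -rf "$tmp"
```

The mount helper only refuses when `klist -s` reports no valid ticket; it does not renew anything, so the caveat from the reply still applies: once the user's ticket expires the mount stops working until a fresh `kinit`.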