
Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds



Hi everybody!

For quite some time we have been thinking about how to make
kerberized NFSv4 mounting of home directories work with diskless
clients, where no machine credentials (keytab) are available.

It was mentioned [1] that using "-n" for gssd on the diskless client
might help; however, this does not seem to be enough.

I finally figured out a way now, which works here and is not too
invasive:

First, make sure you have the package libpam-script available in the
diskless client's chroot.  libpam-script allows running a script after
successful authentication.  The script executed can be created by
running:

#!/bin/sh
#
# Generator: writes the libpam-script hook that runs after a successful
# authentication on the diskless client.
set -e

FILE=/usr/share/libpam-script/pam_script_auth

cat > "$FILE" <<EOF
#!/bin/sh
#
set -e
# Nothing to do for root, or if a ticket has already been installed.
if [ "\$PAM_USER" = "root" ] || ls /tmp/krb5cc_diskless > /dev/null 2>&1; then
    exit 0
fi

# Copy the user's credential cache to a root-owned file that gssd picks up.
FILE=/tmp/krb5cc_diskless
cp -v /tmp/krb5cc_pam_* "\$FILE"
# autofs cached the earlier mount failure; restart it so it retries.
/etc/init.d/autofs restart > /dev/null

exit 0
EOF

chmod 0755 "$FILE"
#============================

The script executed right after authentication copies the user's
Kerberos ticket to the file krb5cc_diskless, which is owned by root.
This ticket will be picked up by gssd to create the security context
needed.  However, autofs needs to be restarted, and I am not exactly
sure why.  It looks like autofs caches failures in mounting a directory
(which it tries earlier in the login process), and does not try again
immediately when the ticket is available.

In addition, add the line 
   RPCGSSDOPTS="-n" 
to /etc/default/nfs-common and the line
   auth    optional  pam_script.so
to /etc/pam.d/common-auth. 
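As an added example (not the script from this mail), here is a variant of the pam_script_auth hook that selects the credential cache actually owned by the authenticating user rather than copying the /tmp/krb5cc_pam_* wildcard, so it does not fail when several caches exist and does not install another user's ticket as the root-owned one; it goes beyond the mail in that respect. The function names, CACHE_DIR and TARGET are assumptions; it still relies on pam_script exporting PAM_USER, on the root-owned /tmp/krb5cc_diskless read by gssd -n, and on the autofs restart described above.

```shell
#!/bin/sh
# Hardened pam_script_auth hook (added example, not the original mail's
# script).  Assumes pam_script exports PAM_USER and that pam_krb5 writes
# the user's cache as /tmp/krb5cc_pam_* owned by that user (assumption).
set -e

CACHE_DIR=${CACHE_DIR:-/tmp}           # assumption: where the caches live
TARGET=${TARGET:-/tmp/krb5cc_diskless} # root-owned cache that gssd -n reads

# Print the newest krb5cc_pam_* file in $1 owned by user $2, or nothing.
pick_user_ccache() {
    dir=$1; user=$2
    find "$dir" -maxdepth 1 -type f -name 'krb5cc_pam_*' -user "$user" \
        -exec ls -t {} + 2>/dev/null | head -n 1
}

# Act only for non-root users and only while no ticket is installed yet.
# Returns 0 (install) or 1 (skip).
should_install() {
    user=$1; target=$2
    [ "$user" != "root" ] && [ ! -e "$target" ]
}

# Copy one chosen file into place, root-readable only, atomically.
install_ccache() {
    src=$1; dst=$2
    cp "$src" "$dst.tmp"
    chmod 0600 "$dst.tmp"
    mv "$dst.tmp" "$dst"
}

main() {
    should_install "${PAM_USER:-}" "$TARGET" || exit 0
    src=$(pick_user_ccache "$CACHE_DIR" "$PAM_USER")
    [ -n "$src" ] || { echo "no credential cache for $PAM_USER" >&2; exit 0; }
    install_ccache "$src" "$TARGET"
    # autofs cached the earlier mount failure; restart it so it retries.
    /etc/init.d/autofs restart > /dev/null
}

# Only run the hook when invoked by PAM; the functions can be sourced alone.
if [ -n "${PAM_USER:-}" ]; then
    main
fi
```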

With these modifications fully kerberized NFSv4 mounting should
be possible on all machines if there are no other issues like those
reported in <URL:http://bugs.debian.org/613167#30> (pending?).  I did
not test LTSP diskless clients but a home-made chroot in combination
with aufs.

Best regards,  

     Andi
  

[1] http://lists.debian.org/debian-edu/2010/07/msg00065.html

