Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
For quite some time we have been thinking about how to make
kerberized NFSv4 mounting of home directories work with diskless
clients, where no machine credentials (keytab) are available.
It was mentioned that using "-n" for gssd on the diskless client
might help, but this alone turned out not to be enough.
I have finally found a way that works here and is not too
First, make sure the package libpam-script is available in the
diskless client's chroot. libpam-script runs a script after
successful authentication. The script can be created by
: "${FILE:?set FILE to the path of the pam_script auth hook}"   # path not given in the post
cat > $FILE <<EOF
#!/bin/sh
# Skip root, or when a ticket has already been staged for gssd.
if [ "\$PAM_USER" = "root" ] || ls /tmp/krb5cc_diskless > /dev/null 2>&1; then exit 0; fi
cp -v /tmp/krb5cc_pam_* /tmp/krb5cc_diskless   # stage the user's ticket for gssd -n
/etc/init.d/autofs restart > /dev/null         # autofs cached the earlier mount failure
EOF
chmod 0755 $FILE
The script, executed right after authentication, copies the user's
Kerberos ticket to the file krb5cc_diskless, which is owned by root.
gssd picks this ticket up to create the security context it needs.
However, autofs has to be restarted; I am not exactly sure
why. It looks like autofs caches failures in mounting a directory
(which it tries earlier in the login process) and does not retry
immediately once the ticket is available.
In addition, add the line
to /etc/default/nfs-common and the line
auth optional pam_script.so
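Because krb5cc_diskless carries one user's ticket and is used by gssd for every NFS security context on that client, it is worth verifying after setup that all three pieces are in place and that the staged ticket is not readable by other users. The following check script is an added example and not part of the original post; it assumes the gssd option is set via RPCGSSDOPTS in /etc/default/nfs-common, that the PAM line went into /etc/pam.d/common-auth, and that the hook is libpam-script's /usr/share/libpam-script/pam_script_auth. An optional argument prefixes all paths, so it can be run against a chroot.

```shell
#!/bin/sh
# Added example (not from the original post): verify the diskless krb5p setup
# described above. Assumptions: RPCGSSDOPTS in /etc/default/nfs-common carries
# the gssd -n option, the PAM line lives in /etc/pam.d/common-auth, and the
# hook is libpam-script's pam_script_auth. $1 optionally prefixes every path.

check_diskless_krb5_setup() {
    root="${1:-}"
    nfscommon="$root/etc/default/nfs-common"
    pamconf="$root/etc/pam.d/common-auth"
    hook="$root/usr/share/libpam-script/pam_script_auth"
    ccache="$root/tmp/krb5cc_diskless"
    rc=0

    # gssd needs -n so it uses root's credential cache instead of a keytab.
    if ! grep -Eq '^RPCGSSDOPTS=.*-n([^[:alnum:]]|$)' "$nfscommon" 2>/dev/null; then
        echo "missing: -n in RPCGSSDOPTS ($nfscommon)"; rc=1
    fi

    # pam_script must be hooked into the auth stack.
    if ! grep -Eq '^auth[[:space:]]+optional[[:space:]]+pam_script\.so' "$pamconf" 2>/dev/null; then
        echo "missing: auth optional pam_script.so ($pamconf)"; rc=1
    fi

    # The hook itself must exist and be executable.
    if [ ! -x "$hook" ]; then
        echo "missing or not executable: $hook"; rc=1
    fi

    # The staged ticket is a user's TGT handed to gssd: it must not be
    # group- or world-readable. Absent is fine before the first login.
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    if [ -e "$ccache" ] && ls -ld "$ccache" | cut -c5-10 | grep -q '[rwx]'; then
        echo "too permissive: $ccache (expected mode 0600)"; rc=1
    fi

    return $rc
}

# Run the check when invoked as a script with a chroot path (or "" for /).
if [ $# -gt 0 ]; then
    check_diskless_krb5_setup "$1"
fi
```

Run it as `sh check.sh /srv/diskless-chroot` on the server holding the chroot, or `sh check.sh ""` on a booted client; it prints each missing or unsafe item and exits non-zero if any was found.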
With these modifications, fully kerberized NFSv4 mounting should
be possible on all machines, provided there are no other issues like those
reported in <URL:http://bugs.debian.org/613167#30> (pending?). I did
not test LTSP diskless clients, but a home-made chroot in combination