
Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

Hi everybody!

For quite some time we have been thinking about how to make
kerberized NFSv4 mounting of home directories work with diskless
clients, where no machine credentials (keytab) are available.

It was mentioned [1] that using "-n" for gssd on the diskless client
might help; however, this alone does not seem to be enough.

I finally figured out a way now, which works here and is not too

First, make sure you have the package libpam-script available in the
diskless client's chroot.  libpam-script allows running a script after
successful authentication.  The script to be executed can be created by

set -e

# Path of the pam_script authentication hook.  The original post does not
# show this assignment; /usr/share/libpam-script/pam_script_auth is assumed
# here, as that is libpam-script's script directory on Debian.
FILE=/usr/share/libpam-script/pam_script_auth

cat > $FILE <<EOF
set -e
# Nothing to do for root, or if a ticket has already been provisioned.
if [ "\$PAM_USER" = "root" ] || ls /tmp/krb5cc_diskless > /dev/null 2>&1; then
    exit 0
fi
# Copy the user's fresh ticket cache to the root-owned file that gssd reads.
cp -v /tmp/krb5cc_pam_* /tmp/krb5cc_diskless
# autofs has cached the earlier failed mount attempt; restart so it retries.
/etc/init.d/autofs restart > /dev/null
exit 0
EOF

chmod 0755 $FILE

The script executed right after authentication copies the user's
Kerberos ticket to the file krb5cc_diskless, which is owned by root.
This ticket will be picked up by gssd to create the security context
needed.  However, autofs needs to be restarted; I am not exactly sure
why.  It looks like autofs caches failures in mounting a directory
(which it tries earlier in the login process) and does not try again
immediately when the ticket is available.

In addition, add the line 
to /etc/default/nfs-common and the line
   auth    optional  pam_script.so
to /etc/pam.d/common-auth. 
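As an added example (not the script from the post above), here is a stricter
variant of the pam_script authentication hook for the same setup.  It keeps the
post's design, in which the first non-root login supplies the ticket that gssd
uses for the client's NFS security context, but narrows what gets copied: only
a /tmp/krb5cc_pam_* cache owned by the authenticating user's uid is taken (the
bare glob in the original would also match other users' caches and fails if
more than one file matches), the copy is written with mode 0600 through a
temporary file and renamed into place so the cache is never readable by other
users mid-copy and a pre-existing symlink at the target is replaced rather than
followed, and system accounts below a configurable uid are skipped.  Assumed:
pam_script exports PAM_USER, the PAM Kerberos module writes caches as
/tmp/krb5cc_pam_*, and gssd reads /tmp/krb5cc_diskless.  The variables
CACHE_DIR, TARGET and MIN_UID and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the original post's script.  Stricter pam_script auth hook
# for diskless NFSv4 clients without machine credentials.
# Assumptions: pam_script exports PAM_USER; per-login caches are
# /tmp/krb5cc_pam_*; gssd (started with -n) reads /tmp/krb5cc_diskless.
set -eu

CACHE_DIR=${CACHE_DIR:-/tmp}              # where the PAM Kerberos caches live
TARGET=${TARGET:-/tmp/krb5cc_diskless}    # the root-owned cache gssd picks up
MIN_UID=${MIN_UID:-1000}                  # skip root and system accounts

# Print the newest krb5cc_pam_* file in $1 owned by uid $2, or nothing.
# Restricting by owner avoids taking another user's cache (GNU find).
cache_for_uid() {
    dir=$1; uid=$2
    find "$dir" -maxdepth 1 -type f -name 'krb5cc_pam_*' -uid "$uid" \
        -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-
}

# Copy $1 to $2 atomically with mode 0600: write a temp file beside the
# target, then rename over it.  Returns non-zero if the result is not 0600.
install_cache() {
    src=$1; dst=$2
    tmp=$(mktemp "$dst.XXXXXX")
    cat "$src" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dst"
    [ "$(stat -c %a "$dst")" = "600" ]
}

# Decide whether login of user $1 should provision target $2, given minimum
# uid $3.  Returns 0 when the hook should copy a cache, 1 otherwise.
should_provision() {
    user=$1; target=$2; min_uid=$3
    uid=$(id -u "$user" 2>/dev/null) || return 1
    [ "$uid" -ge "$min_uid" ] || return 1     # root / system account
    [ ! -e "$target" ] || return 1            # already provisioned
    return 0
}

main() {
    should_provision "$PAM_USER" "$TARGET" "$MIN_UID" || exit 0
    src=$(cache_for_uid "$CACHE_DIR" "$(id -u "$PAM_USER")")
    [ -n "$src" ] || exit 0                   # no cache for this user yet
    install_cache "$src" "$TARGET"
    # autofs caches the earlier failed mount attempt; restart so it retries.
    /etc/init.d/autofs restart > /dev/null 2>&1 || true
}

# Run the hook only when invoked by pam_script (PAM_USER set) as root.
if [ -n "${PAM_USER:-}" ] && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

Install it in place of the script created above (same path, mode 0755) and
keep the pam_script line in /etc/pam.d/common-auth; the functions are kept
separate from main so the selection and copy logic can be exercised outside
PAM with a scratch directory.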

With these modifications, fully kerberized NFSv4 mounting should
be possible on all machines if there are no other issues like those
reported in <URL:http://bugs.debian.org/613167#30> (pending?).  I did
not test LTSP diskless clients, but rather a home-made chroot in
combination with aufs.

Best regards,  


[1] http://lists.debian.org/debian-edu/2010/07/msg00065.html
