
Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds



[Andreas B. Mundt]
> I finally figured out a way now, which works here and is not too
> invasive:

Cool.

> First, make sure you have the package libpam-script available at the
> diskless client's chroot.  libpam-script allows running a script
> after successful authentication.  The script executed can be
> created by running:

We already use libpam-python for libpam-mklocaluser, which allows a
python script to provide a pam module.  Perhaps it is better to
rewrite it in python to avoid pulling in another dependency?

> The script executed right after authentication copies the user's
> Kerberos ticket to the file krb5cc_diskless which is owned by root.
> This ticket will be picked up by gssd to create the security context
> needed.  However, it's needed to restart autofs, I am not exactly
> sure why.  It looks like autofs caches failures in mounting a
> directory (which it tries earlier in the login process), and does
> not try again immediately when the ticket is available.

I guess we also need to remove the file when the user logs in, to make
sure other users can't use another user's ticket to mount?

> With these modifications fully kerberized NFSv4 mounting should be
> possible on all machines if there are no other issues like those
> reported in <URL:http://bugs.debian.org/613167#30> (pending?).  I
> did not test LTSP diskless clients but a home-made chroot in
> combination with aufs.

This approach looks really promising.  What about just dropping autofs
and mounting the NFS volume in the pam module instead, like pam-mount?
-- 
Happy hacking
Petter Reinholdtsen
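
One concrete shape for the hook discussed in this thread, as an added example that is neither Andreas' script nor Debian Edu code: a pam_script hook that installs the root-owned krb5cc_diskless copy on session open and removes it again on session close, which is the cleanup the reply asks about. It assumes libpam-script exports PAM_USER and PAM_TYPE (with the values open_session/close_session), that pam_krb5 leaves the user's ticket as /tmp/krb5cc_<uid> or /tmp/krb5cc_<uid>_*, and that CC_DIR and UID_LOOKUP are overrides local to this script, not libpam-script options.

```shell
#!/bin/sh
# Added example, not code from the thread.  Copies the freshly obtained user
# credential cache to the shared, root-owned krb5cc_diskless file that gssd
# picks up, and deletes it when the session ends so the next user on the
# diskless client cannot mount with the previous user's ticket.
# Assumed: PAM_USER/PAM_TYPE are set by libpam-script; CC_DIR and UID_LOOKUP
# are test hooks of this script only (defaults: /tmp and "id -u").

ccache_dir()    { echo "${CC_DIR:-/tmp}"; }
shared_ccache() { echo "$(ccache_dir)/krb5cc_diskless"; }

# Print the path of the logged-in user's own ticket cache, or fail.
user_ccache() {
    uid=$(${UID_LOOKUP:-id -u} "$1") || return 1
    for f in "$(ccache_dir)/krb5cc_$uid" "$(ccache_dir)/krb5cc_${uid}"_*; do
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Install the shared copy with mode 0600, owned by root when we run as root.
install_shared_ccache() {
    src=$(user_ccache "$1") || return 1
    target=$(shared_ccache)
    # Never follow a symlink planted in the shared directory by another user.
    [ -L "$target" ] && return 1
    install -m 0600 "$src" "$target" || return 1
    [ "$(id -u)" -eq 0 ] && chown root:root "$target"
    return 0
}

# Remove the shared copy at session close (the reply's concern).
remove_shared_ccache() {
    rm -f "$(shared_ccache)"
}

# Dispatch on the PAM phase libpam-script invoked us for (assumed values).
case "${PAM_TYPE:-}" in
    open_session)  install_shared_ccache "$PAM_USER" && service autofs restart ;;
    close_session) remove_shared_ccache ;;
esac
```

The autofs restart mirrors the workaround described above for the cached mount failure; if the mount is instead done from the pam module itself, as suggested in the reply, that line goes away.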

