Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
[Andreas B. Mundt]
> I finally figured out a way now, which works here and is not too
> First, make sure you have the package libpam-script available at the
> diskless client's chroot. libpam-script allows to run a script
> after successfull authentication. The script executed can be
> created by running:
We already use libpam-python for libpam-mklocaluser, which allow a
python script to provide a pam module. Perhaps it is better to
rewrite as python to avoid pulling in another dependency?
> The script executed right after authentication copies the user's
> Kerberos ticket to the file krb5cc_diskless which is owned by root.
> This ticket will be picked up by gssd to create the security context
> needed. However, it's needed to restart autofs, I am not exactly
> sure why. It looks like autofs caches failures in mounting a
> directory (which it tries earlier in the login process), and does
> not try again immediately when the ticket is available.
I guess we also need to remove the file when the user log in, to make
sure other users can't use another users ticket to mount?
> With these modifications fully kerberized NFSv4 mounting should be
> possible on all machines if there are no other issues like those
> reported in <URL:http://bugs.debian.org/613167#30> (pending?). I
> did not test LTSP diskless clients but a home-made chroot in
> combination with aufs.
This approach look really promosing. What about just dropping autofs
and mount the NFS volume in the pam module instead, like pam-mount?