Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
On Fri, Jan 27, 2012 at 09:19:21PM +0100, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > The script executed right after authentication copies the user's
> > Kerberos ticket to the file krb5cc_diskless which is owned by root.
> > This ticket will be picked up by gssd to create the security context
> > needed. However, it's needed to restart autofs, I am not exactly
> > sure why. It looks like autofs caches failures in mounting a
> > directory (which it tries earlier in the login process), and does
> > not try again immediately when the ticket is available.
> I guess we also need to remove the file when the user log in, to make
> sure other users can't use another users ticket to mount?
I think the ticket is used as if it where root's ticket, as the
automounter runs under root's ID. If the ticket is removed and the
automounter umounts the NFS after some time, accessing the home
directory again will fail, because there is no ticket anymore to
remount. The trick is a bit dirty, but so far I could not think of
any way to misuse the copied ticket, as it's only accessible by root.
A user logging in later or in parallel has no access.
> > With these modifications fully kerberized NFSv4 mounting should be
> > possible on all machines if there are no other issues like those
> > reported in <URL:http://bugs.debian.org/613167#30> (pending?). I
> > did not test LTSP diskless clients but a home-made chroot in
> > combination with aufs.
> This approach look really promosing. What about just dropping autofs
> and mount the NFS volume in the pam module instead, like pam-mount?
I don't know if pam-mount has any disadvantages compared to autofs
(umounting after some time of 'silence' on the file system?), but if
not, it's probably a good idea to switch.