
Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds



Hi,

your solution seems more or less an unavoidable hack.

It would be nice to tell Kerberos to skip the service check and verify
only the user ID.

What about this:

http://docs.oracle.com/cd/E19963-01/html/821-1456/setup-148.html#gihyu

Maybe it could be a solution, but I don't know exactly whether it works
as I think it should:

client # cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false
  ...

It should be possible to do it in a separate tiny client realm.

Cheers

Giorgio



On Fri, Jan 27, 2012 at 06:18:31PM +0100, Andreas B. Mundt wrote:
> Hi Giorgio,
> 
> On Fri, Jan 27, 2012 at 05:59:41PM +0100, Giorgio Pioda wrote:
> > 
> > What does autofs manage? / or only /home0 ?
> > 
> 
> Only home0
> 
> 
> > It shouldn't be that difficult to mount / without Kerberos
> > with plain NFS mounting at boot time
> > and /home0 with a secured env. later on at login
> > 
> 
> How do you make the secured env.?  As far as I know, for mounting NFSv4
> with sec=krb5 machine credentials are usually needed,
> i.e. /etc/krb5.keytab.  But /etc/krb5.keytab must not be in the
> chroot, because it will be readable by everyone in the network.
> 
> Do you know another solution to this problem?
> 
> Cheers,
> 
> 	Andi
> 
> > 
> > On Fri, Jan 27, 2012 at 05:18:53PM +0100, Andreas B. Mundt wrote:
> > > Hi everybody!
> > > 
> > > For quite some time we have been thinking about how to make
> > > kerberized NFSv4 mounting of home directories work with diskless
> > > clients, where no machine credentials (keytab) are available.
> > > 
> > > It was mentioned [1] that using "-n" for gssd on the diskless client
> > > might help, however this seems not to be enough.  
> > > 
> > > I finally figured out a way now, which works here and is not too
> > > invasive:
> > > 
> > > First, make sure you have the package libpam-script available in the
> > > diskless client's chroot.  libpam-script allows running a script after
> > > successful authentication.  The script executed can be created by
> > > running:
> > > 
> > > #!/bin/sh
> > > # Generate the libpam-script hook that runs after a successful authentication.
> > > set -e
> > > 
> > > FILE=/usr/share/libpam-script/pam_script_auth
> > > 
> > > cat > "$FILE" <<EOF
> > > #!/bin/sh
> > > # pam_script_auth: run by PAM as root with PAM_USER set.
> > > set -e
> > > # Nothing to do for root, or if a ticket has already been installed.
> > > if [ "\$PAM_USER" = "root" ] || ls /tmp/krb5cc_diskless > /dev/null 2>&1; then
> > >     exit 0
> > > fi
> > > 
> > > # Copy the freshly obtained user ticket cache where gssd will look for it.
> > > FILE=/tmp/krb5cc_diskless
> > > cp -v /tmp/krb5cc_pam_* "\$FILE"
> > > # autofs caches the earlier failed mount attempt; restart so it retries.
> > > /etc/init.d/autofs restart > /dev/null
> > > 
> > > exit 0
> > > EOF
> > > 
> > > chmod 0755 "$FILE"
> > > #============================
> > > 
> > > The script executed right after authentication copies the user's
> > > Kerberos ticket to the file krb5cc_diskless, which is owned by root.
> > > This ticket will be picked up by gssd to create the security context
> > > needed.  However, autofs needs to be restarted; I am not exactly sure
> > > why.  It looks like autofs caches failures in mounting a directory
> > > (which it tries earlier in the login process), and does not try again
> > > immediately when the ticket is available.
> > > 
> > > In addition, add the line 
> > >    RPCGSSDOPTS="-n" 
> > > to /etc/default/nfs-common and the line
> > >    auth    optional  pam_script.so
> > > to /etc/pam.d/common-auth. 
> > > 
> > > With these modifications fully kerberized NFSv4 mounting should
> > > be possible on all machines if there are no other issues like those
> > > reported in <URL:http://bugs.debian.org/613167#30> (pending?).  I did
> > > not test LTSP diskless clients but a home-made chroot in combination
> > > with aufs.
> > > 
> > > Best regards,  
> > > 
> > >      Andi
> > >   
> > > 
> > > [1] http://lists.debian.org/debian-edu/2010/07/msg00065.html
> > > 
> > > 
> > > -- 
> > > To UNSUBSCRIBE, email to debian-edu-REQUEST@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > > Archive: http://lists.debian.org/20120127161853.GA17722@flashgordon
> > > 
> > > 
> > 
> > -- 
> > Sysadmin SPSE-Tenero
> > Ufficio:   +41 91 735 62 48 
> > Cellulare: +41 79 629 20 63
> 
> -- 
> 
> ----------------------------------
> 
> A N D R E A S   B.  M U N D T
> 
>   Auf dem Rucken 68
>   89143 Blaubeuren
> 
> 
> phone priv.:  0049 (0)7344  17 909 38
>      mobile:  0049 (0)1577  29 222 42
>        VoIP:  sip:andi.mundt@ekiga.net
> 
> email:  andi.mundt@web.de
>         andreas.b.mundt@web.de
>         and1bm@web.de
> 
> GPG key: 4096R/617B586D 2010-03-22 Andreas B. Mundt--<andreas.b.mundt@web.de>
>                                    Andreas B. Mundt--<andi.mundt@web.de>
> 
> ============================================================================
> 

-- 
Sysadmin SPSE-Tenero
Ufficio:   +41 91 735 62 48 
Cellulare: +41 79 629 20 63
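A stricter variant of the pam_script_auth hook from Andi's mail, added here as an example and not part of the thread: rather than copying whatever /tmp/krb5cc_pam_* matches, it installs only a regular file owned by the authenticated user, refuses symlinks, and creates the root-owned copy 0600 via mktemp. It assumes GNU coreutils (stat, mktemp) and pam_krb5's krb5cc_pam_* cache naming in /tmp.

```shell
#!/bin/sh
# Hardened pam_script_auth (example, not the posted script).
# PAM runs this as root with PAM_USER set after a successful authentication.
set -e

# install_ticket USER SRCDIR DEST
# Copies the first acceptable cache in SRCDIR to DEST (mode 0600, atomic
# rename). Returns 0 on success, 1 if no cache belonging to USER was found.
install_ticket() {
    user=$1; srcdir=$2; dest=$3
    for cand in "$srcdir"/krb5cc_pam_*; do
        [ -e "$cand" ] || continue                         # glob matched nothing
        if [ -L "$cand" ]; then continue; fi               # never follow a planted symlink
        [ -f "$cand" ] || continue                         # regular files only
        [ "$(stat -c %U "$cand")" = "$user" ] || continue  # must belong to PAM_USER
        tmp=$(mktemp "$dest.XXXXXX")                       # created 0600 by mktemp
        cp "$cand" "$tmp"                                  # keeps the 0600 mode of $tmp
        mv -f "$tmp" "$dest"                               # atomic replace
        return 0
    done
    return 1
}

# Hook body: skip root and repeat logins, otherwise install the ticket and
# make autofs retry the mount it failed earlier in the login.
main() {
    dest=/tmp/krb5cc_diskless
    [ "$PAM_USER" = root ] && exit 0
    [ -e "$dest" ] && exit 0
    if install_ticket "$PAM_USER" /tmp "$dest"; then
        /etc/init.d/autofs restart > /dev/null
    fi
    exit 0
}

# Only act when invoked by PAM (PAM_USER set); sourcing the file does nothing.
if [ -n "${PAM_USER:-}" ]; then main; fi
```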

