Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds

To: "Andreas B. Mundt" <andi.mundt@web.de>, debian-edu@lists.debian.org
Subject: Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
From: Giorgio Pioda <gfwp@ticino.com>
Date: Mon, 6 Feb 2012 08:45:35 +0100
Message-id: <[🔎] 20120206074534.GB2854@ticino.com>
In-reply-to: <[🔎] 20120205213507.GA6821@flashgordon>
References: <20120127161853.GA17722@flashgordon> <[🔎] 20120205162520.GA2852@ticino.com> <[🔎] 20120205213507.GA6821@flashgordon>

Hi

On Sun, Feb 05, 2012 at 10:35:08PM +0100, Andreas B. Mundt wrote:
> Hi,
> 
> On Sun, Feb 05, 2012 at 05:25:20PM +0100, Giorgio Pioda wrote:
> 
> > > The script executed right after authentication copies the user's
> > > Kerberos ticket to the file krb5cc_diskless which is owned by root. 
> > > This ticket will be picked up by gssd to create the security context
> > > needed.  However, it's needed to restart autofs, I am not exactly sure
> > > why.  It looks like autofs caches failures in mounting a directory
> > > (which it tries earlier in the login process), and does not try again
> > > immediately when the ticket is available.     
> > > 
> > 
> > What about setting a delay in autofs?
> > 
> 
> How long?  I think entering the username triggers autofs (to read the
> user's configuration, for example which desktop he want's to start by
> default).  What if someone takes 15 seconds to enter his password, and
> someone else needs only 3 seconds?  Only if exactly at the right
> moment where pam gives the OK (i.e. the ticket is available) for login
> the autofs is triggered it will manage to provide the home directory.
> Imediatelly after that the user will have / as home (or might not be
> allowed to login on gdm).

It is pam that triggers autofs, I guess. Probably it is possible to
construct pam rules in such a way that your script is first executed
and only after this step aufofs is called, (either with libpam-script
or libpam-exec).

I've read around that such an hack has been
tested for EduUbuntu (thiny client based), but the guys didn't
publish the details.


> So I don't think that will work.  Did you have any success with the 
>    
>    verify_ap_req_nofail = false
> 

Yes, but it seems to be false by default. I have to test it again; no
success until now.

> stuff?
> 
> Best regards,
> 
>      Andi
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-edu-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 20120205213507.GA6821@flashgordon">http://lists.debian.org/[🔎] 20120205213507.GA6821@flashgordon
> 
> 

Regards

Giorgio

-- 
Sysadmin SPSE-Tenero
Ufficio:   +41 91 735 62 48 
Cellulare: +41 79 629 20 63

Reply to:

References:
- Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
  - From: Giorgio Pioda <gfwp@ticino.com>
- Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
  - From: "Andreas B. Mundt" <andi.mundt@web.de>

Prev by Date: Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Next by Date: Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Previous by thread: Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Next by thread: EduFication package
Index(es):
- Date
- Thread