Re: Diskless clients: NFSv4 mounting with sec=krb5p and no machine creds
Hi
On Sun, Feb 05, 2012 at 10:35:08PM +0100, Andreas B. Mundt wrote:
> Hi,
>
> On Sun, Feb 05, 2012 at 05:25:20PM +0100, Giorgio Pioda wrote:
>
> > > The script executed right after authentication copies the user's
> > > Kerberos ticket to the file krb5cc_diskless which is owned by root.
> > > This ticket will be picked up by gssd to create the security context
> > > needed. However, it's needed to restart autofs, I am not exactly sure
> > > why. It looks like autofs caches failures in mounting a directory
> > > (which it tries earlier in the login process), and does not try again
> > > immediately when the ticket is available.
> > >
> >
> > What about setting a delay in autofs?
> >
>
> How long? I think entering the username triggers autofs (to read the
> user's configuration, for example which desktop he wants to start by
> default). What if someone takes 15 seconds to enter his password, and
> someone else needs only 3 seconds? Only if exactly at the right
> moment where pam gives the OK (i.e. the ticket is available) for login
> the autofs is triggered it will manage to provide the home directory.
> Immediately after that the user will have / as home (or might not be
> allowed to login on gdm).
It is pam that triggers autofs, I guess. Probably it is possible to
construct pam rules in such a way that your script is first executed
and only after this step autofs is called (either with libpam-script
or libpam-exec).
I've read around that such a hack has been
tested for EduUbuntu (thin client based), but the guys didn't
publish the details.
> So I don't think that will work. Did you have any success with the
>
> verify_ap_req_nofail = false
>
Yes, but it seems to be false by default. I have to test it again; no
success until now.
> stuff?
>
> Best regards,
>
> Andi
Regards
Giorgio
--
Sysadmin SPSE-Tenero
Ufficio: +41 91 735 62 48
Cellulare: +41 79 629 20 63