OK. I am still working on this Kerberos+LDAP+NFSv4 transition. Now, I have started occasionally seeing some strange behavior when logging in via ssh. Essentially, what happens is that when logging in via SSH, the user is sometimes prevented from accessing his home directory.

Now, miami is my workstation into which I am physically logged in, while manta is a remote host (in this case, a CentOS machine, but I can reliably reproduce this when sshing in to a machine running Debian; all my Debian machines, servers and workstations, are running Etch). My user account is roberto, with uid 2000. Now, while I periodically get denied access to my home directory while using ssh to log in, this has never happened when logging in at the console.

What I don't understand is:

1) Why the problem when logging in via ssh?
2) Why is kdestroy alone not sufficient (i.e., why do I also need to run kinit)?

roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.

roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:46:11 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: roberto@CONNEXER.COM

Valid starting     Expires            Service principal
10/07/07 09:35:13  10/07/07 19:35:13  krbtgt/CONNEXER.COM@CONNEXER.COM
        renew until 10/08/07 09:35:12
10/07/07 09:35:14  10/07/07 19:35:13  nfs/miami.connexer.com@CONNEXER.COM
        renew until 10/08/07 09:35:12

Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kdestroy
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.

roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:47:33 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2000)

Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kinit
Password for roberto@CONNEXER.COM:
-bash-3.00$ logout
Connection to manta closed.

roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:48:09 2007 from miami.connexer.com
 07:48:49 up 1:07, 1 user, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
roberto  pts/0    miami.connexer.c  07:48    1.00s  0.00s  0.00s -bash
roberto@manta:~$ mount |grep \/network
miami:/ on /network type nfs4 (rw,sec=krb5p,addr=66.93.22.253)
roberto@manta:~$

Oct 8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
Oct 8 07:47:54 manta rpc.gssd[1948]: WARNING: Failed to create krb5 context for user with uid 2000 for server miami.connexer.com

If anyone has even the faintest idea what is going on, I would appreciate knowing your thoughts on this.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
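
Added example, not part of the original message: a Python check of the klist output quoted above against the time of the failing login, plus a lookup of the krb5 minor code from the rpc.gssd line in the RFC 4120 error table. The sample text is copied from the message (column spacing re-laid-out); the function names and the table subset are this example's own.

```python
import re
from datetime import datetime

# klist output copied from the session in the message above (spacing re-laid-out).
KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: roberto@CONNEXER.COM

Valid starting     Expires            Service principal
10/07/07 09:35:13  10/07/07 19:35:13  krbtgt/CONNEXER.COM@CONNEXER.COM
        renew until 10/08/07 09:35:12
10/07/07 09:35:14  10/07/07 19:35:13  nfs/miami.connexer.com@CONNEXER.COM
        renew until 10/08/07 09:35:12
"""
# rpc.gssd line copied from the message above.
GSSD = ("Oct 8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: "
        "(major) Miscellaneous failure - (minor) Unknown code krb5 32")

# Subset of RFC 4120 error codes that concern ticket lifetime and clocks.
KRB_ERRORS = {32: "KRB_AP_ERR_TKT_EXPIRED", 33: "KRB_AP_ERR_TKT_NYV",
              37: "KRB_AP_ERR_SKEW"}

TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$", re.M)  # skips "renew until" lines
FMT = "%m/%d/%y %H:%M:%S"

def parse_tickets(klist_text):
    """Return (service, start, expires) for each ticket line in klist output."""
    return [(m[3], datetime.strptime(m[1], FMT), datetime.strptime(m[2], FMT))
            for m in TICKET.finditer(klist_text)]

def expired_at(klist_text, when):
    """Service principals whose cached ticket had already expired at `when`."""
    return [svc for svc, _start, exp in parse_tickets(klist_text) if exp <= when]

def gssd_minor(line):
    """Map the krb5 minor code in an rpc.gssd failure line to its RFC 4120 name."""
    m = re.search(r"\(minor\) Unknown code krb5 (\d+)", line)
    if not m:
        return None
    code = int(m[1])
    return code, KRB_ERRORS.get(code, "unlisted")

if __name__ == "__main__":
    # "Last login" stamp shown in the klist session; that session began no earlier.
    login = datetime(2007, 10, 8, 7, 46, 11)
    print("expired at login:", expired_at(KLIST, login))
    print("rpc.gssd minor:", gssd_minor(GSSD))
```

Run against the session above, both cached tickets are reported as expired at login time and minor code 32 resolves to KRB_AP_ERR_TKT_EXPIRED.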