
home directory weirdness with Kerberos+NFSv4



OK.  I am still working on this Kerberos+LDAP+NFSv4 transition.  Now, I
have started occasionally seeing some strange behavior when logging in
via ssh.

Essentially, what happens is that when logging in via SSH, the user is
sometimes prevented from accessing his home directory.  Now, miami is my
workstation into which I am physically logged in, while manta is a
remote host (in this case, a CentOS machine, but I can reliably
reproduce this while sshing in to a machine running Debian; all my Debian
machines, servers and workstations, are running Etch).  My user account
is roberto, with uid 2000.  Now, while I periodically get denied access
to my home directory while using ssh to log in, this has never happened
when logging in at the console.

What I don't understand is:
 1) Why the problem when logging in via ssh?
 2) Why is kdestroy alone not sufficient (i.e., why do I also need to
 run kinit)?

roberto@miami:~$ ssh manta
Last login: Mon Oct  8 07:09:18 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth:  timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct  8 07:46:11 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth:  timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: roberto@CONNEXER.COM

Valid starting     Expires            Service principal
10/07/07 09:35:13  10/07/07 19:35:13  krbtgt/CONNEXER.COM@CONNEXER.COM
        renew until 10/08/07 09:35:12
10/07/07 09:35:14  10/07/07 19:35:13  nfs/miami.connexer.com@CONNEXER.COM
        renew until 10/08/07 09:35:12


Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kdestroy
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct  8 07:47:33 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth:  timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2000)


Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kinit
Password for roberto@CONNEXER.COM:
-bash-3.00$ logout
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct  8 07:48:09 2007 from miami.connexer.com
 07:48:49 up  1:07,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
roberto  pts/0    miami.connexer.c 07:48    1.00s  0.00s  0.00s -bash
roberto@manta:~$ mount |grep \/network
miami:/ on /network type nfs4 (rw,sec=krb5p,addr=66.93.22.253)
roberto@manta:~$


Oct  8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
Oct  8 07:47:54 manta rpc.gssd[1948]: WARNING: Failed to create krb5 context for user with uid 2000 for server miami.connexer.com

If anyone has even the faintest idea what is going on, I would
appreciate knowing your thoughts on this.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
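
Added example, not part of the original post: a Python check that reads klist output in the format shown in the session above and lists tickets already expired at a given time, and that extracts the numeric krb5 minor code rpc.gssd logs. The function names and the small code table (names per RFC 4120) are assumptions of this example; the sample input is copied from the session above.

```python
import re
from datetime import datetime

# Kerberos error codes from RFC 4120; rpc.gssd may log only the number,
# as in "Unknown code krb5 32". Table is a small excerpt (example's choice).
KRB5_CODES = {
    32: "KRB_AP_ERR_TKT_EXPIRED (ticket expired)",
    33: "KRB_AP_ERR_TKT_NYV (ticket not yet valid)",
    37: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# One MIT klist ticket row: "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  principal"
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ROW = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%y %H:%M:%S"

def expired_tickets(klist_text, now):
    """Return [(service_principal, expiry)] for tickets already expired at `now`."""
    out = []
    for line in klist_text.splitlines():
        m = ROW.match(line.strip())  # "renew until" and header lines do not match
        if m:
            expires = datetime.strptime(m.group(2), FMT)
            if expires <= now:
                out.append((m.group(3), expires))
    return out

def gssd_minor_code(log_line):
    """Extract the numeric krb5 minor status from an rpc.gssd log line, or None."""
    m = re.search(r"\(minor\) Unknown code krb5 (\d+)", log_line)
    return int(m.group(1)) if m else None

# Sample input: ticket rows and log line copied from the session in the post.
KLIST = """\
Valid starting     Expires            Service principal
10/07/07 09:35:13  10/07/07 19:35:13  krbtgt/CONNEXER.COM@CONNEXER.COM
        renew until 10/08/07 09:35:12
10/07/07 09:35:14  10/07/07 19:35:13  nfs/miami.connexer.com@CONNEXER.COM
"""
LOG = ("Oct  8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: "
       "(major) Miscellaneous failure - (minor) Unknown code krb5 32")

if __name__ == "__main__":
    now = datetime(2007, 10, 8, 7, 47, 54)  # time of the rpc.gssd warning
    for principal, expires in expired_tickets(KLIST, now):
        print(f"expired {expires}  {principal}")
    code = gssd_minor_code(LOG)
    print(code, KRB5_CODES.get(code, "not in this table"))
```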
