
Kerberized NFSv4: rpc.idmapd only "sees" root principal



Hi everybody,

I've got an autofs5, OpenLDAP, MIT Kerberos, and NFSv4 setup running
on Debian Lenny. All required principals are present in the
krb5.keytab files on both client and server. PAM has been configured
accordingly for krb5.

Generally speaking, everything (kinit, passwordless ssh logins,
manually mounting the NFSv4 file system, automatically mounting and
unmounting the file system) works *except* for UID/GID mapping, i.e.
the mounted file system always belongs to root and I get "permission
denied" whenever I try to access files below the mounted home
directory. From the log I inferred that rpc.idmapd only "sees" the
root principal, even though the "regular" user principal is processed,
including determination of supplementary groups.

Also, "getent passwd" and "getent group" list all entries, both local
and LDAP ones.

Creating new files e.g. below /tmp is no problem, including group
changing using "newgrp". Every newly created file below /tmp has
correct ownerships and permissions.

Ok, I did the following in order to get "clean" (without references to
purely local uids except for root) NFS client and server logs:

- logged out as "user" and waited for /export/home/user to be
  automatically unmounted by autofs5.
  
  on the client (named "client" in the log files):
  - stopped autofs5: /etc/init.d/autofs stop
  - stopped nfs-common: /etc/init.d/nfs-common stop
  
  on the server (named "server" in the log files):
  - stopped nfs-kernel-server: /etc/init.d/nfs-kernel-server stop
  - stopped nfs-common: /etc/init.d/nfs-common stop
  
  - Became root and manually removed all /tmp/krb5* files (looked for
    these on both client and server; though I only found them on the
    client).
      
  on the server (named "server" in the log files):
    - started nfs-common: /etc/init.d/nfs-common start
    - started nfs-kernel-server: /etc/init.d/nfs-kernel-server start
      
  on the client (named "client" in the log files):
    - started nfs-common: /etc/init.d/nfs-common start
    - started autofs5: /etc/init.d/autofs start
      
- Switched to a serial console on the client host (ttyS0)
      
- logged in as user directly from the login: prompt on ttyS0
      
  ===> Unfortunately, the problem persists even though there's no
       error displayed anymore in /var/log/daemon.log on
       the client host

The interesting thing to note is that there seem to be no obvious
errors in the log files (the string "ERROR" doesn't appear).

Any idea what's going on? (I can provide config and/or log files if
requested; I just don't want this email to become too long without
asking for permission in advance).

Thanks in advance & kind regards,

       Holger
       
