From: Tom <thomas.wunder@swt-bamberg.de>
To: linux-nfs@vger.kernel.org
Subject: NFS-Mount with MIT-Kerberos5 doesn't use user tickets...
Date: Wed, 7 Apr 2010 14:37:24 +0000 (UTC) [thread overview]
Message-ID: <loom.20100407T160936-119@post.gmane.org> (raw)
I'm trying to set up a kerberized NFSv4 client to mount a share using a local
ticket (obtained by PAM when the user logged into the shell) instead of a
machine specific ticket (i.e. I'd like to do user-based authorization). I
already managed to get machine based authentification/authorization working for
a test but i can't (and i don't want to) use local keytab files for storing the
machine keys on the client machines in my production environment.
I'm running the rpc.gssd with the "-n -vvv -rrr" to make it consider user
tickets too.
Now, when I try to mount the share to "/mnt/net" (the according fstab-line
looks like "dnsdhcp:/ /mnt/net nfs4 sec=krb5p,user 0 0") the credentials
cache of the user which is doing the mount is not being used. The second
log message reads
"rpc.gssd[888]: getting credentials for client with uid 0 for server <srvname>"
Googling around a bit i found out that some other people managed to make mount
use the uid of the initiating user rather than 'root'(uid=0) (though they seem
to have other problems...).
I'm not quite sure what is wrong with my setup and therefore i tried to dig
into the code of gssd. The only thing i found is that the uid (0 in my case)
is read from a file "clntXX/krb5" (within a pipefs) which is obviously
written by the kernel.
A kernel update to 2.6.32-19 (i'm using ubuntu karmic on an amd64 machine)
didn't make it any better.
Complete Log (client): http://pastebin.com/s7B2W7ie
The user ticket (i'm running the mount-command from an account of a user which
is authenticated via kerberos (MIT Kerberos5)) resided in
/tmp/krb5cc_10002_H6OYu0
Here's what klist said http://pastebin.com/Lrrs3AwM
And this is the client's krb5.conf: http://pastebin.com/JChsVNJQ
I'm really desperate now because i've been working on this problem for nearly
two weeks now and i couldn't get by...
Can you suggest me how to specify which user should be utilized to carry out
the mount? (Did I misconfigure something?)
By the way i've already downloaded the source-code of the nfs-utils
(ver. 1.2.0) and modified
void handle_krb5_upcall(struct clnt_info *clp)
from
gssd/gssd_proc.c
to statically set uid to 10002 (just for testing what will happen) and it's
pretty interesting what comes out:
http://pastebin.com/Qi1rWMLC
Thanks in advance!
next reply other threads:[~2010-04-07 15:15 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-07 14:37 Tom [this message]
2010-04-07 15:29 ` NFS-Mount with MIT-Kerberos5 doesn't use user tickets Kevin Coffman
2010-04-07 23:11 ` thomas.wunder
2010-04-08 14:18 ` Kevin Coffman
2010-04-08 15:39 ` Thomas Wunder
2010-04-08 18:58 ` Kevin Coffman
2010-04-09 9:15 ` Thomas Wunder
2010-04-09 14:50 ` Kevin Coffman
[not found] ` <y2o4d569c331004090750zeb56bf58udb7bbfb3277832c-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-04-09 15:00 ` William A. (Andy) Adamson
2010-04-09 16:37 ` Chuck Lever
2010-04-10 16:13 ` Thomas Wunder
2010-04-07 15:32 ` Andy Adamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=loom.20100407T160936-119@post.gmane.org \
--to=thomas.wunder@swt-bamberg.de \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.