Hi,

I have a problem with my setup. In the end it should work like this:
- Users are in LDAP, including their passwords
- Home directories are mounted via NFSv4 on the clients
- Client machines are authenticated to the NFS server via MIT Kerberos
- Users are authenticated via libpam-ldap

Most of that is already working and IIRC I already had everything
working when I tried it some time ago, but now I can't figure out what
I did wrong this time.

What I have:
- 1 machine running slapd, nfs-kernel-server and MIT Kerberos v5 (FQDN
is server.bws.example)
- 1 machine acting as client (FQDN is client.bws.example)
- 1 user in the LDAP tree called 'testuser' with home directory set to
/home/nfs/testuser
- 1 export on the server:
/srv/nfs *(rw,sync,fsid=0,sec=krb5p)
- 1 nfs4 mount on the client:
server.bws.example:/ /home/nfs nfs4 sec=krb5p 0 0
- 2 principals: nfs/server.bws.example and nfs/client.bws.example;
each of those has been exported and put in /etc/krb5.keytab on the
corresponding machine
- on both machines, matching lines in /etc/hosts:
192.168.0.1 server.bws.example server
192.168.0.2 client.bws.example client

What works:
- testuser can log in on the client
- /home/nfs can be mounted on the client
- ls -ld /home/nfs/testuser as root shows the directory belonging to
testuser:testuser with permissions 755

What does not:
- testuser can't get to his own home directory. He gets a 'permission
denied' when trying to access /home/nfs

syslog on the client:
rpc.gssd: ERROR: GSS-API: error in gss_acquite_cred(): Unspecified GSS
failure. Minor code may provide more information - No credentials cache
found
rpc.gssd: WARNING: Failed to create krb5 context for user with uid 10000
for server server.bws.example

This looks to me like 'testuser' should have a principal in Kerberos to
use the NFS mount.

Is there a possibility to just make the machines authenticate each other
for the NFS mount and NOT need every single user in Kerberos as well?
AFAIR I had a setup like this only some weeks ago, but I'm not able to
reproduce it.

Any help with this is appreciated. Since I am not subscribed to the list
(yet), please CC me.

If you need any more information, please ask.

Thanks in advance!

Hendrik Jaeger
--
Slang is language that takes off its coat, spits on its hands, and goes to work.
By default, the machine credentials are used for mount (and any file
access done by root). The testuser needs to have their own Kerberos
credentials. I can't think of any work-around to that.
K.C.
On Tue, Jun 3, 2008 at 7:57 AM, Hendrik Jaeger <[email protected]> wrote:
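An added example, not code from either message in this thread, that an admin can run on the client to confirm K.C.'s diagnosis: an export with a sec=krb5* flavor makes every uid that touches the filesystem need its own Kerberos credential cache, and rpc.gssd logs exactly which uid had none. The three helpers parse an /etc/exports line for its security flavors, pull "uid server" pairs out of rpc.gssd syslog lines, and list the FILE credential caches present for a uid. The cache location is an assumption: the default rpc.gssd searches is /tmp/krb5cc_<uid>, so pass a different directory if your ccache layout differs. The exports line and the log line in the comments are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers to confirm that a krb5 export
# requires per-user credentials and to find the uid rpc.gssd complained about.

# usage: export_sec_flavors '<exports line>'
# Prints the sec= flavors the export demands, one per line.
# With no sec= option the kernel default flavor "sys" (AUTH_UNIX) applies.
export_sec_flavors() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    if [ -z "$sec" ]; then
        echo sys
    else
        # sec=sys:krb5:krb5p lists several flavors separated by ':'
        printf '%s\n' "$sec" | tr ':' '\n'
    fi
}

# usage: export_needs_user_creds '<exports line>'
# Exit 0 if any flavor is a krb5 variant (krb5, krb5i, krb5p), 1 otherwise.
export_needs_user_creds() {
    export_sec_flavors "$1" | grep -q '^krb5'
}

# usage: gssd_uids_without_creds <syslog file>
# For every "Failed to create krb5 context" warning from rpc.gssd, print
# "<uid> <server>". Constructed sample line (one syslog line, not wrapped):
#   rpc.gssd[1234]: WARNING: Failed to create krb5 context for user with uid 10000 for server server.bws.example
gssd_uids_without_creds() {
    sed -n 's/.*Failed to create krb5 context for user with uid \([0-9][0-9]*\) for server \([^ ]*\).*/\1 \2/p' "$1"
}

# usage: ccaches_for_uid <uid> [ccache dir]
# Lists FILE credential caches for the uid in the directory rpc.gssd scans.
# Assumption: default rpc.gssd layout, /tmp/krb5cc_<uid> (optionally with a
# _<suffix>); an empty result is the "No credentials cache found" case.
ccaches_for_uid() {
    uid=$1
    dir=${2:-/tmp}
    for f in "$dir"/krb5cc_"$uid" "$dir"/krb5cc_"$uid"_*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Typical check on the client after the user logged in:
#   export_needs_user_creds "$(grep '^/srv/nfs' /etc/exports)" && \
#       ccaches_for_uid 10000
# An empty list means the user never obtained a ticket in that session; the
# usual remedy is to acquire one at login (kinit, or a PAM module that does
# so) rather than to relax sec= on the export.
```

The log parser deliberately keys on the WARNING line rather than the GSS-API ERROR line, because the warning is the one that carries the uid and the server name, which is what you need to decide whether the failing user is missing a cache or the wrong server principal is being contacted.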