Return-Path: Received: from urz32.uni-bamberg.de ([141.13.240.32]:3470 "EHLO urz32.UNI-BAMBERG.DE" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758823Ab0DHPjH convert rfc822-to-8bit (ORCPT ); Thu, 8 Apr 2010 11:39:07 -0400 From: Thomas Wunder To: Kevin Coffman , linux-nfs@vger.kernel.org Subject: Re: NFS-Mount with MIT-Kerberos5 doesn't use user tickets... Date: Thu, 8 Apr 2010 17:39:21 +0200 References: <201004080111.29452.thomas.wunder@swt-bamberg.de> In-Reply-To: Message-Id: <201004081739.21853.thomas.wunder@swt-bamberg.de> Content-Type: Text/Plain; charset="iso-8859-1" Sender: linux-nfs-owner@vger.kernel.org List-ID: MIME-Version: 1.0 On Thursday 08 April 2010 16:18:11 you wrote: > On Wed, Apr 7, 2010 at 7:11 PM, wrote: > >> By the looks of your /etc/fstab entry, the system (root) will try to > >> mount /mnt/net automatically. You could try adding the "noauto" > >> option and then manually issuing the mount command as the user. (Or > >> use automount?) > >> K.C. > > > > I'm pretty sure that it doesn't try to automatically mount the share on > > startup since there is no log entry that would indicate such an attempt. > > I already tried to do the mount as a user (which is authenticated via > > kerberos such that there is a valid ticket for that user) the logs (that > > i have posted) are showing what comes out of it. If I try to do the mount > > without the fstab- entry (i.e. mount -t nfs4 -o sec=krb5p dnsdhcp:/ > > /mnt/net) it is being rejected on the grounds that only root can perform > > a mount. 'sudo' doesn't work currently (i've got some problems with my > > PAM config for sudo) so I haven't had any chance to try it out... > > > > I've already set up automount but it actually does exactly the same as if > > I ran mount manually as described above. > > > > I'm totally confused because I don't understand what people like > > http://thread.gmane.org/gmane.linux.nfsv4/5893 > > might have done to perform a mount with normal user privileges. If it was > > really mandatory to be root (as stated by Andy Adamson in the other > > message) then I wouldn't really understand why they should have > > implemented the uid passing using that pipefs file.... > > Hello Tom, > > To allow non-root users to do the mount, add the "user" option to the > entry in /etc/fstab. Then the user with uid 10002 should be able to > kinit and then mount. (Note that in this case, there is no need for > the "-n" option to rpc.gssd.) > > K.C. > I've already added have the "user"-option in my fstab (I also reported that in my very first message) such that the entry looks like: dnsdhcp:/ /mnt/net nfs4 sec=krb5p,user 0 0 To express it more clearly: The user with uid=10002 (username = tomkrb) can do a kinit but i guess it doesn't need to if it is already logged into a bash-console using pam_krb5- authentication-module. A ticket already exists for that session in the /tmp directory and if i modify the "void handle_krb5_upcall(struct clnt_info *clp)"-function in gssd_proc.c to not use the uid which is passed by the kernel but rather use 10002 (statically) that ticket is also accepted. Meanwhile i succeeded in getting sudo working. Performing sudo mount -t nfs4 -o sec=krb5p dnsdhcp:/ /mnt/net from a (physical) console where tomkrb (uid=10002) is logged in also results in uid=0 being passed instead of uid=10002. Is it possible to understand what i'd like to do at all? -- Lehrstuhl f?r Softwaretechnik und Programmiersprachen Fakult?t WIAI, Universit?t Bamberg, 96045 Bamberg Email: thomas.wunder@swt-bamberg.de Web: http://www.swt-bamberg.de/ Tel.: 0951 863-3852 / Fax: 0951 863-3855