NFSv3 + krb5 home directory problem
Jim Davis
jdavis at CS.Arizona.EDU
Thu Feb 8 15:33:13 EST 2007
I've been trying to get NFSv3 home directory mounts with sec=krb5
working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
client with the latest nfs-* RPMs installed and kernel version
2.6.18-1.2869.fc6. Our KDCs run FreeBSD 6.1 with the MIT Kerberos
port installed. Authentication seems to work okay,
Script started on Thu Feb 8 13:14:42 2007
bsod$ /bin/su - testacct
Password:
but the home directory isn't usable.
/bin/su: warning: cannot change directory to /home/testacct: Permission denied
-bash: /home/testacct/.bash_profile: Permission denied
The mount though did succeed:
-bash-3.1$ mount | grep testacct
sinagua:/vol/vol0/home/testacct on /home/testacct type nfs (rw,nfsvers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5,addr=172.16.1.252)
-bash-3.1$ grep testacct /etc/auto.home
testacct -rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5 sinagua:/vol/vol0/home/testacct
But
-bash-3.1$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
Okay, I thought the PAM stack would provide the credentials. But even
after running kinit...
-bash-3.1$ kinit
Password for testacct@CS.ARIZONA.EDU:
-bash-3.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testacct@CS.ARIZONA.EDU
Valid starting     Expires            Service principal
02/08/07 13:15:42  02/09/07 13:15:42  krbtgt/CS.ARIZONA.EDU@CS.ARIZONA.EDU
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
...the directory still isn't usable.
-bash-3.1$ cd
-bash: cd: /home/testacct: Permission denied
Here's the PAM system-auth file (using Russ Allbery's pam_krb5-3.4):
-bash-3.1$ cat /etc/pam.d/system-auth
auth      sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=14
auth      required   pam_unix.so
account   required   /usr/local/lib/security/pam_krb5.so minimum_uid=14
account   required   pam_unix.so
password  required   pam_cracklib.so retry=3
password  required   pam_unix.so use_authtok
password  required   /usr/local/lib/security/pam_krb5.so use_authtok minimum_uid=14
session   required   pam_limits.so
session   optional   /usr/local/lib/security/pam_krb5.so minimum_uid=14
session   required   pam_unix.so
What am I missing?
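As an added example, not part of the original post: a small offline checker that parses `klist -e` output and reports what a sec=krb5 NFS mount needs from the user's credential cache on the client side: a cache at the /tmp/krb5cc_<uid> name rpc.gssd scans by default, a TGT for the realm, an nfs/<server> service ticket (rpc.gssd fetches that into the user's cache when it sets up the GSS context for the mount), and a service-ticket enctype the kernel's GSS krb5 code will accept. The sample klist texts are constructed from the transcript above; the filer's FQDN, the DES-only enctype set assumed for a 2.6.18 kernel, and the function names are assumptions of this example, not anything from the post or from nfs-utils.

```python
"""Offline checker for the client-side state a sec=krb5 NFS mount needs.
Parses `klist -e` output and lists what is missing for a given uid."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed samples, taken from the klist output in the post.  The
# Kerberos 4 lines are kept so the parser is seen to ignore them.
KLIST_NO_CACHE = """klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
"""

KLIST_TGT_ONLY = """Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testacct@CS.ARIZONA.EDU

Valid starting     Expires            Service principal
02/08/07 13:15:42  02/09/07 13:15:42  krbtgt/CS.ARIZONA.EDU@CS.ARIZONA.EDU
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
"""

# Constructed: how the cache would look once rpc.gssd had obtained the filer's
# service ticket.  The FQDN is an assumption; the post only names "sinagua".
NFS_HOST = "sinagua.cs.arizona.edu"
REALM = "CS.ARIZONA.EDU"
KLIST_WITH_NFS = KLIST_TGT_ONLY.replace(
    "Kerberos 4 ticket cache: /tmp/tkt500\nklist: You have no tickets cached\n",
    f"02/08/07 13:16:05  02/09/07 13:15:42  nfs/{NFS_HOST}@{REALM}\n"
    "\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32\n")

# Assumption for this example: the rpcsec_gss krb5 code in a 2.6.18 kernel
# negotiates only single-DES session keys (names as MIT klist -e prints them).
KERNEL_2_6_18_ETYPES = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5"}


@dataclass
class Ticket:
    service: str
    skey_etype: str = ""
    tkt_etype: str = ""


@dataclass
class CredCache:
    path: str = ""
    principal: str = ""
    present: bool = True
    tickets: List[Ticket] = field(default_factory=list)


TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
ETYPE_RE = re.compile(r"^Etype \(skey, tkt\): (.+?), (.+)$")


def parse_klist(text: str) -> CredCache:
    """Parse MIT `klist -e` output (ticket line followed by its Etype line)."""
    cache = CredCache()
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache: "):
            cache.path = line.split(": ", 1)[1]
        elif line.startswith("klist: No credentials cache found"):
            m = re.search(r"\(ticket cache (\S+)\)", line)
            cache.path = m.group(1) if m else ""
            cache.present = False
        elif line.startswith("Default principal: "):
            cache.principal = line.split(": ", 1)[1]
        elif (m := TICKET_RE.match(line)):
            pending = Ticket(service=m.group(1))
            cache.tickets.append(pending)
        elif (m := ETYPE_RE.match(line)) and pending is not None:
            pending.skey_etype, pending.tkt_etype = m.group(1), m.group(2)
    return cache


def check_nfs_krb5(cache: CredCache, uid: int, nfs_host: str, realm: str,
                   kernel_etypes=frozenset(KERNEL_2_6_18_ETYPES)) -> List[str]:
    """Return the reasons a sec=krb5 mount could not work for this cache."""
    findings = []
    expected = f"FILE:/tmp/krb5cc_{uid}"
    if not cache.present:
        findings.append(f"no credentials cache at {cache.path}: kinit, or a pam_krb5 "
                        "session that creates the cache, has to run before the mount is used")
        return findings
    if not cache.path.startswith(expected):
        findings.append(f"cache {cache.path} is not the {expected} rpc.gssd scans for uid {uid}")
    tgt = f"krbtgt/{realm}@{realm}"
    if not any(t.service == tgt for t in cache.tickets):
        findings.append(f"no TGT {tgt} in the cache")
    svc = f"nfs/{nfs_host}@{realm}"
    nfs_tickets = [t for t in cache.tickets if t.service == svc]
    if not nfs_tickets:
        findings.append(f"no {svc} ticket: rpc.gssd has not built a GSS context for "
                        f"uid {uid} (is it running, and can it see this cache?)")
    for t in nfs_tickets:
        if t.tkt_etype not in kernel_etypes:
            findings.append(f"service ticket enctype '{t.tkt_etype}' is not one the "
                            f"kernel GSS krb5 code accepts: {sorted(kernel_etypes)}")
    return findings


if __name__ == "__main__":
    for label, text in (("before kinit", KLIST_NO_CACHE), ("after kinit", KLIST_TGT_ONLY),
                        ("with nfs ticket", KLIST_WITH_NFS)):
        print(label, check_nfs_krb5(parse_klist(text), 500, NFS_HOST, REALM) or ["ok"])
```

Run it against `klist -e` output captured from the account that cannot enter its home directory; each finding names the next thing to look at (cache location, missing TGT, rpc.gssd never having fetched the nfs/ ticket, or an enctype the kernel will not negotiate).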