NFSv3 + krb5 home directory problem

Kevin Coffman kwc at citi.umich.edu
Thu Feb 8 16:45:17 EST 2007


Why PAM is not getting you credentials may be applicable on this list.

However, the part about NFS access failing after getting credentials
is an NFS question.  Please send a follow-up to
nfs at lists.sourceforge.net with the output of running rpc.gssd with the
-vvv option.

K.C.

On 2/8/07, Jim Davis <jdavis at cs.arizona.edu> wrote:
> I've been trying to get NFSv3 home directory mounts with sec=krb5
> working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
> client with the latest nfs-* RPMs installed and kernel version
> 2.6.18-1.2869.fc6.  Our KDCs run FreeBSD 6.1 with the MIT Kerberos
> port installed.  Authentication seems to work okay,
>
> Script started on Thu Feb  8 13:14:42 2007
> bsod$ /bin/su - testacct
> Password:
>
> but the home directory isn't usable.
>
> /bin/su: warning: cannot change directory to /home/testacct: Permission denied
> -bash: /home/testacct/.bash_profile: Permission denied
>
> The mount though did succeed:
>
> -bash-3.1$ mount | grep testacct
> sinagua:/vol/vol0/home/testacct on /home/testacct type nfs (rw,nfsvers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5,addr=172.16.1.252)
> -bash-3.1$ grep testacct /etc/auto.home
> testacct -rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5 sinagua:/vol/vol0/home/testacct
>
> But
>
> -bash-3.1$ klist -e
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
>
> Okay, I thought the PAM stack would provide the credentials.  But even
> after running kinit...
>
> -bash-3.1$ kinit
> Password for testacct at CS.ARIZONA.EDU:
> -bash-3.1$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: testacct at CS.ARIZONA.EDU
>
> Valid starting     Expires            Service principal
> 02/08/07 13:15:42  02/09/07 13:15:42  krbtgt/CS.ARIZONA.EDU at CS.ARIZONA.EDU
>          Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
>
> ...the directory still isn't usable.
>
> -bash-3.1$ cd
> -bash: cd: /home/testacct: Permission denied
>
> Here's the PAM system-auth file (using Russ Allbery's pam_krb5-3.4):
>
> -bash-3.1$ cat /etc/pam.d/system-auth
> auth       sufficient  /usr/local/lib/security/pam_krb5.so minimum_uid=14
> auth       required    pam_unix.so
>
> account    required    /usr/local/lib/security/pam_krb5.so minimum_uid=14
> account    required    pam_unix.so
>
> password   requried    pam_cracklib.so retry=3
> password   required    pam_unix.so use_authtok
> password   required    /usr/local/lib/security/pam_krb5.so use_authtok minimum_uid=14
>
> session    required    pam_limits.so
> session    optional    /usr/local/lib/security/pam_krb5.so minimum_uid=14
> session    required    pam_unix.so
>
> What am I missing?