Solved: Kerberised NFS

Edward Irvine eirvine at tpg.com.au
Fri Feb 13 06:21:41 EST 2009


Hi Folks,

Thanks for the feedback everyone.

On 13/02/2009, at 3:52 AM, Douglas E. Engert wrote:

>
>
> Edward Irvine wrote:
>> Hi Folks,
>> Is there a ticket between client and server that expires? If so,
>> how does it get renewed?
>> Kerberised NFS presumably requires authentication and  
>> (optionally)  encryption between client and server, so presumably  
>> the client needs  to get a ticket prior to contacting the server.
>
> Are you talking NFSv4 or NFSv3?

NFSv4: nothing was done to downgrade it to NFSv3

>> I appear to be successfully sharing out /export/home from a
>> server with kerberos security options, and successfully
>> automounting user's home directories on client machines when they
>> log in. However, first thing in the morning the home directories
>> on client machines are inaccessible (i.e. when I ssh in my home
>> directory is unavailable). Restarting automountd fixes things for
>> the rest of the day.
>
> First of all the sshd must get a kerberos ticket, either by
> delegated gssapi credentials( i.e. forwarded kerberos ticket),
> or by keyboard interactive. You will need to setup pam.conf for sshd-*

Yes and no. When I logged in with ssh I *thought* I got a ticket. But  
now I suspect the TGT I saw yesterday was a stale one.

Turns out when I logged in directly to the machine using username/password
I got a TGT (via pam_krb5). Home directory mounting worked
as expected. However, when I logged in to the target via another  
kerberised machine I authenticated "seamlessly" via GSSAPI. In which  
case I did not have a TGT on the target as it was not being forwarded  
by my workstation. Thus, my Kerberos protected home directory on the  
target was not being automounted.

>
> On Solaris the sshd has multiple entries in pam.conf depending on
> which authentication method was used; see the man page for sshd at
> the end for sshd-gssapi and sshd-kbdint.
>
> dtlogin can also call pam_krb5  see the man page on pam_krb5.
>
>> This is Solaris 10 u6 on client and server, and using the Solaris
>> 10 u6 Kerberos server. There is no NIS or LDAP naming going on
>> (yet) - nsswitch is to files and DNS. The mapid domain name is
>> set in /etc/defaults/nfs.
>
> Solaris with NFSv4 will only use the default Kerberos ticket cache,
> for a user: /tmp/krb5cc_<uid>  Even if you have KRB5CCNAME set.
> (Personally, I consider this a step backwards and have expressed this
> to Sun many times.)
>
> Having said all the above, we do get tickets at login, sshd and screen
> unlock, but use AFS (which uses Kerberos V5) for home directories,
> not NFS. I would expect that if pam is setup to get the tickets,
> the NFS code would use them for home directory access.
>
>
>> Any pointers greatly appreciated.
>> Eddie



On my workstation (and all kerberos clients) I have now inserted:

a)  "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
b)  "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
c)  Played around with /etc/krb5/warn.conf so that tickets are
automatically renewed.

The end result is that I now have a TGT on the target, even when I  
log in to an intermediate machine first.

I also did a little experiment. After logging in to the target  
machine, (with the GSSAPIDelegateCredentials working and all), I ran  
the "kdestroy" command. As expected, my home directory became  
immediately unreadable until I got a new TGT with the "kinit"  
command. Cool...
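The thread above pins the failure on three things lining up: the ssh client must delegate credentials, the KDC must issue forwardable tickets, and the resulting TGT must land in /tmp/krb5cc_<uid>, the only cache the Solaris NFSv4 client is said to read. The script below is an added example, not something posted in the thread or shipped with Solaris: it checks each of those three conditions read-only and reports which one is missing. The function names, the constructed sample config files it writes into a temporary directory, and the default paths (/etc/ssh/ssh_config, /etc/krb5/krb5.conf, /tmp) are this example's own assumptions; pass your own paths as arguments to run it against a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only check of the three
# preconditions the thread identifies for a TGT to reach the NFS-serving side
# of an ssh hop:
#   1. the ssh client delegates credentials (GSSAPIDelegateCredentials yes),
#   2. the KDC issues forwardable tickets (forwardable = true in [libdefaults]),
#   3. a ticket actually sits in <prefix>/krb5cc_<uid>, the default cache
#      (the thread reports Solaris NFSv4 ignores KRB5CCNAME and reads only this).
# Default paths are assumptions based on the thread; override them as arguments.

# 0 if FILE ($1) has an uncommented "GSSAPIDelegateCredentials yes" line.
ssh_delegates() {
    grep -iE '^[[:space:]]*GSSAPIDelegateCredentials[[:space:]]+yes[[:space:]]*$' "$1" >/dev/null 2>&1
}

# 0 if FILE ($1) sets forwardable = true (or yes) inside [libdefaults].
# awk tracks the current section, so the same key under [realms] or
# [appdefaults] does not satisfy the check.
krb5_forwardable() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /\[libdefaults\]/); next }
        insec && /^[[:space:]]*forwardable[[:space:]]*=[[:space:]]*(true|yes)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# 0 if a non-empty default cache for UID ($1) exists under PREFIX ($2, default /tmp).
default_cache_present() {
    [ -s "${2:-/tmp}/krb5cc_$1" ]
}

# Run all three checks, print one verdict line each, return 0 only if all pass.
# Arguments (all optional): ssh_config path, krb5.conf path, uid, cache prefix.
check_kerberised_nfs() {
    sshcfg=${1:-/etc/ssh/ssh_config}
    krbcfg=${2:-/etc/krb5/krb5.conf}
    uid=${3:-$(id -u)}
    prefix=${4:-/tmp}
    rc=0
    if ssh_delegates "$sshcfg"; then echo "ok   $sshcfg delegates GSSAPI credentials"
    else echo "FAIL $sshcfg lacks 'GSSAPIDelegateCredentials yes'"; rc=1; fi
    if krb5_forwardable "$krbcfg"; then echo "ok   $krbcfg requests forwardable tickets"
    else echo "FAIL $krbcfg lacks 'forwardable = true' under [libdefaults]"; rc=1; fi
    if default_cache_present "$uid" "$prefix"; then echo "ok   $prefix/krb5cc_$uid present"
    else echo "FAIL no TGT in $prefix/krb5cc_$uid (kinit, or log in with delegation)"; rc=1; fi
    return $rc
}

# Write constructed sample files into DIR ($1): a good ssh_config, a good
# krb5.conf, a krb5.conf with forwardable in the wrong section, and a
# stand-in (not real) cache file for the current uid.
make_sample_configs() {
    dir=$1
    printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' > "$dir/ssh_config"
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n    forwardable = true\n[realms]\n' > "$dir/krb5.conf"
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n[appdefaults]\n    forwardable = true\n' > "$dir/krb5.conf.bad"
    printf 'constructed stand-in, not a real credential cache\n' > "$dir/krb5cc_$(id -u)"
}

# Stand-alone demo on the constructed files only (never touches /etc or /tmp/krb5cc_*).
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
check_kerberised_nfs "$demo_dir/ssh_config" "$demo_dir/krb5.conf" "$(id -u)" "$demo_dir"
echo "--- same host, but forwardable set in the wrong section:"
check_kerberised_nfs "$demo_dir/ssh_config" "$demo_dir/krb5.conf.bad" "$(id -u)" "$demo_dir" || true
rm -rf "$demo_dir"
```

On a real machine, run `check_kerberised_nfs` with no arguments after an ssh login through an intermediate host: a FAIL on the third line while the first two pass is exactly the symptom described in the thread (delegation configured but no TGT forwarded from the workstation), and a FAIL on the second line points at the krb5.conf section rather than at ssh.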
