Solved: Kerberised NFS
Edward Irvine
eirvine at tpg.com.au
Fri Feb 13 06:21:41 EST 2009
Hi Folks,
Thanks for the feedback everyone.
On 13/02/2009, at 3:52 AM, Douglas E. Engert wrote:
>
>
> Edward Irvine wrote:
>> Hi Folks,
>> Is there a ticket between client and server that expires? If so,
>> how does it get renewed?
>> Kerberised NFS presumably requires authentication and
>> (optionally) encryption between client and server, so presumably
>> the client needs to get a ticket prior to contacting the server.
>
> Are you talking NFSv4 or NFSv3?
NFSv4: nothing was done to downgrade it to NFSv3
>> I appear to be successfully sharing out /export/home from a
>> server with kerberos security options, and successfully
>> automounting users' home directories on client machines when they
>> log in. However, first thing in the morning the home directories
>> on client machines are inaccessible (i.e. when I ssh in my home
>> directory is unavailable). Restarting automountd fixes things for
>> the rest of the day.
>
> First of all the sshd must get a kerberos ticket, either by
> delegated gssapi credentials (i.e. forwarded kerberos ticket),
> or by keyboard interactive. You will need to set up pam.conf for sshd-*
Yes and no. When I logged in with ssh I *thought* I got a ticket. But
now I suspect the TGT I saw yesterday was a stale one.
Turns out when I logged in directly to the machine using
username/password I got a TGT (via pam_krb5). Home directory mounting worked
as expected. However, when I logged in to the target via another
kerberised machine I authenticated "seamlessly" via GSSAPI. In which
case I did not have a TGT on the target as it was not being forwarded
by my workstation. Thus, my Kerberos protected home directory on the
target was not being automounted.
>
> On Solaris the sshd has multiple entries in pam.conf depending on
> which authentication method was used; see the man page for sshd (at
> the end) for sshd-gssapi and sshd-kbdint.
>
> dtlogin can also call pam_krb5; see the man page on pam_krb5.
>
>> This is Solaris 10 u6 on client and server, and using the Solaris
>> 10 u6 Kerberos server. There is no NIS or LDAP naming going on
>> (yet) - nsswitch is to files and DNS. The mapid domain name is
>> set in /etc/defaults/nfs.
>
> Solaris with NFSv4 will only use the default Kerberos ticket cache
> for a user, /tmp/krb5cc_<uid>, even if you have KRB5CCNAME set.
> (Personally, I consider this a step backwards and have expressed this
> to Sun many times.)
>
> Having said all the above, we do get tickets at login, sshd and screen
> unlock, but use AFS (which uses Kerberos V5) for home directories,
> not NFS. I would expect that if pam is set up to get the tickets,
> the NFS code would use them for home directory access.
>
>
>> Any pointers greatly appreciated.
>> Eddie
On my workstation (and all kerberos clients) I have now inserted:
a) "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
b) "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
c) Played around with /etc/krb5/warn.conf so that tickets are
automatically renewed.
The end result is that I now have a TGT on the target, even when I
log in to an intermediate machine first.
I also did a little experiment. After logging in to the target
machine (with the GSSAPIDelegateCredentials working and all), I ran
the "kdestroy" command. As expected, my home directory became
immediately unreadable until I got a new TGT with the "kinit"
command. Cool...
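As an added example (not part of this thread, and not Sun's or the poster's code), a small POSIX sh check for the two conditions the thread identifies for Kerberised NFSv4 home directories on Solaris: the TGT must sit in the default cache /tmp/krb5cc_<uid> that NFSv4 consults, and it must be forwardable so GSSAPIDelegateCredentials has something to forward. The klist -f output is constructed and its MIT-style layout is an assumption.

```shell
#!/bin/sh
# Added example. Checks that a user's TGT (a) lives in /tmp/krb5cc_<uid>,
# the only cache Solaris NFSv4 uses even when KRB5CCNAME is set, and
# (b) carries the F (forwardable) flag. Both klist -f samples below are
# constructed; the MIT-style layout is assumed.

GOOD_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: eddie@EXAMPLE.COM

Valid starting     Expires            Service principal
02/13/09 06:00:00  02/13/09 16:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/20/09 06:00:00, Flags: FRIA'

# Same user, but a KRB5CCNAME-style cache and a non-forwardable TGT.
BAD_KLIST='Ticket cache: FILE:/tmp/krb5cc_eddie_Xy12ab
Default principal: eddie@EXAMPLE.COM

Valid starting     Expires            Service principal
02/13/09 06:00:00  02/13/09 16:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/20/09 06:00:00, Flags: RIA'

# cache_is_default UID KLIST_OUTPUT: 0 if the cache is /tmp/krb5cc_<uid>.
cache_is_default() {
    cache=$(printf '%s\n' "$2" | sed -n 's/^Ticket cache: *//p')
    case "$cache" in
        "FILE:/tmp/krb5cc_$1" | "/tmp/krb5cc_$1") return 0 ;;
        *) return 1 ;;
    esac
}

# tgt_forwardable KLIST_OUTPUT: 0 if the krbtgt entry carries the F flag.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { seen = 1; next }
        seen && /Flags:/ { flags = $NF; exit }
        END { exit (index(flags, "F") > 0) ? 0 : 1 }'
}

# check_tgt UID KLIST_OUTPUT: reports both checks; 0 only if both pass.
check_tgt() {
    rc=0
    cache_is_default "$1" "$2" || { echo "TGT not in /tmp/krb5cc_$1; NFSv4 will not see it"; rc=1; }
    tgt_forwardable "$2" || { echo "TGT not forwardable; set forwardable = true in [libdefaults]"; rc=1; }
    return $rc
}

check_tgt 1001 "$GOOD_KLIST" && echo "ok: TGT usable for Kerberised NFS"
check_tgt 1001 "$BAD_KLIST" || echo "fix needed before home directories will mount"
```

On a live system, replace the constructed strings with `klist -f` output captured after an ssh login to see whether the forwarded ticket actually landed in the default cache.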