Help: User login problems in NFS4 + Kerberos integration

Rohit Mehta rohitm at engr.uconn.edu
Sun Oct 16 11:16:55 EDT 2011


As I know next to nothing about AFS, I don't fully understand what is 
going on.

However, I have had some mountpoints come up as -t nfs and others as -t 
nfs4, and autofs will let you do this.  We mount different users' home 
directories from different filesystems via autofs as well.

Have you tried a manual nfs4 mount? i.e.:
mkdir /tmp/testmount
mount nfs4server:/userhomedirectories/amy /tmp/testmount -t nfs4
su amy
kinit amy
cd /tmp/testmount


On 10/16/2011 08:20 AM, Lee Eric wrote:
> Hey mate,
>
> No. I don't use autofs here. However, I noticed a very strange
> phenomenon here. On the client side I can use ksu to log in as user
> amy.
>
> [root at submit ~]# kinit amy
> Password for amy at HERDINGCAT.INTERNAL:
> [root at submit ~]# ksu amy
> Changing uid to amy (502)
> [amy at submit root]$ klist
> Ticket cache: FILE:/tmp/krb5cc_502.1
> Default principal: amy at HERDINGCAT.INTERNAL
>
> Valid starting     Expires            Service principal
> 10/16/11 02:25:54  10/17/11 02:25:44
> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL
> renew until 10/16/11 02:25:54
> 10/16/11 02:26:01  10/17/11 02:25:44
> afs/herdingcat.internal at HERDINGCAT.INTERNAL
> renew until 10/16/11 02:25:54
> [amy at submit root]$ cd ~
> [amy at submit ~]$ pwd
> /pool/home/amy
> [amy at submit ~]$
>
> But I don't think it makes sense to get an afs TGS. On the server side, I saw
> the following information.
>
> Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
> (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH:
> amy at HERDINGCAT.INTERNAL for
> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL, Additional
> pre-authentication required
> Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
> (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354,
> etypes {rep=18 tkt=18 ses=18}, amy at HERDINGCAT.INTERNAL for
> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL
> Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info):
> TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354,
> etypes {rep=18 tkt=1 ses=1}, amy at HERDINGCAT.INTERNAL for
> afs/herdingcat.internal at HERDINGCAT.INTERNAL
>
> Why will it try to get OpenAFS stuff? That really confuses me.
>
> Thanks.
>
> Eric
>
> On Sun, Oct 16, 2011 at 7:48 PM, Mehta, Rohit<rohitm at engr.uconn.edu>  wrote:
>> Hi Eric, have you configured auto.home for -t nfs4?
>>
>> Lee Eric<openlinuxsource at gmail.com>  wrote:
>>
>>
>> Hi all,
>>
>> I integrated NFS4 and Kerberos properly. However, I noticed that users
>> whose home dirs are in NFS4 shares cannot log in. In my
>> environment, some users are using OpenAFS, others using NFS4 as home
>> dirs.
>>
>> Here's the client side (host name: submit) /var/log/secure partial log
>> as the user amy logs in.
>>
>> Oct 16 01:59:19 submit unix_chkpwd[1272]: password check failed for user (amy)
>> Oct 16 01:59:19 submit login: pam_unix(login:auth): authentication
>> failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=amy
>>
>> And here's the client side /etc/pam.d/system-auth contents.
>>
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid>= 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        optional      pam_afs_session.so
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_succeed_if.so uid<  500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_krb5.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> -session     optional      pam_systemd.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_krb5.so
>> session     required      pam_afs_session.so
>>
>> Here's the partial log of /var/log/krb5kdc.log on the server side (host
>> name: server) as user amy logs in.
>>
>> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
>> (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH:
>> amy at HERDINGCAT.INTERNAL for
>> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL, Additional
>> pre-authentication required
>> Oct 16 02:01:50 server.herdingcat.internal krb5kdc[4522](info): AS_REQ
>> (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318744910,
>> etypes {rep=18 tkt=18 ses=18}, amy at HERDINGCAT.INTERNAL for
>> krbtgt/HERDINGCAT.INTERNAL at HERDINGCAT.INTERNAL
>> Oct 16 02:01:51 server.herdingcat.internal krb5kdc[4522](info):
>> TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318744910,
>> etypes {rep=18 tkt=1 ses=1}, amy at HERDINGCAT.INTERNAL for
>> afs/herdingcat.internal at HERDINGCAT.INTERNAL
>>
>> I'm very curious why the system is going to try afs there. I have
>> defined the home dirs in NFS shares.
>>
>> Could anyone help me to figure it out?
>>
>> Thanks very much.
>>
>> Eric
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>


-- 
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031
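The krb5kdc.log excerpts in the thread above carry two facts worth pulling out mechanically: the only service ticket the KDC issued to amy after her TGT was for afs/herdingcat.internal (no nfs/ ticket appears in the posted lines), and that request offered a single enctype, 1, so the ticket and session key came back as single DES (etypes {rep=18 tkt=1 ses=1}). The following parser, added here as an example and not code from the thread or from MIT Kerberos, turns the posted log lines into records, lists which services a client actually received tickets for, and flags tickets issued with DES or RC4 enctypes. The three log lines are copied from the thread with the mailman "at" spelling restored to "@"; the mapping of service-principal prefixes to their usual requesters (aklog via pam_afs_session for afs/, rpc.gssd for nfs/ on a sec=krb5 mount) is general background, not something the thread confirms for this host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Copied from the thread (the ksu attempt at 02:25-02:26), "at" restored to "@".
KDC_LOG = """\
Oct 16 02:25:44 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL, Additional pre-authentication required
Oct 16 02:25:54 server.herdingcat.internal krb5kdc[4522](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
Oct 16 02:26:01 server.herdingcat.internal krb5kdc[4522](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318746354, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
"""

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES and RC4-HMAC

# Typical requester for a service-principal prefix (general knowledge, not verified
# against the poster's client).
USUAL_REQUESTER = {
    "afs/": "aklog, e.g. run by pam_afs_session.so",
    "nfs/": "rpc.gssd for an NFSv4 sec=krb5 mount",
    "krbtgt/": "kinit / ksu (initial TGT)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<msg>.*))?$"
)


@dataclass
class KdcEvent:
    ts: str
    kind: str            # AS_REQ or TGS_REQ
    client_ip: str
    status: str          # ISSUE, NEEDED_PREAUTH, ...
    client: str
    service: str
    offered: List[int]   # enctypes the client offered
    tkt: Optional[int]   # enctype of the issued ticket (ISSUE lines only)
    ses: Optional[int]   # enctype of the issued session key (ISSUE lines only)

    @property
    def weak_ticket(self) -> bool:
        return self.tkt in WEAK_ENCTYPES or self.ses in WEAK_ENCTYPES


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse krb5kdc AS_REQ/TGS_REQ lines; unrelated KDC chatter is skipped."""
    events: List[KdcEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(KdcEvent(
            ts=m["ts"], kind=m["kind"], client_ip=m["client_ip"], status=m["status"],
            client=m["client"], service=m["service"],
            offered=[int(x) for x in m["offered"].split()],
            tkt=int(m["tkt"]) if m["tkt"] else None,
            ses=int(m["ses"]) if m["ses"] else None,
        ))
    return events


def service_tickets(events: List[KdcEvent], client: str) -> List[str]:
    """Service principals for which the KDC actually issued a ticket to `client`."""
    return [e.service for e in events
            if e.kind == "TGS_REQ" and e.status == "ISSUE" and e.client == client]


def weak_issues(events: List[KdcEvent]) -> List[Tuple[str, str]]:
    """(service, ticket enctype name) for every issued ticket using DES or RC4."""
    return [(e.service, ENCTYPE_NAMES.get(e.tkt, str(e.tkt)))
            for e in events if e.status == "ISSUE" and e.weak_ticket]


def usual_requester(service: str) -> str:
    for prefix, who in USUAL_REQUESTER.items():
        if service.startswith(prefix):
            return who
    return "unknown"


if __name__ == "__main__":
    evs = parse_kdc_log(KDC_LOG)
    for e in evs:
        print(f"{e.ts} {e.kind:7} {e.status:14} {e.service}  offered={e.offered}"
              f"  tkt={ENCTYPE_NAMES.get(e.tkt, e.tkt)}  <- {usual_requester(e.service)}")
    for svc, enc in weak_issues(evs):
        print(f"WEAK: {svc} issued with {enc}")
```

Run against a fuller krb5kdc.log, the same three functions answer the question the thread is circling: if a sec=krb5 NFSv4 home directory is really being used at login, a TGS_REQ for nfs/<server> should follow the TGT; an afs/ request with a single-DES result is what an aklog run from the PAM session stack looks like.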



