kerberos and remote job scheduling/dispatching/perl fork()

Booker Bense bbense at gmail.com
Wed Aug 22 11:07:33 EDT 2012


On Fri, Aug 17, 2012 at 11:21 AM, Matt Garman <matthew.garman at gmail.com> wrote:
> We have a simple, home-grown Perl-based job dispatching system.  It's
> basically a per-user daemon that listens on a socket for job requests.
>  When it gets a request, it calls fork() to dispatch the job.
>
> What we've found is that the fork()'ed jobs are getting "permission
> denied" on NFSv4 mounts using krb5p security.  Before the fork,
> though, permissions are OK.
>
> I wrote this simple Perl script to demonstrate the problem:
>

I think your script error is just the result of the differences between

ssh foo.host
> cmd

and

ssh foo.host cmd

In the first you have a tty and in the second you don't.

Your real problem is the hinky way that NFSv4 matches Kerberos
credentials to processes. I haven't dinked around with NFSv4 a lot,
but there is a daemon that more or less sits and watches for krb tgt
files in /tmp and attempts to match them to the appropriate process
when the local nfsd needs a user's credentials.

I think what you want is to investigate idmapd or rpcidmapd on your system.

- Booker C. Bense

