Kerberos + automountd issues

Cary lists at flederma.us
Sat Mar 14 03:20:43 UTC 2015 

Hello,

I've been struggling with this issue for the past couple of weeks and 
I've hit a wall with the FreeBSD-related NFS content I can find via 
Google and Yahoo!. Apologies for the wall of text up front; I've tried 
to be as concise as possible while describing a complex issue.


My goal is to let users authenticate with Kerberos, get a Kerberos 
ticket, then have the home directory auto-mounted over NFSv4 using 
krb[i|p] security. User information (e.g., UID, GID, home dir path) is 
stored in LDAP (which is working).


Kerberos authentication works. I can kinit(1)/kdestroy(1) tickets 
without issue. If I stop the automount services, I can ssh into the host 
successfully (using the pam_mkhomedir.so module to make a home directory 
instead of using NFS). UID/GID mappings are pulled from LDAP successfully.


When automount services are running, things work in inconsistent ways. 
As "user1", if I kinit(1) and get a ticket for "user2", then cd to 
user2's home directory, everything works: the home directory is mounted 
(the user's directory is created if necessary, and I can ls(1) the 
contents, touch(1) files, etc.) I see mount(8) report the directory has 
been automounted and I see the changes reflected on the NFS server, so I 
know things are working as desired.


However, if I try to ssh(1) in as user2, after authenticating, I get 
dropped into the home directory (according to pwd(1)), but I cannot 
ls(1), touch(1), etc. the files in the directory. In trying to 
troubleshoot this, I've observed the following:
    1. there is no Kerberos credentials cache (/tmp/krb5cc_<UID>)
    2. the home directory is not mounted (running mount(1) on the client 
does not show the exported directory as having been mounted
    3. Running a packet capture on the *NFS server* shows the *client* 
is using AUTH_UNIX credentials instead of RPCSEC_GSS.
    4. The PAM debug logs seem to indicate that a credentials stash is 
created under the auth portion (pam_sm_authenticate()) of the 
pam_krb5.so module, but deleted after the pam_ldap.so account portion 
(pam_sm_acct_mgmt()) runs [Aside: why would the pam_sm_setcred() be run 
*AFTER* the pam_sm_acct_mgmt() function?]


Additional troubleshooting steps:
    1. Both the NFS server and client are running nfsuserd(8), gssd(8), 
and nslcd(8), as per relevant man pages
    2. I've uploaded conf file contents for auto_master, auto_home, 
pam.d/sshd, and exports (all with line numbers) to pastebin 
(http://pastebin.com/RRCjfAvG)
    3. I've uploaded a failed ssh session PAM logs (with line numbers) 
to pastebin (http://pastebin.com/wLm3Knws)
    4. The NFS client is running FreeBSD 10.1-RELEASE #0 r274401
    5. The NFS server is running FreeBSD 10.0-RELEASE-p12 #0
    6. On the server, I've set the sysctl options vfs.nfs.debuglevel=3 
and vfs.usermount=1
    7. In the client, I've set the sysctl option vfs.usermount=1
    8. My sshd_config has the following options set which may be 
applicable to the situation (GSSAPI* and Kerberos* options are disabled) :
	PasswordAuthentication no
	ChallengeResponseAuthentication yes
	UsePAM yes


What steps, programs, or settings have I overlooked? What else do I need 
to automount home directories with sec=krb5 when ssh'ing into the host?

Any help will be welcomed enthusiastically! If additional information or 
settings are needed, please let me know.

Thank you in advance!

-- 
Mr. Cary Mathews

More information about the freebsd-questions mailing list