Kerberos + automountd issues
Cary
lists at flederma.us
Sat Mar 14 03:20:43 UTC 2015
Hello,
I've been struggling with this issue for the past couple of weeks and
I've hit a wall with the FreeBSD-related NFS content I can find via
Google and Yahoo!. Apologies for the wall of text up front; I've tried
to be as concise as possible while describing a complex issue.
My goal is to let users authenticate with Kerberos, get a Kerberos
ticket, then have the home directory auto-mounted over NFSv4 using
krb[i|p] security. User information (e.g., UID, GID, home dir path) is
stored in LDAP (which is working).
Kerberos authentication works. I can kinit(1)/kdestroy(1) tickets
without issue. If I stop the automount services, I can ssh into the host
successfully (using the pam_mkhomedir.so module to make a home directory
instead of using NFS). UID/GID mappings are pulled from LDAP successfully.
When automount services are running, things work in inconsistent ways.
As "user1", if I kinit(1) and get a ticket for "user2", then cd to
user2's home directory, everything works: the home directory is mounted
(the user's directory is created if necessary, and I can ls(1) the
contents, touch(1) files, etc.). I see mount(8) report the directory has
been automounted and I see the changes reflected on the NFS server, so I
know things are working as desired.
However, if I try to ssh(1) in as user2, after authenticating, I get
dropped into the home directory (according to pwd(1)), but I cannot
ls(1), touch(1), etc. the files in the directory. In trying to
troubleshoot this, I've observed the following:
1. there is no Kerberos credentials cache (/tmp/krb5cc_<UID>)
2. the home directory is not mounted (running mount(1) on the client
does not show the exported directory as having been mounted)
3. Running a packet capture on the *NFS server* shows the *client*
is using AUTH_UNIX credentials instead of RPCSEC_GSS.
4. The PAM debug logs seem to indicate that a credentials stash is
created under the auth portion (pam_sm_authenticate()) of the
pam_krb5.so module, but deleted after the pam_ldap.so account portion
(pam_sm_acct_mgmt()) runs [Aside: why would the pam_sm_setcred() be run
*AFTER* the pam_sm_acct_mgmt() function?]
Additional troubleshooting steps:
1. Both the NFS server and client are running nfsuserd(8), gssd(8),
and nslcd(8), as per relevant man pages
2. I've uploaded conf file contents for auto_master, auto_home,
pam.d/sshd, and exports (all with line numbers) to pastebin
(http://pastebin.com/RRCjfAvG)
3. I've uploaded a failed ssh session's PAM logs (with line numbers)
to pastebin (http://pastebin.com/wLm3Knws)
4. The NFS client is running FreeBSD 10.1-RELEASE #0 r274401
5. The NFS server is running FreeBSD 10.0-RELEASE-p12 #0
6. On the server, I've set the sysctl options vfs.nfs.debuglevel=3
and vfs.usermount=1
7. In the client, I've set the sysctl option vfs.usermount=1
8. My sshd_config has the following options set which may be
applicable to the situation (GSSAPI* and Kerberos* options are disabled):
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
What steps, programs, or settings have I overlooked? What else do I need
to automount home directories with sec=krb5 when ssh'ing into the host?
Any help will be welcomed enthusiastically! If additional information or
settings are needed, please let me know.
Thank you in advance!
--
Mr. Cary Mathews
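As an added example (not part of the original message or of any FreeBSD tool), the three observations listed under the failed ssh session (no credentials cache, home not mounted, AUTH_UNIX instead of RPCSEC_GSS) packaged as one POSIX shell check. The `nfsstat -m`-style sample text, the host name and the UIDs are constructed; the cache directory is a parameter so the check can be exercised against a scratch directory instead of /tmp.

```shell
#!/bin/sh
# Added example, not from the original post: the poster's three checks for a
# krb5-secured automounted home as a single function over offline input.

# Constructed sample in the style of `nfsstat -m`: a mount line followed by
# its option line. Host, paths and flavours are made up for the example.
SAMPLE_GOOD='nfs.example.org:/export/home/user2 on /home/user2
nfsv4,minorversion=0,tcp,resvport,hard,cto,sec=krb5p,acdirmin=3,acdirmax=60'
SAMPLE_BAD='nfs.example.org:/export/home/user1 on /home/user1
nfsv4,minorversion=0,tcp,resvport,hard,cto,sec=sys,acdirmin=3,acdirmax=60'

# krb5_home_check UID HOME CCACHE_DIR NFSSTAT_TEXT
# Prints one verdict per check and returns 0 only when all three hold:
#   1. a credentials cache CCACHE_DIR/krb5cc_<UID> exists   (poster's item 1)
#   2. HOME appears as a mount point in NFSSTAT_TEXT          (poster's item 2)
#   3. that mount uses sec=krb5, krb5i or krb5p, i.e. RPCSEC_GSS rather than
#      the AUTH_UNIX (sec=sys) flavour seen in the packet capture (item 3)
krb5_home_check() {
    uid=$1; home=$2; ccdir=$3; nfsstat_text=$4
    rc=0
    if [ -f "$ccdir/krb5cc_$uid" ]; then
        echo "ccache: present ($ccdir/krb5cc_$uid)"
    else
        echo "ccache: MISSING ($ccdir/krb5cc_$uid)"; rc=1
    fi
    # The option line is the line right after "... on <mountpoint>".
    opts=$(printf '%s\n' "$nfsstat_text" | awk -v mp="$home" '
        found { print; exit }
        $0 ~ (" on " mp "$") { found = 1 }')
    if [ -z "$opts" ]; then
        echo "mount: $home is NOT mounted"; rc=1
    else
        sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
        case "$sec" in
            krb5|krb5i|krb5p) echo "mount: $home uses RPCSEC_GSS (sec=$sec)" ;;
            *) echo "mount: $home uses AUTH_UNIX or unknown flavour (sec=${sec:-unset})"
               rc=1 ;;
        esac
    fi
    return $rc
}

# On a real client the call would be:
#   krb5_home_check "$(id -u)" "$HOME" /tmp "$(nfsstat -m)"
```

Running it right after a failed ssh login, before anything else touches the home directory, separates "no ticket was stashed" from "the mount happened but with the wrong flavour", which the poster's symptoms alone do not.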
More information about the freebsd-questions mailing list