NFS4 home directory is not mounted with ksu

Kevin Coffman kwc at citi.umich.edu
Mon Jan 14 09:18:23 EST 2008


Amir,
What version of nfs-utils do you have?  The latest version (with
-vvvv) indicates why each ccache file being considered is rejected --
if it is rejected.  Offhand, I don't remember exactly when the change
went in, but older versions used only the file's name, and did not
look at the file's ownership.

I see your other question about the .k5login file.  I'm sure you're
aware now that this file is used by ksu for authorization.  However,
if the home directory requires Kerberos access, the .k5login file
cannot be accessed before creating a GSS/Kerberos context.  So we have
a chicken and egg problem.

I can't think of a good work-around for this right now.  Eventually,
you should be able to define read-only access to a filesystem via
auth_sys, and read-write with Kerberos.  However, that (mounting the
same filesystem with two different security options) is not currently
possible.

K.C.

On Jan 13, 2008 6:35 AM, Amir Saad <eng__amir at hotmail.com> wrote:
>
>  Thanks Kevin, I tried gssd -vvvv but that did not give me more info, same
> as -vvv. As you can see, it searches for a cache and always fails to find
> one. When I ksu from user2 to user1 and then klist, I can see a cache with
> permissions rw user1 user2, any ideas?
>
> Thanks Kevin
>
> Amir
>
> > Date: Thu, 10 Jan 2008 12:27:37 -0500
>
> > From: kwc at citi.umich.edu
> > To: eng__amir at hotmail.com
> > Subject: Re: NFS4 home directory is not mounted with ksu
> > CC: nfsv4 at linux-nfs.org
> >
> > I believe the issue is the ownership of the credentials cache file.
> > gssd looks for credentials cache files owned by the uid on whose
> > behalf it is running. In this case, 1001. I suspect that the
> > krb5cc_1001.1 file is owned by uid 1002. Running gssd with -vvvv will
> > show more details about the ccache selection.
> >
> > In my experimentation with ksu, the ccache file winds up being owned
> > by the right uid. We need to figure out why that is not happening for
> > you.
> >
> > K.C.
> >
> > On Jan 10, 2008 3:13 AM, Amir Saad <eng__amir at hotmail.com> wrote:
> > >
> > > Thanks Kevin. I executed the rpc.gssd -vvv and here is the log when I
> > > executed ksu:
> > >
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: handling krb5 upcall
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: getting credentials for client
> > > with uid 1001 for server nfs-server-machine
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: CC file 'krb5cc_1001.1' being
> > > considered
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: CC file 'krb5cc_1002_cfxLz28926'
> > > being considered
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: CC file 'krb5cc_machine_REALM'
> > > being considered
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: using FILE:/tmp/krb5cc_1001 as
> > > credentials cache for client with uid 1001 for server nfs-server-machine
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: using environment variable to
> > > select krb5 ccache FILE:/tmp/krb5cc_1001
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: creating context using fsuid 1001
> > > (save_uid 0)
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: ERROR: GSS-API: error in
> > > gss_acquire_cred(): Miscellaneous failure - Unknown code krb5 195
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: WARNING: Failed while limiting
> > > krb5 encryption types for user with uid 1001
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: WARNING: Failed to create krb5
> > > context for user with uid 1001 for server nfs-server-machine
> > > Jan 10 10:02:48 machine1 rpc.gssd[19083]: doing error downcall
> > >
> > > The user I used is user1 with a uid 1002 and I tried to ksu to user2 (uid
> > > 1001). I can login successfully using any of them, this is why I believe
> > > their kerberos principals and LDAP are set up correctly. Also, the home is
> > > mounted correctly at login not ksu.
> > >
> > > On NFS4 server:
> > > /export gss/krb5(sync,rw,fsid=0,root_squash,insecure,no_subtree_check)
> > > /export/home gss/krb5(sync,rw,nohide,root_squash,insecure,no_subtree_check)
> > >
> > > On machine1 (client):
> > > /etc/auto.home:
> > > /home -fstype=nfs4,sec=krb5,rw,exec nfs-server-machine:/home
> > >
> > > /etc/auto.master:
> > > /home /etc/auto.home
> > >
> > > /etc/fstab:
> > > nfs-server-machine:/home /home nfs4 sec=krb5,rw,exec
> > >
> > > Thank you very much
> > >
> > > Amir
> > >
> > > > Date: Tue, 8 Jan 2008 09:39:17 -0500
> > > > From: kwc at citi.umich.edu
> > > > To: eng__amir at hotmail.com
> > > > Subject: Re: NFS4 home directory is not mounted with ksu
> > > > CC: nfsv4 at linux-nfs.org
> > > >
> > > > On Jan 8, 2008 3:35 AM, Amir Saad <eng__amir at hotmail.com> wrote:
> > > > >
> > > > > I could successfully install Kerberos, OpenLDAP on my network; I changed
> > > > > the login and SSH to use the Kerberos tickets and this works correctly.
> > > > > Home directories are mounted successfully upon login, however; when ksu
> > > > > to another user I get 'Permission Denied' and I cannot access any home
> > > > > directory. Here is my log:
> > > > > Jan 8 10:23:30 machine1 rpc.gssd[17142]: ERROR: GSS-API: error in
> > > > > gss_acquire_cred(): Miscellaneous failure - Unknown code krb5 195
> > > > > Jan 8 10:23:30 machine1 rpc.gssd[17142]: WARNING: Failed to create krb5
> > > > > context for user with uid 1001 for server nfs-server-machine
> > > > > Jan 8 10:23:30 machine1 rpc.gssd[17142]: ERROR: GSS-API: error in
> > > > > gss_acquire_cred(): Miscellaneous failure - Unknown code krb5 195
> > > > > Jan 8 10:23:30 machine1 rpc.gssd[17142]: WARNING: Failed to create krb5
> > > > > context for user with uid 1001 for server nfs-server-machine
> > > > >
> > > > > My platform:
> > > > > Debian 4, MIT Kerberos 5.
> > > > >
> > > > > Please note that NFS4 is mounted successfully upon login, the problem
> > > > > happens only with ksu.
> > > > >
> > > > > Any help?
> > > > >
> > > > > Thank you
> > > > >
> > > > > Amir
> > > >
> > > > Hi,
> > > > Could you run rpc.gssd with extra debugging (-vvv) and send its output
> > > > when the failure occurs? Also, to be clear, you're using automount,
> > > > correct?
> > > >
> > > > K.C.
> > >
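Kevin's diagnosis in this thread is that rpc.gssd only accepts a credentials cache file owned by the uid the upcall is for, and that older nfs-utils matched on the file name alone. The following Python model, added here as an illustration and not taken from nfs-utils or from anyone in the thread, reproduces that selection logic over a constructed directory listing built from Amir's log (krb5cc_1001.1, krb5cc_1002_cfxLz28926, krb5cc_machine_REALM) with the ownership Kevin suspected (the ksu-created cache owned by the original uid 1002). The `krb5cc_` prefix, the `/tmp` directory and the "first acceptable file wins" rule are assumptions of the model, not verified nfs-utils behaviour; `scan_ccache_dir` shows how the same check is driven from real `stat` data.

```python
"""Model of the ccache selection Kevin describes: a candidate file is only
usable if its owner is the uid gssd is working for.  Constructed example,
not nfs-utils code; prefix, directory and tie-breaking are assumptions."""
import os
import re
from dataclasses import dataclass

CCACHE_PREFIX = "krb5cc_"   # assumed default prefix gssd scans for
CCACHE_DIR = "/tmp"         # assumed default ccache directory


@dataclass(frozen=True)
class CacheFile:
    path: str        # e.g. /tmp/krb5cc_1001.1
    owner_uid: int   # st_uid of the file, as stat() reports it

    @property
    def name(self) -> str:
        return os.path.basename(self.path)


def name_claims_uid(name: str, uid: int) -> bool:
    """True if the file name is krb5cc_<uid> or krb5cc_<uid> plus a . or _ suffix."""
    return re.fullmatch(rf"{CCACHE_PREFIX}{uid}(?:[._].*)?", name) is not None


def select_ccache(candidates, uid, check_ownership=True):
    """Pick the first usable ccache for `uid`.

    Returns (chosen, rejections); rejections is a list of (name, reason)
    pairs, i.e. the per-candidate verdicts gssd -vvvv prints.  With
    check_ownership=False the model behaves like the older name-only gssd.
    """
    rejections = []
    for cf in candidates:
        if not cf.name.startswith(CCACHE_PREFIX):
            rejections.append((cf.name, "name does not start with krb5cc_"))
            continue
        if check_ownership:
            if cf.owner_uid != uid:
                rejections.append((cf.name, f"owned by uid {cf.owner_uid}, need {uid}"))
                continue
        elif not name_claims_uid(cf.name, uid):
            rejections.append((cf.name, f"name does not encode uid {uid}"))
            continue
        return cf, rejections          # first acceptable file wins (assumption)
    return None, rejections


def scan_ccache_dir(directory=CCACHE_DIR):
    """Build CacheFile entries from a real directory using lstat() data."""
    found = []
    for entry in os.scandir(directory):
        if entry.name.startswith(CCACHE_PREFIX) and entry.is_file(follow_symlinks=False):
            found.append(CacheFile(entry.path, entry.stat(follow_symlinks=False).st_uid))
    return found


def ksu_scenario():
    """Amir's case: user1 (uid 1002) ran ksu to user2 (uid 1001).

    Ownership values are constructed from Kevin's suspicion in the thread,
    not measured on Amir's machine."""
    candidates = [
        CacheFile("/tmp/krb5cc_1001.1", 1002),           # made by ksu, still owned by uid 1002
        CacheFile("/tmp/krb5cc_1002_cfxLz28926", 1002),  # user1's own login cache
        CacheFile("/tmp/krb5cc_machine_REALM", 0),       # machine credential cache
    ]
    new_gssd = select_ccache(candidates, uid=1001, check_ownership=True)
    old_gssd = select_ccache(candidates, uid=1001, check_ownership=False)
    return new_gssd, old_gssd


if __name__ == "__main__":
    (chosen, why), (old_chosen, _) = ksu_scenario()
    print("ownership-checking gssd chose:", chosen.name if chosen else None)
    for name, reason in why:
        print(f"  rejected {name}: {reason}")
    print("name-only gssd would choose:", old_chosen.name if old_chosen else None)
```

Run against the constructed listing, the ownership-checking path rejects all three files and reports why, while the name-only path happily picks krb5cc_1001.1 even though uid 1001 does not own it; that difference is exactly what the -vvvv output in newer nfs-utils is meant to make visible. Point `scan_ccache_dir()` at a real `/tmp` to list which ccache files a given uid would be allowed to use.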

