I have three testing FC2 boxes in a Kerb5 realm, with the following updates: kernel-smp-2.6.9-1.6_FC2 pam_krb5-2.1.2-1 nfs-utils-1.0.6-44 (note that the FC3 SRPM will only compile with gcc 3.4) I'm trying to setup centralized home directories securely shared with strong user authentication with integrity checking (aka krb5i) and moving adding encrypted NFS (aka krb5p) when supported. Something I've been wanting to do for years. I've run into a minor issue, and a show stopper. Minor issue: I had to insert a "modprobe rpcsec_gss_krb5" into /etc/init.d/rpcgssd on the client(s) and into /etc/init.d/rpcsvcgssd on the server. Show stopper: pam_krb5 creates per session ticket cache files as /tmp/krb5cc_p<digits>, while the NFS client's rpcsec_gss daemon expects the ticket cache file to be /tmp/krb5cc_$UID. This issue is mentioned briefly on: http://www.citi.umich.edu/projects/nfsv4/2.4-nfsv4/release1/install.html The solution on the page doesn't work (catch-22) in a krb5-secured- automounted-homedir scenario as, it says to add the following to your login script: # move kerberos cred file to a place where gssd can find it TMPNAME=`/bin/basename ${KRB5CCNAME:-unset}` if [ -f /tmp/${TMPNAME} ]; then mv /tmp/${TMPNAME} /tmp/krb5cc_${UID} KRB5CCNAME="FILE:/tmp/krb5cc_${UID}" fi The page also says: "The Kerberos PAM library creates a per-session ticket file in /tmp. This file must be moved to a per-UID location so that gssd can find it (this will be fixed in a future release)." What the current status? What's the solution? Has anyone approached Nalin about modifying pam_krb5? What's the impact of ditching per session ticket cache and going to per UID? Thanks, Dax Kelson Guru Labs
