NFSv4, MIT KRB5, home-directory permissions

Hi,

I have a problem with my setup. In the end it should work like this:
- Users are in LDAP, including their passwords
- Home directories are mounted via NFSv4 on the clients
- Client machines are authenticated to the NFS server via MIT Kerberos
- Users are authenticated via libpam-ldap

Most of that is already working and IIRC I already had everything
working when I tried it some time ago, but now I can't figure out what
I did wrong this time.

What I have:
- 1 machine running slapd, nfs-kernel-server and MIT Kerberos v5 (FQDN
	is server.bws.example)
- 1 machine acting as client (FQDN is client.bws.example)
- 1 user in the LDAP tree called 'testuser' with home directory set to
	/home/nfs/testuser
- 1 export on the server:
	/srv/nfs *(rw,sync,fsid=0,sec=krb5p)
- 1 nfs4 mount on the client
	server.bws.example:/ /home/nfs nfs4 sec=krb5p 0 0
- 2 principals: nfs/server.bws.example and nfs/client.bws.example
	each of those has been exported and put in the /etc/krb5.keytab on the
	corresponding machine
- on both machines matching lines in /etc/hosts:
	192.168.0.1 server.bws.example server
	192.168.0.2 client.bws.example client

What works:
- testuser can log in on the client
- /home/nfs can be mounted on the client
- ls -ld /home/nfs/testuser as root shows the directory belonging to
	testuser:testuser with permissions 755

What does not:
- testuser can't get to his own home directory. He gets a 'permission
	denied' when trying to access /home/nfs

syslog on the client:
rpc.gssd: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS
failure. Minor code may provide more information - No credentials cache
found
rpc.gssd: WARNING: Failed to create krb5 context for user with uid 10000
for server server.bws.example

This looks to me like 'testuser' should have a principal in Kerberos to
use the NFS mount.

Is there a possibility to just make the machines authenticate each other
for the NFS mount and NOT need every single user in Kerberos as well?
AFAIR I had a setup like this only some weeks ago, but I'm not able to
reproduce it.

Any help with this is appreciated. Since I am not subscribed to the list
(yet) please CC me.

If you need any more information please ask.

Thanks in advance!

Hendrik Jaeger



-- 
Slang is language that takes off its coat, spits on its hands, and goes to work.
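A diagnostic added here as an example, not part of Hendrik's mail: on an export limited to sec=krb5p, rpc.gssd has to find a Kerberos credential cache for every uid that touches the mount, so the script parses the export line and the rpc.gssd syslog lines quoted above and checks for the cache of the uid they name. It assumes the stock rpc.gssd cache location (FILE caches named /tmp/krb5cc_<uid>); the export and log lines are constructed from the mail.

```shell
# Sample input constructed from the mail: the export line and the two
# rpc.gssd syslog lines (the wrapped ERROR line is joined back together).
EXPORT_LINE='/srv/nfs *(rw,sync,fsid=0,sec=krb5p)'
GSSD_LOG='rpc.gssd: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
rpc.gssd: WARNING: Failed to create krb5 context for user with uid 10000 for server server.bws.example'

# Print the sec= flavour list of an /etc/exports line ("krb5p",
# "krb5p:sys", ...), or "sys" when none is given (the NFS default).
export_sec_flavours() {
    sec=$(printf '%s\n' "$1" | sed -n 's/.*[(,]sec=\([^,)]*\).*/\1/p')
    printf '%s\n' "${sec:-sys}"
}

# "yes" when every listed flavour is a Kerberos one: rpc.gssd then needs a
# credential cache for each uid using the mount; the machine keytab alone
# only covers the mount operation done as root.
needs_user_credentials() {
    for f in $(printf '%s\n' "$1" | tr ':' ' '); do
        case "$f" in krb5|krb5i|krb5p) ;; *) printf 'no\n'; return 0 ;; esac
    done
    printf 'yes\n'
}

# Print "<uid> <server>" from rpc.gssd's "Failed to create krb5 context"
# warning; input lines that do not match print nothing.
gssd_failed_uid_server() {
    printf '%s\n' "$1" | sed -n \
      's/.*Failed to create krb5 context for user with uid \([0-9]*\) for server \(.*\)$/\1 \2/p'
}

# Cache file to look for. Assumption: stock rpc.gssd defaults, i.e. FILE
# caches named krb5cc_<uid> under /tmp (a -d option or keyring caches differ).
default_ccache_for_uid() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# Report whether that cache exists and is readable on this host.
check_uid_ccache() {
    cc=$(default_ccache_for_uid "$1")
    [ -r "$cc" ] && { printf 'ok: %s\n' "$cc"; return 0; }
    printf 'missing: %s (no ticket cache for uid %s)\n' "$cc" "$1"
    return 1
}

flavours=$(export_sec_flavours "$EXPORT_LINE")
printf 'export sec=%s, per-user credentials needed: %s\n' \
    "$flavours" "$(needs_user_credentials "$flavours")"
set -- $(gssd_failed_uid_server "$GSSD_LOG")
[ -n "$1" ] && check_uid_ccache "$1" || true
```

Run it on the client as root to see whether the uid from the warning has a ticket cache where rpc.gssd looks; a "missing" result reproduces the "No credentials cache found" error.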
