By default, the machine credentials are used for the mount (and any file access done by root). The testuser needs to have their own Kerberos credentials. I can't think of any work-around to that.

K.C.

On Tue, Jun 3, 2008 at 7:57 AM, Hendrik Jaeger <hank@xxxxxxxxxxxxx> wrote:
> Hi,
>
> I have a problem with my setup. In the end it should work like this:
> - Users are in LDAP, including their passwords
> - Home directories are mounted via NFSv4 on the clients
> - Client machines are authenticated to the NFS server via MIT Kerberos
> - Users are authenticated via libpam-ldap
>
> Most of that is already working and IIRC I already had everything
> working when I tried it some time ago, but now I can't figure out what
> I did wrong this time.
>
> What I have:
> - 1 machine running slapd, nfs-kernel-server and MIT Kerberos v5 (FQDN
>   is server.bws.example)
> - 1 machine acting as client (FQDN is client.bws.example)
> - 1 user in the LDAP tree called 'testuser' with home directory set to
>   /home/nfs/testuser
> - 1 export on the server:
>   /srv/nfs *(rw,sync,fsid=0,sec=krb5p)
> - 1 nfs4 mount on the client:
>   server.bws.example:/ /home/nfs nfs4 sec=krb5p 0 0
> - 2 principals: nfs/server.bws.example and nfs/client.bws.example;
>   each of those has been exported and put in the /etc/krb5.keytab on the
>   corresponding machine
> - on both machines matching lines in /etc/hosts:
>   192.168.0.1 server.bws.example server
>   192.168.0.2 client.bws.example client
>
> What works:
> - testuser can log in on the client
> - /home/nfs can be mounted on the client
> - ls -ld /home/nfs/testuser as root shows the directory belonging to
>   testuser:testuser with permissions 755
>
> What does not:
> - testuser can't get to his own home directory. He gets a 'permission
>   denied' when trying to access /home/nfs
>
> syslog on the client:
> rpc.gssd: ERROR: GSS-API: error in gss_acquite_cred(): Unspecified GSS failure.  Minor code may provide more information - No credentials cache found
> rpc.gssd: WARNING: Failed to create krb5 context for user with uid 10000 for server server.bws.example
>
> This looks to me like 'testuser' should have a principal in Kerberos to
> use the NFS mount.
>
> Is there a possibility to just make the machines authenticate each other
> for the NFS mount and NOT need every single user in Kerberos as well?
> AFAIR I had a setup like this only some weeks ago, but I'm not able to
> reproduce it.
>
> Any help with this is appreciated. Since I am not subscribed to the list
> (yet) please CC me.
>
> If you need any more information please ask.
>
> Thanks in advance!
>
> Hendrik Jaeger
>
> --
> Slang is language that takes off its coat, spits on its hands, and goes to work.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
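The rpc.gssd warning in the thread is the one signal an admin has that a user on a sec=krb5p mount has no ticket cache. The following script is an added example, not code from the thread or from nfs-utils: it pulls the affected uids out of a client's syslog (the log lines below are constructed to match the quoted messages) and states, per uid, which credential rpc.gssd would have used.

```shell
#!/bin/sh
# Added example, not part of the thread. On a sec=krb5p mount rpc.gssd uses the
# machine keytab (nfs/<fqdn>) only for uid 0; every other uid needs its own
# ticket cache, which is exactly what the "Failed to create krb5 context"
# warning reports. Log lines are constructed, modelled on the quoted ones.
SAMPLE_LOG='Jun  3 07:50:01 client rpc.gssd[2311]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No credentials cache found
Jun  3 07:50:01 client rpc.gssd[2311]: WARNING: Failed to create krb5 context for user with uid 10000 for server server.bws.example
Jun  3 07:50:09 client rpc.gssd[2311]: WARNING: Failed to create krb5 context for user with uid 10000 for server server.bws.example
Jun  3 07:52:30 client rpc.gssd[2311]: WARNING: Failed to create krb5 context for user with uid 10001 for server server.bws.example'

# Read syslog on stdin, print one "uid server" pair per affected user.
gssd_missing_creds() {
    sed -n 's/.*Failed to create krb5 context for user with uid \([0-9][0-9]*\) for server \([^ ]*\).*/\1 \2/p' | sort -u
}

# Number of distinct users without a Kerberos context (0 means a clean log).
gssd_missing_creds_count() {
    gssd_missing_creds | wc -l | tr -d ' '
}

# Which credential rpc.gssd looks for: keytab for uid 0, a ticket cache otherwise.
gssd_explain_uid() {
    if [ "$1" -eq 0 ]; then
        echo "uid 0: rpc.gssd uses the machine keytab principal nfs/<fqdn>"
    else
        echo "uid $1: needs a user ticket cache (kinit or pam_krb5 at login)"
    fi
}

# Live check for the logged-in user: klist -s exits 0 when a valid ticket exists.
user_has_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s
}

printf '%s\n' "$SAMPLE_LOG" | gssd_missing_creds | while read -r uid server; do
    echo "no Kerberos context for uid $uid against $server"
    gssd_explain_uid "$uid"
done
```

Run it against a real client with `journalctl -u rpc-gssd | gssd_missing_creds` (or the syslog file) instead of the sample; a uid that keeps appearing after login means the PAM stack is not obtaining a ticket for that user.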