I'm trying to set up a kerberized NFSv4 client to mount a share using a local ticket (obtained by PAM when the user logged into the shell) instead of a machine specific ticket (i.e. I'd like to do user-based authorization). I already managed to get machine based authentification/authorization working for a test but i can't (and i don't want to) use local keytab files for storing the machine keys on the client machines in my production environment. I'm running the rpc.gssd with the "-n -vvv -rrr" to make it consider user tickets too. Now, when I try to mount the share to "/mnt/net" (the according fstab-line looks like "dnsdhcp:/ /mnt/net nfs4 sec=krb5p,user 0 0") the credentials cache of the user which is doing the mount is not being used. The second log message reads "rpc.gssd[888]: getting credentials for client with uid 0 for server <srvname>" Googling around a bit i found out that some other people managed to make mount use the uid of the initiating user rather than 'root'(uid=0) (though they seem to have other problems...). I'm not quite sure what is wrong with my setup and therefore i tried to dig into the code of gssd. The only thing i found is that the uid (0 in my case) is read from a file "clntXX/krb5" (within a pipefs) which is obviously written by the kernel. A kernel update to 2.6.32-19 (i'm using ubuntu karmic on an amd64 machine) didn't make it any better. Complete Log (client): http://pastebin.com/s7B2W7ie The user ticket (i'm running the mount-command from an account of a user which is authenticated via kerberos (MIT Kerberos5)) resided in /tmp/krb5cc_10002_H6OYu0 Here's what klist said http://pastebin.com/Lrrs3AwM And this is the client's krb5.conf: http://pastebin.com/JChsVNJQ I'm really desperate now because i've been working on this problem for nearly two weeks now and i couldn't get by... Can you suggest me how to specify which user should be utilized to carry out the mount? (Did I misconfigure something?) By the way i've already downloaded the source-code of the nfs-utils (ver. 1.2.0) and modified void handle_krb5_upcall(struct clnt_info *clp) from gssd/gssd_proc.c to statically set uid to 10002 (just for testing what will happen) and it's pretty interesting what comes out: http://pastebin.com/Qi1rWMLC Thanks in advance! -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
