On Wed, Apr 7, 2010 at 10:37 AM, Tom <thomas.wunder@xxxxxxxxxxxxxx> wrote:
> I'm trying to set up a kerberized NFSv4 client to mount a share using a local
> ticket (obtained by PAM when the user logged into the shell) instead of a
> machine-specific ticket (i.e. I'd like to do user-based authorization). I
> already managed to get machine-based authentication/authorization working for
> a test, but I can't (and don't want to) use local keytab files for storing the
> machine keys on the client machines in my production environment.
>
> I'm running rpc.gssd with "-n -vvv -rrr" to make it consider user
> tickets too.
> Now, when I try to mount the share to "/mnt/net" (the corresponding fstab line
> looks like "dnsdhcp:/ /mnt/net nfs4 sec=krb5p,user 0 0"), the credentials
> cache of the user who is doing the mount is not being used. The second
> log message reads
> "rpc.gssd[888]: getting credentials for client with uid 0 for server <srvname>"
> Googling around a bit, I found out that some other people managed to make mount
> use the uid of the initiating user rather than 'root' (uid=0) (though they seem
> to have other problems...).
>
> I'm not quite sure what is wrong with my setup and therefore I tried to dig
> into the code of gssd. The only thing I found is that the uid (0 in my case)
> is read from a file "clntXX/krb5" (within a pipefs) which is obviously
> written by the kernel.
>
> A kernel update to 2.6.32-19 (I'm using Ubuntu Karmic on an amd64 machine)
> didn't make it any better.
>
> Complete log (client): http://pastebin.com/s7B2W7ie
> The user ticket (I'm running the mount command from an account of a user who
> is authenticated via Kerberos (MIT Kerberos 5)) resided in
> /tmp/krb5cc_10002_H6OYu0
> Here's what klist said: http://pastebin.com/Lrrs3AwM
> And this is the client's krb5.conf: http://pastebin.com/JChsVNJQ
>
> I'm really desperate now because I've been working on this problem for nearly
> two weeks now and I couldn't get by...
>
> Can you suggest how to specify which user should be utilized to carry out
> the mount? (Did I misconfigure something?)
>
>
> By the way, I've already downloaded the source code of nfs-utils
> (ver. 1.2.0) and modified
> void handle_krb5_upcall(struct clnt_info *clp)
> from
> gssd/gssd_proc.c
> to statically set uid to 10002 (just for testing what will happen), and it's
> pretty interesting what comes out:
> http://pastebin.com/Qi1rWMLC
>
> Thanks in advance!

By the looks of your /etc/fstab entry, the system (root) will try to mount
/mnt/net automatically. You could try adding the "noauto" option and then
manually issuing the mount command as the user. (Or use automount?)

K.C.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
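The change K.C. suggests, as an added example that is not part of the thread: a small shell script that flags an fstab entry init will mount as root at boot (a sec=krb5* entry without noauto, which is why the gssd upcall in the log carries uid 0), rewrites it with noauto added, and a helper the Kerberos user runs to mount only when they are not root and their own ticket cache is valid. The fstab lines are constructed for the example (the first copies the entry from Tom's mail); the function names are mine, and user_krb5_mount assumes MIT Kerberos' klist -s exit status and an entry that already carries the user option so that mount(8) lets the user mount it.

```shell
#!/bin/sh
# Added example, not code from the thread or from nfs-utils.
# Constructed fstab lines: the first mirrors the one in the mail, the second is
# the corrected form. Without noauto the entry is mounted at boot by root, so the
# rpc.gssd upcall for that mount carries uid 0 and no user ticket cache is used.
FSTAB_BAD='dnsdhcp:/ /mnt/net nfs4 sec=krb5p,user 0 0'
FSTAB_GOOD='dnsdhcp:/ /mnt/net nfs4 sec=krb5p,user,noauto 0 0'

# has_opt OPTS NAME: succeed if the comma-separated option list contains NAME.
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

# fstab_opts LINE: print the options field (4th whitespace-separated column).
fstab_opts() {
  set -- $1   # intentional word splitting of the fstab line
  printf '%s\n' "$4"
}

# fstab_root_automount LINE: succeed when the entry uses Kerberos security
# (sec=krb5, krb5i or krb5p) and lacks noauto, i.e. root mounts it at boot.
fstab_root_automount() {
  opts=$(fstab_opts "$1")
  case ",$opts," in
    *",sec=krb5"*) ;;
    *) return 1 ;;
  esac
  has_opt "$opts" noauto && return 1
  return 0
}

# fstab_add_noauto LINE: print the line with noauto appended to its options.
fstab_add_noauto() {
  set -- $1
  opts="$4"
  has_opt "$opts" noauto || opts="$opts,noauto"
  printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$opts" "$5" "$6"
}

# user_krb5_mount MOUNTPOINT: mount as the logged-in user (hypothetical helper).
# Refuses to run as root, since then gssd sees uid 0, and refuses when the
# caller has no valid ticket in their cache (klist -s exits non-zero then).
user_krb5_mount() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "run this as the Kerberos user, not as root" >&2
    return 2
  fi
  if ! klist -s; then
    echo "no valid ticket in ${KRB5CCNAME:-the default cache}; run kinit first" >&2
    return 3
  fi
  mount "$1"
}

# Stand-alone demonstration on the constructed lines.
if fstab_root_automount "$FSTAB_BAD"; then
  echo "root mounts this at boot: $FSTAB_BAD"
  echo "corrected entry:          $(fstab_add_noauto "$FSTAB_BAD")"
fi
```

With the corrected entry in place, the user logs in (PAM obtains the ticket), checks klist, and runs the mount themselves; the uid in the gssd upcall can then be compared against the "getting credentials for client with uid" line in the log to confirm which identity the mount actually ran under.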