Date: Fri, 13 Mar 2015 23:20:35 -0400
From: Cary <lists@flederma.us>
To: freebsd-questions@freebsd.org
Subject: Kerberos + automountd issues
Message-ID: <5503A903.8080601@flederma.us>
Hello,

I've been struggling with this issue for the past couple of weeks and I've hit a wall with the FreeBSD-related NFS content I can find via Google and Yahoo!. Apologies for the wall of text up front; I've tried to be as concise as possible while describing a complex issue.

My goal is to let users authenticate with Kerberos, get a Kerberos ticket, then have the home directory auto-mounted over NFSv4 using krb[i|p] security. User information (e.g., UID, GID, home dir path) is stored in LDAP (which is working).

Kerberos authentication works. I can kinit(1)/kdestroy(1) tickets without issue. If I stop the automount services, I can ssh into the host successfully (using the pam_mkhomedir.so module to make a home directory instead of using NFS). UID/GID mappings are pulled from LDAP successfully.

When automount services are running, things work in inconsistent ways. As "user1", if I kinit(1) and get a ticket for "user2", then cd to user2's home directory, everything works: the home directory is mounted (the user's directory is created if necessary, and I can ls(1) the contents, touch(1) files, etc.). I see mount(8) report the directory has been automounted and I see the changes reflected on the NFS server, so I know things are working as desired.

However, if I try to ssh(1) in as user2, after authenticating, I get dropped into the home directory (according to pwd(1)), but I cannot ls(1), touch(1), etc. the files in the directory. In trying to troubleshoot this, I've observed the following:

1. There is no Kerberos credentials cache (/tmp/krb5cc_<UID>).
2. The home directory is not mounted (running mount(8) on the client does not show the exported directory as having been mounted).
3. Running a packet capture on the *NFS server* shows the *client* is using AUTH_UNIX credentials instead of RPCSEC_GSS.
4. The PAM debug logs seem to indicate that a credentials stash is created under the auth portion (pam_sm_authenticate()) of the pam_krb5.so module, but deleted after the pam_ldap.so account portion (pam_sm_acct_mgmt()) runs. [Aside: why would pam_sm_setcred() be run *AFTER* the pam_sm_acct_mgmt() function?]

Additional troubleshooting steps:

1. Both the NFS server and client are running nfsuserd(8), gssd(8), and nslcd(8), as per relevant man pages.
2. I've uploaded conf file contents for auto_master, auto_home, pam.d/sshd, and exports (all with line numbers) to pastebin (http://pastebin.com/RRCjfAvG).
3. I've uploaded a failed ssh session's PAM logs (with line numbers) to pastebin (http://pastebin.com/wLm3Knws).
4. The NFS client is running FreeBSD 10.1-RELEASE #0 r274401.
5. The NFS server is running FreeBSD 10.0-RELEASE-p12 #0.
6. On the server, I've set the sysctl options vfs.nfs.debuglevel=3 and vfs.usermount=1.
7. On the client, I've set the sysctl option vfs.usermount=1.
8. My sshd_config has the following options set which may be applicable to the situation (GSSAPI* and Kerberos* options are disabled):

   PasswordAuthentication no
   ChallengeResponseAuthentication yes
   UsePAM yes

What steps, programs, or settings have I overlooked? What else do I need to automount home directories with sec=krb5 when ssh'ing into the host? Any help will be welcomed enthusiastically! If additional information or settings are needed, please let me know.

Thank you in advance!

-- 
Mr. Cary Mathews
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5503A903.8080601>
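As an added example (not part of the original post, and not FreeBSD's own tooling), the following POSIX shell script turns the three client-side observations in the post into repeatable checks that can be run as the affected account right after login: whether a credentials cache exists for the login UID, whether the home directory is actually an NFS mount, and which sec= flavour the mount negotiated. It assumes the default credentials-cache path /tmp/krb5cc_<UID> named in the post, the mount(8) output form "src on /mnt (nfs, ...)", and the nfsstat -m layout of a "src on /mnt" line followed by a line of mount options; the host names, export paths and option strings in the embedded sample output are constructed for the offline demo.

```shell
#!/bin/sh
# Added example: client-side checks for the symptoms described in the post.
# The helpers take command output as a string so they can be exercised offline;
# client_report() feeds them live mount(8) and nfsstat(1) output.

# Is there a Kerberos credentials cache file for UID $1?  Assumes the default
# FreeBSD cache location /tmp/krb5cc_<UID>; $2 overrides the directory.
ccache_present() {
    [ -f "${2:-/tmp}/krb5cc_$1" ]
}

# Does mount(8) output ($1) list mount point $2 as an NFS mount?  Accepts the
# FreeBSD form "src on /mnt (nfs, ...)" and the Linux form "src on /mnt type nfs4 (...)".
nfs_mounted() {
    printf '%s\n' "$1" | grep -Eq "^[^ ]+ on $2 (\(nfs|type nfs)"
}

# Print the sec= flavour recorded for mount point $2 in nfsstat -m output ($1).
# Assumed layout: a "src on /mnt" line followed by one line of mount options.
# Returns 1 and prints nothing if the mount or its sec= option is absent.
mount_sec_flavor() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        found {
            if (match($0, /sec=[a-z0-9]+/)) {
                print substr($0, RSTART + 4, RLENGTH - 4)
                ok = 1
            }
            exit
        }
        $0 ~ (" on " mp "$") { found = 1 }
        END { exit ok ? 0 : 1 }'
}

# Is $1 one of the RPCSEC_GSS flavours the post is aiming for?
flavor_is_kerberized() {
    case $1 in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# Live report for the invoking user: run as the affected account after ssh login.
client_report() {
    mp=${1:-$HOME}
    uid=$(id -u)
    if ccache_present "$uid"; then echo "ok:   credentials cache /tmp/krb5cc_$uid present"
    else echo "FAIL: no credentials cache /tmp/krb5cc_$uid"; fi
    if nfs_mounted "$(mount)" "$mp"; then echo "ok:   $mp is an NFS mount"
    else echo "FAIL: $mp is not mounted over NFS"; fi
    flavor=$(mount_sec_flavor "$(nfsstat -m 2>/dev/null)" "$mp") || flavor=none
    if flavor_is_kerberized "$flavor"; then echo "ok:   sec=$flavor"
    else echo "FAIL: sec=$flavor (expected krb5, krb5i or krb5p)"; fi
}

# Constructed sample output (not captured from a real host) for an offline run.
SAMPLE_MOUNT='nfs.example.test:/export/home/user2 on /home/user2 (nfs, nfsv4acls)
/dev/ada0p2 on / (ufs, local, journaled soft-updates)'
SAMPLE_NFSSTAT='nfs.example.test:/export/home/user2 on /home/user2
    nfsv4,minorversion=0,tcp,resvport,hard,cto,sec=krb5,acdirmin=3,acdirmax=60
nfs.example.test:/export/scratch on /scratch
    nfsv3,tcp,resvport,hard,cto,acdirmin=3'

# Offline demo over the constructed samples; prints one line per check.
offline_demo() {
    nfs_mounted "$SAMPLE_MOUNT" /home/user2 && echo "/home/user2 is an NFS mount"
    flavor=$(mount_sec_flavor "$SAMPLE_NFSSTAT" /home/user2) && echo "/home/user2 sec=$flavor"
    mount_sec_flavor "$SAMPLE_NFSSTAT" /scratch >/dev/null || echo "/scratch has no sec= option"
}

# Usage: sh nfs_krb_check.sh --live [/home/user2]   (omit --live for the demo)
if [ "${1:-}" = --live ]; then client_report "${2:-}"; else offline_demo; fi
```

A mount that shows up with sec=sys here is consistent with the AUTH_UNIX traffic the post saw in its packet capture, and a missing /tmp/krb5cc_<UID> is what to look for first, since gssd(8) on the client has no credentials to present without it.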