From: Cary
Date: Fri, 13 Mar 2015 23:20:35 -0400
To: freebsd-questions@freebsd.org
Subject: Kerberos + automountd issues

Hello,

I've been struggling with this issue for the past couple of weeks and I've hit a wall with the FreeBSD-related NFS content I can find via Google and Yahoo!. Apologies for the wall of text up front; I've tried to be as concise as possible while describing a complex issue.
My goal is to let users authenticate with Kerberos, get a Kerberos ticket, then have the home directory auto-mounted over NFSv4 using krb[i|p] security. User information (e.g., UID, GID, home dir path) is stored in LDAP (which is working).

Kerberos authentication works. I can kinit(1)/kdestroy(1) tickets without issue. If I stop the automount services, I can ssh into the host successfully (using the pam_mkhomedir.so module to make a home directory instead of using NFS). UID/GID mappings are pulled from LDAP successfully.

When automount services are running, things work in inconsistent ways. As "user1", if I kinit(1) and get a ticket for "user2", then cd to user2's home directory, everything works: the home directory is mounted (the user's directory is created if necessary, and I can ls(1) the contents, touch(1) files, etc.). I see mount(8) report the directory has been automounted and I see the changes reflected on the NFS server, so I know things are working as desired.

However, if I try to ssh(1) in as user2, after authenticating, I get dropped into the home directory (according to pwd(1)), but I cannot ls(1), touch(1), etc. the files in the directory.

In trying to troubleshoot this, I've observed the following:

1. There is no Kerberos credentials cache (/tmp/krb5cc_).
2. The home directory is not mounted (running mount(1) on the client does not show the exported directory as having been mounted).
3. Running a packet capture on the *NFS server* shows the *client* is using AUTH_UNIX credentials instead of RPCSEC_GSS.
4. The PAM debug logs seem to indicate that a credentials stash is created under the auth portion (pam_sm_authenticate()) of the pam_krb5.so module, but deleted after the pam_ldap.so account portion (pam_sm_acct_mgmt()) runs. [Aside: why would pam_sm_setcred() be run *AFTER* the pam_sm_acct_mgmt() function?]

Additional troubleshooting steps:

1. Both the NFS server and client are running nfsuserd(8), gssd(8), and nslcd(8), as per the relevant man pages.
2. I've uploaded conf file contents for auto_master, auto_home, pam.d/sshd, and exports (all with line numbers) to pastebin (http://pastebin.com/RRCjfAvG).
3. I've uploaded the PAM logs from a failed ssh session (with line numbers) to pastebin (http://pastebin.com/wLm3Knws).
4. The NFS client is running FreeBSD 10.1-RELEASE #0 r274401.
5. The NFS server is running FreeBSD 10.0-RELEASE-p12 #0.
6. On the server, I've set the sysctl options vfs.nfs.debuglevel=3 and vfs.usermount=1.
7. In the client, I've set the sysctl option vfs.usermount=1.
8. My sshd_config has the following options set which may be applicable to the situation (GSSAPI* and Kerberos* options are disabled):

   PasswordAuthentication no
   ChallengeResponseAuthentication yes
   UsePAM yes

What steps, programs, or settings have I overlooked? What else do I need to automount home directories with sec=krb5 when ssh'ing into the host?

Any help will be welcomed enthusiastically! If additional information or settings are needed, please let me know. Thank you in advance!

--
Mr. Cary Mathews
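A login-side diagnostic for the three symptoms listed in the message (no credentials cache, home directory not mounted, mount using AUTH_UNIX rather than RPCSEC_GSS), added here as an example and not taken from the original post or from FreeBSD. It assumes `nfsstat -m` prints each mount as a "server:/export on /mountpoint" line followed by an indented option line containing `sec=<flavor>`; the sample output, uid and paths below are constructed.

```shell
#!/bin/sh
# Check a user's Kerberos-secured NFSv4 home mount (added example, not from the post).
# Covers the three symptoms in the message: no credentials cache, home directory
# not mounted, and a mount using AUTH_SYS/AUTH_UNIX instead of RPCSEC_GSS.
# Assumed `nfsstat -m` format: "server:/export on /mountpoint" line, then an
# indented comma-separated option line that contains "sec=<flavor>".

# ccache_path UID [DIR]: default FILE: credentials cache name for a uid (DIR defaults to /tmp)
ccache_path() { printf '%s/krb5cc_%s\n' "${2:-/tmp}" "$1"; }

# has_ccache UID [DIR]: succeeds if a non-empty credentials cache exists for the uid
has_ccache() { [ -s "$(ccache_path "$1" "$2")" ]; }

# mount_sec_flavor MOUNTPOINT NFSSTAT_OUTPUT: prints the sec= flavor of the NFS mount
# at MOUNTPOINT, "sys" if the option line shows no sec=, or "none" if it is not mounted
mount_sec_flavor() {
  printf '%s\n' "$2" | awk -v mp="$1" '
    / on / { cur = $NF; next }                        # mount line: remember its mountpoint
    cur == mp {                                       # option line of the wanted mount
      found = 1
      if (match($0, /sec=[a-z0-9]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
      else print "sys"
      exit
    }
    END { if (!found) print "none" }'
}

# home_mount_ok UID HOME [CCACHE_DIR] [NFSSTAT_OUTPUT]: succeeds only when a ccache
# exists and HOME is mounted with a krb5 flavor; otherwise prints the failing check
home_mount_ok() {
  uid=$1; home=$2; dir=${3:-/tmp}; out=${4:-$(nfsstat -m 2>/dev/null)}
  has_ccache "$uid" "$dir" || { echo "no credentials cache at $(ccache_path "$uid" "$dir")"; return 1; }
  flavor=$(mount_sec_flavor "$home" "$out")
  case $flavor in
    krb5|krb5i|krb5p) return 0 ;;
    none) echo "$home is not mounted"; return 1 ;;
    *) echo "$home is mounted with sec=$flavor, not RPCSEC_GSS"; return 1 ;;
  esac
}

# Constructed sample output (not captured from a real host), for an offline run
SAMPLE_NFSSTAT='nfs.example.org:/export/home/user2 on /home/user2
    nfsv4,minorversion=0,tcp,resvport,hard,cto,sec=krb5p,acdirmin=3,acdirmax=60
nfs.example.org:/export/home/user3 on /home/user3
    nfsv4,minorversion=0,tcp,resvport,hard,cto,sec=sys,acdirmin=3,acdirmax=60'

printf 'user2 home: sec=%s\n' "$(mount_sec_flavor /home/user2 "$SAMPLE_NFSSTAT")"   # krb5p
printf 'user3 home: sec=%s\n' "$(mount_sec_flavor /home/user3 "$SAMPLE_NFSSTAT")"   # sys
```

On a real client, run `home_mount_ok "$(id -u)" "$HOME"` right after logging in over ssh; a "sys" result with no ccache is the AUTH_UNIX symptom the packet capture showed.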