Comment 4 for bug 368153

maxjos (magne-fortytwo) wrote :

Yes, the ticket is /tmp/krb5cc_<uid>_<randstring> and the only difference in the two scenarios I describe is that when $HOME is NFS mounted `klist` shows that I have the "nfs/<hostname>@REALM" service ticket, whilst it does not in the second scenario.

From what I could see in the nfs-utils docs though, RPCGSSDOPTS="-n" means you have to acquire the NFS service ticket as root manually before the user is able to mount any kerberized exports. This leads me to believe something is triggered in the login process (as root) making kerberos able to get the service ticket and insert into my credentials *IF* my home is NFS mounted. Plausible?

I have tried logging in through both gdm and terminal and the behaviour is exactly the same. pam_krb5.so issue?

Here is some proof of concept, first with autofs mounting my home under /net/home/user1:

Ubuntu 9.04 tty1

hostname login: user1
Password:
[ .. snip .. ]

user1@hostname:~# klist
Ticket cache: FILE:/tmp/krb5cc_1001_F4RoT
Default principal: user1@REALM

Valid starting     Expires            Service principal
04/28/09 17:31:12  04/29/09 03:31:12  krbtgt/REALM@REALM
    renew until 04/29/09 17:31:12

Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached

user1@hostname:~# ls -l /net/home/user1
ls: cannot access /net/home/user1: No such file or directory
user1@hostname:~# logout

In syslog I see rpc.gssd complain about 'CC file '/tmp/krb5cc_1001_F4RoT' owned by 1001, not 0' and automount 'access denied by server while mounting ....'.

Now I log in as root and modify autofs to mount my home at /home/user1, then restart the autofs daemon and log in as user1 again:

Ubuntu 9.04 tty1

hostname login: user1
Password:
[ .. snip .. ]

user1@hostname:~# klist
Ticket cache: FILE:/tmp/krb5cc_1001_Ru4r3l
Default principal: user1@REALM

Valid starting     Expires            Service principal
04/28/09 17:36:12  04/29/09 03:36:12  krbtgt/REALM@REALM
    renew until 04/29/09 17:36:12
04/28/09 17:36:12  04/29/09 03:36:12  nfs/nfs-server.example.com@REALM
    renew until 04/29/09 17:36:12

Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached

user1@hostname:~# logout

Magically I now have an NFS service ticket apparently because my $HOME is pointing at the NFS server and I can easily browse my NFS home folder....

In syslog I see something that might explain the behaviour. rpc.gssd says: 'CC file '/tmp/krb5cc_pam_<randstring>' (user1@REALM) passed all checks and has mtime of <unixtime>' and 'using FILE:/tmp/krb5cc_pam_<randstring> as credentials cache for client with uid 0 for server nfs-server.example.com'. Apparently PAM does some magic if it sees your home folder lives on NFS and creates a temporary credentials cache? Does this help to figure out what is causing this and how to fix it?

Thanks
Max

PS: I couldn't copy/paste the above console output so it might have some typos
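The two syslog messages quoted above ("owned by 1001, not 0" and "passed all checks and has mtime of ...") come from rpc.gssd's credential-cache search: it scans the ccache directory (/tmp by default) for files named krb5cc_*, rejects any file not owned by the uid it is working for, and uses the most recently modified survivor. Because the mount is performed by automount running as root, the search is for uid 0, so the user's own krb5cc_1001_* cache is never a candidate and only a root-owned cache such as the one pam_krb5 leaves behind can satisfy it. The following is an added example, not code from nfs-utils or from the comment author: a simplified Python model of that selection logic run over constructed entries for the two scenarios. The krb5cc_pam_* suffix and the mtime values are made up, and the log strings only approximate rpc.gssd's wording.

```python
"""Simplified model of rpc.gssd's credential-cache search (added example).

Nothing here touches the filesystem: the candidate caches are constructed
records carrying the fields rpc.gssd would obtain from stat() and from
reading the cache (owner uid, mtime, default principal, expiry).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CCacheEntry:
    path: str
    owner_uid: int
    mtime: int            # constructed, not a real timestamp
    principal: str        # default principal stored in the cache
    expired: bool = False # TGT in the cache is past its end time


def find_existing_ccache(entries: List[CCacheEntry], uid: int,
                         prefix: str = "krb5cc_") -> Tuple[Optional[str], List[str]]:
    """Return (chosen cache path or None, log lines) for a request made as `uid`.

    Mirrors the order of rpc.gssd's checks: name prefix, owner uid, usability
    of the credentials, then "newest mtime wins" among the survivors.
    """
    log: List[str] = []
    best: Optional[CCacheEntry] = None
    for e in entries:
        name = e.path.rsplit("/", 1)[-1]
        if not name.startswith(prefix):
            continue  # not a candidate at all; rpc.gssd does not log these
        if e.owner_uid != uid:
            log.append(f"CC file '{e.path}' owned by {e.owner_uid}, not {uid}")
            continue
        if e.expired:
            log.append(f"CC file '{e.path}' ({e.principal}) is expired or corrupt")
            continue
        log.append(f"CC file '{e.path}' ({e.principal}) passed all checks "
                   f"and has mtime of {e.mtime}")
        if best is None or e.mtime > best.mtime:
            best = e
    if best is not None:
        log.append(f"using FILE:{best.path} as credentials cache "
                   f"for client with uid {uid}")
    return (best.path if best is not None else None), log


# Scenario 1 (home under /net/home/user1): only the user's own cache exists.
SCENARIO_NET_HOME: List[CCacheEntry] = [
    CCacheEntry("/tmp/krb5cc_1001_F4RoT", 1001, 1000, "user1@REALM"),
]

# Scenario 2 (home at /home/user1): pam_krb5 also left a root-owned cache
# while it ran as root during login. Path suffix is constructed.
SCENARIO_NFS_HOME: List[CCacheEntry] = [
    CCacheEntry("/tmp/krb5cc_1001_Ru4r3l", 1001, 2000, "user1@REALM"),
    CCacheEntry("/tmp/krb5cc_pam_XyZ123", 0, 2001, "user1@REALM"),
]


def mount_as_root(entries: List[CCacheEntry]) -> Tuple[Optional[str], List[str]]:
    """automount mounts as root, so rpc.gssd searches for uid 0's cache."""
    return find_existing_ccache(entries, uid=0)


if __name__ == "__main__":
    for label, scenario in (("/net/home/user1", SCENARIO_NET_HOME),
                            ("/home/user1", SCENARIO_NFS_HOME)):
        chosen, log = mount_as_root(scenario)
        print(f"--- home at {label}: chosen = {chosen}")
        for line in log:
            print("rpc.gssd:", line)
```

Running it shows the same split as the two logins in the comment: with only the user-owned cache present, rpc.gssd logs the "owned by 1001, not 0" rejection and finds nothing for uid 0, so the mount fails; once a root-owned krb5cc_pam_* cache exists it passes the checks and is used for the uid 0 mount. The model also makes the `-n` behaviour concrete: with machine credentials disabled, a root-owned cache obtained by kinit (or left by PAM) is the only thing that can satisfy a root-initiated mount.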