Yes, the ticket is /tmp/krb5cc_<uid>_<randstring> and the only difference in the two scenarios I describe is that when $HOME is NFS mounted `klist` shows that I have the "nfs/<hostname>@REALM" service ticket, whilst it does not in the second scenario.
From what I could see in the nfs-utils docs, though, RPCGSSDOPTS="-n" means you have to acquire the NFS service ticket as root manually before the user is able to mount any kerberized exports. This leads me to believe something is triggered in the login process (as root) making Kerberos able to get the service ticket and insert it into my credentials *IF* my home is NFS mounted. Plausible?
I have tried logging in through both gdm and a terminal and the behaviour is exactly the same. pam_krb5.so issue?
Here is some proof of concept, first with autofs mounting my home under /net/home/user1:
Ubuntu 9.04 tty1
hostname login: user1
Password:
[ .. snip .. ]
user1@hostname:~# klist
Ticket cache: FILE:/tmp/krb5cc_1001_F4RoT
Default principal: user1@REALM
Valid starting Expires Service principal
04/28/09 17:31:12 04/29/09 03:31:12 krbtgt/REALM@RELAM
renew until 04/29/09 17:31:12
Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
user1@hostname:~# ls -l /net/home/user1
ls: cannot access /net/home/user1: No such file or directory
user1@hostname:~# logout
In syslog I see rpc.gssd complain about 'CC file '/tmp/krb5cc_1001_F4RoT owned by 1001, no 0' and automount 'access denied by server while mounting ....'.
Now I log in as root and modify autofs to mount my home at /home/user1 then restart autofs daemon and log in as user1 again:
Ubuntu 9.04 tty1
hostname login: user1
Password:
[ .. snip .. ]
user1@hostname:~# klist
Ticket cache: FILE:/tmp/krb5cc_1001_Ru4r3l
Default principal: user1@REALM
Valid starting Expires Service principal
04/28/09 17:36:12 04/29/09 03:36:12 krbtgt/REALM@RELAM
renew until 04/29/09 17:36:12
04/28/09 17:36:12 04/29/09 03:36:12 nfs/nfs-server.example.com@RELAM
renew until 04/29/09 17:36:12
Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
user1@hostname:~# logout
Magically I now have an NFS service ticket, apparently because my $HOME is pointing at the NFS server, and I can easily browse my NFS home folder....
In syslog I see something that might explain the behaviour. rpc.gssd says: 'CC file '/tmp/krb5cc_pam_<randstring>' (user1@REALM) passed all checks and has mtime of <unixtime>' and 'using FILE:/tmp/krb5cc_pam_<randstring> as credentials cache for client with uid 0 for server nfs-server.example.com'. Apparently PAM does some magic if it sees your home folder lives on NFS and creates a temporary credentials cache? Does this help to figure out what is causing this and how to fix it?
Thanks
Max
PS: I couldn't copy/paste the above console output so it might have some typos
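An added diagnostic script, not part of Max's post: it checks a klist dump for an nfs/ service ticket and reads rpc.gssd's credential-cache decision out of syslog lines of the two kinds quoted above. The klist text and syslog lines it runs over are constructed to mirror the post; the cache name krb5cc_pam_AbC123 and the pid 1234 are made up.

```shell
#!/bin/sh
# Added example (not from the post): parse klist output for an nfs/ service
# ticket and read rpc.gssd's credential-cache decision out of syslog lines.
# All sample text below is constructed to mirror the post's transcript.

KLIST_NO_NFS='Ticket cache: FILE:/tmp/krb5cc_1001_F4RoT
Default principal: user1@REALM
Valid starting     Expires            Service principal
04/28/09 17:31:12  04/29/09 03:31:12  krbtgt/REALM@REALM
        renew until 04/29/09 17:31:12'
KLIST_WITH_NFS='Ticket cache: FILE:/tmp/krb5cc_1001_Ru4r3l
Default principal: user1@REALM
Valid starting     Expires            Service principal
04/28/09 17:36:12  04/29/09 03:36:12  krbtgt/REALM@REALM
        renew until 04/29/09 17:36:12
04/28/09 17:36:12  04/29/09 03:36:12  nfs/nfs-server.example.com@REALM
        renew until 04/29/09 17:36:12'
SYSLOG_REJECT="rpc.gssd[1234]: CC file '/tmp/krb5cc_1001_F4RoT' owned by 1001, not 0"
SYSLOG_ACCEPT="rpc.gssd[1234]: using FILE:/tmp/krb5cc_pam_AbC123 as credentials cache for client with uid 0 for server nfs-server.example.com"

# has_nfs_ticket KLIST_TEXT: prints yes if any ticket line's service
# principal (last field) starts with nfs/, else no.
has_nfs_ticket() {
    if printf '%s\n' "$1" | awk '$NF ~ /^nfs\// { f = 1 } END { if (f) exit 0; exit 1 }'; then
        echo yes
    else
        echo no
    fi
}

# gssd_cache_decision SYSLOG_LINE: explains which cache rpc.gssd picked for
# uid 0, or why it skipped one (the "owned by 1001, not 0" case in the post).
gssd_cache_decision() {
    q="'"
    case "$1" in
        *"CC file $q"*"$q owned by "*", not 0"*)
            p=${1#*CC file $q}; p=${p%%$q*}
            o=${1#*owned by }; o=${o%%,*}
            echo "rejected $p (owner $o, gssd wants uid 0)" ;;
        *"using FILE:"*" as credentials cache for client with uid 0"*)
            p=${1#*using FILE:}; p=${p%% *}
            echo "using $p" ;;
        *) echo unknown ;;
    esac
}

has_nfs_ticket "$KLIST_NO_NFS"          # no
has_nfs_ticket "$KLIST_WITH_NFS"        # yes
gssd_cache_decision "$SYSLOG_REJECT"
gssd_cache_decision "$SYSLOG_ACCEPT"
```

Run it against a real `klist` dump and the rpc.gssd lines from /var/log/syslog to see whether the mount failure is the "no uid-0 cache" case or a missing nfs/ ticket.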