Kerberos, NFS4 and autofs issue
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nfs-utils (Debian) | New | Undecided | Unassigned |
nfs-utils (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Ubuntu 9.04 latest update.
When mounting the user's home folder over NFS4 using Kerberos with RPCGSSDOPTS="-n" set in /etc/defaults/
$ sudo kinit
$ sudo ls -l /mountpoint
At this point the automount will still fail as now the Kerberos ticket is owned by root; however, if you change the owner of the ticket back to the original user, automount will be able to mount/access the kerberized NFS export. As mentioned at the beginning, this is not the case if the user's home is NFS mounted, as it seems to trigger a function that will automatically make Ubuntu acquire an NFS Kerberos ticket (machine credentials?). Note I'm not using client keytabs in this setup.
I've added some verbose logging to this to try and figure out what the issue could be but the strange thing is the logs say the same even if it is able to mount: rpc.gssd access denied errors and failed to create krb5 context for uid 0.
Is the mounting process by design? What triggers the mounts to work when $HOME is mounted over NFS and why do they fail if it is not?
PS: this should be pretty easy to replicate if you have a working krb5/nfs4/autofs setup, simply point the /home autofs to somewhere else like e.g. /tmphome. Add RPCGSSDOPTS="-n" in /etc/defaults/
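A diagnostic for the ticket-ownership situation described above, added here as an example and not part of the bug report: it mimics the check rpc.gssd makes when it has no machine credentials, scanning a cache directory (default /tmp; the krb5cc_<uid> naming is an assumption about the default layout) for a credential cache owned by the given uid, and tells apart "no cache at all" from "cache named for the user but owned by someone else", which is what `sudo kinit` leaves behind.

```shell
#!/bin/sh
# find_user_ccache UID [DIR]
#   Prints the path of a Kerberos credential cache owned by UID and returns 0.
#   Returns 1 if no cache owned by UID exists in DIR (user never ran kinit),
#   returns 2 if a cache named for UID exists but belongs to another uid
#   (e.g. root after "sudo kinit"), which rpc.gssd will refuse to use.
# DIR defaults to /tmp, the usual ccache directory (assumption).
find_user_ccache() {
    uid="$1"
    dir="${2:-/tmp}"
    wrong_owner=""
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        # third field of "ls -ln" is the numeric owner uid (portable, no stat -c)
        owner=$(ls -ln "$f" | awk '{print $3}')
        if [ "$owner" = "$uid" ]; then
            printf '%s\n' "$f"           # usable cache, same test rpc.gssd applies
            return 0
        fi
        # remember caches that carry this uid's name but a different owner
        case "$f" in
            "$dir"/krb5cc_"$uid"|"$dir"/krb5cc_"$uid"_*)
                wrong_owner="$f (owner uid $owner)" ;;
        esac
    done
    if [ -n "$wrong_owner" ]; then
        printf 'cache for uid %s exists but is not owned by it: %s\n' \
            "$uid" "$wrong_owner" >&2
        return 2
    fi
    printf 'no credential cache owned by uid %s in %s\n' "$uid" "$dir" >&2
    return 1
}

# usage: find_user_ccache "$(id -u)"
```

A return code of 2 for the logged-in user is the state the report describes; `chown` of the listed file back to the user (or re-running `kinit` without `sudo`) clears it.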
affects: ubuntu → kerberos-configs (Ubuntu)
I'm not sure what package this is a problem with, but I can say with some certainty that it isn't kerberos-configs. This package only provides the krb5.conf configuration to find the KDCs and do other library initialization.
This sounds like a bug in the NFS v4 userspace processes, if I understand your bug report properly. Am I correct in thinking you already have a Kerberos ticket but no service ticket for NFS is acquired to access the NFS mount? If so, that means the GSS daemon isn't doing what it should.
If the problem is that you have no Kerberos ticket at all, then I don't think there's any bug here, just a configuration error on your system. In order to let the user access directories in Kerberos-authenticated NFS, you need to ensure that a Kerberos ticket is acquired for the user before they try. This will require that pam-krb5 be installed and configured so they get a ticket at login.