Kerberos + automountd issues

Cary lists at
Sat Mar 14 03:20:43 UTC 2015


I've been struggling with this issue for the past couple of weeks and 
I've hit a wall with the FreeBSD-related NFS content I can find via 
Google and Yahoo!. Apologies for the wall of text up front; I've tried 
to be as concise as possible while describing a complex issue.

My goal is to let users authenticate with Kerberos, get a Kerberos 
ticket, then have the home directory auto-mounted over NFSv4 using 
krb5[i|p] security. User information (e.g., UID, GID, home dir path) is 
stored in LDAP (which is working).

Kerberos authentication works. I can kinit(1)/kdestroy(1) tickets 
without issue. If I stop the automount services, I can ssh into the host 
successfully (using the module to make a home directory 
instead of using NFS). UID/GID mappings are pulled from LDAP successfully.

When automount services are running, things work in inconsistent ways. 
As "user1", if I kinit(1) and get a ticket for "user2", then cd to 
user2's home directory, everything works: the home directory is mounted 
(the user's directory is created if necessary, and I can ls(1) the 
contents, touch(1) files, etc.). I see mount(8) report the directory has 
been automounted and I see the changes reflected on the NFS server, so I 
know things are working as desired.

However, if I try to ssh(1) in as user2, after authenticating, I get 
dropped into the home directory (according to pwd(1)), but I cannot 
ls(1), touch(1), etc. the files in the directory. In trying to 
troubleshoot this, I've observed the following:
    1. There is no Kerberos credentials cache (/tmp/krb5cc_<UID>).
    2. The home directory is not mounted (running mount(1) on the client 
does not show the exported directory as having been mounted).
    3. Running a packet capture on the *NFS server* shows the *client* 
is using AUTH_UNIX credentials instead of RPCSEC_GSS.
    4. The PAM debug logs seem to indicate that a credentials stash is 
created under the auth portion (pam_sm_authenticate()) of the module, but 
deleted after the account portion (pam_sm_acct_mgmt()) runs. [Aside: why 
would pam_sm_setcred() be run *AFTER* the pam_sm_acct_mgmt() function?]

Additional troubleshooting steps:
    1. Both the NFS server and client are running nfsuserd(8), gssd(8), 
and nslcd(8), as per the relevant man pages.
    2. I've uploaded the conf file contents for auto_master, auto_home, 
pam.d/sshd, and exports (all with line numbers) to pastebin.
    3. I've uploaded the PAM logs of a failed ssh session (with line numbers) 
to pastebin (
    4. The NFS client is running FreeBSD 10.1-RELEASE #0 r274401.
    5. The NFS server is running FreeBSD 10.0-RELEASE-p12 #0.
    6. On the server, I've set the sysctl options vfs.nfs.debuglevel=3 
and vfs.usermount=1.
    7. On the client, I've set the sysctl option vfs.usermount=1.
    8. My sshd_config has the following options set which may be 
applicable to the situation (GSSAPI* and Kerberos* options are disabled):
	PasswordAuthentication no
	ChallengeResponseAuthentication yes
	UsePAM yes

What steps, programs, or settings have I overlooked? What else do I need 
to automount home directories with sec=krb5 when ssh'ing into the host?

Any help will be welcomed enthusiastically! If additional information or 
settings are needed, please let me know.

Thank you in advance!

Mr. Cary Mathews
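As an added diagnostic helper (not part of the original post or of FreeBSD), the script below checks the first three observations from the failed-login case for a given user: whether the default credentials cache file exists, which sec= flavor the home directory mount reports in nfsstat -m, and whether that flavor is a Kerberos (RPCSEC_GSS) one rather than sys (AUTH_UNIX). It assumes FreeBSD's nfsstat -m layout (an "<export> on <mountpoint>" line followed by a comma-separated options line) and the default FILE:/tmp/krb5cc_<UID> cache location; the script name and the sample output used for checking are constructed.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumes FreeBSD's
# "nfsstat -m" layout: an "<export> on <mountpoint>" line followed by a
# comma-separated options line (e.g. "...,sec=krb5p,..."), and that the
# Kerberos credentials cache is the default FILE:/tmp/krb5cc_<UID>.

# ccache_present UID [DIR]: 0 if a non-empty krb5cc_<UID> exists in DIR.
ccache_present() {
    [ -s "${2:-/tmp}/krb5cc_$1" ]
}

# nfs_sec_flavor MOUNTPOINT: reads nfsstat -m style text on stdin and
# prints the sec= flavor of that mount, or "none" if the mountpoint is
# not mounted (or its options line carries no sec= entry).
nfs_sec_flavor() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp { want = 1; next }
        want {
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^sec=/) {
                    sub(/^sec=/, "", opt[i]); print opt[i]; found = 1
                }
            want = 0
        }
        END { if (!found) print "none" }'
}

# is_krb5_flavor FLAVOR: 0 only for the RPCSEC_GSS Kerberos flavors.
# AUTH_UNIX shows up as sec=sys, which matches the packet capture above.
is_krb5_flavor() {
    case "$1" in krb5|krb5i|krb5p) return 0 ;; *) return 1 ;; esac
}

# report UID HOME: live check on a FreeBSD NFS client (needs nfsstat(1)).
report() {
    if ccache_present "$1"; then echo "ccache /tmp/krb5cc_$1: present"
    else echo "ccache /tmp/krb5cc_$1: MISSING"; fi
    flavor=$(nfsstat -m | nfs_sec_flavor "$2")
    echo "mount $2: sec=$flavor"
    if is_krb5_flavor "$flavor"; then echo "RPCSEC_GSS in use"
    else echo "WARNING: not Kerberos-secured (AUTH_UNIX or not mounted)"; fi
}

# Usage (hypothetical file name): sh nfs_krb_check.sh <uid> <home-dir>
if [ $# -eq 2 ]; then report "$1" "$2"; fi
```

Run it in the failing ssh session as the affected user; a MISSING cache together with sec=none or sec=sys is the same picture the post describes.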

More information about the freebsd-questions mailing list