Kerberos + automountd issues
lists at flederma.us
Sat Mar 14 03:20:43 UTC 2015
I've been struggling with this issue for the past couple of weeks and
I've hit a wall with the FreeBSD-related NFS content I can find via
Google and Yahoo!. Apologies for the wall of text up front; I've tried
to be as concise as possible while describing a complex issue.

My goal is to let users authenticate with Kerberos, get a Kerberos
ticket, then have the home directory auto-mounted over NFSv4 using
krb[i|p] security. User information (e.g., UID, GID, home dir path) is
stored in LDAP (which is working).

Kerberos authentication works. I can kinit(1)/kdestroy(1) tickets
without issue. If I stop the automount services, I can ssh into the host
successfully (using the pam_mkhomedir.so module to make a home directory
instead of using NFS). UID/GID mappings are pulled from LDAP successfully.

When automount services are running, things work in inconsistent ways.
As "user1", if I kinit(1) and get a ticket for "user2", then cd to
user2's home directory, everything works: the home directory is mounted
(the user's directory is created if necessary, and I can ls(1) the
contents, touch(1) files, etc.). I see mount(8) report the directory has
been automounted and I see the changes reflected on the NFS server, so I
know things are working as desired.

However, if I try to ssh(1) in as user2, after authenticating, I get
dropped into the home directory (according to pwd(1)), but I cannot
ls(1), touch(1), etc. the files in the directory. In trying to
troubleshoot this, I've observed the following:
1. there is no Kerberos credentials cache (/tmp/krb5cc_<UID>)
2. the home directory is not mounted (running mount(1) on the client
does not show the exported directory as having been mounted)
3. Running a packet capture on the *NFS server* shows the *client*
is using AUTH_UNIX credentials instead of RPCSEC_GSS.
4. The PAM debug logs seem to indicate that a credentials stash is
created under the auth portion (pam_sm_authenticate()) of the
pam_krb5.so module, but deleted after the pam_ldap.so account portion
(pam_sm_acct_mgmt()) runs [Aside: why would the pam_sm_setcred() be run
*AFTER* the pam_sm_acct_mgmt() function?]

Additional troubleshooting steps:
1. Both the NFS server and client are running nfsuserd(8), gssd(8),
and nslcd(8), as per the relevant man pages
2. I've uploaded conf file contents for auto_master, auto_home,
pam.d/sshd, and exports (all with line numbers) to pastebin
3. I've uploaded a failed ssh session's PAM logs (with line numbers)
to pastebin (http://pastebin.com/wLm3Knws)
4. The NFS client is running FreeBSD 10.1-RELEASE #0 r274401
5. The NFS server is running FreeBSD 10.0-RELEASE-p12 #0
6. On the server, I've set the sysctl option vfs.nfs.debuglevel=3
7. In the client, I've set the sysctl option vfs.usermount=1
8. My sshd_config has the following options set, which may be
applicable to the situation (GSSAPI* and Kerberos* options are disabled):

What steps, programs, or settings have I overlooked? What else do I need
to automount home directories with sec=krb5 when ssh'ing into the host?

Any help will be welcomed enthusiastically! If additional information or
settings are needed, please let me know.
Thank you in advance!

Mr. Cary Mathews
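The three symptoms listed in the post (no credentials cache, home directory not mounted, AUTH_UNIX instead of RPCSEC_GSS) can be turned into a quick client-side check. The script below is an added example, not code from the original post; it assumes the default FILE credentials cache path /tmp/krb5cc_<UID> and that mount -v prints NFS entries as "src on /path (nfs, ..., sec=krb5)". All inputs are parameters so it can be run against constructed mount output as well as the live system.

```shell
#!/bin/sh
# Diagnostic helper for a Kerberos-secured NFSv4 home directory.
# Added example, not from the original post. Every input is a parameter so the
# checks can run against constructed data as well as the live system:
#   check_krb5_home USER UID HOMEDIR "MOUNT_V_OUTPUT" CCACHE_DIR
# Assumptions: the credentials cache is the default FILE:/tmp/krb5cc_<UID>
# and mount -v prints NFS mounts as "src on /path (nfs, ..., sec=krb5)".
# Prints one line per finding; the return value is the number of problems.
check_krb5_home() {
  user=$1; uid=$2; home=$3; mounts=$4; ccdir=$5
  problems=0

  # Symptom 1: no credentials cache means pam_krb5 authenticated but the
  # ticket was not stashed (or was deleted) before the session started.
  if [ -f "$ccdir/krb5cc_$uid" ]; then
    echo "ok: credentials cache $ccdir/krb5cc_$uid present for $user"
  else
    echo "problem: no credentials cache $ccdir/krb5cc_$uid for $user"
    problems=$((problems + 1))
  fi

  # Symptom 2: pwd(1) can report $home even when nothing is mounted there,
  # so look for an actual mount entry rather than trusting the cwd.
  line=$(printf '%s\n' "$mounts" | grep -F " on $home (" || :)
  if [ -z "$line" ]; then
    echo "problem: $home is not mounted (automountd did not mount it)"
    problems=$((problems + 1))
    return $problems
  fi
  echo "ok: $home is mounted: $line"

  # Symptom 3: without a sec=krb5* option the client uses AUTH_UNIX, which
  # an export restricted to sec=krb5 will not accept.
  case "$line" in
    *sec=krb5*) echo "ok: mount uses RPCSEC_GSS ($line)" ;;
    *) echo "problem: mount lacks sec=krb5*, so RPCs go out as AUTH_UNIX"
       problems=$((problems + 1)) ;;
  esac
  return $problems
}

# Run against the live system with: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
  check_krb5_home "$(id -un)" "$(id -u)" "$HOME" "$(mount -v)" /tmp
fi
```

Run it as the user whose login fails, right after the failed ssh session; a non-zero return value tells you which of the three symptoms is present on this client.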