We have some Ubuntu clients here which shall mount kerberos protected NFS homes. The server works nicely with the existing clients, so we can assume that ldap and kerberos are ok.
We managed to configure ldap on the ubuntu clients and kinit is able to get us tickets for ldap users. When root gets a root ticket with kinit, we can mount the nfs shares.
To allow users to mount their homes we set up autofs. However, this does not work since autofs seems to perform the mount as 'root'. However, root does not have any tickets, so the mount fails - see the attached log excerpt from rpc.gssd. Note that our kerberos setup does not use machine principals but user principals. How can we get autofs to pass the correct uid to gssd?
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
handle_gssd_upcall: 'mech=krb5 uid=0 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
process_krb5_upcall: service is '<null>'
getting credentials for client with uid 0 for server purple.physcip.uni-stuttgart.de
CC file '/tmp/krb5cc_554' being considered, with preferred realm 'PURPLE.PHYSCIP.UNI-STUTTGART.DE'
CC file '/tmp/krb5cc_554' owned by 554, not 0
WARNING: Failed to create krb5 context for user with uid 0 for server purple.physcip.uni-stuttgart.de
Ubuntu 11.10 Desktop Autofs5
The output of kinit. The user id is 65678. Realm and username have been altered to respect privacy.
usr01@ubuntuclnt01:/$ klist
Ticket cache: FILE:/tmp/krb5cc_65678_ed3816
Default principal: usr01@REALM
Valid starting Expires Service principal
11/18/11 17:18:57 11/19/11 03:18:57 krbtgt/REALM
renew until 11/19/11 17:18:57
Update: I found a 2.5-year-old bug report describing exactly this phenomenon. https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/368153#5
It seems that (ubuntu) linux cannot get along with kerberos-secured home volumes by design - while virtually any other os can do that - even Mac OS X!
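The rpc.gssd excerpt in the question tells the whole story if you read the upcall sequence line by line: the kernel asks gssd for credentials for uid 0 (the uid autofs mounts with), gssd scans the credential caches it can find, rejects the only one because it belongs to uid 554, and gives up. The following parser is an added example, not code from the question or from nfs-utils; it walks that upcall sequence over a constructed log sample (hostname and realm replaced with placeholders, plus a second, successful upcall for uid 554) and classifies each upcall, so that a "root mounted without a root ticket" failure can be told apart from "no credential cache at all" in an automated check.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the rpc.gssd debug output shown in the question.
# Server name and realm are placeholders; the second upcall (uid 554) is invented
# to show what a successful lookup looks like next to the failing one.
SAMPLE_LOG = """\
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
handle_gssd_upcall: 'mech=krb5 uid=0 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt10)
process_krb5_upcall: service is '<null>'
getting credentials for client with uid 0 for server nfs.example.org
CC file '/tmp/krb5cc_554' being considered, with preferred realm 'EXAMPLE.ORG'
CC file '/tmp/krb5cc_554' owned by 554, not 0
WARNING: Failed to create krb5 context for user with uid 0 for server nfs.example.org
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt11)
handle_gssd_upcall: 'mech=krb5 uid=554 '
getting credentials for client with uid 554 for server nfs.example.org
CC file '/tmp/krb5cc_554' being considered, with preferred realm 'EXAMPLE.ORG'
"""

# Patterns for the gssd lines we care about (matching the wording in the excerpt).
UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=krb5 uid=(\d+)")
SERVER_RE = re.compile(r"getting credentials for client with uid (\d+) for server (\S+)")
CONSIDER_RE = re.compile(r"CC file '([^']+)' being considered")
OWNER_RE = re.compile(r"CC file '([^']+)' owned by (\d+), not (\d+)")
FAIL_RE = re.compile(r"WARNING: Failed to create krb5 context for user with uid (\d+)")


@dataclass
class Upcall:
    """One gssd upcall: the uid the kernel asked for and what gssd found for it."""
    uid: int
    server: Optional[str] = None
    considered: List[str] = field(default_factory=list)
    # (cache path, owning uid) for caches gssd rejected because they belong to someone else
    wrong_owner: List[Tuple[str, int]] = field(default_factory=list)
    failed: bool = False


def parse_gssd_log(text: str) -> List[Upcall]:
    """Group rpc.gssd debug lines into upcalls; a new 'handle_gssd_upcall' line starts one."""
    upcalls: List[Upcall] = []
    current: Optional[Upcall] = None
    for line in text.splitlines():
        m = UPCALL_RE.search(line)
        if m:
            current = Upcall(uid=int(m.group(1)))
            upcalls.append(current)
            continue
        if current is None:
            continue  # lines before the first upcall are not attributable
        if m := SERVER_RE.search(line):
            current.server = m.group(2)
        elif m := CONSIDER_RE.search(line):
            current.considered.append(m.group(1))
        elif m := OWNER_RE.search(line):
            current.wrong_owner.append((m.group(1), int(m.group(2))))
        elif FAIL_RE.search(line):
            current.failed = True
    return upcalls


def diagnose(upcall: Upcall) -> str:
    """Classify an upcall. 'root-mount-without-root-ticket' is the case from the question:
    the mount runs as uid 0, the only caches gssd sees belong to ordinary users."""
    if not upcall.failed:
        return "ok"
    if upcall.uid == 0 and upcall.wrong_owner:
        return "root-mount-without-root-ticket"
    if not upcall.considered:
        return "no-credential-cache"
    return "unknown-failure"


if __name__ == "__main__":
    for u in parse_gssd_log(SAMPLE_LOG):
        print(f"uid={u.uid} server={u.server} -> {diagnose(u)}")
```

Feeding this a real rpc.gssd log (started with `-vvv` so the CC-file lines are emitted) gives a per-upcall verdict; a stream of `root-mount-without-root-ticket` results with no `ok` for the user's own uid is the signature of the automounter performing the mount as root while only user principals hold tickets.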