From: Jim Davis <jdavis@CS.Arizona.EDU>
To: nfs@lists.sourceforge.net
Subject: NFSv3 + krb5 home directory problem
Date: Thu, 08 Feb 2007 15:57:06 -0700
Message-ID: <45CBAAC2.1090105@CS.Arizona.EDU>
In-Reply-To: <20070208222750.23464.34565.stgit@rock.citi.umich.edu>

I've been trying to get NFSv3 home directory mounts with sec=krb5
working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
client with the latest nfs-* RPMs installed and kernel version
2.6.18-1.2869.fc6.  Our KDCs run FreeBSD 6.1 with the MIT Kerberos
port installed.  Authentication seems to work okay,

Script started on Thu Feb  8 15:31:23 2007
bsod$ /bin/su - testacct
Password:

but the home directory isn't usable.

/bin/su: warning: cannot change directory to /home/testacct: Permission denied
-bash: /home/testacct/.bash_profile: Permission denied

The mount though did succeed:

-bash-3.1$ mount | grep testacct
sinagua:/vol/vol0/home/testacct on /home/testacct type nfs (rw,nfsvers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5,addr=172.16.1.252)
-bash-3.1$ grep testacct /etc/auto.home
testacct -rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5 sinagua:/vol/vol0/home/testacct

But

-bash-3.1$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500_vZWPDb)


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Okay, I thought the PAM stack would provide the credentials.  But even 
after running kinit...

-bash-3.1$ kinit
Password for testacct@CS.ARIZONA.EDU:
-bash-3.1$ cd
-bash: cd: /home/testacct: Permission denied
-bash-3.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500_vZWPDb
Default principal: testacct@CS.ARIZONA.EDU

Valid starting     Expires            Service principal
02/08/07 15:32:03  02/09/07 15:32:03  krbtgt/CS.ARIZONA.EDU@CS.ARIZONA.EDU
         renew until 02/08/07 15:32:03, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-bash-3.1$ exit
logout

...the directory isn't usable

-bash: /home/testacct/.bash_logout: Permission denied
bsod$ exit
exit

Script done on Thu Feb  8 15:32:39 2007

Running rpc.gssd in verbose mode produced

Script started on Thu Feb  8 15:30:29 2007
bsod$ /sbin/lsmod | grep sunrpc
sunrpc                158333  6 nfs,lockd,nfs_acl,rpcsec_gss_krb5,auth_rpcgss
bsod$ mount | grep rpc_pipe
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
bsod$ sudo strace -o /tmp/rpc.gssd -f /usr/sbin/rpc.gssd -f -vvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU'
We will use this entry (nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU)
Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_CS.ARIZONA.EDU'

That's the extent of output while the commands above ran.

And the (enormous) strace output file seems mostly to consist of polling
loops something like

2720  poll([{fd=6, events=POLLIN, revents=POLLERR|POLLHUP}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}], 32, 500) = 1
2720  chdir("/var/lib/nfs/rpc_pipefs/nfs") = 0
2720  open("/var/lib/nfs/rpc_pipefs/nfs", 
O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 7
2720  fstat64(7, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
2720  fcntl64(7, F_SETFD, FD_CLOEXEC)   = 0
2720  getdents64(7, /* 3 entries */, 4096) = 80
2720  getdents64(7, /* 0 entries */, 4096) = 0
2720  close(7)                          = 0

Any ideas?



