pam_krb5, NFSv4, AutoFS mounted home dirs

Dax Kelson dax at gurulabs.com
Tue Dec 7 07:18:39 UTC 2004


I have three testing FC2 boxes in a Kerb5 realm, with the following
updates:

kernel-smp-2.6.9-1.6_FC2
pam_krb5-2.1.2-1
nfs-utils-1.0.6-44 (note that the FC3 SRPM will only compile with gcc
3.4)

I'm trying to set up centralized home directories securely shared with
strong user authentication with integrity checking (aka krb5i) and
moving to encrypted NFS (aka krb5p) when supported. Something I've
been wanting to do for years.

I've run into a minor issue, and a show stopper.

Minor issue:

I had to insert a "modprobe rpcsec_gss_krb5" into /etc/init.d/rpcgssd on
the client(s) and into /etc/init.d/rpcsvcgssd on the server.

Show stopper:

pam_krb5 creates per session ticket cache files
as /tmp/krb5cc_p<digits>, while the NFS client's rpcsec_gss daemon
expects the ticket cache file to be /tmp/krb5cc_$UID.

This issue is mentioned briefly on:
http://www.citi.umich.edu/projects/nfsv4/2.4-nfsv4/release1/install.html

The solution on the page doesn't work (catch-22) in a
krb5-secured-automounted-homedir scenario, as it says to add the following
to your login script:

    # move kerberos cred file to a place where gssd can find it
    TMPNAME=`/bin/basename ${KRB5CCNAME:-unset}`
    if [ -f /tmp/${TMPNAME} ]; then
      mv /tmp/${TMPNAME} /tmp/krb5cc_${UID}
      KRB5CCNAME="FILE:/tmp/krb5cc_${UID}"
    fi

The page also says:

"The Kerberos PAM library creates a per-session ticket file in /tmp.
This file must be moved to a per-UID location so that gssd can find it
(this will be fixed in a future release)."

What's the current status?
What's the solution?
Has anyone approached Nalin about modifying pam_krb5?
What's the impact of ditching per session ticket cache and going to per
UID?

Thanks,
Dax Kelson
Guru Labs
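As an added illustration (not from the post above nor from the CITI page), here is a hardened form of the relocation snippet quoted in the message. The snippet's `mv` into the predictable name /tmp/krb5cc_$UID will happily follow a symlink or overwrite whatever another local user pre-created there, so this version only moves a regular, caller-owned file and lets `ln` fail atomically if the destination already exists. The third argument (cache directory) is a hypothetical parameter added so the function can be exercised against a scratch directory instead of /tmp.

```shell
#!/bin/sh
# relocate_ccache KRB5CCNAME UID [DIR]
#   Moves a per-session pam_krb5 cache (DIR/krb5cc_p<digits>) to the
#   per-UID name DIR/krb5cc_<uid> that gssd looks for, and prints the new
#   KRB5CCNAME value on success. DIR defaults to /tmp; it is a hypothetical
#   parameter added here for testing, not something pam_krb5 or gssd take.
relocate_ccache() {
    ccname=$1 uid=$2 dir=${3:-/tmp}
    case $ccname in
        FILE:/*) src=${ccname#FILE:} ;;
        /*)      src=$ccname ;;                      # bare path, no type prefix
        *) echo "relocate_ccache: unsupported cache '$ccname'" >&2; return 2 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "relocate_ccache: bad uid '$uid'" >&2; return 2 ;;
    esac
    dst=$dir/krb5cc_$uid
    # Only touch caches that live in the cache directory itself, mirroring
    # the original snippet's "/tmp/${TMPNAME}" restriction.
    if [ "$(dirname "$src")" != "$dir" ]; then
        echo "relocate_ccache: '$src' is not in $dir" >&2; return 3
    fi
    # Already at the per-UID name: nothing to do.
    if [ "$src" = "$dst" ]; then echo "FILE:$dst"; return 0; fi
    # Refuse symlinks, non-regular files and anything not owned by the
    # caller (-O is supported by bash, dash and ksh).
    if [ -h "$src" ] || [ ! -f "$src" ] || [ ! -O "$src" ]; then
        echo "relocate_ccache: refusing to move '$src'" >&2; return 3
    fi
    # ln fails with EEXIST if dst is already present, even as a dangling
    # symlink, so the existence check and the creation are one operation;
    # a second session for the same uid therefore cannot clobber the first.
    if ! ln "$src" "$dst" 2>/dev/null; then
        echo "relocate_ccache: '$dst' already exists, not overwriting" >&2
        return 4
    fi
    rm -f "$src"
    echo "FILE:$dst"
}

# Example use from a login script:
#   KRB5CCNAME=$(relocate_ccache "$KRB5CCNAME" "$(id -u)") && export KRB5CCNAME
```

Note that this does not resolve the catch-22 the message describes: whatever relocates the cache still has to run before the automounted home directory is first touched.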




More information about the fedora-devel-list mailing list