[Bug 368153] [NEW] Kerberos, NFS4 and autofs issue

Launchpad Bug Tracker 368153 at bugs.launchpad.net
Tue Apr 28 03:40:04 BST 2009


You have been subscribed to a public bug:

Ubuntu 9.04 latest update.

When mounting the user's home folder over NFS4 using Kerberos with
RPCGSSDOPTS="-n" set in /etc/defaults/nfs-common, a Kerberos ticket is
acquired for the NFS service, thus allowing other autofs kerberized
mounts to work as well. However, if home is not on Kerberos NFS (local)
and the user tries to access kerberized NFS exports after logging in, an
NFS Kerberos ticket will fail to be acquired and the user must go
through several manual steps for Kerberos to pick up an NFS ticket. This
is one way to do it:

$ sudo kinit
$ sudo ls -l /mountpoint

At this point the automount will still fail, as the Kerberos ticket
is now owned by root; however, if you change the owner of the ticket back to
the original user, automount will be able to mount/access the kerberized
NFS export. As mentioned at the beginning, this is not the case if the
user's home is NFS mounted, as it seems to trigger a function that will
automatically make Ubuntu acquire an NFS Kerberos ticket (machine
credentials?). Note I'm not using client keytabs in this setup.

I've added some verbose logging to this to try and figure out what the
issue could be but the strange thing is the logs say the same even if it
is able to mount: rpc.gssd access denied errors and failed to create
krb5 context for uid 0.

Is the mounting process by design? What triggers the mounts to work when
$HOME is mounted over NFS and why do they fail if it is not?

PS: this should be pretty easy to replicate if you have a working
krb5/nfs4/autofs setup: simply point the /home autofs to somewhere else,
e.g. /tmphome. Add RPCGSSDOPTS="-n" in /etc/defaults/nfs-common and
restart.

** Affects: kerberos-configs (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: autofs gssd krb5 nfs4
-- 
Kerberos, NFS4 and autofs issue
https://bugs.edge.launchpad.net/bugs/368153
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu.


