home directory weirdness with Kerberos+NFSv4 - Debian



Thread: home directory weirdness with Kerberos+NFSv4

  1. home directory weirdness with Kerberos+NFSv4

    OK. I am still working on this Kerberos+LDAP+NFSv4 transition. Now, I
    have started occasionally seeing some strange behavior when logging in
    via ssh.

    Essentially, what happens is that when logging in via SSH, the user is
    sometimes prevented from accessing his home directory. Now, miami is my
    workstation into which I am physically logged in, while manta is a
    remote host (in this case, a CentOS machine, but I can reliably
    reproduce this while sshing in to a machine running Debian; all my Debian
    machines, servers and workstations, are running Etch). My user account
    is roberto, with uid 2000. Now, while I periodically get denied access
    to my home directory while using ssh to log in, this has never happened
    when logging in at the console.

    What I don't understand is:
    1) Why the problem when logging in via ssh?
    2) Why is kdestroy alone not sufficient (i.e., why do I also need to
    run kinit)?

    roberto@miami:~$ ssh manta
    Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
    Could not chdir to home directory /network/home/roberto: Permission denied
    /usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
    -bash: /network/home/roberto/.bash_profile: Permission denied
    -bash-3.00$ logout
    -bash: /network/home/roberto/.bash_logout: Permission denied
    Connection to manta closed.
    roberto@miami:~$ ssh manta
    Last login: Mon Oct 8 07:46:11 2007 from miami.connexer.com
    Could not chdir to home directory /network/home/roberto: Permission denied
    /usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
    -bash: /network/home/roberto/.bash_profile: Permission denied
    -bash-3.00$ klist
    Ticket cache: FILE:/tmp/krb5cc_2000
    Default principal: roberto@CONNEXER.COM

    Valid starting Expires Service principal
    10/07/07 09:35:13 10/07/07 19:35:13 krbtgt/CONNEXER.COM@CONNEXER.COM
    renew until 10/08/07 09:35:12
    10/07/07 09:35:14 10/07/07 19:35:13 nfs/miami.connexer.com@CONNEXER.COM
    renew until 10/08/07 09:35:12


    Kerberos 4 ticket cache: /tmp/tkt2000
    klist: You have no tickets cached
    -bash-3.00$ kdestroy
    -bash-3.00$ logout
    -bash: /network/home/roberto/.bash_logout: Permission denied
    Connection to manta closed.
    roberto@miami:~$ ssh manta
    Last login: Mon Oct 8 07:47:33 2007 from miami.connexer.com
    Could not chdir to home directory /network/home/roberto: Permission denied
    /usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
    -bash: /network/home/roberto/.bash_profile: Permission denied
    -bash-3.00$ klist
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2000)


    Kerberos 4 ticket cache: /tmp/tkt2000
    klist: You have no tickets cached
    -bash-3.00$ kinit
    Password for roberto@CONNEXER.COM:
    -bash-3.00$ logout
    Connection to manta closed.
    roberto@miami:~$ ssh manta
    Last login: Mon Oct 8 07:48:09 2007 from miami.connexer.com
    07:48:49 up 1:07, 1 user, load average: 0.00, 0.00, 0.00
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    roberto pts/0 miami.connexer.c 07:48 1.00s 0.00s 0.00s -bash
    roberto@manta:~$ mount |grep \/network
    miami:/ on /network type nfs4 (rw,sec=krb5p,addr=66.93.22.253)
    roberto@manta:~$


    Oct 8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
    Oct 8 07:47:54 manta rpc.gssd[1948]: WARNING: Failed to create krb5 context for user with uid 2000 for server miami.connexer.com

    If anyone has even the faintest idea what is going on, I would
    appreciate your thoughts on this.

    Regards,

    -Roberto
    --
    Roberto C. Sánchez
    http://people.connexer.com/~roberto
    http://www.connexer.com



  2. Re: home directory weirdness with Kerberos+NFSv4

    On Mon, Oct 08, 2007 at 08:03:03AM -0400, Roberto C. Sánchez wrote:
    >
    > roberto@miami:~$ ssh manta
    > Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
    > Could not chdir to home directory /network/home/roberto: Permission denied
    > /usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
    > -bash: /network/home/roberto/.bash_profile: Permission denied
    > -bash-3.00$ logout
    > -bash: /network/home/roberto/.bash_logout: Permission denied
    > Connection to manta closed.


    Apologies for the self reply, but I seem to have found a workaround.
    Hopefully someone coming across this in the archives will be able to use
    this information.

    The problem is that sshd's use of processes (instead of threads) means
    that when pam_krb53.so is invoked to set up the tickets, it is done in a
    process that the client (or user) never touches. So, the tickets are
    generated and promptly lost. In the case of NFSv4 mounted home
    directories this is a real problem, as the xauth and bash processes that
    are run as the user now cannot access the user's home directory. I also
    think that my use of key-based logins (i.e., all password logins for ssh
    on my network are disabled) also contributes to the problem.
    Additionally, it appears that sshd in Sarge linked against pthreads, so
    this may not have been a problem then. But Etch's sshd is not threaded.

    A posting by Russ Allbery on one of the OpenAFS sites mentioned using
    the -K option to ssh on the client. The configuration file equivalent
    is to add "GSSAPIDelegateCredentials yes" to /etc/ssh/ssh_config (for
    system-wide) or to ~/.ssh/config (for per-user) credential delegation.

    So, now with that directive in my ~/.ssh/config I no longer receive the
    permission denied, as the current ticket from my current session is
    forwarded along properly.

    Regards,

    -Roberto


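    The two things the post above turns on can be checked mechanically: whether rpc.gssd on the NFS client is reporting that it could not build a Kerberos context for a uid (the syslog lines quoted in the first post), and whether the ssh client will actually delegate the user's TGT to a given host (the GSSAPIDelegateCredentials setting). The script below is an added example, not code from Roberto or from any Debian package. The ssh_config text it parses is a constructed sample; the rpc.gssd lines are the ones from the first post. It assumes the usual ssh_config semantics (case-insensitive keywords, first matching Host block wins, wildcard and "!" negation patterns) and deliberately handles only Host blocks, not Match blocks.

```python
"""Diagnostic helpers for the Kerberos+NFSv4 home-directory problem.

Added example, not code from the original thread.  Constructed sample
inputs are embedded below so the script runs offline.
"""
import re
from fnmatch import fnmatchcase

# rpc.gssd logs this when it cannot find/use a credential cache for the uid.
GSSD_FAIL = re.compile(
    r"rpc\.gssd\[\d+\]: WARNING: Failed to create krb5 context for user "
    r"with uid (?P<uid>\d+) for server (?P<server>\S+)"
)

# Log lines quoted in the first post of the thread.
SAMPLE_GSSD_LOG = """\
Oct 8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
Oct 8 07:47:54 manta rpc.gssd[1948]: WARNING: Failed to create krb5 context for user with uid 2000 for server miami.connexer.com
"""

# Constructed sample ~/.ssh/config: delegation is scoped to one host rather
# than enabled globally, so the TGT is only forwarded where it is needed.
SAMPLE_SSH_CONFIG = """\
# constructed sample, not a real config file
Host manta manta.connexer.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIDelegateCredentials no
"""


def gssd_failures(log_text):
    """Return (uid, server) for every rpc.gssd 'Failed to create krb5 context' line."""
    found = []
    for line in log_text.splitlines():
        m = GSSD_FAIL.search(line)
        if m:
            found.append((int(m.group("uid")), m.group("server")))
    return found


def _host_matches(hostname, patterns):
    """ssh Host semantics: any positive pattern must match, no negated one may."""
    pos = [p for p in patterns if not p.startswith("!")]
    neg = [p[1:] for p in patterns if p.startswith("!")]
    return (any(fnmatchcase(hostname, p) for p in pos)
            and not any(fnmatchcase(hostname, p) for p in neg))


def delegates_credentials(config_text, hostname):
    """True if ssh would forward the Kerberos TGT to hostname.

    Follows ssh_config: the first GSSAPIDelegateCredentials line whose
    Host block matches wins; lines before any Host block apply everywhere;
    the default is 'no'.  Match blocks are not handled (assumption).
    """
    in_scope = True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\S+?)[\s=]+(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            in_scope = _host_matches(hostname, value.split())
            continue
        if in_scope and key == "gssapidelegatecredentials":
            return value.lower() == "yes"
    return False


def diagnose(log_text, config_text, hostname):
    """Combine both checks into a list of findings for hostname."""
    findings = []
    for uid, server in gssd_failures(log_text):
        findings.append(f"rpc.gssd could not build a krb5 context for uid {uid} "
                        f"against {server}: no usable ticket cache on the client")
    if not delegates_credentials(config_text, hostname):
        findings.append(f"ssh will not delegate credentials to {hostname}; "
                        f"a Kerberos NFS home will be inaccessible after login")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_GSSD_LOG, SAMPLE_SSH_CONFIG, "manta"):
        print(line)
    for line in diagnose(SAMPLE_GSSD_LOG, "", "manta"):
        print(line)
```

    Scoping the directive to a Host block, as in the sample, is the safer shape than a global `GSSAPIDelegateCredentials yes`: delegation hands a copy of your TGT to the remote host, so it should only be forwarded to hosts that genuinely need it, such as those serving a krb5-secured NFS home.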

  3. Re: home directory weirdness with Kerberos+NFSv4

    On Tue, Oct 09, 2007 at 10:59:04PM -0400, Roberto C. Sánchez wrote:
    >
    > A posting by Russ Allbery on one of the OpenAFS sites mentioned using
    > the -K option to ssh on the client. The configuration file equivalent
    > is to add "GSSAPIDelegateCredentials yes" to /etc/ssh/ssh_config (for
    > system-wide) or to ~/.ssh/config (for per-user) credential delegation.
    >
    > So, now with that directive in my ~/.ssh/config I no longer receive the
    > permission denied, as the current ticket from my current session is
    > forwarded along properly.
    >

    Of course, if you are starting out on a host that is not in your
    Kerberos realm and then you ssh into a host that is in your Kerberos
    realm, then there is no ticket to delegate and you are sort of stuck.

    Regards,

    -Roberto



