home directory weirdness with Kerberos+NFSv4 - Debian
home directory weirdness with Kerberos+NFSv4
OK. I am still working on this Kerberos+LDAP+NFSv4 transition. Now, I
have started occasionally seeing some strange behavior when logging in
via ssh.
Essentially, what happens is that when logging in via SSH, the user is
sometimes prevented from accessing his home directory. Now, miami is my
workstation into which I am physically logged in, while manta is a
remote host (in this case, a CentOS machine, but I can reliably
reproduce this while sshing in to a machine running Debian; all my Debian
machines, servers and workstations, are running Etch). My user account
is roberto, with uid 2000. Now, while I periodically get denied access
to my home directory while using ssh to log in, this has never happened
when logging in at the console.
What I don't understand is:
1) Why the problem when logging in via ssh?
2) Why is kdestroy alone not sufficient (i.e., why do I also need to
run kinit)?
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:46:11 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: roberto@CONNEXER.COM
Valid starting Expires Service principal
10/07/07 09:35:13 10/07/07 19:35:13 krbtgt/CONNEXER.COM@CONNEXER.COM
renew until 10/08/07 09:35:12
10/07/07 09:35:14 10/07/07 19:35:13 nfs/miami.connexer.com@CONNEXER.COM
renew until 10/08/07 09:35:12
Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kdestroy
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:47:33 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2000)
Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kinit
Password for roberto@CONNEXER.COM:
-bash-3.00$ logout
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:48:09 2007 from miami.connexer.com
07:48:49 up 1:07, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
roberto pts/0 miami.connexer.c 07:48 1.00s 0.00s 0.00s -bash
roberto@manta:~$ mount |grep \/network
miami:/ on /network type nfs4 (rw,sec=krb5p,addr=66.93.22.253)
roberto@manta:~$
Oct 8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
Oct 8 07:47:54 manta rpc.gssd[1948]: WARNING: Failed to create krb5 context for user with uid 2000 for server miami.connexer.com
If anyone has even the faintest idea what is going on, I would
appreciate to know your thoughts on this.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHChx35SXWIKfIlGQRAlKNAKDKXX/Gvr8Xpm+15Q2RF7RWyM80AgCgrJiQ
/+p2CjUPC4bmutQ8VbPCYFY=
=Jaaa
-----END PGP SIGNATURE-----
-
Re: home directory weirdness with Kerberos+NFSv4
On Mon, Oct 08, 2007 at 08:03:03AM -0400, Roberto C. Sánchez wrote:
>
> roberto@miami:~$ ssh manta
> Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
> Could not chdir to home directory /network/home/roberto: Permission denied
> /usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
> -bash: /network/home/roberto/.bash_profile: Permission denied
> -bash-3.00$ logout
> -bash: /network/home/roberto/.bash_logout: Permission denied
> Connection to manta closed.
Apologies for the self reply, but I seem to have found a work around.
Hopefully someone coming across this in the archives will be able to use
this information.
The problem is that sshd's use of processes (instead of threads) means
that when pam_krb5.so is invoked to setup the tickets, it is done in a
process that the client (or user) never touches. So, the tickets are
generated and promptly lost. In the case of NFSv4 mounted home
directories this is a real problem, as the xauth and bash processes that
are run as the user now cannot access the user's home directory. I also
think that my use of key-based logins (i.e., all password logins for ssh
on my network are disabled) also contributes to the problem.
Additionally, it appears that sshd in Sarge linked against pthreads, so
this may not have been a problem then. But Etch's sshd is not threaded.
A posting by Russ Allbery on one of the OpenAFS sites mentioned using
the -K option to ssh on the client. The configuration file equivalent
is to add "GSSAPIDelegateCredentials yes" to /etc/ssh/ssh_config (for
system-wide) or to ~/.ssh/config (for per-user) credential delegation.
So, now with that directive in my ~/.ssh/config I no longer receive the
permission denied, as the current ticket from my current session is
forwarded along properly.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHDD/45SXWIKfIlGQRAsLUAJ9V26Od/2BQkyAA2aoQC0Uzo6PamwCguP9C
ivtk0vxszYnZlrqbzgJN260=
=fVGN
-----END PGP SIGNATURE-----
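Added example, not code from the thread or from Debian: a small POSIX sh diagnostic for the failure mode above, the login shell that cannot enter a Kerberos-secured NFSv4 home directory because the ssh session carries no usable ticket cache for rpc.gssd to use. It reads the mount table to find the sec= flavour covering the home directory, checks the session's credential cache with klist -s, and prints the client-side ssh_config stanza that makes ssh forward the TGT. Assumptions: MIT Kerberos tools and a Linux /proc/mounts; the host pattern '*.example.com' is a placeholder. Two caveats a practitioner should keep in mind: OpenSSH only delegates credentials when the connection was authenticated with GSSAPI (so GSSAPIAuthentication must also be on, and the TGT must be forwardable, via kinit -f or forwardable = true in krb5.conf), and a delegated TGT lets the remote sshd act as you wherever that ticket is valid, so scope the Host pattern to machines in your own realm rather than enabling delegation globally.

```shell
#!/bin/sh
# Added example, not code from the original thread. Diagnose a login that
# cannot enter a Kerberos-secured NFSv4 home directory because the session
# has no usable ticket cache. Assumes MIT Kerberos (klist) and a Linux
# /proc/mounts; '*.example.com' below is a placeholder host pattern.

# nfs_sec_flavor PATH [MOUNTS]
# Echo the sec= flavour of the NFS mount covering PATH, picking the longest
# matching mount point in MOUNTS (default /proc/mounts). Echoes "sys" for an
# NFS mount without an explicit sec= option, "none" if no NFS mount covers PATH.
nfs_sec_flavor() {
    path=$1
    mounts=${2:-/proc/mounts}
    best_len=-1
    best_opts=""
    while read -r _dev mnt fstype opts _rest; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        # "${mnt%/}"/* also handles a mount point of "/" (pattern becomes /*)
        case "$path" in
            "$mnt"|"${mnt%/}"/*) ;;
            *) continue ;;
        esac
        if [ ${#mnt} -gt $best_len ]; then
            best_len=${#mnt}
            best_opts=$opts
        fi
    done < "$mounts"
    if [ $best_len -lt 0 ]; then
        echo none
        return 0
    fi
    flavor=$(printf '%s\n' "$best_opts" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    echo "${flavor:-sys}"
}

# needs_krb5_creds FLAVOR
# Return 0 when the flavour requires per-user Kerberos credentials on the client.
needs_krb5_creds() {
    case "$1" in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# has_valid_tgt
# klist -s is silent and exits non-zero when no non-expired cache exists
# (or when klist is not installed at all).
has_valid_tgt() {
    klist -s >/dev/null 2>&1
}

# ssh_delegation_stanza HOST_PATTERN
# Client-side ssh_config stanza. Delegation happens only on a GSSAPI-
# authenticated connection, so both directives are needed, and the TGT must
# be forwardable (kinit -f, or forwardable = true in krb5.conf [libdefaults]).
ssh_delegation_stanza() {
    printf 'Host %s\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' "$1"
}

# diagnose HOME_DIR [MOUNTS]
diagnose() {
    flavor=$(nfs_sec_flavor "$1" "$2")
    echo "home $1: nfs sec=$flavor"
    if needs_krb5_creds "$flavor"; then
        if has_valid_tgt; then
            echo "ticket cache ${KRB5CCNAME:-default} is valid; rpc.gssd can build a context for uid $(id -u)"
        else
            echo "no valid Kerberos ticket in this session; NFS access as uid $(id -u) will be denied"
            echo "fix: run kinit here, or forward your ticket with this client-side stanza (placeholder pattern):"
            ssh_delegation_stanza '*.example.com'
        fi
    fi
}

# Usage: ./krb5-home-check.sh /network/home/roberto
if [ $# -gt 0 ]; then
    diagnose "$1" "${2:-/proc/mounts}"
fi
```

Run it from the broken shell (it needs no home directory access itself) to confirm which side is at fault: a krb5* flavour with no valid cache reproduces the "Permission denied" on chdir and .bash_profile seen above, while a valid cache with the same errors points at the server side (rpc.svcgssd, idmapd or the principal-to-uid mapping) instead.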
-
Re: home directory weirdness with Kerberos+NFSv4
On Tue, Oct 09, 2007 at 10:59:04PM -0400, Roberto C. Sánchez wrote:
>
> A posting by Russ Allbery on one of the OpenAFS sites mentioned using
> the -K option to ssh on the client. The configuration file equivalent
> is to add "GSSAPIDelegateCredentials yes" to /etc/ssh/ssh_config (for
> system-wide) or to ~/.ssh/config (for per-user) credential delegation.
>
> So, now with that directive in my ~/.ssh/config I no longer receive the
> permission denied, as the current ticket from my current session is
> forwarded along properly.
>
Of course, if you are starting out on a host that is not in your
Kerberos realm and then you ssh into a host that is in your Kerberos
realm, then there is no ticket to delegate and you are sort of stuck.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHDEOf5SXWIKfIlGQRAodhAJ9L6CfCiEHFwbnrAlt8V7Iwn/bhJwCaAzOB
I7kYfyWjCsK4B38w5pZf5tU=
=+/iX
-----END PGP SIGNATURE-----