[Samba] nfs4 mounted homedir and kerberos tickets

Ritter, Marcel (RRZE) marcel.ritter at fau.de
Wed Sep 9 12:37:59 UTC 2015


Hi Louis,

sorry but I'm still having some trouble to unterstand your environment:

According to your previous mails here's what I put together:

The "member server" has local (not NFS mounted) home directories
that are exported to the printserver using sec=krb5, right?

The print server is one NFS client mounting this directory, right?

All further comments are based on these assumptions:


> When connection from my windows 7 pc to the print server, i dont get a password prompt, and i automatictly logged in but i get : 
> Could not chdir to home directory /home/users/someuser: Permission denied And cd /home/users
> -bash: cd: /home/users: Permission denied

Looks like you can successfully login, but you do not have a valid
kerberos ticket to access the NFS home directory.

Check output of "klist" - maybe windows ssh client (putty?) does not
forward ticket, and only uses it to authenticate?

> When i do the same on the server where the homedir exists,on the member server, I can login, without typing password, and the no errors and i am in my user homedir. 

For accessing a local filesystem you do not require a kerberos ticket,
so that's why it works here.

> >    3. cached krb5 credentials on server side
> Dont know, how can i see that, like ? 
> ( login in with someuser on the print server ) klist
> klist: Credentials cache file '/tmp/krb5cc_10002' not found

Looks like you don't have a kerberos ticket after login at all,
this may be caused by a passwordless login (without forwarding
ticket) or simply a broken pam_krb5/pam_winbind config.

You don't need to bother about the kernel, if you don't even have
a ticket in your cache (as "klist" tells you).

> now the magic.. im logged in the member server, in my home dir. 
> Here I type : 
> ssh printserver
> i must enter my password and im in my homedir.
> There where i before (from the windows 7 pc) got :
> Could not chdir to home directory /home/users/someuser: Permission denied

It's not magic: by entering your password the login host can request a
valid kerberos ticket, that is used to access the NFS home.
(Once again: "klist" is your friend if you're trying to figure out why
somehting works and something else doesn't)

> Now i logout of all servers, klik on putty to login on my print server again and now no errors, all fine, and im sure this is not a keyed. 

By logging in the last time (with password) a credential cache is
created for your user. If not erased on logout it will be valid for
a few hours and will be used to access the NFS home.
(And even if the cache was removed, it's copy within the kernel
might still be valid and used to access the NFS directory)

> Now i reboot the print server. Login again from the windows 7 pc. 
> Again : Could not chdir to home directory /home/users/someuser: Permission denied

Because usually during reboot /tmp get's cleaned. And that's
the localtion of the credential cache mentioned above
("/tmp/krb5cc_10002")

> Other trick to get access to my home dir.. 
> sudo su -
> [sudo] password for someuser:
>
> Now i exit (the sudo)
> Type cd ~
> And im allowed in my home dir. 

Depending on your pam config it's quite possible, that "su" uses your
password to create a new credential cache for "someuser". Just
check the output of "klist" (run as user "someuser") before and after
the sudo command ...

> Greetz, 
>
> Louis

Bye,
   Marcel


More information about the samba mailing list