I've been trying to get NFSv3 home directory mounts with sec=krb5 working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6 client with the latest nfs-* RPMs installed and kernel version 2.6.18-1.2869.fc6. Our KDCs run FreeBSD 6.1 with the MIT Kerberos port installed. Authentication seems to work okay,
Script started on Thu Feb 8 15:31:23 2007
bsod$ /bin/su - testacct
Password:
but the home directory isn't usable.
/bin/su: warning: cannot change directory to /home/testacct: Permission denied
-bash: /home/testacct/.bash_profile: Permission denied
The mount though did succeed:
-bash-3.1$ mount | grep testacct
sinagua:/vol/vol0/home/testacct on /home/testacct type nfs (rw,nfsvers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5,addr=172.16.1.252)
-bash-3.1$ grep testacct /etc/auto.home
testacct -rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5 sinagua:/vol/vol0/home/testacct
But
-bash-3.1$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500_vZWPDb)

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
Okay, I thought the PAM stack would provide the credentials. But even after running kinit...
-bash-3.1$ kinit
Password for testacct@CS.ARIZONA.EDU:
-bash-3.1$ cd
-bash: cd: /home/testacct: Permission denied
-bash-3.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500_vZWPDb
Default principal: testacct@CS.ARIZONA.EDU

Valid starting     Expires            Service principal
02/08/07 15:32:03  02/09/07 15:32:03  krbtgt/CS.ARIZONA.EDU@CS.ARIZONA.EDU
renew until 02/08/07 15:32:03, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-bash-3.1$ exit
logout
...the directory isn't usable
-bash: /home/testacct/.bash_logout: Permission denied
bsod$ exit
exit
Script done on Thu Feb 8 15:32:39 2007
Running rpc.gssd in verbose mode produced
Script started on Thu Feb 8 15:30:29 2007
bsod$ /sbin/lsmod | grep sunrpc
sunrpc 158333 6 nfs,lockd,nfs_acl,rpcsec_gss_krb5,auth_rpcgss
bsod$ mount | grep rpc_pipe
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
bsod$ sudo strace -o /tmp/rpc.gssd -f /usr/sbin/rpc.gssd -f -vvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU'
We will use this entry (nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU)
Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_CS.ARIZONA.EDU'
That's the extent of output while the commands above ran.
And the (enormous) strace output file seems mostly to consist of polling loops something like
2720 poll([{fd=6, events=POLLIN, revents=POLLERR|POLLHUP}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}], 32, 500) = 1 2720 chdir("/var/lib/nfs/rpc_pipefs/nfs") = 0 2720 open("/var/lib/nfs/rpc_pipefs/nfs", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 7 2720 fstat64(7, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 2720 fcntl64(7, F_SETFD, FD_CLOEXEC) = 0 2720 getdents64(7, /* 3 entries */, 4096) = 80 2720 getdents64(7, /* 0 entries */, 4096) = 0 2720 close(7) = 0
Any ideas?