home directory weirdness with Kerberos+NFSv4

From: Roberto C. Sánchez <roberto(at)connexer.com>
Date: Mon Oct 08 2007 - 08:03:03 EDT


OK. I am still working on this Kerberos+LDAP+NFSv4 transition. Now, I have started occasionally seeing some strange behavior when logging in via ssh.

Essentially, what happens is that when logging in via SSH, the user is sometimes prevented from accessing his home directory. Now, miami is my workstation into which I am physically logged in, while manta is a remote host (in this case, a CentOS machine, but I can reliably reproduce this when sshing in to a machine running Debian; all my Debian machines, servers and workstations, are running Etch). My user account is roberto, with uid 2000. Now, while I periodically get denied access to my home directory while using ssh to log in, this has never happened when logging in at the console.

What I don't understand is:

  1. Why the problem when logging in via ssh?
  2. Why is kdestroy alone not sufficient (i.e., why do I also need to run kinit)?

roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:09:18 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:46:11 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: roberto@CONNEXER.COM

Valid starting     Expires            Service principal
10/07/07 09:35:13  10/07/07 19:35:13  krbtgt/CONNEXER.COM@CONNEXER.COM
        renew until 10/08/07 09:35:12
10/07/07 09:35:14  10/07/07 19:35:13  nfs/miami.connexer.com@CONNEXER.COM
        renew until 10/08/07 09:35:12

Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kdestroy
-bash-3.00$ logout
-bash: /network/home/roberto/.bash_logout: Permission denied
Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:47:33 2007 from miami.connexer.com
Could not chdir to home directory /network/home/roberto: Permission denied
/usr/X11R6/bin/xauth: timeout in locking authority file /network/home/roberto/.Xauthority
-bash: /network/home/roberto/.bash_profile: Permission denied
-bash-3.00$ klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2000)

Kerberos 4 ticket cache: /tmp/tkt2000
klist: You have no tickets cached
-bash-3.00$ kinit

Password for roberto@CONNEXER.COM:
-bash-3.00$ logout

Connection to manta closed.
roberto@miami:~$ ssh manta
Last login: Mon Oct 8 07:48:09 2007 from miami.connexer.com
 07:48:49 up 1:07, 1 user, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
roberto  pts/0    miami.connexer.c  07:48    1.00s  0.00s  0.00s -bash
roberto@manta:~$ mount |grep \/network
miami:/ on /network type nfs4 (rw,sec=krb5p,addr=66.93.22.253)
roberto@manta:~$

Oct 8 07:47:54 manta rpc.gssd[1948]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 32
Oct 8 07:47:54 manta rpc.gssd[1948]: WARNING: Failed to create krb5 context for user with uid 2000 for server miami.connexer.com

If anyone has even the faintest idea what is going on, I would appreciate knowing your thoughts on this.

Regards,

-Roberto
--

Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Received on Mon Oct 8 08:03:35 2007
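
A check for the condition visible in the session above: klist lists tickets whose "Expires" time is 10/07/07 19:35:13 while the logins take place on Oct 8, and rpc.gssd reports krb5 code 32, which is KRB_AP_ERR_TKT_EXPIRED in RFC 4120's error numbering. This is an added example, not part of the original post; it parses klist output in the layout shown and reports which tickets are already expired at a given time. The function names are hypothetical, the sample is the post's klist output with its columns restored, and the mm/dd/yy date order is an assumption.

```python
import re
from datetime import datetime

# Sample input: the klist output from the post, columns restored.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: roberto@CONNEXER.COM

Valid starting     Expires            Service principal
10/07/07 09:35:13  10/07/07 19:35:13  krbtgt/CONNEXER.COM@CONNEXER.COM
        renew until 10/08/07 09:35:12
10/07/07 09:35:14  10/07/07 19:35:13  nfs/miami.connexer.com@CONNEXER.COM
        renew until 10/08/07 09:35:12
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {STAMP}\s*$")
FMT = "%m/%d/%y %H:%M:%S"  # assumption: mm/dd/yy, as in the post's output


def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), FMT),
                "expires": datetime.strptime(m.group(2), FMT),
                "renew_until": None,
            })
            continue
        m = RENEW.match(line)
        if m and tickets:  # the renew line belongs to the ticket above it
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets


def expired_tickets(tickets, now):
    """Return (service, time since expiry) for tickets past 'Expires'.

    'renew until' is not consulted: a ticket has to be renewed before
    its expiry time, so a later renew-until does not make it usable.
    """
    return [(t["service"], now - t["expires"])
            for t in tickets if now >= t["expires"]]


if __name__ == "__main__":
    log_time = datetime(2007, 10, 8, 7, 47, 54)  # rpc.gssd log timestamp
    for service, age in expired_tickets(parse_klist(SAMPLE_KLIST), log_time):
        print(f"{service} expired {age} before {log_time}")
```
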
