10:35 a.m.
Hey all,
I am trying to get kerberized NFS home directories working in Ubuntu 18.04
with the mapping info coming from IPA. I can get them to mount on login in
a multi-user target (terminal only), but not a graphical one (using gdm for
login). The messages I am seeing in the syslog seem to indicate that it is
having issues communicating with the server hosting the NFS share and times
out. That doesn't make sense though since it works to mount in the
terminal like I would expect.
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
10:48 a.m.
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via FreeIPA-users
wrote:
Hey all,
I am trying to get kerberized NFS home directories working in Ubuntu 18.04
with the mapping info coming from IPA. I can get them to mount on login in
a multi-user target (terminal only), but not a graphical one (using gdm for
login). The messages I am seeing in the syslog seem to indicate that it is
having issues communicating with the server hosting the NFS share and times
out. That doesn't make sense though since it works to mount in the
terminal like I would expect.
Is GDM trying to mount or walk the home directory *before* performing
authentication?
Or are you tying to manually mount/walk in the home in a terminal and
failing?
A failure indicates that the rpc.gssd daemon cannot find kerberos
credentials of the user.
What kind of credential cache do you use? Is it the same between
graphical and console logins? Do you use rpc.gssd integrated with gss-
proxy or standalone?
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
11:16 a.m.
The host is enrolled in Red Hat IdM and (as I understand it) pulls a
kerberos key from the IdM server on login when the user in from IdM. From
looking at the syslog, it authenticates me, begins a session, and then the
failure occurs. I can see that it has pulled down info about my user
account in the syslog before it fails. Some of the lines I see in the
syslog are:
zorin systemd[1]: Started Session 4 of user sample(a)chem.byu.edu.
kernel: [ 134.496794] lockd: server fs2.chem.byu.edu not responding, still
trying
.
.and after some other normal stuff we eventually we get to...
.
Jan 16 12:17:11 zorin kernel: [ 153.305521] lockd: server fs2.chem.byu.edu
not responding, still trying
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]:
WARNING: Application 'org.gnome.Shell.desktop' failed to register before
timeout
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]:
CRITICAL: We failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin gnome-session-binary[1545]: Unrecoverable failure in
required component org.gnome.Shell.desktop
Jan 16 12:17:11 zorin gnome-session-binary[1545]: WARNING: Application
'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session-binary[1545]: CRITICAL: We failed, but
the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin at-spi-bus-launcher[1649]: XIO: fatal IO error 11
(Resource temporarily unavailable) on X server ":0"
On Fri, Jan 17, 2020 at 9:48 AM Simo Sorce <simo(a)redhat.com> wrote:
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via
FreeIPA-users
wrote:
> Hey all,
>
> I am trying to get kerberized NFS home directories working in Ubuntu
18.04
> with the mapping info coming from IPA. I can get them to mount on login
in
> a multi-user target (terminal only), but not a graphical one (using gdm
for
> login). The messages I am seeing in the syslog seem to indicate that it
is
> having issues communicating with the server hosting the NFS share and
times
> out. That doesn't make sense though since it works to mount in the
> terminal like I would expect.
Is GDM trying to mount or walk the home directory *before* performing
authentication?
Or are you tying to manually mount/walk in the home in a terminal and
failing?
A failure indicates that the rpc.gssd daemon cannot find kerberos
credentials of the user.
What kind of credential cache do you use? Is it the same between
graphical and console logins? Do you use rpc.gssd integrated with gss-
proxy or standalone?
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
3:33 p.m.
If it works for one login type and not for the other, chances are there’s a different tin
the pam configuration files. Each service, which would include gdm and sshd, has a
configuration file in /etc/pam.d, which determines how authentication is done. If you are
using sssd for your authentication (which I recommend) authentication is done with an auth
entry using pam_sss. The file you want to look at it /var/log/auth.log.
You don’t want anything that relies on the user having a Kerberos ticket to come before
the pam_sss entry (which will likely be in common-auth, including from the sshd and gdm
files). You also don’t want anything that might need access to files, including config
files in the home directory, to come before the ticket is there.
On Jan 17, 2020, at 12:16 PM, Kristian Petersen via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
wrote:
The host is enrolled in Red Hat IdM and (as I understand it) pulls a kerberos key from the
IdM server on login when the user in from IdM. From looking at the syslog, it
authenticates me, begins a session, and then the failure occurs. I can see that it has
pulled down info about my user account in the syslog before it fails. Some of the lines I
see in the syslog are:
zorin systemd[1]: Started Session 4 of user
sample@chem.byu.edu<mailto:sample@chem.byu.edu>.
kernel: [ 134.496794] lockd: server fs2.chem.byu.edu<http://fs2.chem.byu.edu/> not
responding, still trying
.
.and after some other normal stuff we eventually we get to...
.
Jan 16 12:17:11 zorin kernel: [ 153.305521] lockd: server
fs2.chem.byu.edu<http://fs2.chem.byu.edu/> not responding, still trying
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: WARNING:
Application 'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: CRITICAL: We
failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin gnome-session-binary[1545]: Unrecoverable failure in required
component org.gnome.Shell.desktop
Jan 16 12:17:11 zorin gnome-session-binary[1545]: WARNING: Application
'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session-binary[1545]: CRITICAL: We failed, but the fail whale
is dead. Sorry....
Jan 16 12:17:11 zorin at-spi-bus-launcher[1649]: XIO: fatal IO error 11 (Resource
temporarily unavailable) on X server ":0"
On Fri, Jan 17, 2020 at 9:48 AM Simo Sorce
<simo@redhat.com<mailto:simo@redhat.com>> wrote:
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via FreeIPA-users
wrote:
Hey all,
I am trying to get kerberized NFS home directories working in Ubuntu 18.04
with the mapping info coming from IPA. I can get them to mount on login in
a multi-user target (terminal only), but not a graphical one (using gdm for
login). The messages I am seeing in the syslog seem to indicate that it is
having issues communicating with the server hosting the NFS share and times
out. That doesn't make sense though since it works to mount in the
terminal like I would expect.
Is GDM trying to mount or walk the home directory *before* performing
authentication?
Or are you tying to manually mount/walk in the home in a terminal and
failing?
A failure indicates that the rpc.gssd daemon cannot find kerberos
credentials of the user.
What kind of credential cache do you use? Is it the same between
graphical and console logins? Do you use rpc.gssd integrated with gss-
proxy or standalone?
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:37 p.m.
another issue to beware of. In my copy of ubuntu 18, common-auth has pam_unix before
pam_sss, and its set so that if pam_unix succeeds, it skips pam_sss. That means that if
the user has an entry in /etc/passwd and they type a password matching that entry, it will
skip the Kerberos authentication, and you’ll end up without a Kerberos credential.
On Jan 17, 2020, at 4:33 PM, Charles Hedrick via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
wrote:
If it works for one login type and not for the other, chances are there’s a different tin
the pam configuration files. Each service, which would include gdm and sshd, has a
configuration file in /etc/pam.d, which determines how authentication is done. If you are
using sssd for your authentication (which I recommend) authentication is done with an auth
entry using pam_sss. The file you want to look at it /var/log/auth.log.
You don’t want anything that relies on the user having a Kerberos ticket to come before
the pam_sss entry (which will likely be in common-auth, including from the sshd and gdm
files). You also don’t want anything that might need access to files, including config
files in the home directory, to come before the ticket is there.
On Jan 17, 2020, at 12:16 PM, Kristian Petersen via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
wrote:
The host is enrolled in Red Hat IdM and (as I understand it) pulls a kerberos key from the
IdM server on login when the user in from IdM. From looking at the syslog, it
authenticates me, begins a session, and then the failure occurs. I can see that it has
pulled down info about my user account in the syslog before it fails. Some of the lines I
see in the syslog are:
zorin systemd[1]: Started Session 4 of user
sample@chem.byu.edu<mailto:sample@chem.byu.edu>.
kernel: [ 134.496794] lockd: server fs2.chem.byu.edu<http://fs2.chem.byu.edu/> not
responding, still trying
.
.and after some other normal stuff we eventually we get to...
.
Jan 16 12:17:11 zorin kernel: [ 153.305521] lockd: server
fs2.chem.byu.edu<http://fs2.chem.byu.edu/> not responding, still trying
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: WARNING:
Application 'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: CRITICAL: We
failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin gnome-session-binary[1545]: Unrecoverable failure in required
component org.gnome.Shell.desktop
Jan 16 12:17:11 zorin gnome-session-binary[1545]: WARNING: Application
'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session-binary[1545]: CRITICAL: We failed, but the fail whale
is dead. Sorry....
Jan 16 12:17:11 zorin at-spi-bus-launcher[1649]: XIO: fatal IO error 11 (Resource
temporarily unavailable) on X server ":0"
On Fri, Jan 17, 2020 at 9:48 AM Simo Sorce
<simo@redhat.com<mailto:simo@redhat.com>> wrote:
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via FreeIPA-users
wrote:
Hey all,
I am trying to get kerberized NFS home directories working in Ubuntu 18.04
with the mapping info coming from IPA. I can get them to mount on login in
a multi-user target (terminal only), but not a graphical one (using gdm for
login). The messages I am seeing in the syslog seem to indicate that it is
having issues communicating with the server hosting the NFS share and times
out. That doesn't make sense though since it works to mount in the
terminal like I would expect.
Is GDM trying to mount or walk the home directory *before* performing
authentication?
Or are you tying to manually mount/walk in the home in a terminal and
failing?
A failure indicates that the rpc.gssd daemon cannot find kerberos
credentials of the user.
What kind of credential cache do you use? Is it the same between
graphical and console logins? Do you use rpc.gssd integrated with gss-
proxy or standalone?
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1554
days inactive
1554
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Charles Hedrick -
Kristian Petersen -
Simo Sorce