1:46 a.m.
I’m not sure if my problem is with IPA or Kerberized NFSv4 but I’m hoping the list may be
able to help.
I’m trying to get a Kerberized NFSv4 client going on an Ubuntu 16.04LTS system that’s
enrolled to IPA with an AD trust. I can mount the filesystem successfully with:
mount -o sec=krb5 -t nfs4 nfsserver.ipa.localdomain:/export/home /mnt
.. but when I try to access from my normal user account (uid: 1388813135, resolved from
IPA via an AD trust) it fails:
$ ls /mnt
ls: cannot access '/mnt': Permission denied
I do have a TGT in LOCALDOMAIN, stored in a kernel keyring:
$ klist
Ticket cache: KEYRING:persistent:1388813135:krb_ccache_jU3s6mw
Default principal: rns@LOCALDOMAIN
Valid starting Expires Service principal
10/08/17 15:34:30 11/08/17 01:34:30 krbtgt/LOCALDOMAIN@LOCALDOMAIN
renew until 11/08/17 15:34:29
When I run ‘rpc.gssd -fvvv’ I see:
handling gssd upcall (/run/rpc_pipefs/nfs/clnt34)
handle_gssd_upcall: 'mech=krb5 uid=1388813135 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/run/rpc_pipefs/nfs/clnt34)
process_krb5_upcall: service is '<null>'
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.
Minor code may provide more information) - Can't find client principal
rns@localdomain in cache collection
getting credentials for client with uid 1388813135 for server nfsserver.ipa.localdomain
CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' being considered, with preferred realm
'IPA.LOCALDOMAIN'
CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' owned by 0, not 1388813135
getting credentials for client with uid 1388813135 for server nfsserver.ipa.localdomain
WARNING: Failed to create krb5 context for user with uid 1388813135 for server
nfsserver.ipa.localdomain
doing error downcall
I’m a little unclear as to why it references client principal 'rns@localdomain’, as
I’d have expected my principal to be ‘rns@LOCALDOMAIN’.
However, an ‘strace’ on rpc.gssd does seem to indicate that it’s finding the credentials
in the keyring:
21915 geteuid() = 0
21915 open("/etc/krb5/user/0/client.keytab", O_RDONLY) = -1 ENOENT (No such file
or directory)
21915 write(17, "[21915] 1502322917.102061: Retrieving rns@localdomain from
FILE:/etc/krb5/user/0/client.keytab (vno 0, enctype 0) with result"..., 190) = 190
21915 getuid() = 0
21915 keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 310945083
21915 keyctl(KEYCTL_SEARCH, 310945083, "keyring", "_krb",
KEY_SPEC_PROCESS_KEYRING) = 19783009
21915 keyctl(KEYCTL_SEARCH, 19783009, "user", "krb_ccache:primary", 0)
= 1046694120
21915 keyctl(KEYCTL_READ, 1046694120, NULL, 0) = 9
21915 keyctl(KEYCTL_READ, 1046694120, "", 9) = 9
21915 keyctl(KEYCTL_READ, 19783009, NULL, 0) = 4
21915 keyctl(KEYCTL_READ, 19783009, "\350Hc>", 4) = 4
21915 keyctl(KEYCTL_SEARCH, 19783009, "keyring", "0", 0) = -1 ENOKEY
(Required key not available)
21915 keyctl(KEYCTL_DESCRIBE, 1046694120, NULL, 0) = 37
21915 keyctl(KEYCTL_DESCRIBE, 1046694120,
"user;0;0;3f010000;krb_ccache:primary", 37) = 37
Later on, I see it looking in /run/user/1388813135, but immediately warns that it can’t
create a krb5 context:
21915 write(2, "getting credentials for client with uid 1388813135 for server
nfsserver.ipa.localdomain\n", 90) = 90
21915 open("/run/user/1388813135", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) =
17
21915 fstat(17, {st_mode=S_IFDIR|0700, st_size=280, ...}) = 0
21915 getdents(17, /* 14 entries */, 32768) = 472
21915 getdents(17, /* 0 entries */, 32768) = 0
21915 close(17) = 0
21915 write(2, "WARNING: Failed to create krb5 context for user with uid 1388813135
for server nfsserver.ipa.localdomain\n", 107) = 107
Any idea as to what the problem might be here, or where I should be focussing my debugging
efforts?
(This is working from a RHEL7 client, but the configuration seems a little different
there, as it’s using gssproxy.)
Regards,
Robert.
2:20 a.m.
New subject: Issue with FreeIPA and Kerberized NFSv4 Client on Ubuntu 16.04LTS
I ran into that problem too [1]. The only way I got it to work was to place
the credential cache in /tmp. Like so:
$ KRB5CCNAME=/tmp/krb5cc_keesb kinit
I think the file name does not matter, but I'm not quite sure.
[1] https://www.redhat.com/archives/freeipa-users/2017-March/msg00049.html
On 10-08-17 08:46, Robert Sturrock via FreeIPA-users wrote:
I’m not sure if my problem is with IPA or Kerberized NFSv4 but I’m
hoping the list may be able to help.
I’m trying to get a Kerberized NFSv4 client going on an Ubuntu 16.04LTS system that’s
enrolled to IPA with an AD trust. I can mount the filesystem successfully with:
mount -o sec=krb5 -t nfs4 nfsserver.ipa.localdomain:/export/home /mnt
.. but when I try to access from my normal user account (uid: 1388813135, resolved from
IPA via an AD trust) it fails:
$ ls /mnt
ls: cannot access '/mnt': Permission denied
I do have a TGT in LOCALDOMAIN, stored in a kernel keyring:
$ klist
Ticket cache: KEYRING:persistent:1388813135:krb_ccache_jU3s6mw
Default principal: rns@LOCALDOMAIN
Valid starting Expires Service principal
10/08/17 15:34:30 11/08/17 01:34:30 krbtgt/LOCALDOMAIN@LOCALDOMAIN
renew until 11/08/17 15:34:29
When I run ‘rpc.gssd -fvvv’ I see:
handling gssd upcall (/run/rpc_pipefs/nfs/clnt34)
handle_gssd_upcall: 'mech=krb5 uid=1388813135 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/run/rpc_pipefs/nfs/clnt34)
process_krb5_upcall: service is '<null>'
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.
Minor code may provide more information) - Can't find client principal
rns@localdomain in cache collection
getting credentials for client with uid 1388813135 for server nfsserver.ipa.localdomain
CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' being considered, with preferred realm
'IPA.LOCALDOMAIN'
CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' owned by 0, not 1388813135
getting credentials for client with uid 1388813135 for server nfsserver.ipa.localdomain
WARNING: Failed to create krb5 context for user with uid 1388813135 for server
nfsserver.ipa.localdomain
doing error downcall
I’m a little unclear as to why it references client principal 'rns@localdomain’, as
I’d have expected my principal to be ‘rns@LOCALDOMAIN’.
However, an ‘strace’ on rpc.gssd does seem to indicate that it’s finding the credentials
in the keyring:
21915 geteuid() = 0
21915 open("/etc/krb5/user/0/client.keytab", O_RDONLY) = -1 ENOENT (No such
file or directory)
21915 write(17, "[21915] 1502322917.102061: Retrieving rns@localdomain from
FILE:/etc/krb5/user/0/client.keytab (vno 0, enctype 0) with result"..., 190) = 190
21915 getuid() = 0
21915 keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 310945083
21915 keyctl(KEYCTL_SEARCH, 310945083, "keyring", "_krb",
KEY_SPEC_PROCESS_KEYRING) = 19783009
21915 keyctl(KEYCTL_SEARCH, 19783009, "user", "krb_ccache:primary",
0) = 1046694120
21915 keyctl(KEYCTL_READ, 1046694120, NULL, 0) = 9
21915 keyctl(KEYCTL_READ, 1046694120, "", 9) = 9
21915 keyctl(KEYCTL_READ, 19783009, NULL, 0) = 4
21915 keyctl(KEYCTL_READ, 19783009, "\350Hc>", 4) = 4
21915 keyctl(KEYCTL_SEARCH, 19783009, "keyring", "0", 0) = -1 ENOKEY
(Required key not available)
21915 keyctl(KEYCTL_DESCRIBE, 1046694120, NULL, 0) = 37
21915 keyctl(KEYCTL_DESCRIBE, 1046694120,
"user;0;0;3f010000;krb_ccache:primary", 37) = 37
Later on, I see it looking in /run/user/1388813135, but immediately warns that it can’t
create a krb5 context:
21915 write(2, "getting credentials for client with uid 1388813135 for server
nfsserver.ipa.localdomain\n", 90) = 90
21915 open("/run/user/1388813135", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) =
17
21915 fstat(17, {st_mode=S_IFDIR|0700, st_size=280, ...}) = 0
21915 getdents(17, /* 14 entries */, 32768) = 472
21915 getdents(17, /* 0 entries */, 32768) = 0
21915 close(17) = 0
21915 write(2, "WARNING: Failed to create krb5 context for user with uid 1388813135
for server nfsserver.ipa.localdomain\n", 107) = 107
Any idea as to what the problem might be here, or where I should be focussing my
debugging efforts?
(This is working from a RHEL7 client, but the configuration seems a little different
there, as it’s using gssproxy.)
Regards,
Robert.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
2492
days inactive
2492
days old
freeipa-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Kees Bakker -
Robert Sturrock