On Wed, Nov 09, 2016 at 02:45:56PM +0000, Longina Przybyszewska wrote:
> Hi again,
> I'm still stuck on that problem.
> Client and server are configured in an AD trust realm environment.
> Client and server are joined to a.c.domain;
> User is from n.c.domain.
> During the login sequence the NFS share (sec=krb5) homedir is mounted with the right nfsidmapping.
> User can't log in because of access denied to the homedir.
> If I change the mount parameter to sec=sys, the user can successfully log in.
> Machine's and user's credentials *are* valid:
> ==
> Ticket cache: FILE:/tmp/krb5cc_332405654_B4r6Sy
> Default principal: longina@N.C.DOMAIN
> Valid starting       Expires              Service principal
> 11/09/2016 15:00:43  11/10/2016 01:00:43  krbtgt/N.C.DOMAIN@N.C.DOMAIN
>         renew until 11/10/2016 01:00:43
> 11/09/2016 15:00:45  11/10/2016 01:00:43  krbtgt/C.SDU.DK@N.C.DOMAIN
>         renew until 11/10/2016 01:00:43
> 11/09/2016 15:00:45  11/10/2016 01:00:43  nfs/adm-lptest.a.c.domain@
>         renew until 11/10/2016 01:00:43
> 11/09/2016 15:00:45  11/10/2016 01:00:43  nfs/adm-lptest.a.c.domain@A.C.DOMAIN
>         renew until 11/10/2016 01:00:43
> ==
> Kerberos sequence for login ends with (krb5_child.log):
> ==
> [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed:
> [-1765328243][Can't find client principal longina@N.C.DOMAIN in cache collection]
> ==
You can ignore this: since you are using the FILE: ccache, which
doesn't support collections, this error is harmless.
It looks like the krb5_child itself finished fine, according to:
(Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x0200): Received error code 0
(Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [pack_response_packet] (0x2000): response packet size: [142]
(Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [main] (0x0400): krb5_child completed successfully
So I would suggest looking into the domain logs as well. Chances are
some other part (maybe the access control later?) is failing.
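The triage in the reply above can be automated: parse sssd's debug-line format, read the final "Received error code" and the "completed successfully" marker from krb5_child.log, and treat a failed krb5_cc_cache_match as noise when the ccache type is FILE: (only DIR:, KEYRING: and KCM: support collections). This is an added example, not code from the thread or from sssd; the log lines are constructed after the ones quoted above, and the function and field names are my own.

```python
import re

# Shape of an sssd debug line as written to krb5_child.log, e.g.
# (Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x0200): Received error code 0
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[(?P<proc>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ERR_RE = re.compile(r"Received error code (-?\d+)")
# Only these ccache types support collections; with FILE: a failed
# krb5_cc_cache_match is expected and carries no information.
COLLECTION_TYPES = {"DIR", "KEYRING", "KCM"}

def parse_line(line):
    """Split one sssd debug line into its fields; None for any other text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def assess_krb5_child(lines, ccache_type="FILE"):
    """Final error code, completion flag, and cache-match failures bucketed by ccache type."""
    result = {"error_code": None, "completed": False, "harmless": [], "suspicious": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = ERR_RE.search(msg)
        if m:
            result["error_code"] = int(m.group(1))
        if "krb5_child completed successfully" in msg:
            result["completed"] = True
        if "krb5_cc_cache_match failed" in msg:
            bucket = "suspicious" if ccache_type.upper() in COLLECTION_TYPES else "harmless"
            result[bucket].append(msg)
    return result

def next_step(lines, ccache_type="FILE"):
    """If krb5_child returned 0 and completed, the denial is from a later stage, not Kerberos."""
    r = assess_krb5_child(lines, ccache_type)
    if r["error_code"] == 0 and r["completed"]:
        return "krb5_child ok: check sssd domain log and access-control phase"
    return "krb5_child failed: error code %s" % r["error_code"]

# Constructed sample modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = [
    "(Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal longina@N.C.DOMAIN in cache collection]",
    "(Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x0200): Received error code 0",
    "(Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [pack_response_packet] (0x2000): response packet size: [142]",
    "(Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [main] (0x0400): krb5_child completed successfully",
]
```

Feed it the real krb5_child.log (with debug_level high enough to emit the k5c_send_data line) and the ccache type from the sssd config; a non-zero code or a missing completion line points at Kerberos, a zero code points at the domain provider or access control.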