I’m not sure if my problem is with IPA or Kerberized NFSv4 but I’m hoping the 
list may be able to help.

I’m trying to get a Kerberized NFSv4 client going on an Ubuntu 16.04LTS system 
that’s enrolled to IPA with an AD trust.  I can mount the filesystem 
successfully with:

  mount -o sec=krb5 -t nfs4 nfsserver.ipa.localdomain:/export/home /mnt

.. but when I try to access from my normal user account (uid: 1388813135, 
resolved from IPA via an AD trust) it fails:

  $ ls /mnt
  ls: cannot access '/mnt': Permission denied

I do have a TGT in LOCALDOMAIN, stored in a kernel keyring:

  $ klist
  Ticket cache: KEYRING:persistent:1388813135:krb_ccache_jU3s6mw
  Default principal: rns@LOCALDOMAIN

  Valid starting     Expires            Service principal
  10/08/17 15:34:30  11/08/17 01:34:30  krbtgt/LOCALDOMAIN@LOCALDOMAIN
          renew until 11/08/17 15:34:29

When I run ‘rpc.gssd -fvvv’ I see:

handling gssd upcall (/run/rpc_pipefs/nfs/clnt34)
handle_gssd_upcall: 'mech=krb5 uid=1388813135 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/run/rpc_pipefs/nfs/clnt34)
process_krb5_upcall: service is '<null>'
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS 
failure.  Minor code may provide more information) - Can't find client   
principal rns@localdomain in cache collection
getting credentials for client with uid 1388813135 for server 
nfsserver.ipa.localdomain
CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' being considered, with preferred realm 
'IPA.LOCALDOMAIN'
CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' owned by 0, not 1388813135
getting credentials for client with uid 1388813135 for server 
nfsserver.ipa.localdomain
WARNING: Failed to create krb5 context for user with uid 1388813135 for server 
nfsserver.ipa.localdomain
doing error downcall

I’m a little unclear as to why it references client principal 
'rns@localdomain’, as I’d have expected my principal to be ‘rns@LOCALDOMAIN’.

However, an ‘strace’ on rpc.gssd does seem to indicate that it’s finding the 
credentials in the keyring:

21915 geteuid()                         = 0
21915 open("/etc/krb5/user/0/client.keytab", O_RDONLY) = -1 ENOENT (No such 
file or directory)
21915 write(17, "[21915] 1502322917.102061: Retrieving rns@localdomain from 
FILE:/etc/krb5/user/0/client.keytab (vno 0, enctype 0) with result"..., 190) = 
190
21915 getuid()                          = 0
21915 keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 310945083
21915 keyctl(KEYCTL_SEARCH, 310945083, "keyring", "_krb", 
KEY_SPEC_PROCESS_KEYRING) = 19783009
21915 keyctl(KEYCTL_SEARCH, 19783009, "user", "krb_ccache:primary", 0) = 
1046694120
21915 keyctl(KEYCTL_READ, 1046694120, NULL, 0) = 9
21915 keyctl(KEYCTL_READ, 1046694120, "", 9) = 9
21915 keyctl(KEYCTL_READ, 19783009, NULL, 0) = 4
21915 keyctl(KEYCTL_READ, 19783009, "\350Hc>", 4) = 4
21915 keyctl(KEYCTL_SEARCH, 19783009, "keyring", "0", 0) = -1 ENOKEY (Required 
key not available)
21915 keyctl(KEYCTL_DESCRIBE, 1046694120, NULL, 0) = 37
21915 keyctl(KEYCTL_DESCRIBE, 1046694120, 
"user;0;0;3f010000;krb_ccache:primary", 37) = 37

Later on, I see it looking in /run/user/1388813135, but immediately warns that 
it can’t create a krb5 context:

21915 write(2, "getting credentials for client with uid 1388813135 for server 
nfsserver.ipa.localdomain\n", 90) = 90
21915 open("/run/user/1388813135", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 
17
21915 fstat(17, {st_mode=S_IFDIR|0700, st_size=280, ...}) = 0
21915 getdents(17, /* 14 entries */, 32768) = 472
21915 getdents(17, /* 0 entries */, 32768) = 0
21915 close(17)                         = 0
21915 write(2, "WARNING: Failed to create krb5 context for user with uid 
1388813135 for server nfsserver.ipa.localdomain\n", 107) = 107

Any idea as to what the problem might be here, or where I should be focussing 
my debugging efforts?

(This is working from a RHEL7 client, but the configuration seems a little 
different there, as it’s using gssproxy.)

Regards,

Robert.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to