I ran into that problem too [1]. The only way I got it to work was to place
the credential cache in /tmp. Like so:

    $ KRB5CCNAME=/tmp/krb5cc_keesb kinit

I think the file name does not matter, but I'm not quite sure.

[1] https://www.redhat.com/archives/freeipa-users/2017-March/msg00049.html

On 10-08-17 08:46, Robert Sturrock via FreeIPA-users wrote:
> I’m not sure if my problem is with IPA or Kerberized NFSv4 but I’m hoping the 
> list may be able to help.
>
> I’m trying to get a Kerberized NFSv4 client going on an Ubuntu 16.04LTS 
> system that’s enrolled to IPA with an AD trust.  I can mount the filesystem 
> successfully with:
>
>   mount -o sec=krb5 -t nfs4 nfsserver.ipa.localdomain:/export/home /mnt
>
> .. but when I try to access from my normal user account (uid: 1388813135, 
> resolved from IPA via an AD trust) it fails:
>
>   $ ls /mnt
>   ls: cannot access '/mnt': Permission denied
>
> I do have a TGT in LOCALDOMAIN, stored in a kernel keyring:
>
>   $ klist
>   Ticket cache: KEYRING:persistent:1388813135:krb_ccache_jU3s6mw
>   Default principal: rns@LOCALDOMAIN
>
>   Valid starting     Expires            Service principal
>   10/08/17 15:34:30  11/08/17 01:34:30  krbtgt/LOCALDOMAIN@LOCALDOMAIN
>           renew until 11/08/17 15:34:29
>
> When I run ‘rpc.gssd -fvvv’ I see:
>
> handling gssd upcall (/run/rpc_pipefs/nfs/clnt34)
> handle_gssd_upcall: 'mech=krb5 uid=1388813135 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/run/rpc_pipefs/nfs/clnt34)
> process_krb5_upcall: service is '<null>'
> ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS 
> failure.  Minor code may provide more information) - Can't find client   
> principal rns@localdomain in cache collection
> getting credentials for client with uid 1388813135 for server 
> nfsserver.ipa.localdomain
> CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' being considered, with preferred 
> realm 'IPA.LOCALDOMAIN'
> CC '/tmp/krb5ccmachine_IPA.LOCALDOMAIN' owned by 0, not 1388813135
> getting credentials for client with uid 1388813135 for server 
> nfsserver.ipa.localdomain
> WARNING: Failed to create krb5 context for user with uid 1388813135 for 
> server nfsserver.ipa.localdomain
> doing error downcall
>
> I’m a little unclear as to why it references client principal 
> 'rns@localdomain’, as I’d have expected my principal to be ‘rns@LOCALDOMAIN’.
>
> However, an ‘strace’ on rpc.gssd does seem to indicate that it’s finding the 
> credentials in the keyring:
>
> 21915 geteuid()                         = 0
> 21915 open("/etc/krb5/user/0/client.keytab", O_RDONLY) = -1 ENOENT (No such 
> file or directory)
> 21915 write(17, "[21915] 1502322917.102061: Retrieving rns@localdomain from 
> FILE:/etc/krb5/user/0/client.keytab (vno 0, enctype 0) with result"..., 190) 
> = 190
> 21915 getuid()                          = 0
> 21915 keyctl(KEYCTL_GET_PERSISTENT, 0, KEY_SPEC_PROCESS_KEYRING) = 310945083
> 21915 keyctl(KEYCTL_SEARCH, 310945083, "keyring", "_krb", 
> KEY_SPEC_PROCESS_KEYRING) = 19783009
> 21915 keyctl(KEYCTL_SEARCH, 19783009, "user", "krb_ccache:primary", 0) = 
> 1046694120
> 21915 keyctl(KEYCTL_READ, 1046694120, NULL, 0) = 9
> 21915 keyctl(KEYCTL_READ, 1046694120, "", 9) = 9
> 21915 keyctl(KEYCTL_READ, 19783009, NULL, 0) = 4
> 21915 keyctl(KEYCTL_READ, 19783009, "\350Hc>", 4) = 4
> 21915 keyctl(KEYCTL_SEARCH, 19783009, "keyring", "0", 0) = -1 ENOKEY 
> (Required key not available)
> 21915 keyctl(KEYCTL_DESCRIBE, 1046694120, NULL, 0) = 37
> 21915 keyctl(KEYCTL_DESCRIBE, 1046694120, 
> "user;0;0;3f010000;krb_ccache:primary", 37) = 37
>
> Later on, I see it looking in /run/user/1388813135, but immediately warns 
> that it can’t create a krb5 context:
>
> 21915 write(2, "getting credentials for client with uid 1388813135 for server 
> nfsserver.ipa.localdomain\n", 90) = 90
> 21915 open("/run/user/1388813135", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) 
> = 17
> 21915 fstat(17, {st_mode=S_IFDIR|0700, st_size=280, ...}) = 0
> 21915 getdents(17, /* 14 entries */, 32768) = 472
> 21915 getdents(17, /* 0 entries */, 32768) = 0
> 21915 close(17)                         = 0
> 21915 write(2, "WARNING: Failed to create krb5 context for user with uid 
> 1388813135 for server nfsserver.ipa.localdomain\n", 107) = 107
>
> Any idea as to what the problem might be here, or where I should be focussing 
> my debugging efforts?
>
> (This is working from a RHEL7 client, but the configuration seems a little 
> different there, as it’s using gssproxy.)
>
> Regards,
>
> Robert.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to