On Thu, 2010-05-27 at 09:09 -0400, Rob Crittenden wrote:

> I assume the keytab is still valid since the mount succeeds and root 
> works. Kerberos otherwise works ok on this machine, you can kinit, etc?

Hm, the server didn't change, and on the client klist
-k /etc/krb5.keytab -e does not suggest anything changed, so yes the
keytab seems to be ok. Kerberos works as well.

> You might want to check the kdc log on and the 389-ds log, you might see 
> some querying to find the user for authentication.

Neither /var/log/krb5kdc.log nor /var/log/dirsrv/slapd-XXX-COM/errors
lists anything related to that client.

> Do things like 'getent passwd <someuser>' still work?


I don't think it's anything related to the server, or krb5 on the client
going wrong. At the time the non-root user does ls /tmp/z, there is no
network traffic, so the server cannot even know that some user tries to
ls the mount directory.

Also, I've monitored the network traffic with wireshark, the whole NFSv4
exchange seems to work as expected (unfortunately wireshark does not
seem to have a dissector for V4 composite RPC calls, so I don't know in
detail what server and client are talking about), I have not seen any
GSS related failures in the protocol exchange.

I've tried selective downgrade of the client. I've downgraded kernel,
nfs-utils*, cyrus-sasl*, libtirpc*, krb5*, so far without success.

I've also tried the opposite, i.e. selectively upgrading a working fc12
client, so far without any insight, it is still working. I've upgraded
the following packages:

I'm a bit at a loss...

Freeipa-users mailing list

Reply via email to