If I enable RPCGSSDARGS="-vvv" on one of the servers I can't ssh to, I get the
following in /var/log/messages:

Feb 27 14:46:22 mail rpc.gssd[2210]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 27 14:46:22 mail rpc.gssd[2210]: handle_gssd_upcall: 'mech=krb5 uid=1644800003 enctypes=18,17,16,23,3,1,2 '
Feb 27 14:46:22 mail rpc.gssd[2210]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 27 14:46:22 mail rpc.gssd[2210]: process_krb5_upcall: service is '<null>'
Feb 27 14:46:22 mail rpc.gssd[2210]: getting credentials for client with uid 1644800003 for server share.test.net
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 1644800003
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_0' owned by 0, not 1644800003
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800001_rNDIHA' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800001_rNDIHA' owned by 1644800001, not 1644800003
Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net
Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall

Regards,
Johan.
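As an added example (my code, not from the post or from nfs-utils), here is a small Python triage of the rpc.gssd -vvv output above. It reconstructs the rule the log shows rpc.gssd applying for a krb5 upcall with a non-root uid: walk the credential-cache directory, reject every krb5cc_* file owned by a different uid (the machine cache and root's cache included), reject a cache whose ticket is expired or corrupt, and only then fail the context and do the error downcall. The sample log embedded in the block is the one posted; the `ccache_candidates` helper, which applies the same ownership filter to a live directory, is my addition and checks ownership only (expiry needs klist or the krb5 libraries).

```python
"""Triage rpc.gssd -vvv output: which credential caches were tried, and why each was rejected."""
import os
import re
from dataclasses import dataclass, field

# Constructed input: the rpc.gssd lines from the post, one entry per line.
SAMPLE_LOG = """\
Feb 27 14:46:22 mail rpc.gssd[2210]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 27 14:46:22 mail rpc.gssd[2210]: handle_gssd_upcall: 'mech=krb5 uid=1644800003 enctypes=18,17,16,23,3,1,2 '
Feb 27 14:46:22 mail rpc.gssd[2210]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 27 14:46:22 mail rpc.gssd[2210]: process_krb5_upcall: service is '<null>'
Feb 27 14:46:22 mail rpc.gssd[2210]: getting credentials for client with uid 1644800003 for server share.test.net
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 1644800003
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_0' owned by 0, not 1644800003
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800001_rNDIHA' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800001_rNDIHA' owned by 1644800001, not 1644800003
Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net
Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall
"""


@dataclass
class Upcall:
    uid: int = -1
    server: str = ""
    candidates: dict = field(default_factory=dict)  # ccache path -> verdict
    failed: bool = False


# Only message shapes that appear in the posted log are recognised.
PATTERNS = [
    ("uid", re.compile(r"handle_gssd_upcall: 'mech=krb5 uid=(\d+)")),
    ("server", re.compile(r"getting credentials for client with uid \d+ for server (\S+)")),
    ("consider", re.compile(r"CC file '([^']+)' being considered")),
    ("owner", re.compile(r"CC file '([^']+)' owned by (\d+), not (\d+)")),
    ("expired", re.compile(r"CC file '([^']+)' is expired or corrupt")),
    ("failed", re.compile(r"Failed to create krb5 context for user with uid (\d+)")),
]


def parse_gssd_log(text):
    """Group rpc.gssd -vvv lines into one Upcall record per handle_gssd_upcall."""
    upcalls, cur = [], None
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if kind == "uid":
                cur = Upcall(uid=int(m.group(1)))
                upcalls.append(cur)
            elif cur is None:
                pass  # stray line before any upcall header
            elif kind == "server":
                cur.server = m.group(1)
            elif kind == "consider":
                cur.candidates.setdefault(m.group(1), "not rejected")
            elif kind == "owner":
                cur.candidates[m.group(1)] = f"owned by uid {m.group(2)}"
            elif kind == "expired":
                cur.candidates[m.group(1)] = "expired or corrupt"
            elif kind == "failed":
                cur.failed = True
            break
    return upcalls


def diagnose(up):
    """Reduce one upcall record to the question the admin has to answer."""
    if not up.failed:
        return "ok"
    stale = [p for p, v in up.candidates.items() if v == "expired or corrupt"]
    if stale:
        return (f"uid {up.uid} has a cache ({stale[0]}) but its ticket is expired or corrupt: "
                "the user needs a fresh TGT on this host (password login through pam_sss, "
                "kinit, or GSSAPI credential delegation) before a krb5p mount can work")
    return f"uid {up.uid} has no credential cache on this host: nothing put a TGT here"


def ccache_candidates(uid, ccache_dir="/tmp"):
    """Live version of the ownership filter seen in the log (expiry is not checked here)."""
    found = [e.path for e in os.scandir(ccache_dir)
             if e.name.startswith("krb5cc_") and e.is_file() and e.stat().st_uid == uid]
    return sorted(found)


if __name__ == "__main__":
    for up in parse_gssd_log(SAMPLE_LOG):
        print(f"uid {up.uid} -> {up.server}")
        for path, verdict in up.candidates.items():
            print(f"  {path}: {verdict}")
        print(" ", diagnose(up))
```

On the posted log the only cache owned by uid 1644800003 is the expired one, so the error downcall is the expected outcome; the fix is on the credential side (a valid TGT for that uid on the host), not on the NFS side.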
________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Johan Petersson [johan.peters...@sscspace.com]
Sent: Wednesday, February 27, 2013 14:15
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

I think you are right: ssh always works to the NFS server, and I believe that is
because the home directory is situated there.

All ssh/sshd configuration is the default from the IPA client install.
The only things changed are the necessary autofs configuration, and that is
straight from the manual.

I use strict NFS4 with only port 2049 open. (Tried with all firewalls and SELinux
disabled, no difference.)
Home directory is exported as:
/nethomes    192.168.1.0(rw,sync,sec=krb5p)

IPA autofs map:
default/auto_nethome    *    -fstype=nfs4 -sec=krb5p,rw,soft, share.test.net:/nethomes/&

-fstype=nfs4 I had to use to get autofs working; with the firewall up and only
port 2049 open it went crazy otherwise, rambling about NFS2 and 3.
-sec=krb5p I had to put in the autofs map, since otherwise autofs ignored the
settings in exports and tried an empty -o when mounting, and thus failed because
there was no Kerberos auth.

I have updated everything to RHEL 6.4 now but no change.

Thunderbird complains that my ticket was not accepted.

The NFS server shows this in its logs:
rpc.gssd[2060]: ERROR: failed to read service info
rpc.gssd[2060]: WARNING: can't create tcp rpc_clnt to server laptop1.test.net for user with uid 0: RPC: Remote system error - No route to host

The network is fine and all firewalls are down.
Do you want any other logs besides the autofs debug output?

Thanks for the help.

Regards,
Johan.
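To check that the exports line and the autofs map entry above agree with each other, here is an added Python linter (my code, not from the post, nfs-utils or autofs). It parses an exports(5) line and a sun-format autofs map entry, merges the map's several -option groups, and reports the mismatches that matter for a krb5p home-directory export: a sec= flavour missing or different on one side (an export with no sec= accepts sec=sys, where the client asserts the uid), a map without fstype=nfs4 when only 2049/tcp is open, soft on a home directory, and a bare IPv4 address in exports, which exportfs treats as a single host rather than a subnet. The corrected pair in the block is my suggestion and an assumption, not something the thread settled on.

```python
"""Lint an /etc/exports line against the autofs map entry that mounts it."""
import re

# The two lines from the post (joined onto single lines), used as constructed input.
EXPORTS_LINE = "/nethomes    192.168.1.0(rw,sync,sec=krb5p)"
AUTOFS_ENTRY = "*    -fstype=nfs4 -sec=krb5p,rw,soft, share.test.net:/nethomes/&"

# Suggested corrected pair (an assumption for this example, not from the thread).
CORRECTED_EXPORTS = "/nethomes    192.168.1.0/24(rw,sync,sec=krb5p)"
CORRECTED_AUTOFS = "*    -fstype=nfs4,sec=krb5p,rw,hard    share.test.net:/nethomes/&"


def _optdict(text):
    """'rw,sec=krb5p,soft,' -> {'rw': True, 'sec': 'krb5p', 'soft': True}."""
    opts = {}
    for item in text.split(","):
        if not item:
            continue  # tolerate a trailing comma such as 'soft,'
        key, _, value = item.partition("=")
        opts[key] = value or True
    return opts


def parse_exports(line):
    """One exports(5) line -> (path, [(client, options), ...])."""
    path, *specs = line.split()
    clients = []
    for spec in specs:
        m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
        clients.append((m.group(1), _optdict(m.group(2) or "")))
    return path, clients


def parse_autofs(entry):
    """Sun-format map entry -> (key, merged options, location)."""
    fields = entry.split()
    key, location = fields[0], fields[-1]
    opts = {}
    for f in fields[1:-1]:
        if f.startswith("-"):
            opts.update(_optdict(f[1:]))  # several '-group' fields are merged
    return key, opts, location


def lint(exports_line, autofs_entry):
    """Return a list of findings; an empty list means the pair is consistent."""
    path, clients = parse_exports(exports_line)
    _key, mopts, location = parse_autofs(autofs_entry)
    findings = []
    _host, _, mount_path = location.partition(":")
    if not mount_path.startswith(path):
        findings.append(f"map: location {mount_path} lies outside the export {path}")
    if mopts.get("fstype") != "nfs4" and mopts.get("vers") != "4":
        findings.append("map: without fstype=nfs4 the client may fall back to NFSv3 "
                        "and need rpcbind/mountd ports, not just 2049")
    if "soft" in mopts:
        findings.append("map: 'soft' turns server timeouts into I/O errors and lost "
                        "writes on a home directory; use hard")
    for client, eopts in clients:
        if re.fullmatch(r"\d+\.\d+\.\d+\.0", client):
            findings.append(f"exports: bare address {client} is a single host; "
                            f"a subnet needs a mask, e.g. {client}/24")
        esec = eopts.get("sec")
        if esec is None:
            findings.append(f"exports: no sec= for {client}, so sec=sys (AUTH_UNIX, "
                            "uid asserted by the client) is accepted")
        elif esec != mopts.get("sec"):
            findings.append(f"sec mismatch: export to {client} requires sec={esec} "
                            f"but the map mounts with sec={mopts.get('sec')}")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (EXPORTS_LINE, AUTOFS_ENTRY)),
                        ("corrected", (CORRECTED_EXPORTS, CORRECTED_AUTOFS))):
        print(label, lint(*pair) or ["ok"])
```

On the posted pair the sec= flavours do agree, so the two findings it produces (soft, and the bare 192.168.1.0) are about robustness and export scope rather than the hang itself.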



________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, February 26, 2013 20:30
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

On 02/26/2013 02:03 PM, Johan Petersson wrote:
Hi,

I have an IPA server and an NFS4 server sharing home directories with autofs,
with krb5p as the only valid authentication.
Mail is Postfix/Dovecot, both with STARTTLS and GSSAPI.
All servers and clients are Red Hat 6.3, updated with the latest kernel and
everything else.

If I start and log in locally as user1 on an IPA client machine, everything works
perfectly initially, including mail and the home directory.
I then start experiencing errors when trying to ssh to other servers as ssh
us...@mail.example.com.
Nothing happens, no password prompt, nothing until I have to ctrl-c (tried
leaving it overnight, still the same).
Mail stops working; Thunderbird complains about expired credentials.
If I ssh as root to the server and then try either su user1 or su - user1,
both get the same result as ssh user1.
Sometimes a su has actually worked and I can browse to my mounted home
directory, but I get permission denied when trying to access it.
id works and the permissions on the home directory look ok, but I can't access it anyway.

The only thing I have found that helps is to log out user1 on the client, log in
as root and then ssh as user1.
In that case I get a password prompt and it works with the home directory.
If I then log out root and log in as user1, mail, ssh and su work again for some
time.

I guess the credential renewal works in that case.

Firewalls turned off, tried setenforce=0 and autofs in debug log mode, but found
nothing.

Even with sshd logging on and verbose ssh, nothing shows as wrong.
It is as if everything works but an expired ticket or something similar generates
the error; the tickets are new though and should be valid.

The only error messages I have been able to find are:

IPA server /var/log/messages shows:
rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'

automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

Anyone have an idea what this could be and how to solve it?

I am really thankful for any help.

Regards,
Johan.


This looks very much as if, when you ssh into the remote system, the home
directory NFS mount fails.
Can you try to configure a local directory and see if the problem goes away? If 
this helps then I would see what is going on with the NFS client on the system.

Also I do not know how your SSH is configured. Does it actually delegate the 
ticket?
AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS 
share on behalf of the user.
This is as far as I can go with what I know and what can be done without 
actually looking at the logs on the system.

HTH








_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


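Dmitri's question above (does ssh actually delegate the ticket?) is decided by two OpenSSH client rules, and the following added Python example (my code, not from the post or from OpenSSH) models them: for each keyword the first value obtained while reading ssh_config wins, and a Host block applies only when one of its patterns matches the name given on the command line, with a matching negated pattern vetoing the block. The client defaults for GSSAPIAuthentication and GSSAPIDelegateCredentials are both no, so a client that logs in with a password gets the user's TGT from pam_sss on the target, while one that authenticates with GSSAPI but does not delegate leaves the target with no credential cache for rpc.gssd to find. The two configs in the block are hypothetical; the scoped one forwards the TGT only to *.test.net hosts and not to share.test.net, because a forwarded TGT lets the receiving host act as the user against every service in the realm until it expires, so it should reach only hosts that need it. The sshd side also needs GSSAPIAuthentication yes, which this example does not model.

```python
"""Resolve the GSSAPI settings the OpenSSH client would apply for a destination host."""
import fnmatch
import re

# Constructed configs for this example (not from the thread).
GLOBAL_DELEGATION = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes   # forwards the TGT to every host you ssh to
"""

SCOPED_DELEGATION = """\
# Forward the TGT only to hosts that have to mount the krb5p home directory.
Host *.test.net !share.test.net
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

# OpenSSH client defaults for the two keywords that matter here.
DEFAULTS = {"gssapiauthentication": "no", "gssapidelegatecredentials": "no"}


def host_matches(patterns, host):
    """Host pattern-list semantics: a matching negated pattern vetoes the block,
    otherwise any matching positive pattern selects it."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if fnmatch.fnmatchcase(host.lower(), body.lower()):
            if negate:
                return False
            matched = True
    return matched


def effective_settings(config_text, host):
    """Single pass over ssh_config; the first value obtained per keyword wins."""
    found = {}
    active = True  # keywords before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key not in found:
            found[key] = value.strip().lower()
    return {k: found.get(k, default) for k, default in DEFAULTS.items()}


def delegates_tgt(config_text, host):
    """True when an ssh login to `host` would forward the user's TGT."""
    s = effective_settings(config_text, host)
    return s["gssapiauthentication"] == "yes" and s["gssapidelegatecredentials"] == "yes"


if __name__ == "__main__":
    for name, cfg in (("global", GLOBAL_DELEGATION), ("scoped", SCOPED_DELEGATION)):
        for h in ("mail.test.net", "share.test.net", "laptop.example.org"):
            print(f"{name:6} {h:20} delegates={delegates_tgt(cfg, h)}")
```

Because the first obtained value wins, the specific Host block has to come before the catch-all Host * block; putting it after would make the global no win for every host.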



