A typo from me, it is 192.168.1/24 in exports.


From: Rob Townley [rob.town...@gmail.com]
Sent: Wednesday, February 27, 2013 18:12
To: Johan Petersson
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

/etc/exports does not look right.
or change to asterisk *

On Wednesday, February 27, 2013, Johan Petersson 
<johan.peters...@sscspace.com> wrote:
> I think you are right, ssh always works to the NFS server and I believe that 
> is because the home directory is situated there.
> All ssh/sshd configuration is default from the IPA Client install.
> The only things changed are the necessary autofs configuration and that is 
> straight from the manual.
> I use strict NFS4 with port 2049 only open. (tried all firewalls and SELinux 
> disabled, no difference)
> Home directory is exported as:
> /nethomes,sync,sec=krb5p)
> IPA autofs map
> default/auto_nethome    *    -fstype=nfs4 -sec=krb5p,rw,soft, 
> share.test.net:/nethomes/&
> -fstype=nfs4 I had to use to get autofs working, through firewall and only 
> port 2049 open it got crazy otherwise rambling about nfs2 and 3
> -sec=krb5p I had to put in autofs map since otherwise autofs ignored settings 
> in exports and tried empty -o when mounting and thus failed because no 
> kerberos auth.
> I have updated everything to RHEL 6.4 now but no change.
> Thunderbird complains that my ticket was not accepted.
> NFS server shows this in logs:
> rpc.gssd[2060]: ERROR: failed to read service info
> rpc.gssd[2060]: WARNING: can't create tcp rpc_clnt to server 
> laptop1.test.net for user with uid 0: RPC: Remote 
> system error - No route to host
> Network is fine and all firewalls down.
> Do you want any other logs beside debug autofs?
> Thanks for the help.
> Regards,
> Johan.
> ________________________________
> From: freeipa-users-boun...@redhat.com 
> on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Tuesday, February 26, 2013 20:30
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
> On 02/26/2013 02:03 PM, Johan Petersson wrote:
> Hi,
> I have an IPA server, NFS4 Server sharing home directories with autofs and 
> krb5p as only valid authentication.
> Mail Postfix/Dovecot both with startTLS and GSSAPI.
> All servers and clients are Red Hat 6.3 and updated with latest kernel and 
> everything else.
> If I start and log in locally as user1 on an IPA Client machine everything 
> works perfectly including mail and home directory initially.
> I then start experiencing errors when trying to ssh to other servers as ssh 
> us...@mail.example.com.
> Nothing happens, no password question, nothing until I have to ctrl-c (tried 
> leaving it overnight - still same).
> Mail stops working, Thunderbird complains about expired credentials.
> If I use ssh as root to the server and then try either: su user1 or su - 
> user1 both get the same result as ssh user1.
> Sometimes a su has actually worked and I can browse to my mounted home 
> directory but get permission denied when trying to access.
> id works and permissions on home directory shows ok but can't access anyway.
> The only thing I have found helping is to logout user1 on the client, login 
> root and then ssh as user1.
> In that case I get the password question and it works with home directory.
> If I logout root then, login user1 then mail, ssh and su work again for some 
> time.
> I guess the credential renewal works in that case.
> Firewalls turned off, tried setenforce=0 and autofs on debug log mode but 
> find nothing.
> Even sshd logging on and verbose ssh shows nothing wrong.
> It is like everything works but an expired ticket or something similar 
> generates the error, tickets are new though and should be valid.
> The only error messages I have been able to find are:
> IPA server /var/log/messages shows:
> rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'
> automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure. 
> Minor code may provide more information (Ticket expired)
> Anyone have an idea what this could be and how to solve it?
> I am really thankful for any help.
> Regards,
> Johan.
> This looks very much as if when you ssh into the remote system the home 
> directory NFS mount fails.
> Can you try to configure a local directory and see if the problem goes away? 
> If this helps then I would see what is going on with the NFS client on the 
> system.
> Also I do not know how your SSH is configured. Does it actually delegate the 
> ticket?
> AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS 
> share on behalf of the user.
> This is as far as I can go with what I know and what can be done without 
> actually looking at the logs on the system.
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> -------------------------------
> Looking to carve out IT co
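
The thread turns on whether the `/etc/exports` entry is well formed and really enforces `sec=krb5p`. The following is an added example, not code from any poster in this thread: a small linter for a simplified subset of the exports(5) syntax (one path followed by `client(options)` entries; the `-default,options` form is not handled). The function name and the constructed sample lines in the comments are assumptions.

```python
import re

# Security flavors this check recognises for the sec= export option.
KNOWN_SEC = {"sys", "krb5", "krb5i", "krb5p"}
# client(opt,opt,...) or a bare client with no option list.
ENTRY = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")

def lint_export_line(line, required_sec="krb5p"):
    """Return a list of problems found in one /etc/exports line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    fields = line.split()
    path, clients = fields[0], fields[1:]
    problems = []
    # Options or parentheses glued to the path mean the client field is missing.
    if not path.startswith("/") or any(c in path for c in "(),"):
        problems.append(f"suspicious export path field: {path!r}")
    if not clients:
        problems.append("no client specification after the path")
    for tok in clients:
        m = ENTRY.match(tok)
        if not m:
            problems.append(f"cannot parse client entry: {tok!r}")
            continue
        client = m.group("client") or "(any host)"
        opts = [o for o in (m.group("opts") or "").split(",") if o]
        # sec= takes a colon-separated list of flavors, e.g. sec=krb5p:krb5i
        flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
        for f in flavors:
            if f not in KNOWN_SEC:
                problems.append(f"{client}: unknown sec flavor {f!r}")
        if not flavors:
            problems.append(f"{client}: no sec= option, defaults to sec=sys")
        elif any(f != required_sec for f in flavors):
            problems.append(f"{client}: allows flavors other than {required_sec}")
    return problems

if __name__ == "__main__":
    samples = [
        "/nethomes,sync,sec=krb5p)",                  # line as it appears in the thread
        "/nethomes 192.0.2.0/24(rw,sync,sec=krb5p)",  # constructed, well formed
        "/nethomes *(rw,sync)",                       # constructed, no Kerberos required
    ]
    for s in samples:
        print(s, "->", lint_export_line(s) or "ok")
```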
