A typo from me, it is 192.168.1/24 in exports.
From: Rob Townley [rob.town...@gmail.com]
Sent: Wednesday, February 27, 2013 18:12
To: Johan Petersson
Cc: d...@redhat.com; firstname.lastname@example.org
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
/etc/exports does not look right.
or change to asterisk *
On Wednesday, February 27, 2013, Johan Petersson
> I think you are right, ssh always works to the nfs server and i believe that
> is because the home directory is situated there.
> All ssh/sshd configuration are default from IPA Client install.
> Only things changed are the necessary autofs configuration and that is
> straight from the manual.
> I use strict NFS4 with port 2049 only open. (tried all firewalls and selinux
> disabled, no difference)
> Home directory is exported as:
> /nethomes 192.168.1.0(rw,sync,sec=krb5p)
> IPA autofs map
> default/auto_nethome * -fstype=nfs4 -sec=krb5p,rw,soft,
> -fstype=nfs4 i had to use to get autofs working, through firewall and only
> port 2049 open it got crazy otherwise rambling about nfs2 and3
> -sec=krb5p i had to put in autofs map since otherwise autofs ignored settings
> in exports and tried empty -o when mounting and thus failed because no
> kerberos auth.
> I have updated everything to RHEL 6.4 now but no change.
> Thunderbird complains that my ticket was not accepted.
> NFS server shows this in logs:
> rpc.gssd: ERROR: failed to read service info
> rpc.gssd: WARNING: can't create tcp rpc_clnt to server
> laptop1.test.net<http://laptop1.test.net> for user with uid 0: RPC: Remote
> system error - No route to host
> Network is fine and all firewalls down.
> Do you want any other logs beside debug autofs?
> Thanks for the help.
> on behalf of Dmitri Pal [d...@redhat.com<mailto:d...@redhat.com>]
> Sent: Tuesday, February 26, 2013 20:30
> To: email@example.com<mailto:firstname.lastname@example.org>
> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
> On 02/26/2013 02:03 PM, Johan Petersson wrote:
> I have a IPA server, NFS4 Server sharing home directories with autofs and
> krb5p as only valid authentication.
> Mail Postfix/Dovecot both with startTLS and GSSAPI.
> All servers and clients are Red Hat 6.3 and updated with latest kernel and
> everything else.
> If i start and log in locally as user1 on a IPA Client machine everything
> works perfect including mail and home directory initially.
> I then start experience errors when trying to ssh other servers as ssh
> Nothing happens, no password question, nothing until i have to ctrl-c (tried
> leaving it overnight - still same).
> Mail stops working, thunderbird complain about expired credentials.
> If i use ssh as root to the server and then try either: su user1 or su -
> user1 both get same result as ssh user1.
> Sometimes a su have actually worked and i can browse to my mounted home
> directory but get permission denied when trying to access.
> id works and permissions on home directory shows ok but can't access anyway.
> The only thing i have found helping is to logout user1 on the client, login
> root and then ssh as user1.
> In that case i get password question and it works with home directory.
> If i logout root then, login user1 then mail, ssh and su works again for some
> I guess the credential renewal works in that case.
> Firewalls turned off, tried setenforce=0 and autofs on debug log mode but
> find nothing.
> Even sshd logging on and verbose ssh shows nothing wrong.
> It is like everything works but a expired ticket or something similar
> generate the error, tickets are new though and should be valid.
> Only error messages i have been able to find is:
> IPA server /var/log/messages show:
> rpc.gssd: Error doing stat on file '/tmp/krb5cc_48'
> automount: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Ticket expired)
> Anyone have a idea what this could be and how to solve it?
> I am really thankful for any help.
> This looks very much as if when you ssh into the remote system the home
> directory NFS mount fails.
> Can you try to configure a local directory and see if the problem goes away?
> If this helps then I would see what is going on with the NFS client on the
> Also I do not know how your SSH is configured. Does it actually delegate the
> AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS
> share on behalf of the user.
> This is as far as I can go with what I know and what can be done without
> actually looking at the logs on the system.
> Freeipa-users mailing list
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> Looking to carve out IT co
Freeipa-users mailing list