These lines come up on every server i try connecting to when using -vvv for 
rpcgssapi on the server:

Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' 
being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is 
expired or corrupt
Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for 
user with uid 1644800003 for server share.test.net
Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall

the user with uid 1644800003 is the one i try connect with and are logged in 
locally on connecting client.

Also on the IPA server i get this line on every connection attempt to any 
server:

rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48' 

Regards,
Johan


________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 27, 2013 21:10
To: Johan Petersson
Cc: rob.town...@gmail.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

Johan Petersson wrote:
>
> A typo from me, it is 192.168.1/24 in exports.

Do you have forwardable tickets?

$ klist -f

It should have F in the flags.

If so, try adding -o 'GSSAPIDelegateCredentials yes' into your
ssh/slogin line to see if that helps. This should forward your credentials.

rob

>
> Regards
> Johan
>
> ______________________________________
> From: Rob Townley [rob.town...@gmail.com]
> Sent: Wednesday, February 27, 2013 18:12
> To: Johan Petersson
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
>
> /etc/exports does not look right.
> Try 192.168.1.0/24<http://192.168.1.0/24>
> or change to asterisk *
>
> On Wednesday, February 27, 2013, Johan Petersson 
> <johan.peters...@sscspace.com<mailto:johan.peters...@sscspace.com>> wrote:
>> I think you are right, ssh always works to the nfs server and i believe that 
>> is because the home directory is situated there.
>>
>> All ssh/sshd configuration are default from IPA Client install.
>> Only things changed are the necessary autofs configuration and that is 
>> straight from the manual.
>>
>> I use strict NFS4 with port 2049 only open. (tried all firewalls and selinux 
>> disabled, no difference)
>> Home directory is exported as:
>> /nethomes    192.168.1.0(rw,sync,sec=krb5p)
>>
>> IPA autofs map
>> default/auto_nethome    *    -fstype=nfs4 -sec=krb5p,rw,soft, 
>> share.test.net:/nethomes/&
>>
>> -fstype=nfs4 i had to use to get autofs working, through firewall and only 
>> port 2049 open it got crazy otherwise rambling about nfs2 and3
>> -sec=krb5p i had to put in autofs map since otherwise autofs ignored 
>> settings in exports and tried empty -o when mounting and thus failed because 
>> no kerberos auth.
>>
>> I have updated everything to RHEL 6.4 now but no change.
>>
>> Thunderbird complains that my ticket was not accepted.
>>
>> NFS server shows this in logs:
>> rpc.gssd[2060]: ERROR: failed to read service info
>> rpc.gssd[2060]: WARNING: can't create tcp rpc_clnt to server 
>> laptop1.test.net<http://laptop1.test.net>  for user with uid 0: RPC: Remote 
>> system error - No route to host
>>
>> Network is fine and all firewalls down.
>> Do you want any other logs beside debug autofs?
>>
>> Thanks for the help.
>>
>> Regards,
>> Johan.
>>
>>
>>
>> ________________________________
>> From: 
>> freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
>> [freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>] 
>> on behalf of Dmitri Pal [d...@redhat.com<mailto:d...@redhat.com>]
>> Sent: Tuesday, February 26, 2013 20:30
>> To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
>> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
>>
>> On 02/26/2013 02:03 PM, Johan Petersson wrote:
>>
>> Hi,
>> I have a IPA server, NFS4 Server sharing home directories with autofs and 
>> krb5p as only valid authentication.
>> Mail Postfix/Dovecot both with startTLS and GSSAPI.
>> All servers and clients are Red Hat 6.3 and updated with latest kernel and 
>> everything else.
>> If i start and log in locally as user1 on a IPA Client machine everything 
>> works perfect including mail and home directory initially.
>> I then start experience errors when trying to ssh other servers as ssh 
>> us...@mail.example.com<mailto:us...@mail.example.com>.
>> Nothing happens, no password question, nothing until i have to ctrl-c (tried 
>> leaving it overnight - still same).
>> Mail stops working, thunderbird complain about expired credentials.
>> If i use ssh as root to the server and then try either: su user1 or su - 
>> user1 both get same result as ssh user1.
>> Sometimes a su have actually worked and i can browse to my mounted home 
>> directory but get permission denied when trying to access.
>> id works and permissions on home directory shows ok but can't access anyway.
>> The only thing i have found helping is to logout user1 on the client, login 
>> root and then ssh as user1.
>> In that case i get password question and it works with home directory.
>> If i logout root then, login user1 then mail, ssh and su works again for 
>> some time.
>> I guess the credential renewal works in that case.
>> Firewalls turned off, tried setenforce=0 and autofs on debug log mode but 
>> find nothing.
>> Even sshd logging on and verbose ssh shows nothing wrong.
>> It is like everything works but a expired ticket or something similar 
>> generate the error, tickets are new though and should be valid.
>> Only error messages i have been able to find is:
>> IPA server /var/log/messages show:
>> rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'
>> automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure. 
>> Minor code may provide more information (Ticket expired)
>> Anyone have a idea what this could be and how to solve it?
>> I am really thankful for any help.
>> Regards,
>> Johan.
>>
>> This looks very much as if when you ssh into the remote system the home 
>> directory NFS mount fails.
>> Can you try to configure a local directory and see if the problem goes away? 
>> If this helps then I would see what is going on with the NFS client on the 
>> system.
>>
>> Also I do not know how your SSH is configured. Does it actually delegate the 
>> ticket?
>> AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS 
>> share on behalf of the user.
>> This is as far as I can go with what I know and what can be done without 
>> actually looking at the logs on the system.
>>
>> HTH
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT co
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to