These lines come up on every server I try connecting to when using -vvv for 
rpcgssapi on the server:

Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt
Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server
Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall

The user with uid 1644800003 is the one I try to connect with and is logged in 
locally on the connecting client.

Also on the IPA server I get this line on every connection attempt to any 

rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48' 


From: Rob Crittenden
Sent: Wednesday, February 27, 2013 21:10
To: Johan Petersson
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

Johan Petersson wrote:
> A typo from me, it is 192.168.1/24 in exports.

Do you have forwardable tickets?

$ klist -f

It should have F in the flags.

If so, try adding -o 'GSSAPIDelegateCredentials yes' into your
ssh/slogin line to see if that helps. This should forward your credentials.


> Regards
> Johan
> ______________________________________
> From: Rob Townley
> Sent: Wednesday, February 27, 2013 18:12
> To: Johan Petersson
> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
> /etc/exports does not look right.
> Try<>
> or change to asterisk *
> On Wednesday, February 27, 2013, Johan Petersson wrote:
>> I think you are right, ssh always works to the nfs server and I believe that 
>> is because the home directory is situated there.
>> All ssh/sshd configuration is default from the IPA Client install.
>> The only things changed are the necessary autofs configuration and that is 
>> straight from the manual.
>> I use strict NFS4 with port 2049 only open. (tried all firewalls and selinux 
>> disabled, no difference)
>> Home directory is exported as:
>> /nethomes,sync,sec=krb5p)
>> IPA autofs map
>> default/auto_nethome    *    -fstype=nfs4 -sec=krb5p,rw,soft, 
>> -fstype=nfs4 I had to use to get autofs working, through firewall and only 
>> port 2049 open it got crazy otherwise rambling about nfs2 and 3
>> -sec=krb5p I had to put in autofs map since otherwise autofs ignored 
>> settings in exports and tried empty -o when mounting and thus failed because 
>> no kerberos auth.
>> I have updated everything to RHEL 6.4 now but no change.
>> Thunderbird complains that my ticket was not accepted.
>> NFS server shows this in logs:
>> rpc.gssd[2060]: ERROR: failed to read service info
>> rpc.gssd[2060]: WARNING: can't create tcp rpc_clnt to server 
>><>  for user with uid 0: RPC: Remote 
>> system error - No route to host
>> Network is fine and all firewalls down.
>> Do you want any other logs beside debug autofs?
>> Thanks for the help.
>> Regards,
>> Johan.
>> ________________________________
>> From: 
>> [<>] 
>> on behalf of Dmitri Pal [<>]
>> Sent: Tuesday, February 26, 2013 20:30
>> To:<>
>> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
>> On 02/26/2013 02:03 PM, Johan Petersson wrote:
>> Hi,
>> I have an IPA server, NFS4 Server sharing home directories with autofs and 
>> krb5p as only valid authentication.
>> Mail Postfix/Dovecot both with startTLS and GSSAPI.
>> All servers and clients are Red Hat 6.3 and updated with latest kernel and 
>> everything else.
>> If I start and log in locally as user1 on an IPA Client machine everything 
>> works perfectly including mail and home directory initially.
>> I then start experiencing errors when trying to ssh other servers as ssh 
>> Nothing happens, no password question, nothing until I have to ctrl-c (tried 
>> leaving it overnight - still same).
>> Mail stops working, Thunderbird complains about expired credentials.
>> If I use ssh as root to the server and then try either: su user1 or su - 
>> user1 both get same result as ssh user1.
>> Sometimes a su has actually worked and I can browse to my mounted home 
>> directory but get permission denied when trying to access.
>> id works and permissions on home directory show ok but can't access anyway.
>> The only thing I have found helping is to logout user1 on the client, login 
>> root and then ssh as user1.
>> In that case I get password question and it works with home directory.
>> If I logout root then, login user1 then mail, ssh and su work again for 
>> some time.
>> I guess the credential renewal works in that case.
>> Firewalls turned off, tried setenforce=0 and autofs on debug log mode but 
>> find nothing.
>> Even sshd logging on and verbose ssh shows nothing wrong.
>> It is like everything works but an expired ticket or something similar 
>> generates the error, tickets are new though and should be valid.
>> Only error messages i have been able to find is:
>> IPA server /var/log/messages show:
>> rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'
>> automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure. 
>> Minor code may provide more information (Ticket expired)
>> Anyone have an idea what this could be and how to solve it?
>> I am really thankful for any help.
>> Regards,
>> Johan.
>> This looks very much as if when you ssh into the remote system the home 
>> directory NFS mount fails.
>> Can you try to configure a local directory and see if the problem goes away? 
>> If this helps then I would see what is going on with the NFS client on the 
>> system.
>> Also I do not know how your SSH is configured. Does it actually delegate the 
>> ticket?
>> AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS 
>> share on behalf of the user.
>> This is as far as I can go with what I know and what can be done without 
>> actually looking at the logs on the system.
>> HTH
>> _______________________________________________
>> Freeipa-users mailing list
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
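
Added example (not part of the original thread, and not FreeIPA or nfs-utils code): a small Python triage of the rpc.gssd messages quoted above, grouping failures by the uid embedded in the credential-cache file name so that a cache such as /tmp/krb5cc_48 can be told apart from the logged-in user's cache. The function names and finding labels are this example's own; the sample lines are the thread's log lines, unwrapped.

```python
import re
from collections import defaultdict

# Sample input: the rpc.gssd lines quoted in this thread, one message per
# line (the server name after "for server" is blank in the thread).
SAMPLE_LOG = """\
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt
Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server
Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall
rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'
"""

GSSD = re.compile(r"rpc\.gssd\[\d+\]:\s*(.*)$")
# (pattern, label) pairs; the labels are this example's own wording.
CCACHE_RULES = [
    (re.compile(r"CC file '([^']+)' is expired or corrupt"), "ccache expired or corrupt"),
    (re.compile(r"Error doing stat on file '([^']+)'"), "ccache stat failed"),
]
CTX_FAIL = re.compile(r"Failed to create krb5 context for user with uid (\d+)")
CC_UID = re.compile(r"krb5cc_(\d+)(?:_|$)")


def uid_from_ccache(path):
    """Return the uid in a krb5cc_<uid>[_suffix] file name, or None."""
    m = CC_UID.search(path.rsplit("/", 1)[-1])
    return int(m.group(1)) if m else None


def triage(log_text):
    """Return {uid: sorted findings} for the rpc.gssd failures in log_text."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = GSSD.search(line)
        if not m:
            continue  # not an rpc.gssd message
        msg = m.group(1)
        for pattern, label in CCACHE_RULES:
            hit = pattern.search(msg)
            if hit:
                path = hit.group(1)
                findings[uid_from_ccache(path)].add(f"{label}: {path}")
        ctx = CTX_FAIL.search(msg)
        if ctx:
            findings[int(ctx.group(1))].add("krb5 context creation failed")
    return {uid: sorted(items) for uid, items in findings.items()}


if __name__ == "__main__":
    for uid, items in triage(SAMPLE_LOG).items():
        print(uid, items)
```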