On 08/12/16 08:57, Bjarne Blichfeldt wrote:
Does anybody have any suggestions as to how to continue debugging this? The NFS server 
resolves usernames by lookup in the FreeIPA LDAP.

After a lot of digging, I see that 4.4 introduced "krbcanonicalname"; no idea if 
that is relevant. Is there some LDAP update procedure I am missing? Just in case, I ran an 
ipa-server-upgrade, which did not resolve the issue.

Regards
Bjarne Blichfeldt.

From: Bjarne Blichfeldt
Sent: 6. december 2016 14:29
To: freeipa-users@redhat.com
Subject: nfsv4+kerberos: group ID not mapped on newly created users, however 
user id is correct

VERSION: 4.4.0, API_VERSION: 2.213  on rhel7.

The ipa server was recently upgraded to version 4.4 from version 4.2, and it seems 
that we are having problems with users created after the upgrade. Of course, it 
could be something I forgot.

Our environment consists of an HDS NFS server, a couple of ipa servers (rhel7) 
and a lot of clients (rhel6). The NFS server is not part of the IdM domain, 
i.e. not joined, but of course has a keytab created on the ipa server. The NFS 
server provides common shares, mounted as krb5p on the clients.

All this works fine and the mapping is correct for all existing users. That 
is, if I log into a client, get a Kerberos ticket for myself and create a file on 
one of the shares, uid and gid are set to my uid and gid.

But if I create a new user on the ipa server and do the same, the gid on the newly 
created file is "nobody(99)", whereas the uid is correct.
I have tested with two different users, same result.

klist shows the default principal to be correct.
For user mqm (uid=1414, gid=1414), rpc.gssd shows that after finding the user 
credentials, for some reason there is a switch to machine credentials:

Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 
uid=1414 enctypes=18,17,16,23,3,1,2 '
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is 
'<null>'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: getting credentials for client with 
uid 1414 for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file 
'/tmp/krb5cc_1622800027_u0vmh1' being considered, with preferred realm 
'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file 
'/tmp/krb5cc_1622800027_u0vmh1' owned by 1622800027, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x' 
being considered, with preferred realm 'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file 
'/tmp/krb5cc_1414_bVlw8x'(m...@domaine.com) passed all 
checks and has mtime of 1481022999
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file 
'/tmp/krb5cc_machine_DOMAINE.COM' being considered, with preferred realm 
'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file 
'/tmp/krb5cc_machine_DOMAINE.COM' owned by 0, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' being 
considered, with preferred realm 'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' owned by 0, 
not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_bVlw8x as 
credentials cache for client with uid 1414 for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_1414_bVlw8x
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 1414 
(save_uid 0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server 
jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server 
n...@jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid 
version!
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 
1
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: 
serializing key with enctype 18 and size 32
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86363
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 
service=* enctypes=18,17,16,23,3,1,2 '
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '*'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 
'jnsa-dnt2.domaine.com' is 'jnsa-dnt2.domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 
'nfsclient.domaine.com' is 'nfsclient.domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for 
nfsclient$@DOMAINE.COM while getting keytab 
entry for 'nfsclient$@DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for 
nfsclient$@DOMAINE.COM while getting keytab 
entry for 'nfsclient$@DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for 
root/nfsclient.domaine....@domaine.com
 while getting keytab entry for 'root/nfsclient.domaine....@domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for 
nfs/nfsclient.domaine....@domaine.com
 while getting keytab entry for 'nfs/nfsclient.domaine....@domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Success getting keytab entry for 
'host/nfsclient.domaine....@domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using 
FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_machine_DOMAINE.COM
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 0 
(save_uid 0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server 
jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server 
n...@jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid 
version!
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 
1
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: 
serializing key with enctype 18 and size 32
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86303

Regards
Bjarne Blichfeldt.
Hello,
I'm almost sure that 'krbcanonicalname' has nothing to do with this. Adding the krbcanonicalname attribute was done to allow principal aliases (multiple Kerberos principals for one user/host/service), see [1] for details.

Unfortunately, I don't know what's wrong. SSSD is taking care of resolving users and groups on enrolled systems. "id mgm" should output something like "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly.

[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases

--
David Kupka
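The rpc.gssd output quoted above is easier to reason about when it is split into one record per upcall. The script below is an added example, not code from the thread or from nfs-utils: it parses that output, records which credential cache each upcall resolved to, and flags any upcall made for a real uid that ended up with machine credentials, a wrong fsuid, or no downcall. On the thread's own lines it reports nothing: the uid 1414 upcall used /tmp/krb5cc_1414_bVlw8x and created its context under fsuid 1414, and the later uid 0 / service=* upcall is a separate request that rpc.gssd serves from the machine credential cache (the log's own "for machine creds" line), not the user's context being replaced. That is consistent with the Kerberos side of the client being healthy, which is why a correct uid next to a gid of nobody(99) points at group name resolution rather than at authentication, the thing the `id` suggestion in the reply checks. The sample lines are the thread's, rejoined onto single lines, with principals left abbreviated as they appear above; the BAD_LOG block is constructed purely so the check has something to flag.

```python
import re
from typing import List, Optional

# Constructed sample: the rpc.gssd lines quoted in the thread, rejoined onto
# single lines (the mail client had wrapped them). Principals stay abbreviated
# exactly as they appear in the thread.
SAMPLE_LOG = """\
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '<null>'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' owned by 1622800027, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' owned by 0, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_bVlw8x as credentials cache for client with uid 1414 for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 1414 (save_uid 0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86363
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '*'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfs/nfsclient.domaine....@domaine.com while getting keytab entry for 'nfs/nfsclient.domaine....@domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Success getting keytab entry for 'host/nfsclient.domaine....@domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 0 (save_uid 0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86303
"""

# Constructed counter-example (NOT from the thread): a uid 1414 upcall that
# really did fall through to the machine cache, so the check has something to flag.
BAD_LOG = """\
Dec  6 12:20:00 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:20:00 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
Dec  6 12:20:00 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
Dec  6 12:20:00 nfsclient rpc.gssd[1607]: creating context using fsuid 0 (save_uid 0)
"""

RE_PARAMS = re.compile(r"handle_gssd_upcall: '(?P<params>[^']*)'")
RE_REJECT = re.compile(r"CC file '(?P<cc>[^']+)' owned by (?P<owner>\d+), not (?P<uid>\d+)")
RE_CCACHE = re.compile(r"using (?P<cc>FILE:\S+) as credentials cache for (?P<purpose>.+)$")
RE_KEYTAB = re.compile(r"Success getting keytab entry for '(?P<princ>[^']+)'")
RE_FSUID = re.compile(r"creating context using fsuid (?P<fsuid>\d+)")
RE_DOWNCALL = re.compile(r"doing downcall lifetime_rec (?P<lifetime>\d+)")


def parse_upcalls(log_text: str) -> List[dict]:
    """Split rpc.gssd output into one record per 'handling gssd upcall' block."""
    upcalls: List[dict] = []
    cur: Optional[dict] = None
    for line in log_text.splitlines():
        if "]: " not in line:
            continue
        msg = line.split("]: ", 1)[1]  # drop the syslog prefix
        if msg.startswith("handling gssd upcall"):
            cur = {"uid": None, "service": None, "rejected": [], "ccache": None,
                   "cred_kind": None, "keytab_principal": None, "fsuid": None,
                   "lifetime": None}
            upcalls.append(cur)
            continue
        if cur is None:
            continue
        if (m := RE_PARAMS.search(msg)):
            # e.g. "mech=krb5 uid=1414 enctypes=..." ; service=* marks a machine request
            kv = dict(p.split("=", 1) for p in m.group("params").split() if "=" in p)
            cur["uid"] = int(kv["uid"])
            cur["service"] = kv.get("service")
        elif (m := RE_REJECT.search(msg)):
            cur["rejected"].append(m.group("cc"))  # ccache skipped: wrong owner
        elif (m := RE_CCACHE.search(msg)):
            cur["ccache"] = m.group("cc")
            cur["cred_kind"] = "machine" if m.group("purpose").startswith("machine") else "user"
        elif (m := RE_KEYTAB.search(msg)):
            cur["keytab_principal"] = m.group("princ")
        elif (m := RE_FSUID.search(msg)):
            cur["fsuid"] = int(m.group("fsuid"))
        elif (m := RE_DOWNCALL.search(msg)):
            cur["lifetime"] = int(m.group("lifetime"))  # downcall == context established
    return upcalls


def check_user_upcalls(upcalls: List[dict]) -> List[str]:
    """Return problems for upcalls made on behalf of a real user (uid != 0).
    A uid 0 / service=* upcall is rpc.gssd's machine-credential request and is
    expected to resolve to the machine ccache, so it is skipped."""
    problems = []
    for i, u in enumerate(upcalls):
        if u["uid"] in (None, 0) or u["service"] == "*":
            continue
        if u["cred_kind"] != "user":
            problems.append(f"upcall {i}: uid {u['uid']} used {u['cred_kind']} credentials ({u['ccache']})")
        if u["fsuid"] != u["uid"]:
            problems.append(f"upcall {i}: context created under fsuid {u['fsuid']}, not {u['uid']}")
        if u["lifetime"] is None:
            problems.append(f"upcall {i}: no downcall seen, context was not established")
    return problems


if __name__ == "__main__":
    for name, text in (("thread log", SAMPLE_LOG), ("constructed bad log", BAD_LOG)):
        found = check_user_upcalls(parse_upcalls(text))
        print(f"{name}: {found or 'no problems in user upcalls'}")
```

Feed it a real `rpc.gssd -vvv` capture (one upcall per "handling gssd upcall" block) and an empty result for the user's uid means the GSS context was built from that user's own ticket; at that point the place to look for a gid of nobody is name-to-id mapping on the server and the idmapd domain on both sides, not the client's Kerberos setup.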
