So I have two test machines that I set up because of this same problem on my secure offline network. One of the test machines is a server that has FreeIPA and NFS running on it, the other test machine is a client that mounts two NFS shares from the server using krb5i sec.

Upon initial install, everything works as it is supposed to. The domain users can log in just fine, the mount mounts perfectly.


If I remove the client from the domain using:

    ipa-client-automount --uninstall

    ipa-client-install --uninstall


And then on the server:

    ipa-client-automount --uninstall

    ipa-server-install --uninstall

then delete the ca.crt, run sss -E (to clear the sssd caches), rm /tmp/krb5*


and then reinstall the server:

    ipa-server-install

    service sshd restart

    kinit admin

    ipa service-add nfs/server.dar.lan

    ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k /etc/krb5.keytab

    ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k /etc/krb5.keytab

    ipa-client-automount


and reinstall on the client:

    ipa-client-install

    ipa-client-automount


I believe I now have the same setup as I had before.

I can kinit and get a ticket:

    Ticket cache: FILE:/tmp/krb5cc_615200000_TinxaO
    Default principal: ad...@dar.lan

    Valid starting     Expires            Service principal
    02/03/17 12:54:02  02/04/17 12:53:59 krbtgt/dar....@dar.lan

My domain users can log in to their desktops.

But I can't mount the shares.

I get:

    mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
    mount.nfs4: trying text-based options 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting server:/NFS_SHARE/USERS
    mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
    mount.nfs4: trying text-based options 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting server:/NFS_SHARE/admin


Originally I chased permissions, but when I started looking at /var/log/messages on the server, I noticed that rpcgssd was complaining about a wrong principal.

On the server I executed kadmin.local and then listprincs:

    K/m...@dar.lan
    krbtgt/dar....@dar.lan
    kadmin/server.dar....@dar.lan
    kadmin/ad...@dar.lan
    kadmin/chang...@dar.lan
    ldap/server.dar....@dar.lan
    host/server.dar....@dar.lan
    HTTP/server.dar....@dar.lan
    nfs/server.dar....@dar.lan
    s_shar...@dar.lan
    host/as1.dar....@dar.lan

and then a getprinc on nfs/server.dar....@dar.lan:

    Principal: nfs/server.dar....@dar.lan
    Expiration date: [never]
    Last password change: Thu Feb 02 15:31:24 EST 2017
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Thu Feb 02 15:31:24 EST 2017 (nfs/server.dar....@dar.lan)
    Last successful authentication: Thu Feb 02 16:52:16 EST 2017
    Last failed authentication: Fri Feb 03 12:09:14 EST 2017
    Failed password attempts: 1
    Number of keys: 4
    Key: vno 3, aes256-cts-hmac-sha1-96, no salt
    Key: vno 3, aes128-cts-hmac-sha1-96, no salt
    Key: vno 3, des3-cbc-sha1, no salt
    Key: vno 3, arcfour-hmac, no salt
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

Looking at my keytab, klist -ke /etc/krb5.keytab:

       1    2 host/server.dar....@dar.lan
       2    1 nfs/server.dar....@dar.lan
       3    3 host/server.dar....@dar.lan
       4    3 host/server.dar....@dar.lan
       5    3 host/server.dar....@dar.lan
       6    3 host/server.dar....@dar.lan
       7    2 nfs/server.dar....@dar.lan
       8    2 nfs/server.dar....@dar.lan
       9    2 nfs/server.dar....@dar.lan
      10    2 nfs/server.dar....@dar.lan

I saw I had two extra older kt's, so I used kadmin.local to remove them with modprinc. Not sure where they came from...

I again tried to mount, this time using -vvv in /etc/sysconfig/nfs for rpcgssd, rpcsvcgssd, and rpcbind, and /var/log/messages output this on the server (I'll only paste the data from one mount attempt, as there are two mounts and they're complaining identically):

    Feb  3 12:25:32 server rpc.svcgssd[4796]: leaving poll
    Feb  3 12:25:32 server rpc.svcgssd[4796]: handling null request
    Feb  3 12:25:32 server rpc.svcgssd[4796]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
    Feb  3 12:25:32 server rpc.svcgssd[4796]: WARNING: gss_accept_sec_context failed
    Feb  3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request
    Feb  3 12:25:32 server rpc.svcgssd[4796]: sending null reply
    Feb  3 12:25:32 server rpc.svcgssd[4796]: writing message: \x ... 1486142792 851968 2529639056 \x \x

    (repeated 3x ...)

    Feb  3 12:25:32 server rpc.svcgssd[4796]: finished handling null request
    Feb  3 12:25:32 server audispd: node=server type=SYSCALL msg=audit(1486142732.066:592): arch=c000003e syscall=87 success=yes exit=0 a0=2110480 a1=c2 a2=1a a3=f items=2 ppid=1 pid=4525 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-terminal" exe="/usr/bin/gnome-terminal" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"
    Feb  3 12:25:32 server audispd: node=server type=CWD msg=audit(1486142732.066:592): cwd="/home/adminnt"
    Feb  3 12:25:32 server rpc.svcgssd[4796]: entering poll
    Feb  3 12:25:34 as1 audispd: node=as1 type=SYSCALL msg=audit(1486142734.451:79839): arch=c000003e syscall=165 success=no exit=-13 a0=7ffcb5014564 a1=7f00d8823ea0 a2=7f00d72133f6 a3=0 items=17 ppid=7132 pid=7133 auid=615200000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mount.nfs4" exe="/sbin/mount.nfs" subj=unconfined_u:unconfined_r:unconfined_mount_t:s0-s0:c0.c1023 key="export"
    Feb  3 12:25:34 as1 audispd: node=as1 type=CWD msg=audit(1486142734.451:79839): cwd="/usr"
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=0 name="/NFS_SHARE" inode=654083 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 nametype=NORMAL
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=1 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=2 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=3 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=4 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=5 name=(null) inode=281 dev=00:12 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=6 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=7 name=(null) inode=282 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=8 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=9 name=(null) inode=283 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=10 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=11 name=(null) inode=284 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=12 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=13 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=14 name=(null) inode=285 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=15 name=(null) inode=285 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
    Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=16 name=(null) inode=286 dev=00:12 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE


I apologize for the wall o' words, but you know how log files can be.

So my setup's naming conventions are exactly as they were during the initial install, which worked. The config files shouldn't have changed. It seems as if the principal name, KVNO, and the keytab match up. Did something not get cleaned properly?

Currently I can mount just fine without krb5i security, but my Govt STIG requires it for NFS mounts and I'm stuck.


Thanks for any help!


Matt



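An added example, not code from the original post and not part of FreeIPA or nfs-utils: a small POSIX shell checker for the two things that usually sit behind rpc.svcgssd's "Wrong principal in request" on an NFS server. It parses the text of `klist -ke /etc/krb5.keytab` (or ktutil's `list`, which prints a slot column first, as in the keytab listing above) and of `kadmin.local -q "getprinc nfs/..."`, builds the principal a client will request for a given canonical hostname (nfs/<lower-cased FQDN>@REALM), and reports whether the keytab holds that principal at the KDC's current KVNO. Two observations motivate it. First, in the outputs quoted above the KDC lists the nfs key at "vno 3" while the keytab entries for nfs/ are at vno 1 and 2; that is the situation the checker reports as STALE, because a keytab with only older KVNOs cannot decrypt the service tickets the KDC now issues. Second, ipa-getkeytab generates fresh keys and raises the KVNO every time it is run in its default mode (the retrieve mode, -r, exists only in newer versions), so any keytab fetched before the last run stops matching. The hostnames, realm and sample outputs in the block are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether a server keytab
# can serve nfs/<host>@<REALM> at the KVNO the KDC currently holds.
# Inputs are the text of `klist -ke <keytab>` (or ktutil `list`) and of
# `kadmin.local -q "getprinc <principal>"`. Hostnames, realm and the sample
# outputs below are constructed for this example.

# Print every KVNO that the keytab text on stdin holds for principal $1, one
# per line, deduplicated. Handles both the "KVNO Principal" layout of klist
# and the "slot KVNO Principal" layout of ktutil: the KVNO is the numeric
# field immediately before the principal.
keytab_kvnos() {
    awk -v p="$1" '{
        for (i = 2; i <= NF; i++)
            if ($i == p && $(i-1) ~ /^[0-9]+$/) print $(i-1)
    }' | sort -un
}

# Print the KVNO of the KDC's current key from getprinc text on stdin.
# "MKey: vno N" (the master key line) is deliberately not matched.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(/,/, "", $3); print $3; exit }'
}

# Build the principal an NFS client requests for host $1 in realm $2.
# Kerberos lower-cases the hostname component; the realm stays as given.
expected_nfs_principal() {
    printf 'nfs/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# check_nfs_keytab <canonical host> <realm> <keytab text> <getprinc text>
# Exit 0 when the keytab holds the KDC's current KVNO for nfs/<host>@<REALM>,
# 1 when the principal is absent from the keytab, 2 when only stale KVNOs
# are present, 3 when no key could be read from the getprinc text.
check_nfs_keytab() {
    princ=$(expected_nfs_principal "$1" "$2")
    kt=$(printf '%s\n' "$3" | keytab_kvnos "$princ" | tr '\n' ' ')
    cur=$(printf '%s\n' "$4" | kdc_kvno)
    if [ -z "$cur" ]; then
        echo "ERROR: no 'Key: vno' line in getprinc output"
        return 3
    fi
    if [ -z "$kt" ]; then
        echo "MISSING: no keytab entry for $princ (client will be refused)"
        return 1
    fi
    for v in $kt; do
        if [ "$v" = "$cur" ]; then
            echo "OK: $princ kvno $cur present in keytab"
            return 0
        fi
    done
    echo "STALE: keytab has $princ kvno(s) $kt but KDC key is vno $cur"
    return 2
}

# Constructed sample: the KDC holds the nfs key at vno 3.
KDC_TEXT='Principal: nfs/nfs1.example.test@EXAMPLE.TEST
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH'

# Constructed sample: a keytab whose nfs entries predate the KDC key
# (host key current at vno 3, nfs only at vno 1 and 2).
KT_STALE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 nfs/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 nfs/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# Constructed sample: the same keytab after a fresh nfs key at vno 3 was
# added, shown in ktutil's slot/KVNO/principal layout.
KT_GOOD='slot KVNO Principal
---- ---- ---------------------------------------------------------
   1    3 host/nfs1.example.test@EXAMPLE.TEST
   2    2 nfs/nfs1.example.test@EXAMPLE.TEST
   3    3 nfs/nfs1.example.test@EXAMPLE.TEST'

# Stand-alone demo: stale keytab, current keytab, and a client that
# canonicalises the server to a name the keytab does not contain.
check_nfs_keytab nfs1.example.test EXAMPLE.TEST "$KT_STALE" "$KDC_TEXT" || true
check_nfs_keytab nfs1.example.test EXAMPLE.TEST "$KT_GOOD" "$KDC_TEXT" || true
check_nfs_keytab nfs1.other.test EXAMPLE.TEST "$KT_GOOD" "$KDC_TEXT" || true
```

On a real server feed it `"$(klist -ke /etc/krb5.keytab)"` and `"$(kadmin.local -q "getprinc nfs/$(hostname -f)@REALM")"`, and pass the hostname the client actually resolves the server to, which with rdns enabled is the reverse-DNS name of the address in the mount, not necessarily the short name typed after `mount`.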