Matthew Carter wrote:
> So I have two test machines that I set up because of this same problem
> on my secure offline network. One of the test machines is a server that
> has FreeIPA and NFS running on it, the other test machine is a client
> that mounts two NFS shares from the server using krb5i sec.
> 
> Upon initial install, everything works as it is supposed to. The domain
> users can log in just fine, the mount mounts perfectly.

It sounds to me like /etc/krb5.keytab isn't being cleaned up properly on
uninstall.

What I'd suggest is to re-fetch the service principal, perhaps several
times, to bump the KVNO to be sure you have the right one. Then restart
the NFS services and see if that helps. Conceivably you'd need to do
something similar on the client if that too has a mix of principals from
the old and new masters.

Getting some logging from the previous uninstall would be useful. IIRC
there is a separate uninstall log for the client.

rob


> If I remove the client from the domain using:
> 
>     ipa-client-automount --uninstall
> 
>     ipa-client-install --uninstall
> 
> 
> And then on the server:
> 
>     ipa-client-automount --uninstall
> 
>     ipa-server-install --uninstall
> 
>     then delete the ca.crt, run sss -E (to clear the sssd caches), rm
> /tmp/krb5*
> 
> 
> and then reinstall the server:
> 
>     ipa-server-install
> 
>     service sshd restart
> 
>     kinit admin
> 
>     ipa service-add nfs/server.dar.lan
> 
>     ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k
> /etc/krb5.keytab
> 
>     ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k
> /etc/krb5.keytab
> 
>     ipa-client-automount
> 
> 
> and reinstall on the client:
> 
>     ipa-client-install
> 
>     ipa-client-automount
> 
> 
> I believe I now have the same setup as I had before.
> 
> I can kinit and get a ticket:
> 
>     Ticket cache: FILE:/tmp/krb5cc_615200000_TinxaO
>     Default principal: ad...@dar.lan
> 
>     Valid starting     Expires            Service principal
>     02/03/17 12:54:02  02/04/17 12:53:59  krbtgt/dar....@dar.lan
> 
> My domain users can log in to their desktops.
> 
> But I can't mount the shares.
> 
> I get:
> 
>     mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
>     mount.nfs4: trying text-based options
> 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
>     mount.nfs4: mount(2): Permission denied
>     mount.nfs4: access denied by server while mounting
> server:/NFS_SHARE/USERS
>     mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
>     mount.nfs4: trying text-based options
> 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
>     mount.nfs4: mount(2): Permission denied
>     mount.nfs4: access denied by server while mounting
> server:/NFS_SHARE/admin
> 
> 
> Originally I chased permissions, but when I started looking at
> /var/log/messages on the server, I noticed that rpcgssd was complaining 
> about a wrong principal.
> 
> On the server I executed kadmin.local and then listprincs
> 
>     K/m...@dar.lan
>     krbtgt/dar....@dar.lan
>     kadmin/server.dar....@dar.lan
>     kadmin/ad...@dar.lan
>     kadmin/chang...@dar.lan
>     ldap/server.dar....@dar.lan
>     host/server.dar....@dar.lan
>     HTTP/server.dar....@dar.lan
>     nfs/server.dar....@dar.lan
>     s_shar...@dar.lan
>     host/as1.dar....@dar.lan
> 
> and then a getprinc on nfs/server.dar....@dar.lan:
> 
>     Principal: nfs/server.dar....@dar.lan
>     Expiration date: [never]
>     Last password change: Thu Feb 02 15:31:24 EST 2017
>     Password expiration date: [none]
>     Maximum ticket life: 1 day 00:00:00
>     Maximum renewable life: 7 days 00:00:00
>     Last modified: Thu Feb 02 15:31:24 EST 2017
> (nfs/server.dar....@dar.lan)
>     Last successful authentication: Thu Feb 02 16:52:16 EST 2017
>     Last failed authentication: Fri Feb 03 12:09:14 EST 2017
>     Failed password attempts: 1
>     Number of keys: 4
>     Key: vno 3, aes256-cts-hmac-sha1-96, no salt
>     Key: vno 3, aes128-cts-hmac-sha1-96, no salt
>     Key: vno 3, des3-cbc-sha1, no salt
>     Key: vno 3, arcfour-hmac, no salt
>     MKey: vno 1
>     Attributes: REQUIRES_PRE_AUTH
>     Policy: [none]
> 
> looking at my keytab, klist -ke /etc/krb5.keytab
> 
>        1    2              host/server.dar....@dar.lan
>        2    1               nfs/server.dar....@dar.lan
>        3    3              host/server.dar....@dar.lan
>        4    3              host/server.dar....@dar.lan
>        5    3              host/server.dar....@dar.lan
>        6    3              host/server.dar....@dar.lan
>        7    2               nfs/server.dar....@dar.lan
>        8    2               nfs/server.dar....@dar.lan
>        9    2               nfs/server.dar....@dar.lan
>       10    2               nfs/server.dar....@dar.lan
> 
> I saw I had two extra older kt's so I used kadmin.local to remove them
> with modprinc. Not sure where they came from. . .
> 
> I again tried to mount, this time using -vvv in /etc/sysconfig/nfs for
> rpcgssd, rpcsvcgssd, and rpcbind and /var/log/messages output this on
> the server (I'll only paste the data from one mount attempt as there is
> two mounts and they're complaining identically.):
> 
> Feb  3 12:25:32 server rpc.svcgssd[4796]: leaving poll
> Feb  3 12:25:32 server rpc.svcgssd[4796]: handling null request
> Feb  3 12:25:32 server rpc.svcgssd[4796]: svcgssd_limit_krb5_enctypes:
> Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
> Feb  3 12:25:32 server rpc.svcgssd[4796]: WARNING:
> gss_accept_sec_context failed
> Feb  3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure.  Minor code may provide more information) - Wrong principal in
> request
> Feb  3 12:25:32 server rpc.svcgssd[4796]: sending null reply
> Feb  3 12:25:32 server rpc.svcgssd[4796]: writing message: \x
> \x6082025f06092a864886f71201020201006e82024e3082024aa003020105a10302010ea20703050020000000a382015a6182015630820152a003020105a1091b074441522e4c414ea220301ea003020103a11730151b036e66731b0e7365727665722e6461722e6c616ea382011c30820118a003020112a103020103a282010a048201063acb411e685126d45ffc67763e9d9fb3eaa42765e44ad17b924d930583f95f8169980758f7d7ac59b5668c40a6a4c0aadee0e4a655a29343e09b69922cf65e2bf639b30fa764d415d3e1207da584b0d3d4ffb668d0d6fbcf52a7eed73cf9f51dd777096647e13931c30a6929115f8d1244086a78fa35fbe4073c195be3f49ba34ffe04bd3ae0bba9f8d9713d931f129fa0087872514f5aa4b0f933549b27cd45bcda4460d562b9b9dec90e5d358d6824aad6e46f50bbd03b35ac80df8b65f771bacf3ab7c96336f3051833d11fe283506a20c3eeae9d7df743a634e9928443cafb088a2adb083d2fa32eec78934a27e7d3358a451dd5ba36a94a5fdeb255aa5e884230069bdda481d63081d3a003020112a281cb0481c802b37853075fe8f79de1d93289e493dd95e7724a050d44cc629521c0a1504d2a33589d4e13c4941a9451b4d2cfb74129ac2943664b9adb01b89d8746fd531c251fbe87660c9305d73a18fb3166907ac85a0!
 
c38fe59b475899f0f69b4193311cab6ed19ca0ce1f2a0dfc7b7a04d2bb1195406dc6d846f3535db5c083ade0a4dfa0c5d4466ee10fd04d72325192fd8473e05d0318b390d6c87c440ca5eabdc3017fec828c29543b3414fac312b597e0ea4726cb33fe825feef00527e14d5f426cc7781dcd3dd0a0969
> 1486142792 851968 2529639056 \x \x
> REPEATED 3x . . .
> 
> 
> Feb  3 12:25:32 server rpc.svcgssd[4796]: finished handling null request
> Feb  3 12:25:32 server audispd: node=server type=SYSCALL
> msg=audit(1486142732.066:592): arch=c000003e syscall=87 success=yes
> exit=0 a0=2110480 a1=c2 a2=1a a3=f items=2 ppid=1 pid=4525 auid=500
> uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
> tty=(none) ses=1 comm="gnome-terminal" exe="/usr/bin/gnome-terminal"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"
> Feb  3 12:25:32 server audispd: node=server type=CWD
> msg=audit(1486142732.066:592):  cwd="/home/adminnt"
> Feb  3 12:25:32 server rpc.svcgssd[4796]: entering poll
> Feb  3 12:25:34 as1 audispd: node=as1 type=SYSCALL
> msg=audit(1486142734.451:79839): arch=c000003e syscall=165 success=no
> exit=-13 a0=7ffcb5014564 a1=7f00d8823ea0 a2=7f00d72133f6 a3=0 items=17
> ppid=7132 pid=7133 auid=615200000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mount.nfs4"
> exe="/sbin/mount.nfs"
> subj=unconfined_u:unconfined_r:unconfined_mount_t:s0-s0:c0.c1023
> key="export"
> Feb  3 12:25:34 as1 audispd: node=as1 type=CWD
> msg=audit(1486142734.451:79839):  cwd="/usr"
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=0 name="/NFS_SHARE" inode=654083
> dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=unconfined_u:object_r:default_t:s0 nametype=NORMAL
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=1 name=(null) inode=103 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=2 name=(null) inode=103 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=3 name=(null) inode=280 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=4 name=(null) inode=280 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=5 name=(null) inode=281 dev=00:12
> mode=0100400 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=6 name=(null) inode=280 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=7 name=(null) inode=282 dev=00:12
> mode=010600 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=8 name=(null) inode=280 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=9 name=(null) inode=283 dev=00:12
> mode=010600 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=10 name=(null) inode=280 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=11 name=(null) inode=284 dev=00:12
> mode=010600 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=12 name=(null) inode=103 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=13 name=(null) inode=103 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=14 name=(null) inode=285 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=15 name=(null) inode=285 dev=00:12
> mode=040555 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
> Feb  3 12:25:34 as1 audispd: node=as1 type=PATH
> msg=audit(1486142734.451:79839): item=16 name=(null) inode=286 dev=00:12
> mode=0100400 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
> 
> 
> I apoligize for the wall o' words, but you know how log files can be.
> 
> So my setup naming conventions is exactly as during the initial install
> which worked. The config files shouldn't have changed. It seems as if
> the principal name, KVNO, and the keytab match up. Did something not get
> cleaned properly?
> 
> Currently I can mount just fine without krb5i security, but my Govt STIG
> requires it for NFS mounts and I'm stuck.
> 
> 
> Thanks for any help!
> 
> 
> Matt
> 
> 
> 
> 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to