On 24-02-17 14:38, Brendan Kearney wrote: > On 02/24/2017 03:33 AM, Kees Bakker wrote: >> On 23-02-17 15:39, Brendan Kearney wrote: >>> On 02/23/2017 09:11 AM, Kees Bakker wrote: >>>> On 23-02-17 13:51, Brendan Kearney wrote: >>>>> On 02/23/2017 07:32 AM, Kees Bakker wrote: >>>>>> On 22-02-17 17:33, Brendan Kearney wrote: >>>>>>> On 02/22/2017 10:26 AM, Kees Bakker wrote: >>>>>>>> On 22-02-17 14:05, Brendan Kearney wrote: >>>>>>>>> On 02/22/2017 05:23 AM, Kees Bakker wrote: >>>>>>>>>> On 21-02-17 19:49, Brendan Kearney wrote: >>>>>>>>>>> On 02/21/2017 10:57 AM, Kees Bakker wrote: >>>>>>>>>>>> Hey, >>>>>>>>>>>> >>>>>>>>>>>> Maybe one of the NFS users on this list could give me a hint what >>>>>>>>>>>> could be wrong. I'm not sure if it has any relation with >>>>>>>>>>>> FreeIPA/Kerberos. >>>>>>>>>>>> >>>>>>>>>>>> I've set up an NFS server and I can mount the NFS directory on my >>>>>>>>>>>> client. So, I'm >>>>>>>>>>>> guessing that setting up Kerberos principal was done correctly. >>>>>>>>>>>> >>>>>>>>>>>> However, only root can actually access the mounted contents. Any >>>>>>>>>>>> other user >>>>>>>>>>>> only sees question marks as shown below. >>>>>>>>>>>> >>>>>>>>>>>> The mount command is simple. >>>>>>>>>>>> $ sudo mount -v -t nfs srv1.example.com:/home /nfshome >>>>>>>>>>>> mount.nfs: timeout set for Tue Feb 21 16:36:39 2017 >>>>>>>>>>>> mount.nfs: trying text-based options >>>>>>>>>>>> 'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30' >>>>>>>>>>>> >>>>>>>>>>>> On the server side /etc/exports looks like this. >>>>>>>>>>>> /home *(rw,sync,sec=krb5i,no_subtree_check) >>>>>>>>>>>> >>>>>>>>>>>> $ sudo mount |grep nfs >>>>>>>>>>>> srv1.example.com:/home on /nfshome type nfs4 >>>>>>>>>>>> (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45) >>>>>>>>>>>> >>>>>>>>>>>> $ sudo ls -ld /nfshome >>>>>>>>>>>> drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome >>>>>>>>>>>> $ sudo ls -l /nfshome >>>>>>>>>>>> total 0 >>>>>>>>>>>> drwxr-xr-x 1 keesb keesb 116 jan 27 12:56 keesb >>>>>>>>>>>> >>>>>>>>>>>> $ ls -l /nfshome >>>>>>>>>>>> ls: cannot access '/nfshome': Permission denied >>>>>>>>>>>> $ ls -l / | grep nfshome >>>>>>>>>>>> ls: cannot access '/nfshome': Permission denied >>>>>>>>>>>> d????????? ? ? ? ? ? nfshome >>>>>>>>>>>> >>>>>>>>>>> [...]
Continuing story... I've tried various things in the meantime. I've set up two test environments with virtual machines (virtualbox). * with Fedora 25; this works. * with Ubuntu 16.04; I'm getting the same problem (permission denied and question marks). I also looked at the verbose output of rpc.gssd, it gives ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Can't find client principal keesb@REALM in cache collection getting credentials for client with uid 60001 for server srv1.example.com getting credentials for client with uid 60001 for server srv1.example.com WARNING: Failed to create krb5 context for user with uid 60001 for server srv1.example.com But the user really did get a TGT. $ klist Ticket cache: KEYRING:persistent:60001:60001 Default principal: [email protected] Valid starting Expires Service principal 02-03-17 10:25:25 03-03-17 10:25:22 krbtgt/[email protected] So, still no solution for Ubuntu + freeipa + nfs. BTW. I've enabled verbosity in /etc/idmapd.conf. The logging tells me it is OK. However, there is only any output when root (uid 0) does a NFS directory lookup. When a regular user tries to stat the NFS directory it does not even get to the point where id mapping is done. -- Kees -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
