On 24-02-17 14:38, Brendan Kearney wrote:
> On 02/24/2017 03:33 AM, Kees Bakker wrote:
>> On 23-02-17 15:39, Brendan Kearney wrote:
>>> On 02/23/2017 09:11 AM, Kees Bakker wrote:
>>>> On 23-02-17 13:51, Brendan Kearney wrote:
>>>>> On 02/23/2017 07:32 AM, Kees Bakker wrote:
>>>>>> On 22-02-17 17:33, Brendan Kearney wrote:
>>>>>>> On 02/22/2017 10:26 AM, Kees Bakker wrote:
>>>>>>>> On 22-02-17 14:05, Brendan Kearney wrote:
>>>>>>>>> On 02/22/2017 05:23 AM, Kees Bakker wrote:
>>>>>>>>>> On 21-02-17 19:49, Brendan Kearney wrote:
>>>>>>>>>>> On 02/21/2017 10:57 AM, Kees Bakker wrote:
>>>>>>>>>>>> Hey,
>>>>>>>>>>>>
>>>>>>>>>>>> Maybe one of the NFS users on this list could give me a hint what
>>>>>>>>>>>> could be wrong. I'm not sure if it has any relation with 
>>>>>>>>>>>> FreeIPA/Kerberos.
>>>>>>>>>>>>
>>>>>>>>>>>> I've set up an NFS server and I can mount the NFS directory on my 
>>>>>>>>>>>> client. So, I'm
>>>>>>>>>>>> guessing that setting up Kerberos principal was done correctly.
>>>>>>>>>>>>
>>>>>>>>>>>> However, only root can actually access the mounted contents. Any 
>>>>>>>>>>>> other user
>>>>>>>>>>>> only sees question marks as shown below.
>>>>>>>>>>>>
>>>>>>>>>>>> The mount command is simple.
>>>>>>>>>>>> $ sudo mount -v -t nfs srv1.example.com:/home /nfshome
>>>>>>>>>>>> mount.nfs: timeout set for Tue Feb 21 16:36:39 2017
>>>>>>>>>>>> mount.nfs: trying text-based options 
>>>>>>>>>>>> 'vers=4,addr=172.16.16.45,clientaddr=172.16.16.30'
>>>>>>>>>>>>
>>>>>>>>>>>> On the server side /etc/exports looks like this.
>>>>>>>>>>>> /home        *(rw,sync,sec=krb5i,no_subtree_check)
>>>>>>>>>>>>
>>>>>>>>>>>> $ sudo mount |grep nfs
>>>>>>>>>>>> srv1.example.com:/home on /nfshome type nfs4 
>>>>>>>>>>>> (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5i,clientaddr=172.16.16.30,local_lock=none,addr=172.16.16.45)
>>>>>>>>>>>>
>>>>>>>>>>>> $ sudo ls -ld /nfshome
>>>>>>>>>>>> drwxr-xr-x 1 root root 72 feb 21 04:22 /nfshome
>>>>>>>>>>>> $ sudo ls -l /nfshome
>>>>>>>>>>>> total 0
>>>>>>>>>>>> drwxr-xr-x 1 keesb  keesb  116 jan 27 12:56 keesb
>>>>>>>>>>>>
>>>>>>>>>>>> $ ls -l /nfshome
>>>>>>>>>>>> ls: cannot access '/nfshome': Permission denied
>>>>>>>>>>>> $ ls -l / | grep nfshome
>>>>>>>>>>>> ls: cannot access '/nfshome': Permission denied
>>>>>>>>>>>> d?????????   ? ?    ?       ?            ? nfshome
>>>>>>>>>>>>
>>>>>>>>>>>
[...]

Continuing story...

I've tried various things in the meantime. I've set up two test environments 
with virtual
machines (virtualbox).
* with Fedora 25; this works.
* with Ubuntu 16.04; I'm getting the same problem (permission denied and 
question marks).

I also looked at the verbose output of rpc.gssd, it gives

ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS 
failure.  Minor code may provide more information) - Can't find client 
principal keesb@REALM in cache collection
getting credentials for client with uid 60001 for server srv1.example.com
getting credentials for client with uid 60001 for server srv1.example.com
WARNING: Failed to create krb5 context for user with uid 60001 for server 
srv1.example.com

But the user really did get a TGT.

$ klist
Ticket cache: KEYRING:persistent:60001:60001
Default principal: ke...@example.com

Valid starting     Expires            Service principal
02-03-17 10:25:25  03-03-17 10:25:22  krbtgt/example....@example.com

So, still no solution for Ubuntu + freeipa + nfs.

BTW. I've enabled verbosity in /etc/idmapd.conf. The logging tells me it is OK. 
However,
there is only any output when root (uid 0) does a NFS directory lookup. When a 
regular
user tries to stat the NFS directory it does not even get to the point where id 
mapping is
done.
-- 
Kees

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to