Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 16:16 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 16:59 -0400, Simo Sorce wrote:
>> On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
>>> On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
>>>> On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
>>>>> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
>>>>>> Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.
>>>>>>
>>>>>> Also does it work all the time if you use the command ssh -K dean@desktop2 ?
>>>> you did not try the above ^^ :-)
>>> Oops, it is these old eyes. OK, ssh -K dean@desktop2 works all the time.
>> good
>>> Now there are problems when I log out, sometimes one processor starts spinning, other times I get tossed all the way out of Gnome. I have not yet established a pattern. Is this familiar?
>> Is this related to ssh in ? or is it a completely unrelated problem ?
>>
>> Simo.
> I am sorry. I see now that I was not clear. When I log out of ssh on desktop2 it sometimes spins. When I log out of Gnome terminal after the spins I get tossed all the way out of Gnome.

Sounds like a bug in gnome-terminal or gnome in general, I've never seen that.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 22:25 -0400, Dmitri Pal wrote:
> On 09/11/2013 10:10 PM, Dean Hunter wrote:
>> On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:
>>> On 09/11/2013 09:27 PM, Dean Hunter wrote:
>>>> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
>>>>> On 09/11/2013 08:49 PM, Dean Hunter wrote:
>>>>>> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
>>>>>>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>>>>>>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>>>>>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>>>>>>>> I do NOT believe this:
>>>>>>>>>>
>>>>>>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>>>>>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>>>>>>>> Could not chdir to home directory /home/net/dean: Permission denied
>>>>>>>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>>>>>>>> -bash-4.2$ logout
>>>>>>>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>>>>>>>> Connection to desktop2 closed.
>>>>>>>>>> [dean@ipa2 ~]$ su -
>>>>>>>>>> Password:
>>>>>>>>>> [root@ipa2 ~]# ssh dean@desktop2
>>>>>>>>>> dean@desktop2's password:
>>>>>>>>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>>>>>>>> [dean@desktop2 ~]$ logout
>>>>>>>>>> Connection to desktop2 closed.
>>>>>>>>>> [root@ipa2 ~]# logout
>>>>>>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>>>>>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>>>>>>>> [dean@desktop2 ~]$
>>>>>>>>> Are you using a kerberized NFS mount ?
>>>>>>>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>>>>>>>
>>>>>>>>> Simo.
>>>>>>>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
>>>>>>> We need to decide what component is faulty. It may be possible we can get it working somehow.
>>>>>>>
>>>>>>> When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
>>>>>>>
>>>>>>> Simo.
>>>>>> I hope this is what you requested:
>>>>>>
>>>>>> [dean@ipa2 ~]$ klist
>>>>>> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
>>>>>> Default principal: d...@hunter.org
>>>>>>
>>>>>> Valid starting     Expires            Service principal
>>>>>> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
>>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>>> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
>>>>>> Could not chdir to home directory /home/net/dean: Permission denied
>>>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>>>> -bash-4.2$ hostname
>>>>>> desktop2.hunter.org
>>>>>> -bash-4.2$ klist
>>>>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
>>>>>> -bash-4.2$ logout
>>>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>>>> Connection to desktop2 closed.
>>>>>> [dean@ipa2 ~]$ klist
>>>>>> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
>>>>>> Default principal: d...@hunter.org
>>>>>>
>>>>>> Valid starting     Expires            Service principal
>>>>>> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
>>>>>> 09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org
>>>>>> [dean@ipa2 ~]$
>>>>> Do I get it right: you tried twice and the first time it did not work while the second it did?
>>>>> There might be a race condition mounting your home directory using your ticket.
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager for IdM portfolio
>>>>> Red Hat Inc.
>>>>>
>>>>> ---
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 16:59 -0400, Simo Sorce wrote:
> On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
>> On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
>>> On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
>>>> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
>>>>> Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.
>>>>>
>>>>> Also does it work all the time if you use the command ssh -K dean@desktop2 ?
>>> you did not try the above ^^ :-)
>> Oops, it is these old eyes. OK, ssh -K dean@desktop2 works all the time.
> good
>> Now there are problems when I log out, sometimes one processor starts spinning, other times I get tossed all the way out of Gnome. I have not yet established a pattern. Is this familiar?
> Is this related to ssh in ? or is it a completely unrelated problem ?
>
> Simo.

I am sorry. I see now that I was not clear. When I log out of ssh on desktop2 it sometimes spins. When I log out of Gnome terminal after the spins I get tossed all the way out of Gnome.
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.
>
> Also does it work all the time if you use the command ssh -K dean@desktop2 ?

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied
-bash-4.2$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.
[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
[dean@ipa2 ~]$ su -
Password:
[root@ipa2 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@ipa2 ~]# ssh dean@desktop2
dean@desktop2's password:
Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org
[dean@desktop2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter@hunter.org
09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter@hunter.org
[dean@desktop2 ~]$ logout
Connection to desktop2 closed.
[root@ipa2 ~]# logout
[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org
[dean@desktop2 ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
[dean@desktop2 ~]$ logout
Connection to desktop2 closed.
[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org

reboot

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
[dean@ipa2 ~]$ ssh -k dean@desktop2
Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied
-bash-4.2$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.
[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
09/12/13 11:24:43  09/13/13 11:23:56  host/desktop2.hunter@hunter.org
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
>> On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
>>> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
>>>> Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.
>>>>
>>>> Also does it work all the time if you use the command ssh -K dean@desktop2 ?
>> you did not try the above ^^ :-)
> Oops, it is these old eyes. OK, ssh -K dean@desktop2 works all the time.

good

> Now there are problems when I log out, sometimes one processor starts spinning, other times I get tossed all the way out of Gnome. I have not yet established a pattern. Is this familiar?

Is this related to ssh in ? or is it a completely unrelated problem ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 19:49 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>>> I do NOT believe this:
>>>>>
>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>>> Could not chdir to home directory /home/net/dean: Permission denied
>>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>>> -bash-4.2$ logout
>>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>>> Connection to desktop2 closed.
>>>>> [dean@ipa2 ~]$ su -
>>>>> Password:
>>>>> [root@ipa2 ~]# ssh dean@desktop2
>>>>> dean@desktop2's password:
>>>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>>> [dean@desktop2 ~]$ logout
>>>>> Connection to desktop2 closed.
>>>>> [root@ipa2 ~]# logout
>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>>> [dean@desktop2 ~]$
>>>> Are you using a kerberized NFS mount ?
>>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>>
>>>> Simo.
>>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
>> We need to decide what component is faulty. It may be possible we can get it working somehow.
>>
>> When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
>>
>> Simo.
> I hope this is what you requested:

Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.

Also does it work all the time if you use the command ssh -K dean@desktop2 ?

> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ hostname
> desktop2.hunter.org
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> 09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> ticket, but once you alnd of the cmahine there are no credentials

this was meant to be 'land on the machine', sorry for my typing impairment.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
>> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
>>> Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.
>>>
>>> Also does it work all the time if you use the command ssh -K dean@desktop2 ?
> you did not try the above ^^ :-)

Oops, it is these old eyes. OK, ssh -K dean@desktop2 works all the time.

Now there are problems when I log out, sometimes one processor starts spinning, other times I get tossed all the way out of Gnome. I have not yet established a pattern. Is this familiar?
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
>> Yes it is, but I need to see also what you get on the successful ssh case, klist is all I need to see, no other output.
>>
>> Also does it work all the time if you use the command ssh -K dean@desktop2 ?

you did not try the above ^^ :-)

> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$ su -
> Password:
> [root@ipa2 ~]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password:
> Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org
> [dean@desktop2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter@hunter.org
> 09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter@hunter.org
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> [root@ipa2 ~]# logout
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org
> [dean@desktop2 ~]$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
>
> reboot
>
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
> [dean@ipa2 ~]$ ssh -k dean@desktop2
> Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
> 09/12/13 11:24:43  09/13/13 11:23:56  host/desktop2.hunter@hunter.org

However here is the exact explanation of what is going on.

The first time you ssh in you are not using password authentication but SSO (GSSAPI auth) *however* you are not delegating credentials to desktop2 (-K option).

What this means is that ssh can allow you in because you have a valid ticket, but once you land on the machine there are no credentials available there locally so the NFS client has no way to authenticate you to the NFS server.

Later on when you do the su - and the ssh you are doing password authentication instead. *that* is the key difference, the fact that you do su - is a red herring and only causes you to not have credentials to use and makes ssh fall back to password authentication. You can obtain the same effect calling kdestroy instead of su - or telling ssh to not use GSSAPI for auth.

Anyway when you authenticate with a password you give the target system your password which it will use to obtain a ticket for you and it places the ticket in the DIR:/run/user/... directory. There the NFS client can find it and uses it to authenticate
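The reasoning above can be turned into a check an administrator runs after a login. This is an added example, not code from the thread or from FreeIPA: it parses `klist` output from the ssh client and from the target and reports whether the Kerberized NFS home can be authenticated. The sample outputs are constructed, modelled on the posted sessions with the realm and hostnames replaced by EXAMPLE.COM / example.com.

```python
"""Classify the Kerberos credential state on both ends of an ssh login.

Added example (not from the list or from FreeIPA). A host/<target> ticket in
the client's ccache shows ssh authenticated with GSSAPI; whether the target
then holds any ccache shows whether credentials were delegated (ssh -K),
which is what rpc.gssd needs to authenticate the NFS mount.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Service-ticket lines: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+(\S+)$"
)
NO_CACHE_RE = re.compile(r"^klist: No credentials cache found \(ticket cache (\S+)\)")


@dataclass
class CredState:
    cache: Optional[str] = None          # "DIR::/run/user/..." or "FILE:/tmp/krb5cc_UID"
    default_cache: Optional[str] = None  # where klist looked when nothing was found
    principal: Optional[str] = None
    services: List[str] = field(default_factory=list)  # service principals held

    @property
    def has_ccache(self) -> bool:
        return self.cache is not None

    def has_ticket_for(self, name: str) -> bool:
        """True if a ticket for 'svc' or 'svc/instance' (realm ignored) is held."""
        for spn in self.services:
            svc_inst = spn.split("@", 1)[0]
            if svc_inst == name or svc_inst.split("/", 1)[0] == name:
                return True
        return False


def parse_klist(output: str) -> CredState:
    """Parse MIT klist output, including its 'No credentials cache found' form."""
    state = CredState()
    for raw in output.splitlines():
        line = raw.strip()
        m = NO_CACHE_RE.match(line)
        if m:
            state.default_cache = m.group(1)
            return state
        if line.startswith("Ticket cache:"):
            state.cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            state.principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:
                state.services.append(m.group(1))
    return state


def diagnose(client: CredState, target: CredState, target_fqdn: str) -> str:
    """Verdict for one login, following the explanation in the thread."""
    gssapi_login = client.has_ticket_for("host/" + target_fqdn)
    if not target.has_ccache:
        where = target.default_cache or "the default ccache"
        if gssapi_login:
            return ("nfs-will-fail: GSSAPI login without delegation, nothing at "
                    f"{where}; use ssh -K or GSSAPIDelegateCredentials yes")
        return f"nfs-will-fail: no ccache at {where} on the target"
    how = "delegated via GSSAPI" if gssapi_login else "obtained by password login"
    if target.has_ticket_for("nfs"):
        return f"nfs-ok: ccache {target.cache} ({how}) already holds an nfs/ ticket"
    return f"nfs-ok: ccache {target.cache} ({how}); rpc.gssd can request an nfs/ ticket"


# Constructed samples modelled on the posted sessions (realm EXAMPLE.COM).
CLIENT_AFTER_GSSAPI_SSH = """\
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: dean@EXAMPLE.COM

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.example.com@EXAMPLE.COM
"""
TARGET_NO_CCACHE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)\n"
CLIENT_ROOT_NO_CCACHE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)\n"
TARGET_AFTER_PASSWORD = """\
Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
Default principal: dean@EXAMPLE.COM

Valid starting     Expires            Service principal
09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    fqdn = "desktop2.example.com"
    print(diagnose(parse_klist(CLIENT_AFTER_GSSAPI_SSH), parse_klist(TARGET_NO_CCACHE), fqdn))
    print(diagnose(parse_klist(CLIENT_ROOT_NO_CCACHE), parse_klist(TARGET_AFTER_PASSWORD), fqdn))
```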
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote:
> Hi Dean,
>
> On Tue, 10 Sep 2013, Dean Hunter wrote:
>> How do I determine the cause of this problem?
>>
>> [dean@ipa2 ~]$ ssh dean@desktop2
>> Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
>> Could not chdir to home directory /home/net/dean: Permission denied
>> -bash: /home/net/dean/.bash_profile: Permission denied
>> -bash-4.2$ rpm -q freeipa-client
>> freeipa-client-3.1.5-1.fc18.x86_64
>> -bash-4.2$
>>
>> I can log in as dean on desktop2 using gdm without a problem. But when I try to log in using ssh then I am denied access to the user's home directory.
> Is there any SELinux AVC in the logs?
> Is /home/net an NFS mount?
> Is the use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)

1) Is there any SELinux AVC in the logs?

[dean@desktop2 ~]$ sudo ausearch --message avc
<no matches>

2) Is /home/net an NFS mount?

Yes

3) Is use_nfs_home_dirs SELinux boolean set to on?

[dean@desktop2 ~]$ getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

Here is the script I use to configure IPA NFS clients:

# Configure the Network File System client

setsebool -P use_nfs_home_dirs on

cat /usr/lib/systemd/system/nfs-secure.service \
  | sed -e s/WantedBy=nfs.target/WantedBy=multi-user.target/ \
  > /etc/systemd/system/nfs-secure.service   # RedHat bug 972363

ipa-client-automount \
  --location VM \
  --unattended

sed -i 's/sss files/ files sss/g' /etc/nsswitch.conf  # FreeIPA bug 3733
systemctl restart sssd.service                         # FreeIPA bug 3733
systemctl restart autofs.service                       # FreeIPA bug 3733
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 08:27 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote:
>> Hi Dean,
>>
>> On Tue, 10 Sep 2013, Dean Hunter wrote:
>>> How do I determine the cause of this problem?
>>>
>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>> Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
>>> Could not chdir to home directory /home/net/dean: Permission denied
>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>> -bash-4.2$ rpm -q freeipa-client
>>> freeipa-client-3.1.5-1.fc18.x86_64
>>> -bash-4.2$
>>>
>>> I can log in as dean on desktop2 using gdm without a problem. But when I try to log in using ssh then I am denied access to the user's home directory.
>> Is there any SELinux AVC in the logs?
>> Is /home/net an NFS mount?
>> Is the use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)
>
> 1) Is there any SELinux AVC in the logs?
>
> [dean@desktop2 ~]$ sudo ausearch --message avc
> <no matches>
>
> 2) Is /home/net an NFS mount?
>
> Yes
>
> 3) Is use_nfs_home_dirs SELinux boolean set to on?
>
> [dean@desktop2 ~]$ getsebool use_nfs_home_dirs
> use_nfs_home_dirs --> on
>
> Here is the script I use to configure IPA NFS clients:
>
> # Configure the Network File System client
>
> setsebool -P use_nfs_home_dirs on
>
> cat /usr/lib/systemd/system/nfs-secure.service \
>   | sed -e s/WantedBy=nfs.target/WantedBy=multi-user.target/ \
>   > /etc/systemd/system/nfs-secure.service   # RedHat bug 972363
>
> ipa-client-automount \
>   --location VM \
>   --unattended
>
> sed -i 's/sss files/ files sss/g' /etc/nsswitch.conf  # FreeIPA bug 3733
> systemctl restart sssd.service                         # FreeIPA bug 3733
> systemctl restart autofs.service                       # FreeIPA bug 3733

I do NOT believe this:

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied
-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.
[dean@ipa2 ~]$ su -
Password:
[root@ipa2 ~]# ssh dean@desktop2
dean@desktop2's password:
Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
[dean@desktop2 ~]$ logout
Connection to desktop2 closed.
[root@ipa2 ~]# logout
[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
[dean@desktop2 ~]$
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> I do NOT believe this:
>
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ su -
> Password:
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password:
> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> [root@ipa2 ~]# logout
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> [dean@desktop2 ~]$

Are you using a kerberized NFS mount ?
I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>> I do NOT believe this:
>>
>> [dean@ipa2 ~]$ ssh dean@desktop2
>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>> Could not chdir to home directory /home/net/dean: Permission denied
>> -bash: /home/net/dean/.bash_profile: Permission denied
>> -bash-4.2$ logout
>> -bash: /home/net/dean/.bash_logout: Permission denied
>> Connection to desktop2 closed.
>> [dean@ipa2 ~]$ su -
>> Password:
>> [root@ipa2 ~]# ssh dean@desktop2
>> dean@desktop2's password:
>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>> [dean@desktop2 ~]$ logout
>> Connection to desktop2 closed.
>> [root@ipa2 ~]# logout
>> [dean@ipa2 ~]$ ssh dean@desktop2
>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>> [dean@desktop2 ~]$
> Are you using a kerberized NFS mount ?
> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>
> Simo.

Yes, I am using Kerberos with NFS. Should I report this as a bug?
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>> I do NOT believe this:
>>>
>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>> Could not chdir to home directory /home/net/dean: Permission denied
>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>> -bash-4.2$ logout
>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>> Connection to desktop2 closed.
>>> [dean@ipa2 ~]$ su -
>>> Password:
>>> [root@ipa2 ~]# ssh dean@desktop2
>>> dean@desktop2's password:
>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>> [dean@desktop2 ~]$ logout
>>> Connection to desktop2 closed.
>>> [root@ipa2 ~]# logout
>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>> [dean@desktop2 ~]$
>> Are you using a kerberized NFS mount ?
>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>
>> Simo.
> Yes, I am using Kerberos with NFS. Should I report this as a bug?

We need to decide what component is faulty. It may be possible we can get it working somehow.

When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On 09/11/2013 11:49 AM, Simo Sorce wrote:
> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>> I do NOT believe this:
>>>>
>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>> Could not chdir to home directory /home/net/dean: Permission denied
>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>> -bash-4.2$ logout
>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>> Connection to desktop2 closed.
>>>> [dean@ipa2 ~]$ su -
>>>> Password:
>>>> [root@ipa2 ~]# ssh dean@desktop2
>>>> dean@desktop2's password:
>>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>> [dean@desktop2 ~]$ logout
>>>> Connection to desktop2 closed.
>>>> [root@ipa2 ~]# logout
>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>> [dean@desktop2 ~]$
>>> Are you using a kerberized NFS mount ?
>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>
>>> Simo.
>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
> We need to decide what component is faulty. It may be possible we can get it working somehow.
>
> When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
>
> Simo.

Simo,

Would setting KRBCCACHE explicitly on the client help?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 12:08 -0400, Dmitri Pal wrote:
> On 09/11/2013 11:49 AM, Simo Sorce wrote:
>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>>> I do NOT believe this:
>>>>>
>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>>> Could not chdir to home directory /home/net/dean: Permission denied
>>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>>> -bash-4.2$ logout
>>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>>> Connection to desktop2 closed.
>>>>> [dean@ipa2 ~]$ su -
>>>>> Password:
>>>>> [root@ipa2 ~]# ssh dean@desktop2
>>>>> dean@desktop2's password:
>>>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>>> [dean@desktop2 ~]$ logout
>>>>> Connection to desktop2 closed.
>>>>> [root@ipa2 ~]# logout
>>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>>> [dean@desktop2 ~]$
>>>> Are you using a kerberized NFS mount ?
>>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>>
>>>> Simo.
>>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
>> We need to decide what component is faulty. It may be possible we can get it working somehow.
>>
>> When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
>>
>> Simo.
> Simo,
>
> Would setting KRBCCACHE explicitly on the client help?

It depends, it would not help if you used GSSAPI SSO auth but did *not* delegate your credentials for example, as you have no credentials on the target system in that case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>> I do NOT believe this:
>>>>
>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>> Could not chdir to home directory /home/net/dean: Permission denied
>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>> -bash-4.2$ logout
>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>> Connection to desktop2 closed.
>>>> [dean@ipa2 ~]$ su -
>>>> Password:
>>>> [root@ipa2 ~]# ssh dean@desktop2
>>>> dean@desktop2's password:
>>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>> [dean@desktop2 ~]$ logout
>>>> Connection to desktop2 closed.
>>>> [root@ipa2 ~]# logout
>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>> [dean@desktop2 ~]$
>>> Are you using a kerberized NFS mount ?
>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>
>>> Simo.
>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
> We need to decide what component is faulty. It may be possible we can get it working somehow.
>
> When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
>
> Simo.

I hope this is what you requested:

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied
-bash-4.2$ hostname
desktop2.hunter.org
-bash-4.2$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.
[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org
[dean@ipa2 ~]$
Re: [Freeipa-users] Permission Denied
On 09/11/2013 08:49 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > > [snip]
> > > > Are you using a kerberized NFS mount ?
> > > > I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
> > > Yes, I am using Kerberos with NFS. Should I report this as a bug?
> > We need to decide what component is faulty. It may be possible we can get it working somehow.
> > When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
>
> I hope this is what you requested:
>
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
>
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ hostname
> desktop2.hunter.org
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
>
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
>
> Valid starting     Expires            Service principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> 09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$

Do I get it right: you tried twice and the first time it did not work while the second it did?
There might be a race condition mounting your home directory using your ticket.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> On 09/11/2013 08:49 PM, Dean Hunter wrote:
> > On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> > > [snip]
> > > When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ?
> >
> > I hope this is what you requested:
> > [snip]
>
> Do I get it right: you tried twice and the first time it did not work while the second it did?
> There might be a race condition mounting your home directory using your ticket.

Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:

1. su -
2. ssh dean@desktop2
3. logout of dean@desktop2
4. logout of root@ipa2

then ssh dean@desktop2 succeeds!

Does that answer your question?

So I do not think there is a race. It is more like the super user session leaves something behind that was missing?
Re: [Freeipa-users] Permission Denied
On 09/11/2013 09:27 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> > On 09/11/2013 08:49 PM, Dean Hunter wrote:
> > > [snip]
> >
> > Do I get it right: you tried twice and the first time it did not work while the second it did?
> > There might be a race condition mounting your home directory using your ticket.
>
> Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:
>
> 1. su -
> 2. ssh dean@desktop2
> 3. logout of dean@desktop2
> 4. logout of root@ipa2
>
> then ssh dean@desktop2 succeeds!
>
> Does that answer your question?
>
> So I do not think there is a race. It is more like the super user session leaves something behind that was missing?

Does it succeed if after step 3 but before step 4 you do kdestroy?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:
> On 09/11/2013 09:27 PM, Dean Hunter wrote:
> > On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> > > On 09/11/2013 08:49 PM, Dean Hunter wrote:
> > > > [snip]
> > >
> > > Do I get it right: you tried twice and the first time it did not work while the second it did?
> > > There might be a race condition mounting your home directory using your ticket.
> >
> > Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:
> >
> > 1. su -
> > 2. ssh dean@desktop2
> > 3. logout of dean@desktop2
> > 4. logout of root@ipa2
> >
> > then ssh dean@desktop2 succeeds!
> >
> > Does that answer your question?
> >
> > So I do not think there is a race. It is more like the super user session leaves something behind that was
Re: [Freeipa-users] Permission Denied
On 09/11/2013 10:10 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:
> > On 09/11/2013 09:27 PM, Dean Hunter wrote:
> > > On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> > > > On 09/11/2013 08:49 PM, Dean Hunter wrote:
> > > > > [snip]
> > > >
> > > > Do I get it right: you tried twice and the first time it did not work while the second it did?
> > > > There might be a race condition mounting your home directory using your ticket.
> > >
> > > Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:
> > >
> > > 1. su -
> > > 2. ssh dean@desktop2
> > > 3. logout of dean@desktop2
> > > 4. logout of root@ipa2
> > >
> > > then ssh dean@desktop2 succeeds!
> > >
> > > Does that answer your question?
> > >
> > > So I do not think there is a race. It is more like the super user session leaves something behind that was missing?
> >
> > Does it succeed if after step 3 but before step 4 you do kdestroy?
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> >
> > ---
> > Looking to carve out IT costs?
Re: [Freeipa-users] Permission Denied
Hi Dean,

On Tue, 10 Sep 2013, Dean Hunter wrote:
> How do I determine the cause of this problem?
>
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ rpm -q freeipa-client
> freeipa-client-3.1.5-1.fc18.x86_64
> -bash-4.2$
>
> I can log in as dean on desktop2 using gdm without a problem. But when I try to log in using ssh then I am denied access to the user's home directory.

Is there any SELinux AVC in the logs?
Is /home/net an NFS mount?
Is the use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)

--
/ Alexander Bokovoy
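As an added diagnostic, not code from this thread or from FreeIPA, here is a small POSIX sh helper that checks the three things Simo and Alexander ask about on the NFS client (which credential cache the ssh session actually has, whether rpc.gssd is running, and whether the use_nfs_home_dirs SELinux boolean is on) and names the fix for the first blocker it finds. The sample klist outputs, realm and UID in it are constructed placeholders.

```shell
# Added diagnostic helper, not code from the thread. It checks the pieces
# asked about above: the Kerberos ccache visible to the ssh session (klist),
# whether rpc.gssd is running, and the SELinux boolean use_nfs_home_dirs.
# Realm, UID and sample outputs below are constructed placeholders.

# Classify captured klist output: DIR, FILE, KEYRING, NONE or UNKNOWN.
ccache_kind() {
    case "$1" in
        *"No credentials cache found"*) echo NONE ;;
        *"Ticket cache: DIR:"*)         echo DIR ;;
        *"Ticket cache: FILE:"*)        echo FILE ;;
        *"Ticket cache: KEYRING:"*)     echo KEYRING ;;
        *)                              echo UNKNOWN ;;
    esac
}

# True when the ccache holds a TGT; rpc.gssd needs one to get an nfs/ ticket.
has_tgt() {
    case "$1" in *krbtgt/*) return 0 ;; *) return 1 ;; esac
}

# $1 klist output on the NFS client, $2 rpc.gssd running (yes/no),
# $3 use_nfs_home_dirs (on/off). Prints the first blocking finding.
diagnose() {
    if [ "$(ccache_kind "$1")" = NONE ] || ! has_tgt "$1"; then
        echo no-ccache
    elif [ "$2" != yes ]; then
        echo gssd-down
    elif [ "$3" != on ]; then
        echo selinux-nfs-home-off
    else
        echo ok
    fi
}

# Turn a finding code into the fix a defender would apply.
explain() {
    case "$1" in
        no-ccache) echo "No ticket in this session, so rpc.gssd has nothing to present for the sec=krb5 mount. Log in with credential delegation (ssh -K, or GSSAPIDelegateCredentials yes in ssh_config) or run kinit after login." ;;
        gssd-down) echo "rpc.gssd is not running on this client; start it, the krb5 NFS mount cannot be authenticated without it." ;;
        selinux-nfs-home-off) echo "SELinux boolean use_nfs_home_dirs is off: setsebool -P use_nfs_home_dirs on" ;;
        ok) echo "Ticket, rpc.gssd and SELinux look fine; check the NFS server and ausearch -m avc next." ;;
    esac
}

# Gather the live facts on this host and report (run with --live).
live_diagnose() {
    out=$(klist 2>&1 || true)
    if pgrep -x rpc.gssd >/dev/null 2>&1; then gssd=yes; else gssd=no; fi
    if getsebool use_nfs_home_dirs 2>/dev/null | grep -q ' on$'; then seb=on; else seb=off; fi
    code=$(diagnose "$out" "$gssd" "$seb")
    echo "ccache=$(ccache_kind "$out") rpc.gssd=$gssd use_nfs_home_dirs=$seb finding=$code"
    explain "$code"
}

# Constructed samples: a desktop login with a DIR ccache, and an ssh session with none.
SAMPLE_DESKTOP='Ticket cache: DIR::/run/user/1000/krb5cc/tktSAMPLE
Default principal: dean@EXAMPLE.ORG

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'
SAMPLE_SSH='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'

if [ "${1:-}" = "--live" ]; then live_diagnose; fi
```

Run it as `sh nfs-home-diag.sh --live` in the failing ssh session on the client; with no argument it only defines the functions so the samples can be checked offline.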