[Freeipa-users] Permission Denied for IPA User

2017-05-05 Thread Lakshan Jayasekara
An IPA user cannot log in to the target CentOS system using ssh. The user and the
password are valid and can access the IPA server.


Lakshanth Chandika Jayasekara

Senior Systems Engineer

Mobile:+94 77 294 0396 |  Dir:+94 11 235 6949

General:+94 11 235 6900  Ext: 949 | Fax:+94 11 2544346

LankaClear (Pvt) Ltd, Level 18, Bank of Ceylon Head Office,

"BOC Square", No. 01, Bank of Ceylon Mw, Colombo 01, Sri Lanka.

http://www.lankaclear.com



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Dean Hunter
On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:


> Yes it is, but I need to see also what you get on the successful ssh
> case, klist is all I need to see, no other output.
> 
> Also does it work all the time if you use the command
> 
> ssh -K dean@desktop2 ?


[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied

-bash-4.2$ klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_144081)

-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org

[dean@ipa2 ~]$ su -
Password: 

[root@ipa2 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

[root@ipa2 ~]# ssh dean@desktop2
dean@desktop2's password: 
Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org

[dean@desktop2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter@hunter.org
09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter@hunter.org

[dean@desktop2 ~]$ logout
Connection to desktop2 closed.

[root@ipa2 ~]# logout

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org

[dean@desktop2 ~]$ klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_144081)

[dean@desktop2 ~]$ logout
Connection to desktop2 closed.

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org

reboot 

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org

[dean@ipa2 ~]$ ssh -k dean@desktop2
Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied

-bash-4.2$ klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_144081)

-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
09/12/13 11:24:43  09/13/13 11:23:56  host/desktop2.hunter@hunter.org


Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Simo Sorce
On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote: 
> > On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> > > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > > 
> > > > Yes it is, but I need to see also what you get on the successful ssh
> > > > case, klist is all I need to see, no other output.
> > > > 
> > > > Also does it work all the time if you use the command
> > > > 
> > > > ssh -K dean@desktop2 ?
> > 
> > you did not try the above ^^ :-)
> 
> Oops, it is these old eyes.  OK, "ssh -K dean@desktop2" works all the
> time.

good

> Now there are problems when I log out, sometimes one processor starts
> spinning other times I get tossed all the way out of Gnome.  I have
> not yet established a pattern.  Is this familiar?
> 
Is this related to ssh in ? or is it a completely unrelated problem ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Dean Hunter
On Thu, 2013-09-12 at 16:59 -0400, Simo Sorce wrote:

> On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
> > On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote: 
> > > On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> > > > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > > > 
> > > > > Yes it is, but I need to see also what you get on the successful ssh
> > > > > case, klist is all I need to see, no other output.
> > > > > 
> > > > > Also does it work all the time if you use the command
> > > > > 
> > > > > ssh -K dean@desktop2 ?
> > > 
> > > you did not try the above ^^ :-)
> > 
> > Oops, it is these old eyes.  OK, "ssh -K dean@desktop2" works all the
> > time.
> 
> good
> 
> > Now there are problems when I log out, sometimes one processor starts
> > spinning other times I get tossed all the way out of Gnome.  I have
> > not yet established a pattern.  Is this familiar?
> > 
> Is this related to ssh in ? or is it a completely unrelated problem ?
> 
> Simo.



I am sorry.  I see now that I was not clear.  When I log out of ssh on
desktop2 it sometimes spins.  When I log out of Gnome terminal after the
spins I get tossed all the way out of Gnome.



Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Dean Hunter
On Wed, 2013-09-11 at 22:25 -0400, Dmitri Pal wrote:

> On 09/11/2013 10:10 PM, Dean Hunter wrote: 
> 
> > On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:
> > 
> > > On 09/11/2013 09:27 PM, Dean Hunter wrote: 
> > > 
> > > > On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> > > > 
> > > > > On 09/11/2013 08:49 PM, Dean Hunter wrote: 
> > > > > 
> > > > > > On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: 
> > > > > > 
> > > > > > > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > > > > > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> > > > > > > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > > > > > > 
> > > > > > > > > > I do NOT believe this:
> > > > > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > > > > > Last login: Wed Sep 11 08:32:21 2013 from 
> > > > > > > > > > ipa2.hunter.org
> > > > > > > > > > Could not chdir to home directory /home/net/dean: 
> > > > > > > > > > Permission
> > > > > > > > > > denied
> > > > > > > > > > -bash: /home/net/dean/.bash_profile: Permission 
> > > > > > > > > > denied
> > > > > > > > > > 
> > > > > > > > > > -bash-4.2$ logout
> > > > > > > > > > -bash: /home/net/dean/.bash_logout: Permission 
> > > > > > > > > > denied
> > > > > > > > > > Connection to desktop2 closed.
> > > > > > > > > > 
> > > > > > > > > > [dean@ipa2 ~]$ su -
> > > > > > > > > > Password: 
> > > > > > > > > > 
> > > > > > > > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > > > > > > > dean@desktop2's password: 
> > > > > > > > > > Last login: Wed Sep 11 08:34:29 2013 from 
> > > > > > > > > > ipa2.hunter.org
> > > > > > > > > > 
> > > > > > > > > > [dean@desktop2 ~]$ logout
> > > > > > > > > > Connection to desktop2 closed.
> > > > > > > > > > 
> > > > > > > > > > [root@ipa2 ~]# logout
> > > > > > > > > > 
> > > > > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > > > > > Last login: Wed Sep 11 08:35:16 2013 from 
> > > > > > > > > > ipa2.hunter.org
> > > > > > > > > > 
> > > > > > > > > > [dean@desktop2 ~]$ 
> > > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Are you using a kerberized NFS mount ?
> > > > > > > > > 
> > > > > > > > > I think what is happening is that when going via SSH rpc.gssd 
> > > > > > > > > cannot
> > > > > > > > > find your ticket, ssh may be doing something "wrong" in this 
> > > > > > > > > case.
> > > > > > > > > 
> > > > > > > > > Simo.
> > > > > > > > > 
> > > > > > > > Yes, I am using Kerberos with NFS.
> > > > > > > > 
> > > > > > > > Should I report this as a bug?
> > > > > > > > 
> > > > > > > We need to decide what component is faulty. It may be possible we 
> > > > > > > can
> > > > > > > get it working somehow.
> > > > > > > 
> > > > > > > When you ssh in what is the ccache ssh assign you ?
> > > > > > > can you run klist and post the output (sanitize it if needed) ?
> > > > > > > 
> > > > > > > Simo.
> > > > > > > 
> > > > > > 
> > > > > > I hope this is what you requested:
> > > > > > 
> > > > > > [dean@ipa2 ~]$ klist
> > > > > > Ticket cache:
> > > > > > DIR::/run/user/138741/krb5cc/tktFDDxRR
> > > > > > Default principal: d...@hunter.org
> > > > > > 
> > > > > > Valid starting ExpiresService
> > > > > > principal
> > > > > > 09/11/13 19:43:28  09/12/13 19:43:28
> > > > > > krbtgt/hunter@hunter.org
> > > > > > 
> > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > Last login: Wed Sep 11 19:41:48 2013 from
> > > > > > ipa2.hunter.org
> > > > > > Could not chdir to home directory /home/net/dean:
> > > > > > Permission denied
> > > > > > -bash: /home/net/dean/.bash_profile: Permission
> > > > > > denied
> > > > > > 
> > > > > > -bash-4.2$ hostname
> > > > > > desktop2.hunter.org
> > > > > > 
> > > > > > -bash-4.2$ klist
> > > > > > klist: No credentials cache found (ticket cache
> > > > > > FILE:/tmp/krb5cc_138741)
> > > > > > 
> > > > > > -bash-4.2$ logout
> > > > > > -bash: /home/net/dean/.bash_logout: Permission
> > > > > > denied
> > > > > > Connection to desktop2 closed.
> > > > > > 
> > > > > > [dean@ipa2 ~]$ klist
> > > > > > Ticket cache:
> > > > > > DIR::/run/user/138741/krb5cc/tktFDDxRR
> > > > > > Default principal: d...@hunter.org
> > > > > > 
> > > > > > Valid starting ExpiresService
> > > > > > principal
> > > > > > 09/11/13 19:43:28  09/12/13 19:43:28
> > > > > > krbtgt/hunter@hunter.org
> > > > > > 09/11/13 19:44:43  09/12/13 19:43:28
> > > > > > host/desktop2.hunter@hunter.org
> > > > > >   

Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Simo Sorce
On Thu, 2013-09-12 at 16:16 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 16:59 -0400, Simo Sorce wrote: 
> > On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
> > > On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote: 
> > > > On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> > > > > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > > > > 
> > > > > > Yes it is, but I need to see also what you get on the successful
> > > > > > ssh
> > > > > > case, klist is all I need to see, no other output.
> > > > > > 
> > > > > > Also does it work all the time if you use the command
> > > > > > 
> > > > > > ssh -K dean@desktop2 ?
> > > > 
> > > > you did not try the above ^^ :-)
> > > 
> > > Oops, it is these old eyes.  OK, "ssh -K dean@desktop2" works all the
> > > time.
> > 
> > good
> > 
> > > Now there are problems when I log out, sometimes one processor starts
> > > spinning other times I get tossed all the way out of Gnome.  I have
> > > not yet established a pattern.  Is this familiar?
> > > 
> > Is this related to ssh in ? or is it a completely unrelated problem ?
> > 
> > Simo.
> 
> I am sorry.  I see now that I was not clear.  When I log out of ssh on
> desktop2 it sometimes spins.  When I log out of Gnome terminal after
> the spins I get tossed all the way out of Gnome.
> 
Sounds like a bug in gnome-terminal or gnome in general, I've never seen
that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Simo Sorce
On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> 
> > Yes it is, but I need to see also what you get on the successful ssh
> > case, klist is all I need to see, no other output.
> > 
> > Also does it work all the time if you use the command
> > 
> > ssh -K dean@desktop2 ?

you did not try the above ^^ :-)


> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_144081)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40
> host/desktop2.hunter@hunter.org
> 
> [dean@ipa2 ~]$ su -
> Password: 
> 
> [root@ipa2 ~]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> 
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password: 
> Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org

> [dean@desktop2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter@hunter.org
> 09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter@hunter.org
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [root@ipa2 ~]# logout
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40
> host/desktop2.hunter@hunter.org
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org
> 
> [dean@desktop2 ~]$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_144081)
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40
> host/desktop2.hunter@hunter.org
> 
> reboot 
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
> 
> [dean@ipa2 ~]$ ssh -k dean@desktop2
> Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_144081)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
> 09/12/13 11:24:43  09/13/13 11:23:56
> host/desktop2.hunter@hunter.org
> 


However here is the exact explanation of what is going on.

The first time you ssh in you are not using password authentication but
SSO (GSSAPI auth) *however* you are not delegating credentials to
desktop2 (-K option).

What this means is that ssh can allow you in because you have a valid
ticket, but once you alnd of the cmahine there are no credentials
available there locally so the NFS client has no way to authenticate you
to the NFS server.

Later on when you do the su - and the ssh you are doing password
authentication instead. *that* is the key difference, the fact that you
do su - is a red herring and only causes you to not have credentials to
use and makes ssh fall back to password authentication.

you can obtain the same effect calling kdestroy instead of su - or
telling ssh to not use GSSAPI for auth.

Anyway when you authenticate with a password you give the target system
your password which it will use to obtain a ticket for you 
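
Added example, not part of the original thread: a small shell classifier for the two login paths described in the message above, driven by the auth method sshd accepted and the `klist` output seen inside the session. The `klist` samples are copied from this thread; the sshd log lines, the function names and the verdict labels are constructed for the example.

```shell
#!/bin/sh
# Added example (not the posters' code). Classifies an SSH login onto a host
# with a kerberized NFS home from two observations: the auth method sshd
# accepted, and what `klist` prints inside the resulting session.

# Read `klist` output on stdin and print the state of the credential cache.
classify_ccache() {
    klist_text=$(cat)
    case "$klist_text" in
        *"No credentials cache found"*) echo "no-ccache" ;;
        *krbtgt/*)                      echo "tgt" ;;
        *"Default principal:"*)         echo "no-tgt" ;;
        *)                              echo "unknown" ;;
    esac
}

# Print <method> from an sshd "Accepted <method> for <user> ..." log line.
auth_method() {
    printf '%s\n' "$1" | sed -n 's/.*Accepted \([^ ]*\) for .*/\1/p'
}

# $1 = sshd log line for the login, $2 = klist output captured in that session.
diagnose() {
    method=$(auth_method "$1")
    cache=$(printf '%s\n' "$2" | classify_ccache)
    case "$method:$cache" in
        gssapi-*:no-ccache) echo "sso-no-delegation" ;;
        gssapi-*:tgt)       echo "sso-delegated" ;;
        password:tgt)       echo "password-tgt" ;;
        *)                  echo "other ($method, $cache)" ;;
    esac
}

# What each verdict means for the kerberized NFS home directory.
advice() {
    case "$1" in
        sso-no-delegation)
            echo "no ticket on target; use ssh -K or GSSAPIDelegateCredentials yes" ;;
        sso-delegated)
            echo "TGT was forwarded; the NFS client can authenticate the user" ;;
        password-tgt)
            echo "target obtained a TGT from the password at login" ;;
        *)  echo "not one of the cases discussed in the thread" ;;
    esac
}

report() {
    verdict=$(diagnose "$1" "$2")
    printf '%-18s %s\n' "$verdict" "$(advice "$verdict")"
}

# klist output on desktop2, copied from the thread.
KLIST_SSO='klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_144081)'
KLIST_PASSWORD='Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter@hunter.org
09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter@hunter.org'

# sshd log lines: constructed for this example (PID, address and port are made up).
LOG_SSO='Sep 12 11:15:29 desktop2 sshd[2101]: Accepted gssapi-with-mic for dean from 192.0.2.10 port 50222 ssh2'
LOG_PASSWORD='Sep 12 11:17:39 desktop2 sshd[2140]: Accepted password for dean from 192.0.2.10 port 50230 ssh2'

report "$LOG_SSO" "$KLIST_SSO"
report "$LOG_PASSWORD" "$KLIST_PASSWORD"
```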

Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Dean Hunter
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:

> On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > 
> > > Yes it is, but I need to see also what you get on the successful ssh
> > > case, klist is all I need to see, no other output.
> > > 
> > > Also does it work all the time if you use the command
> > > 
> > > ssh -K dean@desktop2 ?
> 
> you did not try the above ^^ :-)


Oops, it is these old eyes.  OK, "ssh -K dean@desktop2" works all the
time.

Now there are problems when I log out, sometimes one processor starts
spinning other times I get tossed all the way out of Gnome.  I have not
yet established a pattern.  Is this familiar?


Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Simo Sorce
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> ticket, but once you alnd of the cmahine there are no credentials

this meant to be 'land on the machine', sorry for my typing impairment.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Simo Sorce
On Wed, 2013-09-11 at 19:49 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: 
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > 
> > > > > I do NOT believe this:
> > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > > > > Could not chdir to home directory /home/net/dean: Permission
> > > > > denied
> > > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > > 
> > > > > -bash-4.2$ logout
> > > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > > Connection to desktop2 closed.
> > > > > 
> > > > > [dean@ipa2 ~]$ su -
> > > > > Password: 
> > > > > 
> > > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > > dean@desktop2's password: 
> > > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > > > > 
> > > > > [dean@desktop2 ~]$ logout
> > > > > Connection to desktop2 closed.
> > > > > 
> > > > > [root@ipa2 ~]# logout
> > > > > 
> > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > > > > 
> > > > > [dean@desktop2 ~]$ 
> > > > > 
> > > > 
> > > > Are you using a kerberized NFS mount ?
> > > > 
> > > > I think what is happening is that when going via SSH rpc.gssd cannot
> > > > find your ticket, ssh may be doing something "wrong" in this case.
> > > > 
> > > > Simo.
> > > > 
> > > Yes, I am using Kerberos with NFS.
> > > 
> > > Should I report this as a bug?
> > > 
> > We need to decide what component is faulty. It may be possible we can
> > get it working somehow.
> > 
> > When you ssh in what is the ccache ssh assign you ?
> > can you run klist and post the output (sanitize it if needed) ?
> > 
> > Simo.
> > 
> I hope this is what you requested:

Yes it is, but I need to see also what you get on the successful ssh
case, klist is all I need to see, no other output.

Also does it work all the time if you use the command

ssh -K dean@desktop2 ?


> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/11/13 19:43:28  09/12/13 19:43:28
> krbtgt/hunter@hunter.org
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission
> denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ hostname
> desktop2.hunter.org
> 
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_138741)
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
> 
> Valid starting ExpiresService principal
> 09/11/13 19:43:28  09/12/13 19:43:28
> krbtgt/hunter@hunter.org
> 09/11/13 19:44:43  09/12/13 19:43:28
> host/desktop2.hunter@hunter.org
> 
> [dean@ipa2 ~]$ 
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dmitri Pal
On 09/11/2013 10:10 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:
>> On 09/11/2013 09:27 PM, Dean Hunter wrote:
>>> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
>>>> On 09/11/2013 08:49 PM, Dean Hunter wrote:
>>>>> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
>>>>>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>>>>> > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>>>> > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>>>> > >
>>>>>> > > > I do NOT believe this:
>>>>>> > > > [dean@ipa2 ~]$ ssh dean@desktop2
>>>>>> > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>>>> > > > Could not chdir to home directory /home/net/dean:
>>>>>> > > > Permission
>>>>>> > > > denied
>>>>>> > > > -bash: /home/net/dean/.bash_profile: Permission denied
>>>>>> > > >
>>>>>> > > > -bash-4.2$ logout
>>>>>> > > > -bash: /home/net/dean/.bash_logout: Permission denied
>>>>>> > > > Connection to desktop2 closed.
>>>>>> > > >
>>>>>> > > > [dean@ipa2 ~]$ su -
>>>>>> > > > Password:
>>>>>> > > >
>>>>>> > > > [root@ipa2 ~]# ssh dean@desktop2
>>>>>> > > > dean@desktop2's password:
>>>>>> > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>>>> > > >
>>>>>> > > > [dean@desktop2 ~]$ logout
>>>>>> > > > Connection to desktop2 closed.
>>>>>> > > >
>>>>>> > > > [root@ipa2 ~]# logout
>>>>>> > > >
>>>>>> > > > [dean@ipa2 ~]$ ssh dean@desktop2
>>>>>> > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>>>> > > >
>>>>>> > > > [dean@desktop2 ~]$
>>>>>> > > >
>>>>>> > >
>>>>>> > > Are you using a kerberized NFS mount ?
>>>>>> > >
>>>>>> > > I think what is happening is that when going via SSH rpc.gssd cannot
>>>>>> > > find your ticket, ssh may be doing something "wrong" in this case.
>>>>>> > >
>>>>>> > > Simo.
>>>>>> > >
>>>>>> > Yes, I am using Kerberos with NFS.
>>>>>> >
>>>>>> > Should I report this as a bug?
>>>>>> >
>>>>>> We need to decide what component is faulty. It may be possible we can
>>>>>> get it working somehow.
>>>>>>
>>>>>> When you ssh in what is the ccache ssh assign you ?
>>>>>> can you run klist and post the output (sanitize it if needed) ?
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> I hope this is what you requested:
>>>>>
>>>>> [dean@ipa2  ~]$ klist
>>>>> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
>>>>> Default principal: d...@hunter.org
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 09/11/13 19:43:28  09/12/13 19:43:28
>>>>> krbtgt/hunter@hunter.org
>>>>>
>>>>> [dean@ipa2  ~]$ ssh dean@desktop2
>>>>>
>>>>> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
>>>>> Could not chdir to home directory /home/net/dean: Permission
>>>>> denied
>>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>>>
>>>>> -bash-4.2$ hostname
>>>>> desktop2.hunter.org
>>>>>
>>>>> -bash-4.2$ klist
>>>>> klist: No credentials cache found (ticket cache
>>>>> FILE:/tmp/krb5cc_138741)
>>>>>
>>>>> -bash-4.2$ logout
>>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>>> Connection to desktop2 closed.
>>>>>
>>>>> [dean@ipa2  ~]$ klist
>>>>> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
>>>>> Default principal: d...@hunter.org
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 09/11/13 19:43:28  09/12/13 19:43:28
>>>>> krbtgt/hunter@hunter.org
>>>>> 09/11/13 19:44:43  09/12/13 19:43:28
>>>>> host/desktop2.hunter@hunter.org
>>>>>
>>>>>
>>>>> [dean@ipa2  ~]$
>>>>>
>>>>>
>>>>>
>>>>> ___
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Do I get it right: you tried twice and the first time it did not
>>>> work while the second it did?
>>>> There might be a race condition mounting your home directory using
>>>> your ticket.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio
>>>> Red Hat Inc.



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:

> On 09/11/2013 09:27 PM, Dean Hunter wrote: 
> 
> > On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> > 
> > > On 09/11/2013 08:49 PM, Dean Hunter wrote: 
> > > 
> > > > On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: 
> > > > 
> > > > > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > > > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> > > > > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > > > > 
> > > > > > > > I do NOT believe this:
> > > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > > > Last login: Wed Sep 11 08:32:21 2013 from 
> > > > > > > > ipa2.hunter.org
> > > > > > > > Could not chdir to home directory /home/net/dean: 
> > > > > > > > Permission
> > > > > > > > denied
> > > > > > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > > > > > 
> > > > > > > > -bash-4.2$ logout
> > > > > > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > > > > > Connection to desktop2 closed.
> > > > > > > > 
> > > > > > > > [dean@ipa2 ~]$ su -
> > > > > > > > Password: 
> > > > > > > > 
> > > > > > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > > > > > dean@desktop2's password: 
> > > > > > > > Last login: Wed Sep 11 08:34:29 2013 from 
> > > > > > > > ipa2.hunter.org
> > > > > > > > 
> > > > > > > > [dean@desktop2 ~]$ logout
> > > > > > > > Connection to desktop2 closed.
> > > > > > > > 
> > > > > > > > [root@ipa2 ~]# logout
> > > > > > > > 
> > > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > > > Last login: Wed Sep 11 08:35:16 2013 from 
> > > > > > > > ipa2.hunter.org
> > > > > > > > 
> > > > > > > > [dean@desktop2 ~]$ 
> > > > > > > > 
> > > > > > > 
> > > > > > > Are you using a kerberized NFS mount ?
> > > > > > > 
> > > > > > > I think what is happening is that when going via SSH rpc.gssd 
> > > > > > > cannot
> > > > > > > find your ticket, ssh may be doing something "wrong" in this case.
> > > > > > > 
> > > > > > > Simo.
> > > > > > > 
> > > > > > Yes, I am using Kerberos with NFS.
> > > > > > 
> > > > > > Should I report this as a bug?
> > > > > > 
> > > > > We need to decide what component is faulty. It may be possible we can
> > > > > get it working somehow.
> > > > > 
> > > > > When you ssh in what is the ccache ssh assign you ?
> > > > > can you run klist and post the output (sanitize it if needed) ?
> > > > > 
> > > > > Simo.
> > > > > 
> > > > 
> > > > I hope this is what you requested:
> > > > 
> > > > [dean@ipa2 ~]$ klist
> > > > Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> > > > Default principal: d...@hunter.org
> > > > 
> > > > Valid starting ExpiresService principal
> > > > 09/11/13 19:43:28  09/12/13 19:43:28
> > > > krbtgt/hunter@hunter.org
> > > > 
> > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > Last login: Wed Sep 11 19:41:48 2013 from
> > > > ipa2.hunter.org
> > > > Could not chdir to home directory /home/net/dean:
> > > > Permission denied
> > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > 
> > > > -bash-4.2$ hostname
> > > > desktop2.hunter.org
> > > > 
> > > > -bash-4.2$ klist
> > > > klist: No credentials cache found (ticket cache
> > > > FILE:/tmp/krb5cc_138741)
> > > > 
> > > > -bash-4.2$ logout
> > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > Connection to desktop2 closed.
> > > > 
> > > > [dean@ipa2 ~]$ klist
> > > > Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> > > > Default principal: d...@hunter.org
> > > > 
> > > > Valid starting ExpiresService principal
> > > > 09/11/13 19:43:28  09/12/13 19:43:28
> > > > krbtgt/hunter@hunter.org
> > > > 09/11/13 19:44:43  09/12/13 19:43:28
> > > > host/desktop2.hunter@hunter.org
> > > > 
> > > > [dean@ipa2 ~]$ 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > ___
> > > > Freeipa-users mailing list
> > > > Freeipa-users@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > 
> > > Do I get it right: you tried twice and the first time it did not
> > > work while the second it did?
> > > There might be a race condition mounting your home directory using
> > > your ticket.
> > > 
> > > 
> > > -- 
> > > Thank you,
> > > Dmitri Pal
> > > 
> > > Sr. Engineering Manager for IdM portfolio
> > > Red Hat Inc.
> > > 
> > > 
> > > ---
> > > Looking to carve out IT costs?
> > > www.redhat.c

Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dmitri Pal
On 09/11/2013 09:27 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
>> On 09/11/2013 08:49 PM, Dean Hunter wrote:
>>> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
>>>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>>> > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>> > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>> > >
>>>> > > > I do NOT believe this:
>>>> > > > [dean@ipa2 ~]$ ssh dean@desktop2
>>>> > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>> > > > Could not chdir to home directory /home/net/dean: Permission
>>>> > > > denied
>>>> > > > -bash: /home/net/dean/.bash_profile: Permission denied
>>>> > > >
>>>> > > > -bash-4.2$ logout
>>>> > > > -bash: /home/net/dean/.bash_logout: Permission denied
>>>> > > > Connection to desktop2 closed.
>>>> > > >
>>>> > > > [dean@ipa2 ~]$ su -
>>>> > > > Password:
>>>> > > >
>>>> > > > [root@ipa2 ~]# ssh dean@desktop2
>>>> > > > dean@desktop2's password:
>>>> > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>> > > >
>>>> > > > [dean@desktop2 ~]$ logout
>>>> > > > Connection to desktop2 closed.
>>>> > > >
>>>> > > > [root@ipa2 ~]# logout
>>>> > > >
>>>> > > > [dean@ipa2 ~]$ ssh dean@desktop2
>>>> > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>> > > >
>>>> > > > [dean@desktop2 ~]$
>>>> > > >
>>>> > >
>>>> > > Are you using a kerberized NFS mount ?
>>>> > >
>>>> > > I think what is happening is that when going via SSH rpc.gssd cannot
>>>> > > find your ticket, ssh may be doing something "wrong" in this case.
>>>> > >
>>>> > > Simo.
>>>> > >
>>>> > Yes, I am using Kerberos with NFS.
>>>> >
>>>> > Should I report this as a bug?
>>>> >
>>>> We need to decide what component is faulty. It may be possible we can
>>>> get it working somehow.
>>>>
>>>> When you ssh in what is the ccache ssh assign you ?
>>>> can you run klist and post the output (sanitize it if needed) ?
>>>>
>>>> Simo.

>>> I hope this is what you requested:
>>>
>>> [dean@ipa2  ~]$ klist
>>> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
>>> Default principal: d...@hunter.org 
>>>
>>> Valid starting ExpiresService principal
>>> 09/11/13 19:43:28  09/12/13 19:43:28 
>>> krbtgt/hunter@hunter.org 
>>>
>>> [dean@ipa2  ~]$ ssh dean@desktop2
>>> 
>>> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
>>> Could not chdir to home directory /home/net/dean: Permission denied
>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>
>>> -bash-4.2$ hostname
>>> desktop2.hunter.org
>>>
>>> -bash-4.2$ klist
>>> klist: No credentials cache found (ticket cache
>>> FILE:/tmp/krb5cc_138741)
>>>
>>> -bash-4.2$ logout
>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>> Connection to desktop2 closed.
>>>
>>> [dean@ipa2  ~]$ klist
>>> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
>>> Default principal: d...@hunter.org 
>>>
>>> Valid starting ExpiresService principal
>>> 09/11/13 19:43:28  09/12/13 19:43:28 
>>> krbtgt/hunter@hunter.org 
>>> 09/11/13 19:44:43  09/12/13 19:43:28 
>>> host/desktop2.hunter@hunter.org
>>> 
>>>
>>> [dean@ipa2  ~]$
>>>
>>>
>>>
>> Do I get it right: you tried twice and the first time it did not work
>> while the second it did?
>> There might be a race condition mounting your home directory using
>> your ticket.
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>
> Starting clean after rebuilding ipa2 and desktop2 and a gdm login to
> ipa2 as dean, if I "ssh dean@desktop2 " it will
> consistently fail as noted in my last note.  However, if I:
>
>  1. su -
>  2. ssh dean@desktop2 
>  3. logout of dean@desktop2 
>  4. logout of root@ipa2 

Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:

> On 09/11/2013 08:49 PM, Dean Hunter wrote: 
> 
> > On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: 
> > 
> > > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> > > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > > 
> > > > > > I do NOT believe this:
> > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > > > > > Could not chdir to home directory /home/net/dean: Permission
> > > > > > denied
> > > > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > > > 
> > > > > > -bash-4.2$ logout
> > > > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > > > Connection to desktop2 closed.
> > > > > > 
> > > > > > [dean@ipa2 ~]$ su -
> > > > > > Password: 
> > > > > > 
> > > > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > > > dean@desktop2's password: 
> > > > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > > > > > 
> > > > > > [dean@desktop2 ~]$ logout
> > > > > > Connection to desktop2 closed.
> > > > > > 
> > > > > > [root@ipa2 ~]# logout
> > > > > > 
> > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > > > > > 
> > > > > > [dean@desktop2 ~]$ 
> > > > > > 
> > > > > 
> > > > > Are you using a kerberized NFS mount ?
> > > > > 
> > > > > I think what is happening is that when going via SSH rpc.gssd cannot
> > > > > find your ticket, ssh may be doing something "wrong" in this case.
> > > > > 
> > > > > Simo.
> > > > > 
> > > > Yes, I am using Kerberos with NFS.
> > > > 
> > > > Should I report this as a bug?
> > > > 
> > > We need to decide what component is faulty. It may be possible we can
> > > get it working somehow.
> > > 
> > > When you ssh in what is the ccache ssh assign you ?
> > > can you run klist and post the output (sanitize it if needed) ?
> > > 
> > > Simo.
> > > 
> > 
> > I hope this is what you requested:
> > 
> > [dean@ipa2 ~]$ klist
> > Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> > Default principal: d...@hunter.org
> > 
> > Valid starting ExpiresService principal
> > 09/11/13 19:43:28  09/12/13 19:43:28
> > krbtgt/hunter@hunter.org
> > 
> > [dean@ipa2 ~]$ ssh dean@desktop2
> > Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> > Could not chdir to home directory /home/net/dean: Permission
> > denied
> > -bash: /home/net/dean/.bash_profile: Permission denied
> > 
> > -bash-4.2$ hostname
> > desktop2.hunter.org
> > 
> > -bash-4.2$ klist
> > klist: No credentials cache found (ticket cache
> > FILE:/tmp/krb5cc_138741)
> > 
> > -bash-4.2$ logout
> > -bash: /home/net/dean/.bash_logout: Permission denied
> > Connection to desktop2 closed.
> > 
> > [dean@ipa2 ~]$ klist
> > Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> > Default principal: d...@hunter.org
> > 
> > Valid starting ExpiresService principal
> > 09/11/13 19:43:28  09/12/13 19:43:28
> > krbtgt/hunter@hunter.org
> > 09/11/13 19:44:43  09/12/13 19:43:28
> > host/desktop2.hunter@hunter.org
> > 
> > [dean@ipa2 ~]$ 
> > 
> > 
> > 
> > 
> > 
> 
> Do I get it right: you tried twice and the first time it did not work
> while the second it did?
> There might be a race condition mounting your home directory using
> your ticket.
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 


Starting clean after rebuilding ipa2 and desktop2 and a gdm login to
ipa2 as dean, if I "ssh dean@desktop2" it will consistently fail as
noted in my last note.  However, if I:

 1. su -
 2. ssh dean@desktop2
 3. logout of dean@desktop2
 4. logout of root@ipa2

then "ssh dean@desktop2" succeeds!

Does that answer your question?  So I do not think there is a race.  It
is more like the super user session leaves something behind that was
missing?
 

Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dmitri Pal
On 09/11/2013 08:49 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>> > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
>> > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>> > > 
>> > > > I do NOT believe this:
>> > > > [dean@ipa2 ~]$ ssh dean@desktop2
>> > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>> > > > Could not chdir to home directory /home/net/dean: Permission
>> > > > denied
>> > > > -bash: /home/net/dean/.bash_profile: Permission denied
>> > > > 
>> > > > -bash-4.2$ logout
>> > > > -bash: /home/net/dean/.bash_logout: Permission denied
>> > > > Connection to desktop2 closed.
>> > > > 
>> > > > [dean@ipa2 ~]$ su -
>> > > > Password: 
>> > > > 
>> > > > [root@ipa2 ~]# ssh dean@desktop2
>> > > > dean@desktop2's password: 
>> > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>> > > > 
>> > > > [dean@desktop2 ~]$ logout
>> > > > Connection to desktop2 closed.
>> > > > 
>> > > > [root@ipa2 ~]# logout
>> > > > 
>> > > > [dean@ipa2 ~]$ ssh dean@desktop2
>> > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>> > > > 
>> > > > [dean@desktop2 ~]$ 
>> > > > 
>> > > 
>> > > Are you using a kerberized NFS mount ?
>> > > 
>> > > I think what is happening is that when going via SSH rpc.gssd cannot
>> > > find your ticket, ssh may be doing something "wrong" in this case.
>> > > 
>> > > Simo.
>> > > 
>> > Yes, I am using Kerberos with NFS.
>> > 
>> > Should I report this as a bug?
>> > 
>> We need to decide what component is faulty. It may be possible we can
>> get it working somehow.
>>
>> When you ssh in what is the ccache ssh assign you ?
>> can you run klist and post the output (sanitize it if needed) ?
>>
>> Simo.
>>
> I hope this is what you requested:
>
> [dean@ipa2  ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org 
>
> Valid starting ExpiresService principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> 
>
> [dean@ipa2  ~]$ ssh dean@desktop2
> 
> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
>
> -bash-4.2$ hostname
> desktop2.hunter.org
>
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_138741)
>
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
>
> [dean@ipa2  ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org 
>
> Valid starting ExpiresService principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> 
> 09/11/13 19:44:43  09/12/13 19:43:28 
> host/desktop2.hunter@hunter.org
> 
>
> [dean@ipa2  ~]$
>
>
>
Do I get it right: you tried twice and the first time it did not work
while the second it did?
There might be a race condition mounting your home directory using your
ticket.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:

> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > 
> > > > I do NOT believe this:
> > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > > > Could not chdir to home directory /home/net/dean: Permission
> > > > denied
> > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > 
> > > > -bash-4.2$ logout
> > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > Connection to desktop2 closed.
> > > > 
> > > > [dean@ipa2 ~]$ su -
> > > > Password: 
> > > > 
> > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > dean@desktop2's password: 
> > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > > > 
> > > > [dean@desktop2 ~]$ logout
> > > > Connection to desktop2 closed.
> > > > 
> > > > [root@ipa2 ~]# logout
> > > > 
> > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > > > 
> > > > [dean@desktop2 ~]$ 
> > > > 
> > > 
> > > Are you using a kerberized NFS mount ?
> > > 
> > > I think what is happening is that when going via SSH rpc.gssd cannot
> > > find your ticket, ssh may be doing something "wrong" in this case.
> > > 
> > > Simo.
> > > 
> > Yes, I am using Kerberos with NFS.
> > 
> > Should I report this as a bug?
> > 
> We need to decide what component is faulty. It may be possible we can
> get it working somehow.
> 
> When you ssh in what is the ccache ssh assign you ?
> can you run klist and post the output (sanitize it if needed) ?
> 
> Simo.
> 

I hope this is what you requested:

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission
denied
-bash: /home/net/dean/.bash_profile: Permission denied

-bash-4.2$ hostname
desktop2.hunter.org

-bash-4.2$ klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_138741)

-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org

[dean@ipa2 ~]$ 


Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 12:08 -0400, Dmitri Pal wrote:
> On 09/11/2013 11:49 AM, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> >> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> >>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> >>>
> >>>> I do NOT believe this:
> >>>> [dean@ipa2 ~]$ ssh dean@desktop2
> >>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> >>>> Could not chdir to home directory /home/net/dean: Permission
> >>>> denied
> >>>> -bash: /home/net/dean/.bash_profile: Permission denied
> >>>>
> >>>> -bash-4.2$ logout
> >>>> -bash: /home/net/dean/.bash_logout: Permission denied
> >>>> Connection to desktop2 closed.
> >>>>
> >>>> [dean@ipa2 ~]$ su -
> >>>> Password:
> >>>>
> >>>> [root@ipa2 ~]# ssh dean@desktop2
> >>>> dean@desktop2's password:
> >>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> >>>>
> >>>> [dean@desktop2 ~]$ logout
> >>>> Connection to desktop2 closed.
> >>>>
> >>>> [root@ipa2 ~]# logout
> >>>>
> >>>> [dean@ipa2 ~]$ ssh dean@desktop2
> >>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> >>>>
> >>>> [dean@desktop2 ~]$
> 
> >>> Are you using a kerberized NFS mount ?
> >>>
> >>> I think what is happening is that when going via SSH rpc.gssd cannot
> >>> find your ticket, ssh may be doing something "wrong" in this case.
> >>>
> >>> Simo.
> >>>
> >> Yes, I am using Kerberos with NFS.
> >>
> >> Should I report this as a bug?
> >>
> > We need to decide what component is faulty. It may be possible we can
> > get it working somehow.
> >
> > When you ssh in what is the ccache ssh assign you ?
> > can you run klist and post the output (sanitize it if needed) ?
> >
> > Simo.
> >
> 
> Simo,
> 
> Would setting KRBCCACHE explicitly on the client help?

It depends. For example, it would not help if you used GSSAPI SSO auth but
did *not* delegate your credentials, as you have no credentials on the
target system in that case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
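
Whether a session on the target host holds any Kerberos credentials, the case Simo describes above, can be read from the `klist` output of that session. The script below is an added example, not code from the thread: it classifies `klist` text into the states discussed here and reports which cache the session is looking at. The function names, the sample realm, principals and uid are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from `klist` output whether
# a login session on the NFS client actually holds Kerberos credentials.

# classify_klist: read the text printed by `klist` on stdin and print one of
#   no-ccache  no credential cache (e.g. GSSAPI login without delegation)
#   no-tgt     a cache exists but holds no krbtgt/ ticket
#   tgt-only   TGT present, no nfs/ service ticket cached yet
#   tgt+nfs    TGT and an nfs/ service ticket are both cached
classify_klist() {
    awk '
        /No credentials cache found/ { missing = 1 }
        /^Ticket cache:/             { cache = 1 }
        /krbtgt\//                   { tgt = 1 }
        /(^|[ \t])nfs\//             { nfs = 1 }
        END {
            if (missing || !cache) print "no-ccache"
            else if (!tgt)         print "no-tgt"
            else if (nfs)          print "tgt+nfs"
            else                   print "tgt-only"
        }'
}

# ccache_location: print the cache klist looked at (TYPE:residual), taken from
# either the "Ticket cache:" header or the "No credentials cache found" error.
ccache_location() {
    sed -n \
        -e 's/^Ticket cache: *//p' \
        -e 's/.*(ticket cache \(.*\)).*/\1/p' | head -n 1
}

# advise: map a state from classify_klist to a next troubleshooting step.
advise() {
    case "$1" in
        no-ccache) echo "no credentials on this host: delegate them (ssh -K) or log in with a password" ;;
        no-tgt)    echo "cache has no TGT: run kinit before touching the Kerberized mount" ;;
        tgt-only)  echo "TGT present: an nfs/ ticket can be requested on first access" ;;
        tgt+nfs)   echo "TGT and nfs/ ticket cached: look beyond Kerberos (SELinux, export options)" ;;
        *)         echo "unknown state: $1"; return 1 ;;
    esac
}

# Constructed sample outputs (realm, user, host names and uid are made up).
SAMPLE_NO_CCACHE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'
SAMPLE_TGT_ONLY='Ticket cache: DIR::/run/user/1000/krb5cc/tktAAAAAA
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'
SAMPLE_TGT_NFS="$SAMPLE_TGT_ONLY
09/11/13 19:44:43  09/12/13 19:43:28  nfs/files.example.org@EXAMPLE.ORG"

# Live use inside the ssh session on the target host: sh <this file> --live
if [ "${1:-}" = "--live" ]; then
    out=$(klist 2>&1 || true)
    state=$(printf '%s\n' "$out" | classify_klist)
    printf 'cache: %s\nstate: %s\nhint:  %s\n' \
        "$(printf '%s\n' "$out" | ccache_location)" "$state" "$(advise "$state")"
fi
```

Delegation with `ssh -K` places a forwardable TGT on the target host, so enable it only toward hosts you trust with that ticket.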



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dmitri Pal
On 09/11/2013 11:49 AM, Simo Sorce wrote:
> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>
>>>> I do NOT believe this:
>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>> Could not chdir to home directory /home/net/dean: Permission
>>>> denied
>>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>>
>>>> -bash-4.2$ logout
>>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>>> Connection to desktop2 closed.
>>>>
>>>> [dean@ipa2 ~]$ su -
>>>> Password:
>>>>
>>>> [root@ipa2 ~]# ssh dean@desktop2
>>>> dean@desktop2's password:
>>>> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>>
>>>> [dean@desktop2 ~]$ logout
>>>> Connection to desktop2 closed.
>>>>
>>>> [root@ipa2 ~]# logout
>>>>
>>>> [dean@ipa2 ~]$ ssh dean@desktop2
>>>> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>>
>>>> [dean@desktop2 ~]$

>>> Are you using a kerberized NFS mount ?
>>>
>>> I think what is happening is that when going via SSH rpc.gssd cannot
>>> find your ticket, ssh may be doing something "wrong" in this case.
>>>
>>> Simo.
>>>
>> Yes, I am using Kerberos with NFS.
>>
>> Should I report this as a bug?
>>
> We need to decide what component is faulty. It may be possible we can
> get it working somehow.
>
> When you ssh in what is the ccache ssh assign you ?
> can you run klist and post the output (sanitize it if needed) ?
>
> Simo.
>

Simo,

Would setting KRBCCACHE explicitly on the client help?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: 
> > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > 
> > > I do NOT believe this:
> > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > > Could not chdir to home directory /home/net/dean: Permission
> > > denied
> > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > 
> > > -bash-4.2$ logout
> > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > Connection to desktop2 closed.
> > > 
> > > [dean@ipa2 ~]$ su -
> > > Password: 
> > > 
> > > [root@ipa2 ~]# ssh dean@desktop2
> > > dean@desktop2's password: 
> > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > > 
> > > [dean@desktop2 ~]$ logout
> > > Connection to desktop2 closed.
> > > 
> > > [root@ipa2 ~]# logout
> > > 
> > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > > 
> > > [dean@desktop2 ~]$ 
> > > 
> > 
> > Are you using a kerberized NFS mount ?
> > 
> > I think what is happening is that when going via SSH rpc.gssd cannot
> > find your ticket, ssh may be doing something "wrong" in this case.
> > 
> > Simo.
> > 
> Yes, I am using Kerberos with NFS.
> 
> Should I report this as a bug?
> 
We need to decide what component is faulty. It may be possible we can
get it working somehow.

When you ssh in, what is the ccache ssh assigns you?
Can you run klist and post the output (sanitize it if needed)?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:

> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> 
> > I do NOT believe this:
> > [dean@ipa2 ~]$ ssh dean@desktop2
> > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > Could not chdir to home directory /home/net/dean: Permission
> > denied
> > -bash: /home/net/dean/.bash_profile: Permission denied
> > 
> > -bash-4.2$ logout
> > -bash: /home/net/dean/.bash_logout: Permission denied
> > Connection to desktop2 closed.
> > 
> > [dean@ipa2 ~]$ su -
> > Password: 
> > 
> > [root@ipa2 ~]# ssh dean@desktop2
> > dean@desktop2's password: 
> > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > 
> > [dean@desktop2 ~]$ logout
> > Connection to desktop2 closed.
> > 
> > [root@ipa2 ~]# logout
> > 
> > [dean@ipa2 ~]$ ssh dean@desktop2
> > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > 
> > [dean@desktop2 ~]$ 
> > 
> 
> Are you using a kerberized NFS mount ?
> 
> I think what is happening is that when going via SSH rpc.gssd cannot
> find your ticket, ssh may be doing something "wrong" in this case.
> 
> Simo.
> 

Yes, I am using Kerberos with NFS.

Should I report this as a bug?


Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:

> I do NOT believe this:
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission
> denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> 
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> 
> [dean@ipa2 ~]$ su -
> Password: 
> 
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password: 
> Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> 
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> 
> [root@ipa2 ~]# logout
> 
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> 
> [dean@desktop2 ~]$ 
> 

Are you using a Kerberized NFS mount?

I think what is happening is that when going via SSH, rpc.gssd cannot
find your ticket; ssh may be doing something "wrong" in this case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 08:27 -0500, Dean Hunter wrote:

> On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote: 
> 
> > Hi Dean,
> > 
> > On Tue, 10 Sep 2013, Dean Hunter wrote:
> > >How do I determine the cause of this problem?
> > >
> > >[dean@ipa2 ~]$ ssh dean@desktop2
> > >Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
> > >Could not chdir to home directory /home/net/dean: Permission
> > >denied
> > >-bash: /home/net/dean/.bash_profile: Permission denied
> > >
> > >-bash-4.2$ rpm -q freeipa-client
> > >freeipa-client-3.1.5-1.fc18.x86_64
> > >-bash-4.2$
> > >
> > >I can log in as dean on desktop2 using gdm without a problem.  But when
> > >I try to log in using ssh then I am denied access to the user's home
> > >directory.
> > Is there any SELinux AVC in the logs? Is /home/net an NFS mount? Does
> > use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)
> > 
> 
> 1) Is there any SELinux AVC in the logs?
> 
> [dean@desktop2 ~]$ sudo ausearch --message avc
> 
> 
> 
> 2) Is /home/net an NFS mount?  Yes
> 
> 3) Is use_nfs_home_dirs SELinux boolean set to on?
> 
> [dean@desktop2 ~]$ getsebool use_nfs_home_dirs
> use_nfs_home_dirs --> on
> 
> 
> Here is the script I use to configure IPA NFS clients:
> 
> # Configure the Network File System client
> 
>   setsebool -P use_nfs_home_dirs on
> 
>   cat /usr/lib/systemd/system/nfs-secure.service \
>     | sed -e s/WantedBy=nfs.target/WantedBy=multi-user.target/ \
>     > /etc/systemd/system/nfs-secure.service   # RedHat bug 972363
> 
>   ipa-client-automount \
>     --location VM \
>     --unattended
> 
>   sed -i 's/sss files/ files sss/g' /etc/nsswitch.conf   # FreeIPA bug 3733
>   systemctl restart sssd.service                         # FreeIPA bug 3733
>   systemctl restart autofs.service                       # FreeIPA bug 3733
> 
> 
> 
> 


I do NOT believe this:

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission
denied
-bash: /home/net/dean/.bash_profile: Permission denied

-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.

[dean@ipa2 ~]$ su -
Password: 

[root@ipa2 ~]# ssh dean@desktop2
dean@desktop2's password: 
Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org

[dean@desktop2 ~]$ logout
Connection to desktop2 closed.

[root@ipa2 ~]# logout

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org

[dean@desktop2 ~]$ 



Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote:

> Hi Dean,
> 
> On Tue, 10 Sep 2013, Dean Hunter wrote:
> >How do I determine the cause of this problem?
> >
> >[dean@ipa2 ~]$ ssh dean@desktop2
> >Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
> >Could not chdir to home directory /home/net/dean: Permission
> >denied
> >-bash: /home/net/dean/.bash_profile: Permission denied
> >
> >-bash-4.2$ rpm -q freeipa-client
> >freeipa-client-3.1.5-1.fc18.x86_64
> >-bash-4.2$
> >
> >I can log in as dean on desktop2 using gdm without a problem.  But when
> >I try to log in using ssh then I am denied access to the user's home
> >directory.
> Is there any SELinux AVC in the logs? Is /home/net an NFS mount? Does
> use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)
> 

1) Is there any SELinux AVC in the logs?

[dean@desktop2 ~]$ sudo ausearch --message avc



2) Is /home/net an NFS mount?  Yes

3) Is use_nfs_home_dirs SELinux boolean set to on?

[dean@desktop2 ~]$ getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on


Here is the script I use to configure IPA NFS clients:

# Configure the Network File System client

  setsebool -P use_nfs_home_dirs on

  cat /usr/lib/systemd/system/nfs-secure.service \
    | sed -e s/WantedBy=nfs.target/WantedBy=multi-user.target/ \
    > /etc/systemd/system/nfs-secure.service   # RedHat bug 972363

  ipa-client-automount \
    --location VM \
    --unattended

  sed -i 's/sss files/ files sss/g' /etc/nsswitch.conf   # FreeIPA bug 3733
  systemctl restart sssd.service                         # FreeIPA bug 3733
  systemctl restart autofs.service                       # FreeIPA bug 3733




Re: [Freeipa-users] Permission Denied

2013-09-10 Thread Alexander Bokovoy

Hi Dean,

On Tue, 10 Sep 2013, Dean Hunter wrote:

>How do I determine the cause of this problem?
>
>[dean@ipa2 ~]$ ssh dean@desktop2
>Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
>Could not chdir to home directory /home/net/dean: Permission
>denied
>-bash: /home/net/dean/.bash_profile: Permission denied
>
>-bash-4.2$ rpm -q freeipa-client
>freeipa-client-3.1.5-1.fc18.x86_64
>-bash-4.2$
>
>I can log in as dean on desktop2 using gdm without a problem.  But when
>I try to log in using ssh then I am denied access to the user's home
>directory.

Is there any SELinux AVC in the logs? Is /home/net an NFS mount? Is the
use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)

--
/ Alexander Bokovoy



[Freeipa-users] Permission Denied

2013-09-10 Thread Dean Hunter
How do I determine the cause of this problem?

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission
denied
-bash: /home/net/dean/.bash_profile: Permission denied

-bash-4.2$ rpm -q freeipa-client
freeipa-client-3.1.5-1.fc18.x86_64
-bash-4.2$ 

I can log in as dean on desktop2 using gdm without a problem.  But when
I try to log in using ssh then I am denied access to the user's home
directory.
