subject:"\[Freeipa\-users\] Wrong principal in request in NFS mount"

Re: [Freeipa-users] Wrong principal in request in NFS mount

2017-02-06 Thread Rob Crittenden

Matthew Carter wrote:
> So I have two test machines that I set up because of this same problem
> on my secure offline network. One of the test machines is a server that
> has FreeIPA and NFS running on it, the other test machine is a client
> that mounts two NFS shares from the server using krb5i sec.
> 
> Upon initial install, everything works as it is supposed to. The domain
> users can log in just fine, the mount mounts perfectly.

It sounds to me like /etc/krb5.keytab isn't being cleaned up properly on
uninstall.

What I'd suggest is to re-fetch the service principal, perhaps several
times, to bump the KVNO to be sure you have the right one. Then restart
the NFS services and see if that helps. Conceivably you'd need to do
something similar on the client if that too has a mix of principals from
the old and new masters.

Getting some logging from the previous uninstall would be useful. IIRC
there is a separate uninstall log for the client.

rob


> If I remove the client from the domain using:
> 
> ipa-client-automount --uninstall
> 
> ipa-client-install --uninstall
> 
> 
> And then on the server:
> 
> ipa-client-automount --uninstall
> 
> ipa-server-install --uninstall
> 
> then delete the ca.crt, run sss -E (to clear the sssd caches), rm
> /tmp/krb5*
> 
> 
> and then reinstall the server:
> 
> ipa-server-install
> 
> service sshd restart
> 
> kinit admin
> 
> ipa service-add nfs/server.dar.lan
> 
> ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k
> /etc/krb5.keytab
> 
> ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k
> /etc/krb5.keytab
> 
> ipa-client-automount
> 
> 
> and reinstall on the client:
> 
> ipa-client-install
> 
> ipa-client-automount
> 
> 
> I believe I now have the same setup as I had before.
> 
> I can kinit and get a ticket:
> 
> Ticket cache: FILE:/tmp/krb5cc_61520_TinxaO
> Default principal: ad...@dar.lan
> 
> Valid starting ExpiresService principal
> 02/03/17 12:54:02  02/04/17 12:53:59  krbtgt/dar@dar.lan
> 
> My domain users can log in to their desktops.
> 
> But I can't mount the shares.
> 
> I get:
> 
> mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
> mount.nfs4: trying text-based options
> 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> server:/NFS_SHARE/USERS
> mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
> mount.nfs4: trying text-based options
> 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> server:/NFS_SHARE/admin
> 
> 
> Originally I chased permissions, but when I started looking at
> /var/log/messages on the server, I noticed that rpcgssd was complaining 
> about a wrong principal.
> 
> On the server I executed kadmin.local and then listprincs
> 
> K/m...@dar.lan
> krbtgt/dar@dar.lan
> kadmin/server.dar@dar.lan
> kadmin/ad...@dar.lan
> kadmin/chang...@dar.lan
> ldap/server.dar@dar.lan
> host/server.dar@dar.lan
> HTTP/server.dar@dar.lan
> nfs/server.dar@dar.lan
> s_shar...@dar.lan
> host/as1.dar@dar.lan
> 
> and then a getprinc on nfs/server.dar@dar.lan:
> 
> Principal: nfs/server.dar@dar.lan
> Expiration date: [never]
> Last password change: Thu Feb 02 15:31:24 EST 2017
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Feb 02 15:31:24 EST 2017
> (nfs/server.dar@dar.lan)
> Last successful authentication: Thu Feb 02 16:52:16 EST 2017
> Last failed authentication: Fri Feb 03 12:09:14 EST 2017
> Failed password attempts: 1
> Number of keys: 4
> Key: vno 3, aes256-cts-hmac-sha1-96, no salt
> Key: vno 3, aes128-cts-hmac-sha1-96, no salt
> Key: vno 3, des3-cbc-sha1, no salt
> Key: vno 3, arcfour-hmac, no salt
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
> 
> looking at my keytab, klist -ke /etc/krb5.keytab
> 
>12  host/server.dar@dar.lan
>21   nfs/server.dar@dar.lan
>33  host/server.dar@dar.lan
>43  host/server.dar@dar.lan
>53  host/server.dar@dar.lan
>63  host/server.dar@dar.lan
>72   nfs/server.dar@dar.lan
>82   nfs/server.dar@dar.lan
>92   nfs/server.dar@dar.lan
>   102   nfs/server.dar@dar.lan
> 
> I saw I had two extra older kt's so I used kadmin.local to remove them
> with modp

[Freeipa-users] Wrong principal in request in NFS mount

2017-02-03 Thread Matthew Carter

So I have two test machines that I set up because of this same problem 
on my secure offline network. One of the test machines is a server that 
has FreeIPA and NFS running on it, the other test machine is a client 
that mounts two NFS shares from the server using krb5i sec.


Upon initial install, everything works as it is supposed to. The domain 
users can log in just fine, the mount mounts perfectly.


If I remove the client from the domain using:

ipa-client-automount --uninstall

ipa-client-install --uninstall


And then on the server:

ipa-client-automount --uninstall

ipa-server-install --uninstall

then delete the ca.crt, run sss -E (to clear the sssd caches), rm 
/tmp/krb5*



and then reinstall the server:

ipa-server-install

service sshd restart

kinit admin

ipa service-add nfs/server.dar.lan

ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k 
/etc/krb5.keytab


ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k 
/etc/krb5.keytab


ipa-client-automount


and reinstall on the client:

ipa-client-install

ipa-client-automount


I believe I now have the same setup as I had before.

I can kinit and get a ticket:

Ticket cache: FILE:/tmp/krb5cc_61520_TinxaO
Default principal: ad...@dar.lan

Valid starting ExpiresService principal
02/03/17 12:54:02  02/04/17 12:53:59 krbtgt/dar@dar.lan

My domain users can log in to their desktops.

But I can't mount the shares.

I get:

mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
mount.nfs4: trying text-based options 
'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'

mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 
server:/NFS_SHARE/USERS

mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
mount.nfs4: trying text-based options 
'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'

mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 
server:/NFS_SHARE/admin



Originally I chased permissions, but when I started looking at 
/var/log/messages on the server, I noticed that rpcgssd was complaining  
about a wrong principal.


On the server I executed kadmin.local and then listprincs

K/m...@dar.lan
krbtgt/dar@dar.lan
kadmin/server.dar@dar.lan
kadmin/ad...@dar.lan
kadmin/chang...@dar.lan
ldap/server.dar@dar.lan
host/server.dar@dar.lan
HTTP/server.dar@dar.lan
nfs/server.dar@dar.lan
s_shar...@dar.lan
host/as1.dar@dar.lan

and then a getprinc on nfs/server.dar@dar.lan:

Principal: nfs/server.dar@dar.lan
Expiration date: [never]
Last password change: Thu Feb 02 15:31:24 EST 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Feb 02 15:31:24 EST 2017 
(nfs/server.dar@dar.lan)

Last successful authentication: Thu Feb 02 16:52:16 EST 2017
Last failed authentication: Fri Feb 03 12:09:14 EST 2017
Failed password attempts: 1
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

looking at my keytab, klist -ke /etc/krb5.keytab

   12 host/server.dar@dar.lan
   21 nfs/server.dar@dar.lan
   33 host/server.dar@dar.lan
   43 host/server.dar@dar.lan
   53 host/server.dar@dar.lan
   63 host/server.dar@dar.lan
   72 nfs/server.dar@dar.lan
   82 nfs/server.dar@dar.lan
   92 nfs/server.dar@dar.lan
  102 nfs/server.dar@dar.lan

I saw I had two extra older kt's so I used kadmin.local to remove them 
with modprinc. Not sure where they came from. . .


I again tried to mount, this time using -vvv in /etc/sysconfig/nfs for 
rpcgssd, rpcsvcgssd, and rpcbind and /var/log/messages output this on 
the server (I'll only paste the data from one mount attempt as there is 
two mounts and they're complaining identically.):


Feb  3 12:25:32 server rpc.svcgssd[4796]: leaving poll
Feb  3 12:25:32 server rpc.svcgssd[4796]: handling null request
Feb  3 12:25:32 server rpc.svcgssd[4796]: svcgssd_limit_krb5_enctypes: 
Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Feb  3 12:25:32 server rpc.svcgssd[4796]: WARNING: 
gss_accept_sec_context failed
Feb  3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in 
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS 
failure.  Minor code may provide more information) - Wrong principal in 
request

Feb  3 12:25:32 server rpc.svcgssd[4796]: sending null reply
Feb  3 12:25:32 server rpc.svcgssd

Re: [Freeipa-users] Wrong principal in request in NFS mount

[Freeipa-users] Wrong principal in request in NFS mount

2 matches

Site Navigation

Mail list logo

Footer information