<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/26/2013 02:03 PM, Johan Petersson wrote:
<blockquote
cite="mid:558C15177F5E714F83334217C9A197DF7A554DA4@SSC-MBX2.ssc.internal"
type="cite">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">Hi,
<div><br>
</div>
<div>I have an IPA server and an NFS4 server sharing home directories
with autofs, with krb5p as the only valid authentication.</div>
<div>Mail is Postfix/Dovecot, both with STARTTLS and GSSAPI.</div>
<div>All servers and clients are Red Hat 6.3 and updated with the
latest kernel and everything else.</div>
<div><br>
</div>
<div>If I start and log in locally as user1 on an IPA client
machine, everything works perfectly initially, including mail and
the home directory.</div>
<div>I then start experiencing errors when trying to ssh to other
servers, as in ssh <a class="moz-txt-link-abbreviated" href="mailto:user1@mail.example.com">user1@mail.example.com</a>.</div>
<div>Nothing happens, no password prompt, nothing until I have
to ctrl-c (tried leaving it overnight, still the same).</div>
<div>Mail stops working; Thunderbird complains about expired
credentials.</div>
<div>If I use ssh as root to the server and then try either su
user1 or su - user1, both give the same result as ssh user1.</div>
<div>Sometimes a su has actually worked and I can browse to my
mounted home directory but get permission denied when trying
to access it.</div>
<div>id works and the permissions on the home directory look OK, but
I can't access it anyway.</div>
<div><br>
</div>
<div>The only thing I have found that helps is to log out user1 on
the client, log in as root and then ssh as user1.</div>
<div>In that case I get a password prompt and it works with the home
directory.</div>
<div>If I then log out root and log in as user1, mail, ssh and su
work again for some time.</div>
<div><br>
</div>
<div>I guess the credential renewal works in that case.</div>
<div><br>
</div>
<div>Firewalls are turned off; I tried setenforce 0 and autofs in
debug log mode but found nothing.</div>
<div><br>
</div>
<div>Even sshd logging and verbose ssh show nothing wrong.</div>
<div>It is like everything works but an expired ticket or
something similar generates the error; the tickets are
new though and should be valid.</div>
<div><br>
</div>
<div>The only error messages I have been able to find are:</div>
<div><br>
</div>
<div>IPA server /var/log/messages shows:<br>
rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'</div>
<div><br>
</div>
<div>automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Ticket expired)</div>
<div><br>
</div>
<div>Does anyone have an idea what this could be and how to solve it?</div>
<div><br>
</div>
<div>I am really thankful for any help.</div>
<div><br>
</div>
<div>Regards,</div>
<div>Johan.</div>
<div><br>
</div>
</div>
</blockquote>
<br>
This looks very much as if when you ssh into the remote system the
home directory NFS mount fails.<br>
Can you try to configure a local directory and see if the problem
goes away? If this helps then I would see what is going on with the
NFS client on the system.<br>
<br>
Also I do not know how your SSH is configured. Does it actually
delegate the ticket? <br>
AFAIU the system you SSH into needs to have a TGT to be able to
mount an NFS share on behalf of the user.<br>
This is as far as I can go with what I know and what can be done
without actually looking at the logs on the system.<br>
<br>
HTH<br>
<br>
<br>
<blockquote
cite="mid:558C15177F5E714F83334217C9A197DF7A554DA4@SSC-MBX2.ssc.internal"
type="cite">
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
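<p>The reply above raises two things worth checking before digging into
the NFS client: whether the user's credential cache still holds a TGT
that is valid and forwardable, and whether the ssh client will actually
delegate it to the remote host. The script below is an added example
for this thread, not code from the original message or from FreeIPA; it
parses constructed <code>klist -f</code> output and a constructed
<code>ssh_config</code>. It assumes the MIT Kerberos klist layout
(two timestamps, service principal, a <code>Flags:</code> line with
<code>F</code> for forwardable) and OpenSSH's first-match-wins rule for
<code>Host</code> blocks; it handles only space-separated keywords and
<code>Host</code> patterns, not <code>Match</code> blocks or
<code>Key=value</code> syntax.</p>

```python
"""Added diagnostic example (not part of the original thread): check a
Kerberos credential cache and an ssh_config for the two conditions the
reply mentions, a usable TGT and GSSAPI credential delegation.
All sample data below is constructed."""
import re
from datetime import datetime
from fnmatch import fnmatch

# Constructed `klist -f` output: a forwardable, still-valid TGT plus an
# nfs/ service ticket that has already expired.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
02/26/13 14:03:00  02/27/13 00:03:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/05/13 14:03:00, Flags: FRIA
02/25/13 09:00:00  02/25/13 19:00:00  nfs/nfs.example.com@EXAMPLE.COM
\tFlags: FA
"""

# Constructed moment at which the sample cache is inspected.
SAMPLE_NOW = datetime(2013, 2, 26, 15, 0, 0)

# Constructed ~/.ssh/config: delegation is enabled for *.example.com only.
SAMPLE_SSH_CONFIG = """Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\S+)$")
_FLAGS_RE = re.compile(r"Flags: ([A-Za-z]+)")


def _parse_ts(text):
    # klist prints two- or four-digit years depending on version/locale.
    for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(text):
    """Return a list of {service, starts, expires, flags} dicts."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "starts": _parse_ts(m.group(1)),
                            "expires": _parse_ts(m.group(2)),
                            "flags": ""})
            continue
        f = _FLAGS_RE.search(line)
        if f and tickets:  # flags line belongs to the preceding ticket
            tickets[-1]["flags"] = f.group(1)
    return tickets


def diagnose_ccache(text, now):
    """List, as strings, why GSSAPI to ssh or NFS could fail right now."""
    tickets = parse_klist(text)
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return ["no TGT in cache: run kinit (or log in again)"]
    tgt = tgts[0]
    problems = []
    if tgt["expires"] <= now:
        problems.append("TGT expired at %s" % tgt["expires"])
    if "F" not in tgt["flags"]:
        problems.append("TGT is not forwardable, ssh cannot delegate it")
    for t in tickets:
        if t is not tgt and t["expires"] <= now:
            problems.append("service ticket %s expired at %s"
                            % (t["service"], t["expires"]))
    return problems


def delegation_enabled(config_text, hostname):
    """Apply ssh_config semantics (first value obtained wins) and report
    whether GSSAPIAuthentication and GSSAPIDelegateCredentials are yes."""
    wanted = {"gssapiauthentication": None, "gssapidelegatecredentials": None}
    active = True  # directives before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            active = any(fnmatch(hostname, p) for p in value.split())
            continue
        if active and key in wanted and wanted[key] is None:
            wanted[key] = value.strip().lower()
    return all(v == "yes" for v in wanted.values())


if __name__ == "__main__":
    for p in diagnose_ccache(SAMPLE_KLIST, SAMPLE_NOW):
        print("ccache:", p)
    for host in ("mail.example.com", "other.internal"):
        print(host, "delegation:", delegation_enabled(SAMPLE_SSH_CONFIG, host))
```

<p>On a real client, feed the output of <code>klist -f</code> run as the
affected user into <code>diagnose_ccache</code> and the user's
<code>~/.ssh/config</code> into <code>delegation_enabled</code>; a TGT
without the <code>F</code> flag, or a config that resolves
<code>GSSAPIDelegateCredentials</code> to <code>no</code> for the target
host, means the remote sshd never receives a TGT it could hand to
rpc.gssd for the home-directory mount.</p>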
</body>
</html>