<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body ocsi="0" fpstyle="1" bgcolor="#FFFFFF"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">If i enable RPCGSSDARGS="-vvv" in one of the servers i can't ssh to i get the following in /var/log/messages:<br> <br> Feb 27 14:46:22 mail rpc.gssd[2210]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)<br> Feb 27 14:46:22 mail rpc.gssd[2210]: handle_gssd_upcall: 'mech=krb5 uid=1644800003 enctypes=18,17,16,23,3,1,2 '<br> Feb 27 14:46:22 mail rpc.gssd[2210]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)<br> Feb 27 14:46:22 mail rpc.gssd[2210]: process_krb5_upcall: service is '<null>'<br> Feb 27 14:46:22 mail rpc.gssd[2210]: getting credentials for client with uid 1644800003 for server share.test.net<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET'<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 1644800003<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_0' owned by 0, not 1644800003<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800001_rNDIHA' being considered, with preferred realm 'TEST.NET'<br> Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800001_rNDIHA' owned by 1644800001, not 1644800003<br> Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net<br> Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall<br> <br> Regards,<br> Johan.<br> <div style="font-family: Times New Roman; color: #000000; font-size: 16px"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF536898"><font color="#000000" size="2" face="Tahoma"><b>From:</b> freeipa-users-bounces@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Johan Petersson [Johan.Petersson@sscspace.com]<br> <b>Sent:</b> Wednesday, February 27, 2013 14:15<br> <b>To:</b> dpal@redhat.com; freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error<br> </font><br> </div> <div></div> <div> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">I think you are right, ssh always works to the nfs server and i believe that is because the home directory is situated there.<br> <br> All ssh/sshd configuration are default from IPA Client install.<br> Only things changed are the necessary autofs configuration and that is straight from the manual.<br> <br> I use strict NFS4 with port 2049 only open. (tried all firewalls and selinux disabled, no difference)<br> Home directory is exported as:<br> /nethomes 192.168.1.0(rw,sync,sec=krb5p)<br> <br> IPA autofs map<br> default/auto_nethome * -fstype=nfs4 -sec=krb5p,rw,soft, share.test.net:/nethomes/&<br> <br> -fstype=nfs4 i had to use to get autofs working, through firewall and only port 2049 open it got crazy otherwise rambling about nfs2 and3<br> -sec=krb5p i had to put in autofs map since otherwise autofs ignored settings in exports and tried empty -o when mounting and thus failed because no kerberos auth.<br> <br> I have updated everything to RHEL 6.4 now but no change.<br> <br> Thunderbird complains that my ticket was not accepted.<br> <br> NFS server shows this in logs:<br> rpc.gssd[2060]: ERROR: failed to read service info<br> rpc.gssd[2060]: WARNING: can't create tcp rpc_clnt to server laptop1.test.net for user with uid 0: RPC: Remote system error - No route to host<br> <br> Network is fine and all firewalls down.<br> Do you want any other logs beside debug autofs?<br> <br> Thanks for the help.<br> <br> Regards,<br> Johan.<br> <br> <br> <br> <div style="font-family:Times New Roman; color:#000000; font-size:16px"> <hr tabindex="-1"> <div id="divRpF804870" style="direction:ltr"><font color="#000000" size="2" face="Tahoma"><b>From:</b> freeipa-users-bounces@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Dmitri Pal [dpal@redhat.com]<br> <b>Sent:</b> Tuesday, February 26, 2013 20:30<br> <b>To:</b> freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error<br> </font><br> </div> <div></div> <div>On 02/26/2013 02:03 PM, Johan Petersson wrote: <blockquote type="cite"><style type="text/css" id="owaParaStyle">  BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}P {margin-top:0;margin-bottom:0;}</style> <div style="direction:ltr; font-family:Tahoma; color:rgb(0,0,0); font-size:10pt"> Hi, <div><br> </div> <div>I have a IPA server, NFS4 Server sharing home directories with autofs and krb5p as only valid authentication.</div> <div>Mail Postfix/Dovecot both with startTLS and GSSAPI.</div> <div>All servers and clients are Red Hat 6.3 and updated with latest kernel and everything else.</div> <div><br> </div> <div>If i start and log in locally as user1 on a IPA Client machine everything works perfect including mail and home directory initially.</div> <div>I then start experience errors when trying to ssh other servers as ssh <a class="moz-txt-link-abbreviated" href="mailto:user1@mail.example.com" target="_blank"> user1@mail.example.com</a>.</div> <div>Nothing happens, no password question, nothing until i have to ctrl-c (tried leaving it overnight - still same).</div> <div>Mail stops working, thunderbird complain about expired credentials.</div> <div>If i use ssh as root to the server and then try either: su user1 or su - user1 both get same result as ssh user1.</div> <div>Sometimes a su have actually worked and i can browse to my mounted home directory but get permission denied when trying to access.</div> <div>id works and permissions on home directory shows ok but can't access anyway.</div> <div><br> </div> <div>The only thing i have found helping is to logout user1 on the client, login root and then ssh as user1.</div> <div>In that case i get password question and it works with home directory.</div> <div>If i logout root then, login user1 then mail, ssh and su works again for some time.</div> <div><br> </div> <div>I guess the credential renewal works in that case.</div> <div><br> </div> <div>Firewalls turned off, tried setenforce=0 and autofs on debug log mode but find nothing.</div> <div><br> </div> <div>Even sshd logging on and verbose ssh shows nothing wrong.</div> <div>It is like everything works but a expired ticket or something similar generate the error, tickets are new though and should be valid.</div> <div><br> </div> <div>Only error messages i have been able to find is:</div> <div><br> </div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">IPA server /var/log/messages show:</span><br style="font-family:'Segoe UI',Helvetica,Arial,sans-serif"> <span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48' </span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif"><br> </span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)</span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif"><br> </span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">Anyone have a idea what this could be and how to solve it?</span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif"><br> </span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">I am really thankful for any help.</span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif"><br> </span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">Regards,</span></div> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif">Johan.</span></div> <div><span style=""><br> </span></div> </div> </blockquote> <br> This looks very much as if when you ssh into the remote system the home directory NFS mount fails.<br> Can you try to configure a local directory and see if the problem goes away? If this helps then I would see what is going on with the NFS client on the system.<br> <br> Also I do not know how your SSH is configured. Does it actually delegate the ticket? <br> AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS share on behalf of the user.<br> This is as far as I can go with what I know and what can be done without actually looking at the logs on the system.<br> <br> HTH<br> <br> <br> <blockquote type="cite"> <div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt"> <div><span style="font-family:'Segoe UI',Helvetica,Arial,sans-serif"></span></div> <div><br> </div> <div><br> </div> <div><br> </div> </div> <br> <fieldset class="mimeAttachmentHeader" target="_blank"></fieldset> <br> <pre>_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </div> </div> </div> </div> </div> </div> </body> </html>