<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY TEXT="#000000" BGCOLOR="#ffffff"> On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote: <BLOCKQUOTE TYPE=CITE> On 09/11/2013 09:27 PM, Dean Hunter wrote: <BLOCKQUOTE TYPE=CITE> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote: <BLOCKQUOTE TYPE=CITE> On 09/11/2013 08:49 PM, Dean Hunter wrote: <BLOCKQUOTE TYPE=CITE> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote: > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote: > > > > > I do NOT believe this: > > > [dean@ipa2 ~]$ ssh dean@desktop2 > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org > > > Could not chdir to home directory /home/net/dean: Permission > > > denied > > > -bash: /home/net/dean/.bash_profile: Permission denied > > > > > > -bash-4.2$ logout > > > -bash: /home/net/dean/.bash_logout: Permission denied > > > Connection to desktop2 closed. > > > > > > [dean@ipa2 ~]$ su - > > > Password: > > > > > > [root@ipa2 ~]# ssh dean@desktop2 > > > dean@desktop2's password: > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org > > > > > > [dean@desktop2 ~]$ logout > > > Connection to desktop2 closed. > > > > > > [root@ipa2 ~]# logout > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2 > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org > > > > > > [dean@desktop2 ~]$ > > > > > > > Are you using a kerberized NFS mount ? > > > > I think what is happening is that when going via SSH rpc.gssd cannot > > find your ticket, ssh may be doing something "wrong" in this case. > > > > Simo. > > > Yes, I am using Kerberos with NFS. > > Should I report this as a bug? > We need to decide what component is faulty. It may be possible we can get it working somehow. When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ? Simo. </PRE> </BLOCKQUOTE> I hope this is what you requested: <BLOCKQUOTE> <TT>[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ klist</TT> <TT>Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR</TT> <TT>Default principal: <A HREF="mailto:dean@HUNTER.ORG">dean@HUNTER.ORG</A></TT> <TT>Valid starting Expires Service principal</TT> <TT>09/11/13 19:43:28 09/12/13 19:43:28 krbtgt/<A HREF="mailto:HUNTER.ORG@HUNTER.ORG">HUNTER.ORG@HUNTER.ORG</A></TT> <TT>[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A></TT> <TT>Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org</TT> <TT>Could not chdir to home directory /home/net/dean: Permission denied</TT> <TT>-bash: /home/net/dean/.bash_profile: Permission denied</TT> <TT>-bash-4.2$ hostname</TT> <TT>desktop2.hunter.org</TT> <TT>-bash-4.2$ klist</TT> <TT>klist: No credentials cache found (ticket cache <A HREF="FILE:/tmp/krb5cc_1387400001">FILE:/tmp/krb5cc_1387400001</A>)</TT> <TT>-bash-4.2$ logout</TT> <TT>-bash: /home/net/dean/.bash_logout: Permission denied</TT> <TT>Connection to desktop2 closed.</TT> <TT>[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ klist</TT> <TT>Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR</TT> <TT>Default principal: <A HREF="mailto:dean@HUNTER.ORG">dean@HUNTER.ORG</A></TT> <TT>Valid starting Expires Service principal</TT> <TT>09/11/13 19:43:28 09/12/13 19:43:28 krbtgt/<A HREF="mailto:HUNTER.ORG@HUNTER.ORG">HUNTER.ORG@HUNTER.ORG</A></TT> <TT>09/11/13 19:44:43 09/12/13 19:43:28 host/<A HREF="mailto:desktop2.hunter.org@HUNTER.ORG">desktop2.hunter.org@HUNTER.ORG</A></TT> <TT>[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ </TT> </BLOCKQUOTE> <PRE> _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> Do I get it right: you tried twice and the first time it did not work while the second it did? There might be a race condition mounting your home directory using your ticket. <PRE> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <A HREF="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</A> _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I "ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A>" it will consistently fail as noted in my last note. However, if I: <OL TYPE=1> <LI TYPE=1 VALUE=1>su - <LI TYPE=1 VALUE=2>ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A> <LI TYPE=1 VALUE=3>logout of <A HREF="mailto:dean@desktop2">dean@desktop2</A> <LI TYPE=1 VALUE=4>logout of <A HREF="mailto:root@ipa2">root@ipa2</A> </OL> then "ssh dean@desktop2<A HREF="mailto:dean@desktop2">"</A> succeeds! Does that answer your question? So I do not think there is a race. It is more like the super user session leaves something behind that was missing? </BLOCKQUOTE> Does it succeed if after step 3 but before step 4 you do kdestoy? <PRE> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <A HREF="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</A> </PRE> </BLOCKQUOTE> Hah! Even better, it works the first time and every time, if I start with a kdestroy: <OL TYPE=1> <LI TYPE=1 VALUE=1>From Virtual Machine Manager open ipa2 <LI TYPE=1 VALUE=2>Login as dean <LI TYPE=1 VALUE=3>Open a terminal <LI TYPE=1 VALUE=4>kdestroy <LI TYPE=1 VALUE=5>ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A> <LI TYPE=1 VALUE=6>logout <LI TYPE=1 VALUE=7>ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A> <LI TYPE=1 VALUE=8>logout </OL> Now, the fun starts. Why do it do that? </BODY> </HTML>