<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 09/11/2013 10:10 PM, Dean Hunter wrote: <blockquote cite="mid:1378951829.6584.18.camel@host.hunter.org" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="GENERATOR" content="GtkHTML/4.6.6"> On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote: <blockquote type="CITE"> On 09/11/2013 09:27 PM, Dean Hunter wrote: <blockquote type="CITE"> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote: <blockquote type="CITE"> On 09/11/2013 08:49 PM, Dean Hunter wrote: <blockquote type="CITE"> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: <blockquote type="CITE"> <pre>On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote: > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote: > > > > > I do NOT believe this: > > > [dean@ipa2 ~]$ ssh dean@desktop2 > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org > > > Could not chdir to home directory /home/net/dean: Permission > > > denied > > > -bash: /home/net/dean/.bash_profile: Permission denied > > > > > > -bash-4.2$ logout > > > -bash: /home/net/dean/.bash_logout: Permission denied > > > Connection to desktop2 closed. > > > > > > [dean@ipa2 ~]$ su - > > > Password: > > > > > > [root@ipa2 ~]# ssh dean@desktop2 > > > dean@desktop2's password: > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org > > > > > > [dean@desktop2 ~]$ logout > > > Connection to desktop2 closed. > > > > > > [root@ipa2 ~]# logout > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2 > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org > > > > > > [dean@desktop2 ~]$ > > > > > > > Are you using a kerberized NFS mount ? > > > > I think what is happening is that when going via SSH rpc.gssd cannot > > find your ticket, ssh may be doing something "wrong" in this case. > > > > Simo. > > > Yes, I am using Kerberos with NFS. > > Should I report this as a bug? > We need to decide what component is faulty. It may be possible we can get it working somehow. When you ssh in what is the ccache ssh assign you ? can you run klist and post the output (sanitize it if needed) ? Simo. </pre> </blockquote> I hope this is what you requested: <blockquote> <tt>[<a moz-do-not-send="true" href="mailto:dean@ipa2">dean@ipa2</a> ~]$ klist</tt> <tt>Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR</tt> <tt>Default principal: <a moz-do-not-send="true" href="mailto:dean@HUNTER.ORG">dean@HUNTER.ORG</a></tt> <tt>Valid starting Expires Service principal</tt> <tt>09/11/13 19:43:28 09/12/13 19:43:28 krbtgt/<a moz-do-not-send="true" href="mailto:HUNTER.ORG@HUNTER.ORG">HUNTER.ORG@HUNTER.ORG</a></tt> <tt>[<a moz-do-not-send="true" href="mailto:dean@ipa2">dean@ipa2</a> ~]$ ssh <a moz-do-not-send="true" href="mailto:dean@desktop2">dean@desktop2</a></tt> <tt>Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org</tt> <tt>Could not chdir to home directory /home/net/dean: Permission denied</tt> <tt>-bash: /home/net/dean/.bash_profile: Permission denied</tt> <tt>-bash-4.2$ hostname</tt> <tt>desktop2.hunter.org</tt> <tt>-bash-4.2$ klist</tt> <tt>klist: No credentials cache found (ticket cache <a moz-do-not-send="true" href="FILE:/tmp/krb5cc_1387400001">FILE:/tmp/krb5cc_1387400001</a>)</tt> <tt>-bash-4.2$ logout</tt> <tt>-bash: /home/net/dean/.bash_logout: Permission denied</tt> <tt>Connection to desktop2 closed.</tt> <tt>[<a moz-do-not-send="true" href="mailto:dean@ipa2">dean@ipa2</a> ~]$ klist</tt> <tt>Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR</tt> <tt>Default principal: <a moz-do-not-send="true" href="mailto:dean@HUNTER.ORG">dean@HUNTER.ORG</a></tt> <tt>Valid starting Expires Service principal</tt> <tt>09/11/13 19:43:28 09/12/13 19:43:28 krbtgt/<a moz-do-not-send="true" href="mailto:HUNTER.ORG@HUNTER.ORG">HUNTER.ORG@HUNTER.ORG</a></tt> <tt>09/11/13 19:44:43 09/12/13 19:43:28 host/<a moz-do-not-send="true" href="mailto:desktop2.hunter.org@HUNTER.ORG">desktop2.hunter.org@HUNTER.ORG</a></tt> <tt>[<a moz-do-not-send="true" href="mailto:dean@ipa2">dean@ipa2</a> ~]$ </tt> </blockquote> <pre>_______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> Do I get it right: you tried twice and the first time it did not work while the second it did? There might be a race condition mounting your home directory using your ticket. <pre>-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> _______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I "ssh <a moz-do-not-send="true" href="mailto:dean@desktop2">dean@desktop2</a>" it will consistently fail as noted in my last note. However, if I: <ol type="1"> <li value="1" type="1">su - </li> <li value="2" type="1">ssh <a moz-do-not-send="true" href="mailto:dean@desktop2">dean@desktop2</a> </li> <li value="3" type="1">logout of <a moz-do-not-send="true" href="mailto:dean@desktop2">dean@desktop2</a> </li> <li value="4" type="1">logout of <a moz-do-not-send="true" href="mailto:root@ipa2">root@ipa2</a> </li> </ol> then "ssh dean@desktop2<a moz-do-not-send="true" href="mailto:dean@desktop2">"</a> succeeds! Does that answer your question? So I do not think there is a race. It is more like the super user session leaves something behind that was missing? </blockquote> Does it succeed if after step 3 but before step 4 you do kdestoy? <pre>-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </blockquote> Hah! Even better, it works the first time and every time, if I start with a kdestroy: <ol type="1"> <li value="1" type="1">From Virtual Machine Manager open ipa2 </li> <li value="2" type="1">Login as dean </li> <li value="3" type="1">Open a terminal </li> <li value="4" type="1">kdestroy </li> <li value="5" type="1">ssh <a moz-do-not-send="true" href="mailto:dean@desktop2">dean@desktop2</a> </li> <li value="6" type="1">logout </li> <li value="7" type="1">ssh <a moz-do-not-send="true" href="mailto:dean@desktop2">dean@desktop2</a> </li> <li value="8" type="1">logout </li> </ol> Now, the fun starts. Why do it do that? </blockquote> Now you need to see what you have before kdestroy. Klist will help to see what cache is in play. Then you need to see whether you as dean can access this cache (check permissions and SELinux). Based on the input you provided earlier the cache might be in <tt><a moz-do-not-send="true" href="FILE:/tmp/krb5cc_1387400001">FILE:/tmp/krb5cc_1387400001</a></tt> While after you login it is in <tt>DIR::/run/user/1387400001/krb5cc/tktFDDxRR </tt>The latter is the right one. All applications in Fedora starting F18 should use DIR cache. It seems that on this machine there is some other kerberized software (NFS client?) that is not configured or updated to create DIR cache style cache and continues to use FILE style cache. There have been a slew of bugs around this. It seems you are hitting one of those. Just FYI to avoid this confusion and to fight some race conditions related to creation of the /run/user/uid directory the cache is now moved to kernel and we are in process of updating different components to use it. <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>