[Freeipa-users] Permission Denied
Dmitri Pal
dpal at redhat.com
Thu Sep 12 01:34:17 UTC 2013
On 09/11/2013 09:27 PM, Dean Hunter wrote:
> On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
>> On 09/11/2013 08:49 PM, Dean Hunter wrote:
>>> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
>>>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>>> > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>> > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>> > >
>>>> > > > I do NOT believe this:
>>>> > > > [dean at ipa2 ~]$ ssh dean at desktop2
>>>> > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>> > > > Could not chdir to home directory /home/net/dean: Permission denied
>>>> > > > -bash: /home/net/dean/.bash_profile: Permission denied
>>>> > > >
>>>> > > > -bash-4.2$ logout
>>>> > > > -bash: /home/net/dean/.bash_logout: Permission denied
>>>> > > > Connection to desktop2 closed.
>>>> > > >
>>>> > > > [dean at ipa2 ~]$ su -
>>>> > > > Password:
>>>> > > >
>>>> > > > [root at ipa2 ~]# ssh dean at desktop2
>>>> > > > dean at desktop2's password:
>>>> > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>> > > >
>>>> > > > [dean at desktop2 ~]$ logout
>>>> > > > Connection to desktop2 closed.
>>>> > > >
>>>> > > > [root at ipa2 ~]# logout
>>>> > > >
>>>> > > > [dean at ipa2 ~]$ ssh dean at desktop2
>>>> > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>> > > >
>>>> > > > [dean at desktop2 ~]$
>>>> > > >
>>>> > >
>>>> > > Are you using a kerberized NFS mount?
>>>> > >
>>>> > > I think what is happening is that when going via SSH rpc.gssd cannot
>>>> > > find your ticket, ssh may be doing something "wrong" in this case.
>>>> > >
>>>> > > Simo.
>>>> > >
>>>> > Yes, I am using Kerberos with NFS.
>>>> >
>>>> > Should I report this as a bug?
>>>> >
>>>> We need to decide what component is faulty. It may be possible we can
>>>> get it working somehow.
>>>>
>>>> When you ssh in, what is the ccache ssh assigns you?
>>>> Can you run klist and post the output (sanitize it if needed)?
>>>>
>>>> Simo.
>>>>
>>> I hope this is what you requested:
>>>
>>> [dean at ipa2 ~]$ klist
>>> Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR
>>> Default principal: dean at HUNTER.ORG
>>>
>>> Valid starting     Expires            Service principal
>>> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/HUNTER.ORG at HUNTER.ORG
>>>
>>> [dean at ipa2 ~]$ ssh dean at desktop2
>>> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
>>> Could not chdir to home directory /home/net/dean: Permission denied
>>> -bash: /home/net/dean/.bash_profile: Permission denied
>>>
>>> -bash-4.2$ hostname
>>> desktop2.hunter.org
>>>
>>> -bash-4.2$ klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1387400001)
>>>
>>> -bash-4.2$ logout
>>> -bash: /home/net/dean/.bash_logout: Permission denied
>>> Connection to desktop2 closed.
>>>
>>> [dean at ipa2 ~]$ klist
>>> Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR
>>> Default principal: dean at HUNTER.ORG
>>>
>>> Valid starting     Expires            Service principal
>>> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/HUNTER.ORG at HUNTER.ORG
>>> 09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter.org at HUNTER.ORG
>>>
>>> [dean at ipa2 ~]$
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Do I get it right: you tried twice and the first time it did not work
>> while the second it did?
>> There might be a race condition mounting your home directory using
>> your ticket.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>
> Starting clean after rebuilding ipa2 and desktop2 and a gdm login to
> ipa2 as dean, if I "ssh dean at desktop2" it will
> consistently fail as noted in my last note. However, if I:
>
> 1. su -
> 2. ssh dean at desktop2
> 3. logout of dean at desktop2
> 4. logout of root at ipa2
>
> then "ssh dean at desktop2" succeeds!
>
> Does that answer your question? So I do not think there is a race.
> It is more like the super user session leaves something behind that
> was missing?
Does it succeed if after step 3 but before step 4 you do kdestroy?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.