[Freeipa-users] Error with kerberos users

Dmitri Pal dpal at redhat.com
Tue Mar 3 17:59:13 UTC 2015


On 03/03/2015 12:35 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> On Tuesday, 3 March 2015, 11:15:14, Dmitri Pal wrote:
>> On 03/03/2015 10:39 AM, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> what is wrong on my setup?
>>> This is a "normal" install with ipa-server-install and ipa-client install
>>> on 5 KVM clients.
>>>
>>> CentOs 7
>>>
>>>
>>>
>>> WARNING: Failed to create krb5 context for user with uid 225200001 for
>>> server bbs.gjn.prv
> Can this be correct ??
>
> I make a kinit with this user ?
>
>
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6912]: doing error downcall
>>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall
>>> (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5
>>> uid=225200001 enctypes=18,17,16,23,3,1,2 '
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: handling krb5 upcall
>>> (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: process_krb5_upcall: service is
>>> '<null>'
>> I assume this is a log from the nfs client showing the attempt to access
>> NFS server.
>> Seems like something is misconfigured in the nfs configuration or there
>> is a mismatch between the acceptable encryption types on the server and
>> on the client.
> Yes this is a log from nfs-client but on the server I have the same Errors.
>   
> I have read all the docs I found .-(.
>   
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: ERROR: GSS-API: error in
>>> gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code
>>> may
>>> provide more information) - No Kerberos credentials available
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with
>>> uid 225200001 for server bbs.gjn.prv
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV'
>>> being
>>> considered, with preferred realm 'GJN.PRV'
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV'
>>> owned by 0, not 225200001
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with
>>> uid 225200001 for server bbs.gjn.prv
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory
>>> '/run/user/225200001': No such file or directory
> Why do I have no User (?) and this is not created by a kinit?
>
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5
>>> context for user with uid 225200001 for server bbs.gjn.prv
>
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: doing error downcall
>>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall
>>> (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5
>>> uid=225200001 enctypes=18,17,16,23,3,1,2 '
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: handling krb5 upcall
>>> (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: process_krb5_upcall: service is
>>> '<null>'
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: ERROR: GSS-API: error in
>>> gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code
>>> may
>>> provide more information) - No Kerberos credentials available
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with
>>> uid 225200001 for server bbs.gjn.prv
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV'
>>> being
>>> considered, with preferred realm 'GJN.PRV'
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV'
>>> owned by 0, not 225200001
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with
>>> uid 225200001 for server bbs.gjn.prv
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: Error doing scandir on directory
>>> '/run/user/225200001': No such file or directory
>>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: WARNING: Failed to create krb5
>>> context for user with uid 225200001 for server bbs.gjn.prv
>   
> Thanks for the answer.
>

If this is the client, let us step back and ask the following questions:
a) Are users resolvable using id command and friends?
b) Can you do kinit as an ipa user from the client?
c) Can you log in to that system?

In 7 the credential cache created by SSSD is in the kernel keyring but it 
seems that the NFS client is looking for it in /tmp.

What is the sequence of operations? What do you actually do before you 
observe this error (for example: reboot, log into the system using sssd...)?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
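
An added example, not part of the original message or of any FreeIPA/nfs-utils code: a small triage script that reads rpc.gssd debug output like the log quoted above and lists, for each failed lookup, which credential cache locations were tried and why each was rejected. The sample input is the thread's own log lines with the e-mail line wrapping undone; the function and field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Log lines from the thread above, with the e-mail line wrapping undone.
SAMPLE = """\
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5 uid=225200001 enctypes=18,17,16,23,3,1,2 '
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 225200001 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 225200001
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory '/run/user/225200001': No such file or directory
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5 context for user with uid 225200001 for server bbs.gjn.prv
"""

LINE = re.compile(r"rpc\.gssd\[(\d+)\]: (.*)$")
WRONG_OWNER = re.compile(r"CC '([^']+)' owned by (\d+), not (\d+)")
NO_DIR = re.compile(r"Error doing scandir on directory '([^']+)': (.+)")
FAILED = re.compile(r"Failed to create krb5 context for user with uid (\d+) for server (\S+)")


def triage(text):
    """Group rpc.gssd messages by worker PID and return one record per failed
    credential lookup, with the cache locations tried and the rejection reason."""
    tried = defaultdict(list)   # pid -> [(path, reason), ...]
    failures = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue            # not an rpc.gssd line
        pid, msg = int(m.group(1)), m.group(2)
        if (w := WRONG_OWNER.search(msg)):
            tried[pid].append((w.group(1), f"owned by uid {w.group(2)}, wanted {w.group(3)}"))
        elif (d := NO_DIR.search(msg)):
            tried[pid].append((d.group(1), d.group(2)))
        elif (f := FAILED.search(msg)):
            # The WARNING line closes the lookup; attach what this PID tried before it.
            failures.append({"pid": pid, "uid": int(f.group(1)),
                             "server": f.group(2), "tried": tried.pop(pid, [])})
    return failures


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(f"uid {rec['uid']} -> {rec['server']} (rpc.gssd[{rec['pid']}])")
        for path, why in rec["tried"]:
            print(f"  {path}: {why}")
```

On the sample, every location in the report is a filesystem path (/tmp and /run/user), which is the mismatch with a keyring-based cache that the reply points at.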



