[Freeipa-users] nfsv4+kerberos: group ID not mapped on newly created users, however user id is correct

Bjarne Blichfeldt BJB at jndata.dk
Thu Dec 8 07:57:00 UTC 2016


Anybody have any suggestion as to how to continue debugging this? The NFS server resolves usernames by lookup in FreeIPA LDAP.

After a lot of digging, I see that 4.4 introduced "krbcanonicalname"; no idea if that is relevant. Is there some LDAP update procedure I am missing? Just in case, I ran ipa-server-upgrade, which did not resolve the issue.



Regards
Bjarne Blichfeldt.

From: Bjarne Blichfeldt
Sent: 6. december 2016 14:29
To: freeipa-users at redhat.com
Subject: nfsv4+kerberos: group ID not mapped on newly created users, however user id is correct

VERSION: 4.4.0, API_VERSION: 2.213  on rhel7.

The IPA server was recently upgraded to version 4.4 from version 4.2 and it seems that we are having problems with users created after the upgrade. Of course, it could be something I forgot.

Our environment consists of an HDS NFS server, a couple of IPA servers (RHEL 7) and a lot of clients (RHEL 6). The NFS server is not part of the IdM domain, i.e. not joined, but of course has a keytab created on the IPA server. The NFS server provides common shares, mounted as krb5p on the clients.

All this works fine and the mapping is correct for all existing users. That is, if I log into a client, get a Kerberos ticket for myself and create a file on one of the shares, uid and gid are set to my uid and gid.

But if I create a new user on the ipa server and do the same, the gid on the newly created file is "nobody(99)"  whereas the uid is correct.
I have tested with two different users - same result.

klist shows the default principal to be correct.
For user mqm (uid=1414, gid=1414), rpc.gssd shows that after finding the user credentials, for some reason there is a switch to machine credentials:


Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '<null>'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: getting credentials for client with uid 1414 for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' being considered, with preferred realm 'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' owned by 1622800027, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x' being considered, with preferred realm 'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x'(mqm@DOMAINE.COM) passed all checks and has mtime of 1481022999
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' being considered, with preferred realm 'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' owned by 0, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' owned by 0, not 1414
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_bVlw8x as credentials cache for client with uid 1414 for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_1414_bVlw8x
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 1414 (save_uid 0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server nfs@jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid version!
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 1
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86363
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '*'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 'jnsa-dnt2.domaine.com' is 'jnsa-dnt2.domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 'nfsclient.domaine.com' is 'nfsclient.domaine.com'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfsclient$@DOMAINE.COM while getting keytab entry for 'nfsclient$@DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfsclient$@DOMAINE.COM while getting keytab entry for 'nfsclient$@DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for root/nfsclient.domaine.com@DOMAINE.COM while getting keytab entry for 'root/nfsclient.domaine.com@DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfs/nfsclient.domaine.com@DOMAINE.COM while getting keytab entry for 'nfs/nfsclient.domaine.com@DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Success getting keytab entry for 'host/nfsclient.domaine.com at DOMAINE.COM'
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAINE.COM
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 0 (save_uid 0)
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server nfs@jnsa-dnt2.domaine.com
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid version!
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 1
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86303

Regards
Bjarne Blichfeldt.
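A note on the rpc.gssd output quoted above, and an added diagnostic that is not part of the original post: the second upcall (uid=0, service='*') is rpc.gssd building a machine-credential context from the host keytab, which NFSv4 clients use for lease and state management alongside the per-user context; the uid 1414 context had already been established from the user's own ccache a few lines earlier. The gid problem is therefore more likely in id mapping than in the GSS exchange. The script below emulates the two LDAP lookups an LDAP-backed NFS server performs to turn a user into a group name (uid -> gidNumber, then the search `(&(objectClass=posixGroup)(gidNumber=N))`) over a constructed LDIF that mirrors the FreeIPA tree layout. The base DN, user names, numeric ids and the "newuser" case with no matching posixGroup entry are all assumptions made for the example, not data from the thread, and the script does not claim to identify the cause of the reported behaviour.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA: emulate the LDAP
# lookups an NFS server does to resolve a user's gidNumber to a group name.
# SAMPLE_LDIF is constructed to mirror the FreeIPA layout (cn=users and
# cn=groups under cn=accounts). Base DN, names and ids are assumptions.

SAMPLE_LDIF='
dn: uid=mqm,cn=users,cn=accounts,dc=domaine,dc=com
objectClass: posixaccount
objectClass: krbprincipalaux
uid: mqm
uidNumber: 1414
gidNumber: 1414
krbCanonicalName: mqm@DOMAINE.COM

dn: cn=mqm,cn=groups,cn=accounts,dc=domaine,dc=com
objectClass: posixgroup
objectClass: ipausergroup
cn: mqm
gidNumber: 1414

dn: uid=newuser,cn=users,cn=accounts,dc=domaine,dc=com
objectClass: posixaccount
uid: newuser
uidNumber: 1500
gidNumber: 1500

dn: cn=newuser,cn=groups,cn=accounts,dc=domaine,dc=com
objectClass: ipausergroup
cn: newuser
'

# gid_of_user LDIF UID: print the gidNumber of the posixAccount entry whose
# uid attribute equals UID; print nothing when there is no such entry.
gid_of_user() {
    printf '%s\n' "$1" | awk -v u="$2" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF record per awk record
        {
            is_user = 0; is_target = 0; gid = ""
            for (i = 1; i <= NF; i++) {
                if (tolower($i) == "objectclass: posixaccount") is_user = 1
                if ($i == ("uid: " u))                           is_target = 1
                if ($i ~ /^gidNumber: /)                         gid = substr($i, 12)
            }
            if (is_user && is_target) { print gid; exit }
        }'
}

# group_for_gid LDIF GID: emulate the search
#   (&(objectClass=posixGroup)(gidNumber=GID))
# and print the matching group cn, or "nobody" when nothing matches (the
# fallback seen on the files in the thread).
group_for_gid() {
    printf '%s\n' "$1" | awk -v g="$2" '
        BEGIN { RS = ""; FS = "\n"; name = "nobody" }
        {
            is_group = 0; has_gid = 0; cn = ""
            for (i = 1; i <= NF; i++) {
                if (tolower($i) == "objectclass: posixgroup") is_group = 1
                if ($i == ("gidNumber: " g))                  has_gid = 1
                if ($i ~ /^cn: /)                             cn = substr($i, 5)
            }
            if (is_group && has_gid) { name = cn; exit }   # exit still runs END
        }
        END { print name }'
}

# check_user_mapping LDIF UID: walk uid -> gidNumber -> group name and return
# non-zero when the chain ends in "nobody" or the user entry is missing.
check_user_mapping() {
    gid=$(gid_of_user "$1" "$2")
    if [ -z "$gid" ]; then
        printf '%s: no posixAccount entry found\n' "$2"
        return 2
    fi
    grp=$(group_for_gid "$1" "$gid")
    printf '%s uid->gid=%s gid->group=%s\n' "$2" "$gid" "$grp"
    [ "$grp" != "nobody" ]
}

# Demo over the constructed data. Against a live directory the equivalent
# searches are (assumed base DN; bind as the identity the NFS server uses):
#   ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=domaine,dc=com uid=mqm gidNumber
#   ldapsearch -Y GSSAPI -b cn=groups,cn=accounts,dc=domaine,dc=com \
#       '(&(objectClass=posixGroup)(gidNumber=1414))' cn
for u in mqm newuser nosuchuser; do
    check_user_mapping "$SAMPLE_LDIF" "$u" || true
done
```

Run the real searches with the same bind identity, base DN and filter the NFS appliance is configured with, and compare an old user against a freshly created one; on a client, `id mqm` and `getent group 1414` show whether the client side (NSS) resolves the same group, since NFSv4 id mapping on the client goes through the name service rather than straight to LDAP.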
