[Freeipa-users] nfsv4+kerberos: group ID not mapped on newly created users, however user id is correct

David Kupka dkupka at redhat.com
Thu Dec 8 08:39:55 UTC 2016


On 08/12/16 08:57, Bjarne Blichfeldt wrote:
> Anybody have any suggestion as how to continue debugging this? The nfs server resolves usernames by lookup in free-ipa ldap.
>
> After a lot of digging, I see that 4.4 introduced "krbcanonicalname", no idea if that is relevant. Is there some ldap update procedure I am missing? Just in case, I ran an ipa-server-upgrade, which did not resolve the issue.
>
>
>
> Regards
> Bjarne Blichfeldt.
>
> From: Bjarne Blichfeldt
> Sent: 6. december 2016 14:29
> To: freeipa-users at redhat.com
> Subject: nfsv4+kerberos: group ID not mapped on newly created users, however user id is correct
>
> VERSION: 4.4.0, API_VERSION: 2.213  on rhel7.
>
> ipa server was recently upgraded to version 4.4 from version 4.2 and it seems that we are having problems with users created after the upgrade. Of course, it could be
> something I forgot.
>
> Our environment consists of an hds nfs server, a couple of ipa servers - rhel7 - and a lot of clients - rhel6. The NFS server is not part of the idm domain, i.e. not joined, but of course has a keytab created on the ipa server. The NFS server provides common shares, mounted as krb5p on the clients.
>
> All this works fine and the mapping is correct for all existing users. That is, if I log into a client, get a Kerberos ticket for myself and create a file on
> one of the shares, uid and gid are set to my uid and gid.
>
> But if I create a new user on the ipa server and do the same, the gid on the newly created file is "nobody(99)"  whereas the uid is correct.
> I have tested with two different users - same result.
>
> klist shows the default principal to be correct.
> For user mqm uid=1414 gid=1414, rpc.gssd shows that after finding the user credentials, for some reason there is a switch to machine credentials:
>
>
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '<null>'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: getting credentials for client with uid 1414 for server jnsa-dnt2.domaine.com
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' being considered, with preferred realm 'DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' owned by 1622800027, not 1414
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x' being considered, with preferred realm 'DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x'(mqm at DOMAINE.COM) passed all checks and has mtime of 1481022999
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' being considered, with preferred realm 'DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_machine_DOMAINE.COM' owned by 0, not 1414
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_0' owned by 0, not 1414
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_bVlw8x as credentials cache for client with uid 1414 for server jnsa-dnt2.domaine.com
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_1414_bVlw8x
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 1414 (save_uid 0)
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server jnsa-dnt2.domaine.com
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server nfs at jnsa-dnt2.domaine.com
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid version!
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 1
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86363
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: process_krb5_upcall: service is '*'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 'jnsa-dnt2.domaine.com' is 'jnsa-dnt2.domaine.com'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Full hostname for 'nfsclient.domaine.com' is 'nfsclient.domaine.com'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfsclient$@DOMAINE.COM while getting keytab entry for 'nfsclient$@DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfsclient$@DOMAINE.COM while getting keytab entry for 'nfsclient$@DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for root/nfsclient.domaine.com at DOMAINE.COM while getting keytab entry for 'root/nfsclient.domaine.com at DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: No key table entry found for nfs/nfsclient.domaine.com at DOMAINE.COM while getting keytab entry for 'nfs/nfsclient.domaine.com at DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: Success getting keytab entry for 'host/nfsclient.domaine.com at DOMAINE.COM'
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DOMAINE.COM' are good until 1481109339
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAINE.COM
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context using fsuid 0 (save_uid 0)
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating tcp client for server jnsa-dnt2.domaine.com
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: port already set to 2049
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: creating context with server nfs at jnsa-dnt2.domaine.com
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: DEBUG: serialize_krb5_ctx: lucid version!
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: protocol 1
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> Dec  6 12:17:16 nfsclient rpc.gssd[1607]: doing downcall lifetime_rec 86303
>
> Regards
> Bjarne Blichfeldt.
>

Hello,
I'm almost sure that 'krbcanonicalname' has nothing to do with this. 
Adding krbcanonicalname attribute was done to allow principal aliases 
(multiple kerberos principals for one user/host/service), see [1] for 
details.

Unfortunately, I don't know what's wrong. SSSD is taking care of 
resolving users and groups on enrolled systems. "id mqm" should output 
something like "id=1414(mqm) gid=1414(mqm) groups=1414(mqm)" if it works 
properly.

[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases

-- 
David Kupka

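As an added triage aid, not part of this thread or of any FreeIPA or nfs-utils code: a small parser for rpc.gssd debug output of the shape quoted above. It groups the lines by upcall and flags a user upcall (uid != 0) that ends on machine credentials, gets no credential cache, or has its context built under a different fsuid than the requesting uid. The sample lines are constructed from the quoted log; the function names are my own.

```python
import re

# Constructed sample: a few rpc.gssd debug lines in the shape quoted in the thread.
SAMPLE_LOG = """\
nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=1414 enctypes=18,17,16,23,3,1,2 '
nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1622800027_u0vmh1' owned by 1622800027, not 1414
nfsclient rpc.gssd[1607]: CC file '/tmp/krb5cc_1414_bVlw8x'(mqm at DOMAINE.COM) passed all checks and has mtime of 1481022999
nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_1414_bVlw8x as credentials cache for client with uid 1414 for server jnsa-dnt2.domaine.com
nfsclient rpc.gssd[1607]: creating context using fsuid 1414 (save_uid 0)
nfsclient rpc.gssd[1607]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
nfsclient rpc.gssd[1607]: using FILE:/tmp/krb5cc_machine_DOMAINE.COM as credentials cache for machine creds
nfsclient rpc.gssd[1607]: creating context using fsuid 0 (save_uid 0)
"""

UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=(\w+) uid=(\d+)(?: service=(\S+))?")
REJECT_RE = re.compile(r"CC file '([^']+)' owned by (\d+), not (\d+)")   # ccache skipped: wrong owner
PRINC_RE = re.compile(r"CC file '[^']+'\(([^)]+)\) passed all checks")   # ccache accepted, principal
CC_USED_RE = re.compile(r"using (\S+) as credentials cache for (client with uid \d+|machine creds)")
FSUID_RE = re.compile(r"creating context using fsuid (\d+)")

def parse_gssd_log(text):
    """Group rpc.gssd debug lines by upcall and record how each one was resolved."""
    upcalls, cur = [], None
    for line in text.splitlines():
        m = UPCALL_RE.search(line)
        if m:  # a new kernel upcall starts a new record
            cur = {"uid": int(m.group(2)), "service": m.group(3), "rejected": [],
                   "principal": None, "ccache": None, "machine_creds": False, "fsuid": None}
            upcalls.append(cur)
            continue
        if cur is None: continue  # lines before the first upcall are ignored
        if (m := REJECT_RE.search(line)):
            cur["rejected"].append(m.group(1))
        elif (m := PRINC_RE.search(line)):
            cur["principal"] = m.group(1)
        elif (m := CC_USED_RE.search(line)):
            cur["ccache"], cur["machine_creds"] = m.group(1), m.group(2) == "machine creds"
        elif (m := FSUID_RE.search(line)):
            cur["fsuid"] = int(m.group(1))
    return upcalls

def credential_mismatches(upcalls):
    """Return (uid, reason) for user upcalls that did not end with that user's own credentials."""
    problems = []
    for u in upcalls:
        if u["uid"] != 0 and (u["ccache"] is None or u["machine_creds"]):
            problems.append((u["uid"], "user upcall resolved to machine creds or no ccache"))
        elif u["fsuid"] is not None and u["fsuid"] != u["uid"]:
            problems.append((u["uid"], "context created under fsuid %d" % u["fsuid"]))
    return problems
```

On the quoted log it reports no mismatch: the uid=1414 upcall is served from the user's own ticket cache, and the uid=0 upcall with service=* is a separate request that rpc.gssd serves with machine credentials, so the client-side credential selection is not where the gid goes wrong.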