[Freeipa-users] nfsnobody with ubuntu 14.04 in trusted relationship with AD

Domineaux Philippe pdomineaux at gmail.com
Wed Feb 10 17:03:45 UTC 2016


Hello all,

I have several virtual machines (on VirtualBox) running freeipa-client and
freeipa-server in a trust domain relationship with an Active Directory (AD),
also on a virtual machine.

Here are the details of the machines:

### Freeipa-server :
- Centos 7.2
- ipa-server-install 4.2.0

### client1 :
- centos 7.2
- ipa-client-install 4.2.0

### Nfs-server :
- centos 7.2
- ipa-client-install 4.2.0

### Client2 :
- Ubuntu 14.04 (trusty)
- ipa-client-install 3.3.4
also tried the unofficial 4.0.x backport
(https://launchpad.net/~freeipa/+archive/ubuntu/4.0)

Everything works fine except for the ubuntu client and the nfs mount :

- I can mount the share using the "-o sec=krb5" option, but the owner of the
folders is nobody. It seems to be just a display error because the permissions
on the files are good.
user1 cannot write to the folder of user2 and vice versa.


If I mount without kinit I get this (syslog ubuntu client):

Feb 10 17:09:38 client2 rpc.idmapd[417]: New client: 0
Feb 10 17:09:38 client2 kernel: [ 2709.796390] NFS: Registering the
id_resolver key type
Feb 10 17:09:38 client2 kernel: [ 2709.796399] Key type id_resolver
registered
Feb 10 17:09:38 client2 kernel: [ 2709.796399] Key type id_legacy registered
Feb 10 17:09:38 client2 rpc.idmapd[417]: Opened
/run/rpc_pipefs/nfs/clnt0/idmap
Feb 10 17:09:38 client2 rpc.idmapd[417]: New client: 1
Feb 10 17:09:38 client2 nfsidmap[2714]: key: 0x261c251d type: uid value:
root at ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Feb 10 17:09:38 client2 nfsidmap[2714]: nss_getpwnam: name 'root at ipa.local'
domain 'ipa.local': resulting localname 'root'
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: final return
value is 0
Feb 10 17:09:38 client2 nfsidmap[2716]: key: 0x314352bb type: gid value:
root at ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid:
nsswitch->name_to_gid returned 0
Feb 10 17:09:38 client2 nfsidmap[2716]: nfs4_name_to_gid: final return
value is 0
Feb 10 17:09:55 client2 nfsidmap[2722]: key: 0x29600d2b type: uid value:
adipa at domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name
'adipa at domino.local@ipa.local' domain 'ipa.local': resulting localname
'(null)'
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name
'adipa at domino.local@ipa.local' does not map into domain 'ipa.local'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid:
nsswitch->name_to_uid returned -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return
value is -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: calling
nsswitch->name_to_uid
Feb 10 17:09:55 client2 nfsidmap[2722]: nss_getpwnam: name 'nobody at ipa.local'
domain 'ipa.local': resulting localname 'nobody'
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid:
nsswitch->name_to_uid returned 0
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return
value is 0
Feb 10 17:09:55 client2 nfsidmap[2724]: key: 0x398852c2 type: gid value:
posix_users at domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -22
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: final return
value is -22
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: calling
nsswitch->name_to_gid
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid:
nsswitch->name_to_gid returned -2
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: final return
value is -2


But if I mount with, let's say, kinit admin, there are no logs in the syslog
file of the Ubuntu client.



Another thing is, when mounting on both clients (Ubuntu and CentOS), the
NFS server outputs:

"nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1 2 2 })
Unspecified GSS failure.  Minor code may provide more information, No
credentials cache found"
But it works for the CentOS client and not for the Ubuntu one.


### NFS server logs for client 2 (Ubuntu) :

Feb 10 17:30:01 nfsserver systemd: Created slice user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Starting user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Started Session 14 of user root.
Feb 10 17:30:01 nfsserver systemd: Starting Session 14 of user root.
Feb 10 17:30:01 nfsserver systemd: Removed slice user-0.slice.
Feb 10 17:30:01 nfsserver systemd: Stopping user-0.slice.
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Closing 'gssd' pipe for
/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt5
Feb 10 17:30:21 nfsserver rpc.gssd[756]: destroying client
/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt5
Feb 10 17:30:21 nfsserver rpc.gssd[756]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt6)
Feb 10 17:30:21 nfsserver rpc.gssd[756]: handle_gssd_upcall: 'mech=krb5
uid=0 target=host at client2.ipa.local service=nfs enctypes=18,17,16,23,3,1,2 '
Feb 10 17:30:21 nfsserver rpc.gssd[756]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt6)
Feb 10 17:30:21 nfsserver rpc.gssd[756]: process_krb5_upcall: service is
'nfs'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: krb5_use_machine_creds: uid 0
tgtname host at client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Full hostname for
'client2.ipa.local' is 'client2.ipa.local'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Full hostname for
'nfsserver.ipa.local' is 'nfsserver.ipa.local'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Success getting keytab entry for
'nfs/nfsserver.ipa.local at IPA.LOCAL'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:30:21 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:30:21 nfsserver rpc.gssd[756]: using
FILE:/tmp/krb5ccmachine_IPA.LOCAL as credentials cache for machine creds
Feb 10 17:30:21 nfsserver rpc.gssd[756]: using environment variable to
select krb5 ccache FILE:/tmp/krb5ccmachine_IPA.LOCAL
Feb 10 17:30:21 nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure.  Minor code may provide more information,
No credentials cache found
Feb 10 17:30:21 nfsserver rpc.gssd[756]: creating tcp client for server
client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: DEBUG: port already set to 50270
Feb 10 17:30:21 nfsserver rpc.gssd[756]: creating context with server
host at client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: WARNING: Failed to create krb5
context for user with uid 0 for server host at client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: WARNING: Failed to create machine
krb5context with cred cache FILE:/tmp/krb5ccmachine_IPA.LOCAL for server
client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: WARNING: Machine cache
prematurelyexpired or corrupted trying torecreate cache for server
client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Full hostname for
'client2.ipa.local' is 'client2.ipa.local'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Full hostname for
'nfsserver.ipa.local' is 'nfsserver.ipa.local'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: Success getting keytab entry for
'nfs/nfsserver.ipa.local at IPA.LOCAL'
Feb 10 17:30:21 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:30:21 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:30:21 nfsserver rpc.gssd[756]: using
FILE:/tmp/krb5ccmachine_IPA.LOCAL as credentials cache for machine creds
Feb 10 17:30:21 nfsserver rpc.gssd[756]: using environment variable to
select krb5 ccache FILE:/tmp/krb5ccmachine_IPA.LOCAL
Feb 10 17:30:21 nfsserver rpc.gssd[756]: creating tcp client for server
client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: DEBUG: port already set to 50270
Feb 10 17:30:21 nfsserver rpc.gssd[756]: creating context with server
host at client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: WARNING: Failed to create krb5
context for user with uid 0 for server host at client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: WARNING: Failed to create machine
krb5context with cred cache FILE:/tmp/krb5ccmachine_IPA.LOCAL for server
client2.ipa.local
Feb 10 17:30:21 nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure.  Minor code may provide more information,
No credentials cache found
Feb 10 17:30:21 nfsserver rpc.gssd[756]: WARNING: Failed to create
machinekrb5 context with any credentialscache for server client2.ipa.local
Feb 10 17:30:21 nfsserver rpc.gssd[756]: doing error downcall

### NFS server logs for client 1 (centos 7) :

Feb 10 17:34:00 nfsserver rpc.gssd[756]: Closing 'gssd' pipe for
/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt0
Feb 10 17:34:00 nfsserver rpc.gssd[756]: destroying client
/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt0
Feb 10 17:34:00 nfsserver rpc.gssd[756]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt8)
Feb 10 17:34:00 nfsserver rpc.gssd[756]: handle_gssd_upcall: 'mech=krb5
uid=0 target=nfs at client1.ipa.local service=nfs enctypes=18,17,16,23,3,1,2 '
Feb 10 17:34:00 nfsserver rpc.gssd[756]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt8)
Feb 10 17:34:00 nfsserver rpc.gssd[756]: process_krb5_upcall: service is
'nfs'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: krb5_use_machine_creds: uid 0
tgtname nfs at client1.ipa.local
Feb 10 17:34:00 nfsserver rpc.gssd[756]: Full hostname for
'client1.ipa.local' is 'client1.ipa.local'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: Full hostname for
'nfsserver.ipa.local' is 'nfsserver.ipa.local'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: Success getting keytab entry for
'nfs/nfsserver.ipa.local at IPA.LOCAL'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:34:00 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:34:00 nfsserver rpc.gssd[756]: using
FILE:/tmp/krb5ccmachine_IPA.LOCAL as credentials cache for machine creds
Feb 10 17:34:00 nfsserver rpc.gssd[756]: using environment variable to
select krb5 ccache FILE:/tmp/krb5ccmachine_IPA.LOCAL
Feb 10 17:34:00 nfsserver rpc.gssd[756]: creating tcp client for server
client1.ipa.local
Feb 10 17:34:00 nfsserver rpc.gssd[756]: DEBUG: port already set to 42165
Feb 10 17:34:00 nfsserver rpc.gssd[756]: WARNING: can't create tcp rpc_clnt
to server client1.ipa.local for user with uid 0: RPC: Remote system error -
No route to host
Feb 10 17:34:00 nfsserver rpc.gssd[756]: WARNING: Failed to create machine
krb5context with cred cache FILE:/tmp/krb5ccmachine_IPA.LOCAL for server
client1.ipa.local
Feb 10 17:34:00 nfsserver rpc.gssd[756]: WARNING: Machine cache
prematurelyexpired or corrupted trying torecreate cache for server
client1.ipa.local
Feb 10 17:34:00 nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure.  Minor code may provide more information,
No credentials cache found
Feb 10 17:34:00 nfsserver rpc.gssd[756]: Full hostname for
'client1.ipa.local' is 'client1.ipa.local'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: Full hostname for
'nfsserver.ipa.local' is 'nfsserver.ipa.local'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: Success getting keytab entry for
'nfs/nfsserver.ipa.local at IPA.LOCAL'
Feb 10 17:34:00 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:34:00 nfsserver rpc.gssd[756]: INFO: Credentials in CC
'FILE:/tmp/krb5ccmachine_IPA.LOCAL' are good until 1455202622
Feb 10 17:34:00 nfsserver rpc.gssd[756]: using
FILE:/tmp/krb5ccmachine_IPA.LOCAL as credentials cache for machine creds
Feb 10 17:34:00 nfsserver rpc.gssd[756]: using environment variable to
select krb5 ccache FILE:/tmp/krb5ccmachine_IPA.LOCAL
Feb 10 17:34:00 nfsserver rpc.gssd[756]: creating tcp client for server
client1.ipa.local
Feb 10 17:34:00 nfsserver rpc.gssd[756]: DEBUG: port already set to 42165
Feb 10 17:34:00 nfsserver gssproxy: gssproxy[659]: (OID: { 1 2 840 113554 1
2 2 }) Unspecified GSS failure.  Minor code may provide more information,
No credentials cache found
Feb 10 17:34:00 nfsserver rpc.gssd[756]: WARNING: can't create tcp rpc_clnt
to server client1.ipa.local for user with uid 0: RPC: Remote system error -
No route to host
Feb 10 17:34:00 nfsserver rpc.gssd[756]: WARNING: Failed to create machine
krb5context with cred cache FILE:/tmp/krb5ccmachine_IPA.LOCAL for server
client1.ipa.local
Feb 10 17:34:00 nfsserver rpc.gssd[756]: WARNING: Failed to create
machinekrb5 context with any credentialscache for server client1.ipa.local
Feb 10 17:34:00 nfsserver rpc.gssd[756]: doing error downcall


So my question is :
How can I deal with this display problem?
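
Added example, not part of the original post: a small Python parser that groups the client-side nfsidmap lines above by request and reports which names mapped, which only resolved on the retry, and which never resolved. The sample lines are constructed from the syslog in the post (unwrapped, with the archive's " at " restored to "@"); the function and constant names are assumptions.

```python
import errno
import re

# Constructed sample: nfsidmap lines taken from the post's client syslog,
# unwrapped, with the list archive's " at " restored to "@".
SAMPLE = """\
Feb 10 17:09:38 client2 nfsidmap[2714]: key: 0x261c251d type: uid value: root@ipa.local timeout 600
Feb 10 17:09:38 client2 nfsidmap[2714]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2722]: key: 0x29600d2b type: uid value: adipa@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is -22
Feb 10 17:09:55 client2 nfsidmap[2722]: nfs4_name_to_uid: final return value is 0
Feb 10 17:09:55 client2 nfsidmap[2724]: key: 0x398852c2 type: gid value: posix_users@domino.local@ipa.local timeout 600
Feb 10 17:09:55 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -22
Feb 10 17:09:56 client2 nfsidmap[2724]: nfs4_name_to_gid: final return value is -2
""".splitlines()

KEY_RE = re.compile(r"nfsidmap\[(\d+)\]: key: \S+ type: (uid|gid) value: (\S+) timeout")
RET_RE = re.compile(r"nfsidmap\[(\d+)\]: nfs4_name_to_[ug]id: final return value is (-?\d+)")


def summarize_idmap(lines):
    """Group nfsidmap lines by PID: one request key, then each lookup result."""
    requests = {}
    for line in lines:
        m = KEY_RE.search(line)
        if m:
            pid, kind, name = m.groups()
            requests[pid] = {"type": kind, "name": name, "codes": []}
            continue
        m = RET_RE.search(line)
        if m and m.group(1) in requests:
            requests[m.group(1)]["codes"].append(int(m.group(2)))
    report = []
    for req in requests.values():
        codes = req["codes"]
        if codes and codes[0] == 0:
            outcome = "mapped"      # requested name resolved directly
        elif codes and codes[-1] == 0:
            outcome = "fallback"    # retry (nobody@ipa.local in the post) resolved
        else:
            outcome = "unmapped"    # no lookup succeeded
        errs = [errno.errorcode.get(-c, str(c)) for c in codes if c < 0]
        report.append((req["type"], req["name"], outcome, errs))
    return report


if __name__ == "__main__":
    for row in summarize_idmap(SAMPLE):
        print(row)
```

On the post's log this separates root@ipa.local, which maps directly, from the two AD names of the form name@domino.local@ipa.local, which do not map into domain 'ipa.local'.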