[Freeipa-users] Wrong principal in request in NFS mount

Matthew Carter redbranchwarrior at gmail.com
Fri Feb 3 18:21:02 UTC 2017


So I have two test machines that I set up because of this same problem 
on my secure offline network. One of the test machines is a server that 
has FreeIPA and NFS running on it, the other test machine is a client 
that mounts two NFS shares from the server using krb5i sec.

Upon initial install, everything works as it is supposed to. The domain 
users can log in just fine, the mount mounts perfectly.

If I remove the client from the domain using:

     ipa-client-automount --uninstall

     ipa-client-install --uninstall


And then on the server:

     ipa-client-automount --uninstall

     ipa-server-install --uninstall

     then delete the ca.crt, run sss -E (to clear the sssd caches), rm /tmp/krb5*


and then reinstall the server:

     ipa-server-install

     service sshd restart

     kinit admin

     ipa service-add nfs/server.dar.lan

     ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k /etc/krb5.keytab

     ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k /etc/krb5.keytab

     ipa-client-automount


and reinstall on the client:

     ipa-client-install

     ipa-client-automount


I believe I now have the same setup as I had before.

I can kinit and get a ticket:

     Ticket cache: FILE:/tmp/krb5cc_615200000_TinxaO
     Default principal: admin at DAR.LAN

     Valid starting     Expires            Service principal
     02/03/17 12:54:02  02/04/17 12:53:59 krbtgt/DAR.LAN at DAR.LAN

My domain users can log in to their desktops.

But I can't mount the shares.

I get:

     mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
     mount.nfs4: trying text-based options 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
     mount.nfs4: mount(2): Permission denied
     mount.nfs4: access denied by server while mounting server:/NFS_SHARE/USERS
     mount.nfs4: timeout set for Fri Feb  3 12:58:36 2017
     mount.nfs4: trying text-based options 'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
     mount.nfs4: mount(2): Permission denied
     mount.nfs4: access denied by server while mounting server:/NFS_SHARE/admin


Originally I chased permissions, but when I started looking at 
/var/log/messages on the server, I noticed that rpcgssd was complaining 
about a wrong principal.

On the server I executed kadmin.local and then listprincs:

K/M at DAR.LAN
krbtgt/DAR.LAN at DAR.LAN
kadmin/server.dar.lan at DAR.LAN
kadmin/admin at DAR.LAN
kadmin/changepw at DAR.LAN
ldap/server.dar.lan at DAR.LAN
host/server.dar.lan at DAR.LAN
HTTP/server.dar.lan at DAR.LAN
nfs/server.dar.lan at DAR.LAN
s_sharkey at DAR.LAN
host/as1.dar.lan at DAR.LAN

and then a getprinc on nfs/server.dar.lan at DAR.LAN:

     Principal: nfs/server.dar.lan at DAR.LAN
     Expiration date: [never]
     Last password change: Thu Feb 02 15:31:24 EST 2017
     Password expiration date: [none]
     Maximum ticket life: 1 day 00:00:00
     Maximum renewable life: 7 days 00:00:00
     Last modified: Thu Feb 02 15:31:24 EST 2017 (nfs/server.dar.lan at DAR.LAN)
     Last successful authentication: Thu Feb 02 16:52:16 EST 2017
     Last failed authentication: Fri Feb 03 12:09:14 EST 2017
     Failed password attempts: 1
     Number of keys: 4
     Key: vno 3, aes256-cts-hmac-sha1-96, no salt
     Key: vno 3, aes128-cts-hmac-sha1-96, no salt
     Key: vno 3, des3-cbc-sha1, no salt
     Key: vno 3, arcfour-hmac, no salt
     MKey: vno 1
     Attributes: REQUIRES_PRE_AUTH
     Policy: [none]

looking at my keytab, klist -ke /etc/krb5.keytab

        1    2 host/server.dar.lan at DAR.LAN
        2    1 nfs/server.dar.lan at DAR.LAN
        3    3 host/server.dar.lan at DAR.LAN
        4    3 host/server.dar.lan at DAR.LAN
        5    3 host/server.dar.lan at DAR.LAN
        6    3 host/server.dar.lan at DAR.LAN
        7    2 nfs/server.dar.lan at DAR.LAN
        8    2 nfs/server.dar.lan at DAR.LAN
        9    2 nfs/server.dar.lan at DAR.LAN
       10    2 nfs/server.dar.lan at DAR.LAN

I saw I had two extra older kt's so I used kadmin.local to remove them 
with modprinc. Not sure where they came from. . .

I again tried to mount, this time using -vvv in /etc/sysconfig/nfs for 
rpcgssd, rpcsvcgssd, and rpcbind, and /var/log/messages output this on 
the server (I'll only paste the data from one mount attempt, as there 
are two mounts and they're complaining identically):

Feb  3 12:25:32 server rpc.svcgssd[4796]: leaving poll
Feb  3 12:25:32 server rpc.svcgssd[4796]: handling null request
Feb  3 12:25:32 server rpc.svcgssd[4796]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Feb  3 12:25:32 server rpc.svcgssd[4796]: WARNING: gss_accept_sec_context failed
Feb  3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
Feb  3 12:25:32 server rpc.svcgssd[4796]: sending null reply
Feb  3 12:25:32 server rpc.svcgssd[4796]: writing message: \x ... 1486142792 851968 2529639056 \x \x
REPEATED 3x . . .

Feb  3 12:25:32 server rpc.svcgssd[4796]: finished handling null request
Feb  3 12:25:32 server audispd: node=server type=SYSCALL msg=audit(1486142732.066:592): arch=c000003e syscall=87 success=yes exit=0 a0=2110480 a1=c2 a2=1a a3=f items=2 ppid=1 pid=4525 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-terminal" exe="/usr/bin/gnome-terminal" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"
Feb  3 12:25:32 server audispd: node=server type=CWD msg=audit(1486142732.066:592):  cwd="/home/adminnt"
Feb  3 12:25:32 server rpc.svcgssd[4796]: entering poll
Feb  3 12:25:34 as1 audispd: node=as1 type=SYSCALL msg=audit(1486142734.451:79839): arch=c000003e syscall=165 success=no exit=-13 a0=7ffcb5014564 a1=7f00d8823ea0 a2=7f00d72133f6 a3=0 items=17 ppid=7132 pid=7133 auid=615200000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mount.nfs4" exe="/sbin/mount.nfs" subj=unconfined_u:unconfined_r:unconfined_mount_t:s0-s0:c0.c1023 key="export"
Feb  3 12:25:34 as1 audispd: node=as1 type=CWD msg=audit(1486142734.451:79839):  cwd="/usr"
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=0 name="/NFS_SHARE" inode=654083 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 nametype=NORMAL
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=1 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=2 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=3 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=4 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=5 name=(null) inode=281 dev=00:12 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=6 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=7 name=(null) inode=282 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=8 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=9 name=(null) inode=283 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=10 name=(null) inode=280 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=11 name=(null) inode=284 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=12 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=13 name=(null) inode=103 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=14 name=(null) inode=285 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=15 name=(null) inode=285 dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb  3 12:25:34 as1 audispd: node=as1 type=PATH msg=audit(1486142734.451:79839): item=16 name=(null) inode=286 dev=00:12 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE


I apologize for the wall o' words, but you know how log files can be.

So my setup's naming conventions are exactly as they were during the initial 
install, which worked. The config files shouldn't have changed. It seems as if 
the principal name, KVNO, and the keytab match up. Did something not get 
cleaned properly?

Currently I can mount just fine without krb5i security, but my Govt STIG 
requires it for NFS mounts and I'm stuck.


Thanks for any help!


Matt
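
As an added example (not part of the post above, and not FreeIPA or MIT Kerberos code), here is a small Python check that parses the two listings a reader would compare in a case like this, `klist -ke` on the keytab and kadmin `getprinc` for each service principal, and reports, per principal, whether the keytab holds the key version the KDC currently uses, which keytab entries are stale, and whether every enctype the KDC lists at that KVNO is present. The sample listings are constructed to mirror the post's: `getprinc` reports the nfs principal at vno 3, while the keytab only carries nfs entries at kvno 1 and 2, and the check reports exactly that. Principal names use `@`, which the list archive renders as ` at `.

```python
"""Compare a keytab listing against KDC principal data (added example).

Parses the text output of `klist -ke` and of kadmin's `getprinc`, then
reports for each principal whether the keytab has an entry at the KVNO
the KDC currently uses. Sample listings below are constructed, shaped
like the ones in the mailing-list post.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the post's keytab listing
# (slot, KVNO, principal) with the enctype column `klist -ke` adds.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    2 host/server.dar.lan@DAR.LAN (aes256-cts-hmac-sha1-96)
   2    1 nfs/server.dar.lan@DAR.LAN (aes256-cts-hmac-sha1-96)
   3    3 host/server.dar.lan@DAR.LAN (aes256-cts-hmac-sha1-96)
   4    3 host/server.dar.lan@DAR.LAN (aes128-cts-hmac-sha1-96)
   5    3 host/server.dar.lan@DAR.LAN (des3-cbc-sha1)
   6    3 host/server.dar.lan@DAR.LAN (arcfour-hmac)
   7    2 nfs/server.dar.lan@DAR.LAN (aes256-cts-hmac-sha1-96)
   8    2 nfs/server.dar.lan@DAR.LAN (aes128-cts-hmac-sha1-96)
   9    2 nfs/server.dar.lan@DAR.LAN (des3-cbc-sha1)
  10    2 nfs/server.dar.lan@DAR.LAN (arcfour-hmac)
"""

# Constructed sample in the layout of kadmin `getprinc` output, one block
# per principal, trimmed to the fields the check needs.
KDC_LISTING = """\
Principal: host/server.dar.lan@DAR.LAN
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, arcfour-hmac, no salt
Principal: nfs/server.dar.lan@DAR.LAN
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, arcfour-hmac, no salt
"""

# Optional slot column, KVNO, principal, optional "(enctype)".
KEYTAB_LINE = re.compile(r"^\s*(?:\d+\s+)?(\d+)\s+(\S+@\S+)(?:\s+\(([^)]+)\))?\s*$")
KEY_LINE = re.compile(r"^\s*Key:\s+vno\s+(\d+),\s+([^,]+),")


def parse_keytab_listing(text):
    """Map principal -> {kvno -> set(enctypes)} from `klist -ke` text."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            entries[principal][int(kvno)].add(enctype or "?")
    return entries


def parse_getprinc(text):
    """Map principal -> (current kvno, set(enctypes at that kvno))."""
    keys = defaultdict(lambda: defaultdict(set))
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            continue
        m = KEY_LINE.match(line)
        if m and current:
            keys[current][int(m.group(1))].add(m.group(2).strip())
    # The highest vno the KDC lists is the one new tickets are issued under.
    return {p: (max(by_kvno), set(by_kvno[max(by_kvno)])) for p, by_kvno in keys.items()}


def check_keytab(keytab, kdc):
    """Return (principal, finding) pairs; 'ok' means the KDC's current kvno
    is in the keytab with every enctype the KDC lists for it."""
    findings = []
    for principal in sorted(kdc):
        kvno, enctypes = kdc[principal]
        in_keytab = keytab.get(principal, {})
        if not in_keytab:
            findings.append((principal, "not in keytab"))
            continue
        stale = sorted(v for v in in_keytab if v < kvno)
        if stale:
            findings.append((principal, "stale kvno(s) %s (KDC is at %d)" % (stale, kvno)))
        if kvno not in in_keytab:
            findings.append((principal, "keytab has no entry for current kvno %d" % kvno))
            continue
        missing = sorted(enctypes - in_keytab[kvno])
        if missing:
            findings.append((principal, "kvno %d lacks enctypes %s" % (kvno, missing)))
        else:
            findings.append((principal, "ok"))
    return findings


if __name__ == "__main__":
    report = check_keytab(parse_keytab_listing(KEYTAB_LISTING), parse_getprinc(KDC_LISTING))
    for principal, finding in report:
        print("%-32s %s" % (principal, finding))
```

On a real host the two inputs would be the output of `klist -ke /etc/krb5.keytab` and of `kadmin.local -q 'getprinc nfs/server.dar.lan'` for each service principal; a keytab that lacks the KDC's current KVNO is cheap to rule out before chasing export permissions, and stale entries left behind by a previous install are exactly what a reinstall without removing the old keytab tends to produce.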

