[Freeipa-users] Wrong principal in request in NFS mount
Matthew Carter
redbranchwarrior at gmail.com
Fri Feb 3 18:21:02 UTC 2017
So I have two test machines that I set up because of this same problem
on my secure offline network. One of the test machines is a server that
has FreeIPA and NFS running on it, the other test machine is a client
that mounts two NFS shares from the server using krb5i sec.
Upon initial install, everything works as it is supposed to. The domain
users can log in just fine, the mount mounts perfectly.
If I remove the client from the domain using:
ipa-client-automount --uninstall
ipa-client-install --uninstall
And then on the server:
ipa-client-automount --uninstall
ipa-server-install --uninstall
then delete the ca.crt, run sss -E (to clear the sssd caches), rm
/tmp/krb5*
and then reinstall the server:
ipa-server-install
service sshd restart
kinit admin
ipa service-add nfs/server.dar.lan
ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k
/etc/krb5.keytab
ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k
/etc/krb5.keytab
ipa-client-automount
and reinstall on the client:
ipa-client-install
ipa-client-automount
I believe I now have the same setup as I had before.
I can kinit and get a ticket:
Ticket cache: FILE:/tmp/krb5cc_615200000_TinxaO
Default principal: admin@DAR.LAN
Valid starting Expires Service principal
02/03/17 12:54:02 02/04/17 12:53:59 krbtgt/DAR.LAN@DAR.LAN
My domain users can log in to their desktops.
But I can't mount the shares.
I get:
mount.nfs4: timeout set for Fri Feb 3 12:58:36 2017
mount.nfs4: trying text-based options
'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting
server:/NFS_SHARE/USERS
mount.nfs4: timeout set for Fri Feb 3 12:58:36 2017
mount.nfs4: trying text-based options
'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting
server:/NFS_SHARE/admin
Originally I chased permissions, but when I started looking at
/var/log/messages on the server, I noticed that rpcgssd was complaining
about a wrong principal.
On the server I executed kadmin.local and then listprincs
K/M@DAR.LAN
krbtgt/DAR.LAN@DAR.LAN
kadmin/server.dar.lan@DAR.LAN
kadmin/admin@DAR.LAN
kadmin/changepw@DAR.LAN
ldap/server.dar.lan@DAR.LAN
host/server.dar.lan@DAR.LAN
HTTP/server.dar.lan@DAR.LAN
nfs/server.dar.lan@DAR.LAN
s_sharkey@DAR.LAN
host/as1.dar.lan@DAR.LAN
and then a getprinc on nfs/server.dar.lan@DAR.LAN:
Principal: nfs/server.dar.lan@DAR.LAN
Expiration date: [never]
Last password change: Thu Feb 02 15:31:24 EST 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Feb 02 15:31:24 EST 2017
(nfs/server.dar.lan@DAR.LAN)
Last successful authentication: Thu Feb 02 16:52:16 EST 2017
Last failed authentication: Fri Feb 03 12:09:14 EST 2017
Failed password attempts: 1
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
looking at my keytab, klist -ke /etc/krb5.keytab
1 2 host/server.dar.lan@DAR.LAN
2 1 nfs/server.dar.lan@DAR.LAN
3 3 host/server.dar.lan@DAR.LAN
4 3 host/server.dar.lan@DAR.LAN
5 3 host/server.dar.lan@DAR.LAN
6 3 host/server.dar.lan@DAR.LAN
7 2 nfs/server.dar.lan@DAR.LAN
8 2 nfs/server.dar.lan@DAR.LAN
9 2 nfs/server.dar.lan@DAR.LAN
10 2 nfs/server.dar.lan@DAR.LAN
I saw I had two extra older kt's so I used kadmin.local to remove them
with modprinc. Not sure where they came from...
I again tried to mount, this time using -vvv in /etc/sysconfig/nfs for
rpcgssd, rpcsvcgssd, and rpcbind, and /var/log/messages output this on
the server (I'll only paste the data from one mount attempt as there are
two mounts and they're complaining identically):
Feb 3 12:25:32 server rpc.svcgssd[4796]: leaving poll
Feb 3 12:25:32 server rpc.svcgssd[4796]: handling null request
Feb 3 12:25:32 server rpc.svcgssd[4796]: svcgssd_limit_krb5_enctypes:
Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Feb 3 12:25:32 server rpc.svcgssd[4796]: WARNING:
gss_accept_sec_context failed
Feb 3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - Wrong principal in
request
Feb 3 12:25:32 server rpc.svcgssd[4796]: sending null reply
Feb 3 12:25:32 server rpc.svcgssd[4796]: writing message: \x
REPEATED 3x . . .
Feb 3 12:25:32 server rpc.svcgssd[4796]: finished handling null request
Feb 3 12:25:32 server audispd: node=server type=SYSCALL
msg=audit(1486142732.066:592): arch=c000003e syscall=87 success=yes
exit=0 a0=2110480 a1=c2 a2=1a a3=f items=2 ppid=1 pid=4525 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=(none) ses=1 comm="gnome-terminal" exe="/usr/bin/gnome-terminal"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"
Feb 3 12:25:32 server audispd: node=server type=CWD
msg=audit(1486142732.066:592): cwd="/home/adminnt"
Feb 3 12:25:32 server rpc.svcgssd[4796]: entering poll
Feb 3 12:25:34 as1 audispd: node=as1 type=SYSCALL
msg=audit(1486142734.451:79839): arch=c000003e syscall=165 success=no
exit=-13 a0=7ffcb5014564 a1=7f00d8823ea0 a2=7f00d72133f6 a3=0 items=17
ppid=7132 pid=7133 auid=615200000 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mount.nfs4"
exe="/sbin/mount.nfs"
subj=unconfined_u:unconfined_r:unconfined_mount_t:s0-s0:c0.c1023
key="export"
Feb 3 12:25:34 as1 audispd: node=as1 type=CWD
msg=audit(1486142734.451:79839): cwd="/usr"
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=0 name="/NFS_SHARE" inode=654083
dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:default_t:s0 nametype=NORMAL
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=1 name=(null) inode=103 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=2 name=(null) inode=103 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=3 name=(null) inode=280 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=4 name=(null) inode=280 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=5 name=(null) inode=281 dev=00:12
mode=0100400 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=6 name=(null) inode=280 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=7 name=(null) inode=282 dev=00:12
mode=010600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=8 name=(null) inode=280 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=9 name=(null) inode=283 dev=00:12
mode=010600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=10 name=(null) inode=280 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=11 name=(null) inode=284 dev=00:12
mode=010600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=12 name=(null) inode=103 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=13 name=(null) inode=103 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=14 name=(null) inode=285 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=15 name=(null) inode=285 dev=00:12
mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=16 name=(null) inode=286 dev=00:12
mode=0100400 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
I apologize for the wall o' words, but you know how log files can be.
So my setup naming conventions are exactly as they were during the initial install,
which worked. The config files shouldn't have changed. It seems as if
the principal name, KVNO, and the keytab match up. Did something not get
cleaned properly?
Currently I can mount just fine without krb5i security, but my Govt STIG
requires it for NFS mounts and I'm stuck.
Thanks for any help!
Matt
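As an added example, not from the original post, here is a POSIX shell check for the keytab-versus-KDC KVNO comparison the poster walks through by hand above: it reads a ktutil-style "slot kvno principal" listing and a "principal kvno" list taken from the KDC and reports entries whose KVNO lags the KDC's. The function name stale_slots and the sample listings are constructed for this example, mirroring the values shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: report keytab entries whose
# KVNO is older than the KVNO the KDC currently holds for that principal.
# rpc.svcgssd can only accept a ticket if the keytab holds the key matching
# the KDC's current kvno and enctype, so a lagging entry is worth flagging.
#
# $1: keytab listing as "slot kvno principal" lines (ktutil "rkt"/"list" form)
# $2: KDC view as "principal kvno" lines (e.g. taken from kadmin.local getprinc)
stale_slots() {
    keytab="$1"
    kdc="$2"
    printf '%s\n' "$keytab" | while read -r slot kvno princ; do
        [ -n "$princ" ] || continue
        # Current kvno for this principal as the KDC knows it.
        cur=$(printf '%s\n' "$kdc" | awk -v p="$princ" '$1 == p { print $2 }')
        if [ -z "$cur" ]; then
            echo "slot $slot: $princ is not known to the KDC"
        elif [ "$kvno" -lt "$cur" ]; then
            echo "slot $slot: $princ kvno $kvno < KDC kvno $cur (stale)"
        elif [ "$kvno" -gt "$cur" ]; then
            echo "slot $slot: $princ kvno $kvno > KDC kvno $cur (KDC behind?)"
        fi
    done
}

# Constructed sample input mirroring the listings in the post: host/ has one
# old kvno 2 entry next to kvno 3 entries; nfs/ has kvno 1 and kvno 2 entries
# while the KDC's getprinc output shows vno 3.
KEYTAB_LISTING='1 2 host/server.dar.lan@DAR.LAN
2 1 nfs/server.dar.lan@DAR.LAN
3 3 host/server.dar.lan@DAR.LAN
4 3 host/server.dar.lan@DAR.LAN
7 2 nfs/server.dar.lan@DAR.LAN
8 2 nfs/server.dar.lan@DAR.LAN'
KDC_KVNOS='host/server.dar.lan@DAR.LAN 3
nfs/server.dar.lan@DAR.LAN 3'

stale_slots "$KEYTAB_LISTING" "$KDC_KVNOS"
```

On a live host the two inputs would come from ktutil ("rkt /etc/krb5.keytab", then "list") and from kadmin.local getprinc for each service principal.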