These lines come up on every server I try connecting to when using -vvv for rpcgssapi on the server:

Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'
Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt
Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net
Feb 27 14:46:22 mail rpc.gssd[2210]: doing error downcall

The user with uid 1644800003 is the one I try to connect with, and it is logged in locally on the connecting client.

Also on the IPA server I get this line on every connection attempt to any server:

rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'

Regards,
Johan

________________________________________
From: Rob Crittenden [[email protected]]
Sent: Wednesday, February 27, 2013 21:10
To: Johan Petersson
Cc: [email protected]; [email protected]
Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

Johan Petersson wrote:
>
> A typo from me, it is 192.168.1/24 in exports.

Do you have forwardable tickets?

$ klist -f

It should have F in the flags.

If so, try adding -o 'GSSAPIDelegateCredentials yes' into your ssh/slogin line to see if that helps. This should forward your credentials.

rob

>
> Regards
> Johan
>
> ______________________________________
> From: Rob Townley [[email protected]]
> Sent: Wednesday, February 27, 2013 18:12
> To: Johan Petersson
> Cc: [email protected]; [email protected]
> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
>
> /etc/exports does not look right.
> Try 192.168.1.0/24
> or change to asterisk *
>
> On Wednesday, February 27, 2013, Johan Petersson <[email protected]> wrote:
>> I think you are right, ssh always works to the nfs server and I believe that is because the home directory is situated there.
>>
>> All ssh/sshd configuration is default from the IPA client install.
>> The only things changed are the necessary autofs configuration, and that is straight from the manual.
>>
>> I use strict NFS4 with port 2049 only open. (Tried with all firewalls and selinux disabled, no difference.)
>> Home directory is exported as:
>> /nethomes 192.168.1.0(rw,sync,sec=krb5p)
>>
>> IPA autofs map
>> default/auto_nethome * -fstype=nfs4 -sec=krb5p,rw,soft, share.test.net:/nethomes/&
>>
>> -fstype=nfs4 I had to use to get autofs working; through a firewall with only port 2049 open it got crazy otherwise, rambling about nfs2 and 3.
>> -sec=krb5p I had to put in the autofs map since otherwise autofs ignored the settings in exports and tried an empty -o when mounting, and thus failed because of no kerberos auth.
>>
>> I have updated everything to RHEL 6.4 now but no change.
>>
>> Thunderbird complains that my ticket was not accepted.
>>
>> NFS server shows this in logs:
>> rpc.gssd[2060]: ERROR: failed to read service info
>> rpc.gssd[2060]: WARNING: can't create tcp rpc_clnt to server laptop1.test.net for user with uid 0: RPC: Remote system error - No route to host
>>
>> Network is fine and all firewalls down.
>> Do you want any other logs besides debug autofs?
>>
>> Thanks for the help.
>>
>> Regards,
>> Johan.
>>
>> ________________________________
>> From: [email protected] [[email protected]] on behalf of Dmitri Pal [[email protected]]
>> Sent: Tuesday, February 26, 2013 20:30
>> To: [email protected]
>> Subject: Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error
>>
>> On 02/26/2013 02:03 PM, Johan Petersson wrote:
>>
>> Hi,
>> I have an IPA server and an NFS4 server sharing home directories with autofs and krb5p as the only valid authentication.
>> Mail Postfix/Dovecot both with startTLS and GSSAPI.
>> All servers and clients are Red Hat 6.3 and updated with the latest kernel and everything else.
>> If I start and log in locally as user1 on an IPA client machine everything works perfectly, including mail and home directory, initially.
>> I then start experiencing errors when trying to ssh to other servers as ssh [email protected].
>> Nothing happens, no password question, nothing until I have to ctrl-c (tried leaving it overnight - still the same).
>> Mail stops working, Thunderbird complains about expired credentials.
>> If I use ssh as root to the server and then try either su user1 or su - user1, both get the same result as ssh user1.
>> Sometimes a su has actually worked and I can browse to my mounted home directory but get permission denied when trying to access it.
>> id works and permissions on the home directory show ok but I can't access it anyway.
>> The only thing I have found that helps is to log out user1 on the client, log in as root and then ssh as user1.
>> In that case I get a password question and it works with the home directory.
>> If I then log out root and log in as user1, mail, ssh and su work again for some time.
>> I guess the credential renewal works in that case.
>> Firewalls turned off, tried setenforce=0 and autofs in debug log mode but find nothing.
>> Even sshd logging on and verbose ssh show nothing wrong.
>> It is like everything works but an expired ticket or something similar generates the error; the tickets are new though and should be valid.
>> The only error messages I have been able to find are:
>> IPA server /var/log/messages shows:
>> rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48'
>> automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>> Anyone have an idea what this could be and how to solve it?
>> I am really thankful for any help.
>> Regards,
>> Johan.
>>
>> This looks very much as if when you ssh into the remote system the home directory NFS mount fails.
>> Can you try to configure a local directory and see if the problem goes away?
>> If this helps then I would see what is going on with the NFS client on the system.
>>
>> Also I do not know how your SSH is configured. Does it actually delegate the ticket?
>> AFAIU the system you SSH into needs to have a TGT to be able to mount an NFS share on behalf of the user.
>> This is as far as I can go with what I know and what can be done without actually looking at the logs on the system.
>>
>> HTH
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
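An added example, not code from anyone in this thread: a small Python check that scripts the two things the replies point at, whether the TGT in `klist -f` is unexpired and carries the F (forwardable) flag that ssh needs to delegate it for the NFS mount, and which credential cache, uid and server the rpc.gssd lines quoted above complain about. The `klist -f` output is constructed to look like RHEL 6 output (principal, cache name and times made up); the rpc.gssd lines are the ones Johan quoted.

```python
import re
from datetime import datetime

# Constructed `klist -f` output in the shape RHEL 6 prints; principal, cache and times are made up.
SAMPLE_KLIST = """\
Default principal: user1@TEST.NET
Valid starting     Expires            Service principal
02/27/13 08:00:00  02/27/13 14:00:00  krbtgt/TEST.NET@TEST.NET
\tFlags: IA
02/27/13 08:00:05  02/27/13 14:00:00  nfs/share.test.net@TEST.NET
\tFlags: AT
"""
# The rpc.gssd lines quoted at the top of the thread, one list entry per log line.
SAMPLE_GSSD = [
    "Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' being considered, with preferred realm 'TEST.NET'",
    "Feb 27 14:46:22 mail rpc.gssd[2210]: CC file '/tmp/krb5cc_1644800003_8T4y9x' is expired or corrupt",
    "Feb 27 14:46:22 mail rpc.gssd[2210]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net",
]
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d{2,4}) (\d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{2,4}) (\d\d:\d\d:\d\d)\s+(\S+)$")
FLAGS_RE = re.compile(r"^\s*Flags: (\S+)")
GSSD_RE = re.compile(r"rpc\.gssd\[\d+\]: (?:CC file '([^']+)' is expired or corrupt"
                     r"|WARNING: Failed to create krb5 context for user with uid (\d+) for server (\S+))")

def parse_ts(date, time):
    # RHEL 6 klist prints two-digit years, newer krb5 prints four; accept both
    return datetime.strptime(date + " " + time, "%m/%d/%y %H:%M:%S" if len(date) == 8 else "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """One dict per ticket: service principal, expiry datetime and the -f flag string."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(5), "expires": parse_ts(m.group(3), m.group(4)), "flags": ""})
            continue
        f = FLAGS_RE.match(line)
        if f and tickets:
            tickets[-1]["flags"] = f.group(1)  # the Flags line belongs to the ticket printed just above it
    return tickets

def tgt_status(tickets, now):
    """What ssh has to delegate so the remote host can mount NFS for the user: an unexpired, forwardable (F) TGT."""
    tgt = next((t for t in tickets if t["service"].startswith("krbtgt/")), None)
    if tgt is None:
        return "no TGT in cache"
    if tgt["expires"] <= now:
        return "TGT expired"
    return "ok" if "F" in tgt["flags"] else "TGT not forwardable (no F flag)"

def gssd_failures(lines):
    """(cache, uid, server) for each rpc.gssd failure line; groups absent from a line are None."""
    return [m.groups() for m in map(GSSD_RE.search, lines) if m]
```

Run it against real `klist -f` output on the client before the ssh hop; a TGT that lacks F, or is already past its expiry by the time rpc.gssd on the far side looks at the forwarded cache, produces exactly the "expired or corrupt" line seen above.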
