On Wed, 2013-09-11 at 21:34 -0400, Dmitri Pal wrote:
> On 09/11/2013 09:27 PM, Dean Hunter wrote:
>
> > On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
> >
> > > On 09/11/2013 08:49 PM, Dean Hunter wrote:
> > >
> > > > On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> > > >
> > > > > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > > > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > > > > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > > > >
> > > > > > > > I do NOT believe this:
> > > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > > > > > > > Could not chdir to home directory /home/net/dean: Permission denied
> > > > > > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > > > > >
> > > > > > > > -bash-4.2$ logout
> > > > > > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > > > > > Connection to desktop2 closed.
> > > > > > > >
> > > > > > > > [dean@ipa2 ~]$ su -
> > > > > > > > Password:
> > > > > > > >
> > > > > > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > > > > > dean@desktop2's password:
> > > > > > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > > > > > > >
> > > > > > > > [dean@desktop2 ~]$ logout
> > > > > > > > Connection to desktop2 closed.
> > > > > > > >
> > > > > > > > [root@ipa2 ~]# logout
> > > > > > > >
> > > > > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > > > > > > >
> > > > > > > > [dean@desktop2 ~]$
> > > > > > > >
> > > > > > >
> > > > > > > Are you using a kerberized NFS mount?
> > > > > > >
> > > > > > > I think what is happening is that when going via SSH rpc.gssd cannot
> > > > > > > find your ticket, ssh may be doing something "wrong" in this case.
> > > > > > >
> > > > > > > Simo.
> > > > > > >
> > > > > > Yes, I am using Kerberos with NFS.
> > > > > >
> > > > > > Should I report this as a bug?
> > > > > >
> > > > > We need to decide what component is faulty. It may be possible we can
> > > > > get it working somehow.
> > > > >
> > > > > > When you ssh in, what is the ccache ssh assigns you?
> > > > > > Can you run klist and post the output (sanitize it if needed)?
> > > > >
> > > > > Simo.
> > > > >
> > > >
> > > > I hope this is what you requested:
> > > >
> > > > [dean@ipa2 ~]$ klist
> > > > Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR
> > > > Default principal: [email protected]
> > > >
> > > > > Valid starting     Expires            Service principal
> > > > > 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/[email protected]
> > > >
> > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> > > > > Could not chdir to home directory /home/net/dean: Permission denied
> > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > >
> > > > -bash-4.2$ hostname
> > > > desktop2.hunter.org
> > > >
> > > > -bash-4.2$ klist
> > > > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1387400001)
> > > >
> > > > -bash-4.2$ logout
> > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > Connection to desktop2 closed.
> > > >
> > > > [dean@ipa2 ~]$ klist
> > > > Ticket cache: DIR::/run/user/1387400001/krb5cc/tktFDDxRR
> > > > Default principal: [email protected]
> > > >
> > > > > Valid starting     Expires            Service principal
> > > > > 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/[email protected]
> > > > > 09/11/13 19:44:43  09/12/13 19:43:28  host/[email protected]
> > > >
> > > > [dean@ipa2 ~]$
> > > >
> > > > _______________________________________________
> > > > Freeipa-users mailing list
> > > > [email protected]
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > >
> > > Do I get it right: you tried twice and the first time it did not
> > > work while the second it did?
> > > There might be a race condition mounting your home directory using
> > > your ticket.
> > >
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager for IdM portfolio
> > > Red Hat Inc.
> > >
> > >
> > > -------------------------------
> > > Looking to carve out IT costs?
> > > www.redhat.com/carveoutcosts/
> > >
> > >
> >
> >
> > Starting clean after rebuilding ipa2 and desktop2 and a gdm login to
> > ipa2 as dean, if I "ssh dean@desktop2" it will consistently fail as
> > noted in my last note. However, if I:
> > 1. su -
> > 2. ssh dean@desktop2
> > 3. logout of dean@desktop2
> > 4. logout of root@ipa2
> > then "ssh dean@desktop2" succeeds!
> >
> > Does that answer your question? So I do not think there is a race.
> > It is more like the super user session leaves something behind that
> > was missing?
>
>
> Does it succeed if, after step 3 but before step 4, you do kdestroy?
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
Hah! Even better, it works the first time and every time, if I start
with a kdestroy:
1. From Virtual Machine Manager open ipa2
2. Login as dean
3. Open a terminal
4. kdestroy
5. ssh dean@desktop2
6. logout
7. ssh dean@desktop2
8. logout
Now, the fun starts. Why do it do that?