[Freeipa-users] IPA,NFS4,krb5p Ticket expired error

Dmitri Pal dpal at redhat.com
Tue Feb 26 19:30:01 UTC 2013


On 02/26/2013 02:03 PM, Johan Petersson wrote:
> Hi,
>
> I have an IPA server and an NFS4 server sharing home directories with
> autofs and krb5p as the only valid authentication.
> Mail: Postfix/Dovecot, both with STARTTLS and GSSAPI.
> All servers and clients are Red Hat 6.3 and updated with latest kernel
> and everything else.
>
> If I start and log in locally as user1 on an IPA client machine,
> everything works perfectly initially, including mail and the home directory.
> I then start experiencing errors when trying to ssh to other servers, as in
> ssh user1 at mail.example.com.
> Nothing happens, no password prompt, nothing, until I have to Ctrl-C
> (tried leaving it overnight, still the same).
> Mail stops working; Thunderbird complains about expired credentials.
> If I ssh as root to the server and then try either su user1 or
> su - user1, both get the same result as ssh user1.
> Sometimes a su has actually worked and I can browse to my
> mounted home directory, but I get permission denied when trying to access it.
> id works and the permissions on the home directory look OK, but I can't
> access it anyway.
>
> The only thing I have found that helps is to log out user1 on the client,
> log in as root and then ssh as user1.
> In that case I get a password prompt and it works with the home directory.
> If I then log out root and log in as user1, mail, ssh and su work again
> for some time.
>
> I guess the credential renewal works in that case.
>
> Firewalls are turned off; I tried setenforce 0 and autofs in debug log mode
> but found nothing.
>
> Even sshd logging and verbose ssh show nothing wrong.
> It is as if everything works but an expired ticket or something similar
> generates the error; the tickets are new, though, and should be valid.
>
> The only error messages I have been able to find are:
>
> IPA server /var/log/messages show:
> rpc.gssd[1116]: Error doing stat on file '/tmp/krb5cc_48' 
>
> automount[1197]: sasl_log_func:98: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Ticket expired)
>
> Anyone have an idea what this could be and how to solve it?
>
> I am really thankful for any help.
>
> Regards,
> Johan.
>

This looks very much as if when you ssh into the remote system the home
directory NFS mount fails.
Can you try to configure a local directory and see if the problem goes
away? If this helps, then I would see what is going on with the NFS
client on the system.

Also, I do not know how your SSH is configured. Does it actually delegate
the ticket?
AFAIU the system you SSH into needs to have a TGT to be able to mount an
NFS share on behalf of the user.
This is as far as I can go with what I know and what can be done without
actually looking at the logs on the system.

HTH


> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
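The two things the reply asks about, whether the client still holds a valid TGT and whether ssh is configured to delegate it to the target host, can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA: it parses `klist` output in the `MM/DD/YY HH:MM:SS` layout that krb5 on RHEL 6 prints, resolves `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` from an `ssh_config` text using OpenSSH's first-value-wins rule for `Host` blocks (`Match` blocks and negated patterns are not handled), and reports the gaps. The `klist` and `ssh_config` samples are constructed, not captured from the poster's systems; the `diagnose` function and its wording are this example's own. Note that delegation only helps when the TGT is forwardable (`forwardable = true` in `[libdefaults]` of krb5.conf, or `kinit -f`).

```python
import fnmatch
import re
from datetime import datetime

# klist (krb5 on RHEL 6) prints one row per ticket as
#   MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service/principal@REALM
_KLIST_ROW = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
_TS_FMT = "%m/%d/%y %H:%M:%S"


def parse_ts(text):
    """Parse a klist-style timestamp such as '02/26/13 14:03:00'."""
    return datetime.strptime(text, _TS_FMT)


def parse_klist(klist_text):
    """Return [(service_principal, valid_from, expires)] from klist output.
    Header lines and 'renew until' continuation lines do not match the row
    pattern and are skipped."""
    tickets = []
    for line in klist_text.splitlines():
        m = _KLIST_ROW.match(line.strip())
        if m:
            tickets.append((m.group(3), parse_ts(m.group(1)), parse_ts(m.group(2))))
    return tickets


def tgt_status(klist_text, now, realm):
    """'valid', 'expired' or 'missing' for krbtgt/REALM@REALM at time `now`."""
    for principal, _valid_from, expires in parse_klist(klist_text):
        if principal == "krbtgt/%s@%s" % (realm, realm):
            return "valid" if expires > now else "expired"
    return "missing"


def ssh_gssapi_options(config_text, hostname):
    """Resolve the two GSSAPI client options for `hostname` from ssh_config text.
    OpenSSH keeps the FIRST value obtained for an option, so an earlier Host
    block (or a setting before any Host line) wins over a later one.  Only
    'Host' patterns are handled; 'Match' and '!' negation are not (this
    example's simplification)."""
    wanted = {"gssapiauthentication": None, "gssapidelegatecredentials": None}
    active = True                 # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch.fnmatchcase(hostname.lower(), p.lower())
                         for p in value.split())
            continue
        if active and key in wanted and wanted[key] is None:
            wanted[key] = (value.lower() == "yes")
    # Both options default to "no" in OpenSSH when never set.
    return {k: bool(v) for k, v in wanted.items()}


def diagnose(klist_text, config_text, hostname, now, realm):
    """Return a list of findings; an empty list means nothing obvious was found."""
    findings = []
    status = tgt_status(klist_text, now, realm)
    if status != "valid":
        findings.append("TGT for %s is %s: run kinit before ssh" % (realm, status))
    opts = ssh_gssapi_options(config_text, hostname)
    if not opts["gssapiauthentication"]:
        findings.append("GSSAPIAuthentication is off for %s" % hostname)
    if not opts["gssapidelegatecredentials"]:
        findings.append("GSSAPIDelegateCredentials is off for %s: the remote "
                        "host gets no TGT to mount a krb5 NFS home" % hostname)
    return findings


# Constructed sample inputs (not captured from the poster's systems).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
02/26/13 09:00:00  02/26/13 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/05/13 09:00:00
02/26/13 09:00:05  02/26/13 19:00:00  nfs/nfs.example.com@EXAMPLE.COM
"""

SAMPLE_SSH_CONFIG = """\
# Constructed ssh_config: a per-host override placed before the catch-all block
Host mail.example.com
    GSSAPIDelegateCredentials no
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

if __name__ == "__main__":
    for host in ("mail.example.com", "nfs.example.com"):
        print(host, diagnose(SAMPLE_KLIST, SAMPLE_SSH_CONFIG, host,
                             parse_ts("02/26/13 14:03:00"), "EXAMPLE.COM"))
```

Run against real data by feeding it the output of `klist` and the contents of `~/.ssh/config` plus `/etc/ssh/ssh_config` (user file first, as ssh reads them). With the sample config, `mail.example.com` gets no delegated TGT because the host-specific `no` is read before the `Host *` block's `yes`, which is exactly the kind of ordering mistake that makes one target misbehave while others work.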


