← Back to team overview

freeipa team mailing list archive

[Bug 1733571] [NEW] unable to access kerberized nfs4 shares with keyring ccache

 

Public bug reported:

# Problem

With default `ipa-client-install` method, users authenticated to
kerberos cannot access kerberized nfs shares from other ipa joined
ubuntu hosts, even though permissions are correct.

# Steps to reproduce

1. Set up FreeIPA server on CentOS 7 per default docs
2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` one `client.domain.tld`, join both to FreeIPA
3. Create principals `nfs/server.domain.tld` and `nfs/client.domain.tld`
4. Create user in FreeIPA `testuser`
5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,rw,fsid=root,crossmnt,no_subtree_check,root_squash)`, run `exportfs -rav`
6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
8. Log in as `testuser` and `kinit testuser` if necessary
9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/some_file`

# Expected result

Changing of working directory to `/srv/nfs4`, listing directory contents
and creating new file

# Actual result

`Permission denied`

# Reason

After quite some time debugging I found that `gssd` in Ubuntu 16.04
cannot read kernel persistent keyrings for kerberos' ccache. Removing
the line `default_ccache_name = KEYRING:persistent:%{uid}` from
`/etc/krb5.conf` solved the issue.

This config file is created by `ipa-client-install` in
`configure_krb5_conf()` after `#configure KEYRING CCACHE if supported`.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-client 4.3.1-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
Uname: Linux 4.4.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.12
Architecture: amd64
Date: Tue Nov 21 12:41:59 2017
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1733571

Title:
  unable to access kerberized nfs4 shares with keyring ccache

Status in freeipa package in Ubuntu:
  New

Bug description:
  # Problem

  With default `ipa-client-install` method, users authenticated to
  kerberos cannot access kerberized nfs shares from other ipa joined
  ubuntu hosts, even though permissions are correct.

  # Steps to reproduce

  1. Set up FreeIPA server on CentOS 7 per default docs
  2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` one `client.domain.tld`, join both to FreeIPA
  3. Create principals `nfs/server.domain.tld` and `nfs/client.domain.tld`
  4. Create user in FreeIPA `testuser`
  5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,rw,fsid=root,crossmnt,no_subtree_check,root_squash)`, run `exportfs -rav`
  6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
  7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
  8. Log in as `testuser` and `kinit testuser` if necessary
  9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/some_file`

  # Expected result

  Changing of working directory to `/srv/nfs4`, listing directory
  contents and creating new file

  # Actual result

  `Permission denied`

  # Reason

  After quite some time debugging I found that `gssd` in Ubuntu 16.04
  cannot read kernel persistent keyrings for kerberos' ccache. Removing
  the line `default_ccache_name = KEYRING:persistent:%{uid}` from
  `/etc/krb5.conf` solved the issue.

  This config file is created by `ipa-client-install` in
  `configure_krb5_conf()` after `#configure KEYRING CCACHE if
  supported`.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
  Uname: Linux 4.4.0-101-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.12
  Architecture: amd64
  Date: Tue Nov 21 12:41:59 2017
  JournalErrors:
   Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
         Users in the 'systemd-journal' group can see all messages. Pass -q to
         turn off this notice.
   No journal files were opened due to insufficient permissions.
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1733571/+subscriptions


Follow ups