
freeipa team mailing list archive

[Bug 1843500] [NEW] freeipa-client not receiving kerberos ticket for NFS home directories


Public bug reported:

- freeipa-client 4.7.0~pre1+git20180411-2ubuntu2
- ubuntu 18.04 fully updated
- freeipa-server 4.6.4 10.el7.centos.3
- home directory is on Debian NFS server. The NFS server is a member of the IPA domain.
- home directory is automounted from automount definition on IPA domain.
- IPA automount key: * : -fstype=nfs4,nfsvers=4.2,sec=krb5,rw,sync alioth.logisys.ht:/users/&

The following is what I am observing. I can't be sure it's replicable. I
mean it happens on my network but I have yet to see a similar
description on Google.

- Turn on the client machine. Login. Work.

- At this point, klist will show 2 Kerberos tickets:

Default principal: philippe@xxxxxxxxxxxxxxx

Valid starting       Expires              Service principal
09/10/2019 06:44:26  09/11/2019 06:44:26  krbtgt/IPA.EXAMPLE.COM@xxxxxxxxxxxxxxx
09/10/2019 06:44:27  09/11/2019 06:44:27  nfs/alioth.example.com@xxxxxxxxxxxxxxx

- Logout.

- Login as admin user, then issue:

sudo -u philippe klist

for the same result as above.

- After a few hours, login.

- The login is successful but my home directory is unreachable and not
mounted.

- Logout and login again as an admin user, then issue:

sudo -u philippe klist

Default principal: philippe@xxxxxxxxxxxxxxx

Valid starting       Expires              Service principal
09/10/2019 11:54:32  09/11/2019 11:54:32  krbtgt/IPA.EXAMPLE.COM@xxxxxxxxxxxxxxx

There is no ticket for the NFS server. I have verified that those
tickets are issued with 24 hours validity. The tickets are supposedly
not destroyed by the system in case the user has CRON jobs to run. So
the NFS ticket is expired by the system but the TGT is kept around. My
expectation would be that on that login, the client would request a new
NFS ticket. I think it does but the server denies it.

What I have tried:

- kdestroy on logout does not work. A new login will not connect to the home directory.
- Restart autofs, sssd, kerberos on the client.
- I changed the Kerberos keyring location on the client to a FILE.
- Between logins, restart the NFS server processes.
- Between logins, reboot the NFS server.
- Between logins, reboot the IPA server (including the backup).

So far the only thing that works reliably is rebooting the client
machine.

Please note that as far as I can tell, the absence of the NFS ticket may
not be an issue. It's just that it's too much of a coincidence. But I
don't know nearly enough about Kerberos and sssd to dive into that rabbit
hole.

I hope this is clear enough. Anyway, just holler for more info.

Thanks in advance,
Philippe

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "krb5.conf + sssd.conf"
   https://bugs.launchpad.net/bugs/1843500/+attachment/5287865/+files/conf.tgz
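As an added diagnostic example (not part of the original report or of the freeipa project), the following Python parses klist output in the table format shown above and reports whether the user's credential cache still holds a valid service ticket for the NFS server. The two sample dumps are constructed copies of the report's klist output; the realm IPA.EXAMPLE.COM is an assumption standing in for the redacted value, and the host alioth.example.com and the timestamps come from the report. It assumes the default klist date format shown on the page.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: klist output from a fresh login, as in the report.
# The realm IPA.EXAMPLE.COM is assumed (it is redacted on the page).
KLIST_OK = """\
Default principal: philippe@IPA.EXAMPLE.COM

Valid starting       Expires              Service principal
09/10/2019 06:44:26  09/11/2019 06:44:26  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
09/10/2019 06:44:27  09/11/2019 06:44:27  nfs/alioth.example.com@IPA.EXAMPLE.COM
"""

# Constructed sample: klist output after the home directory stopped mounting.
KLIST_MISSING = """\
Default principal: philippe@IPA.EXAMPLE.COM

Valid starting       Expires              Service principal
09/10/2019 11:54:32  09/11/2019 11:54:32  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist's default US-style timestamp
TICKET_RE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)\s*$"
)


def parse_time(text: str) -> datetime:
    """Parse one klist timestamp such as '09/10/2019 06:44:26'."""
    return datetime.strptime(text, TIME_FMT)


def parse_klist(text: str) -> Dict:
    """Return the default principal and the ticket table from klist output.

    Lines that are not ticket rows (headers, blank lines, indented
    'renew until' lines) are skipped.
    """
    cache: Dict = {"principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            cache["principal"] = line.split(":", 1)[1].strip()
            continue
        match = TICKET_RE.match(line)
        if match:
            cache["tickets"].append({
                "service": match["principal"],
                "start": parse_time(match["start"]),
                "expires": parse_time(match["expires"]),
            })
    return cache


def find_ticket(cache: Dict, service_prefix: str) -> Optional[Dict]:
    """First ticket whose service principal starts with service_prefix."""
    for ticket in cache["tickets"]:
        if ticket["service"].startswith(service_prefix):
            return ticket
    return None


def ticket_lifetime_hours(ticket: Dict) -> float:
    """Validity window of a ticket in hours (the report expects 24)."""
    delta: timedelta = ticket["expires"] - ticket["start"]
    return delta.total_seconds() / 3600.0


def nfs_ticket_status(text: str, nfs_host: str, now: datetime) -> str:
    """Classify the cache for mounting sec=krb5 NFS from nfs_host at time now.

    'no_tgt'  - no krbtgt ticket, so nothing can be requested at all
    'missing' - TGT present, but no nfs/<host> service ticket (the report's case)
    'expired' - nfs/<host> ticket present but outside its validity window
    'ok'      - a currently valid nfs/<host> ticket is in the cache
    """
    cache = parse_klist(text)
    if find_ticket(cache, "krbtgt/") is None:
        return "no_tgt"
    nfs = find_ticket(cache, f"nfs/{nfs_host}@")
    if nfs is None:
        return "missing"
    if not (nfs["start"] <= now < nfs["expires"]):
        return "expired"
    return "ok"


if __name__ == "__main__":
    check_time = parse_time("09/10/2019 12:00:00")
    for label, dump in (("fresh login", KLIST_OK), ("later login", KLIST_MISSING)):
        print(f"{label}: nfs/alioth.example.com ->",
              nfs_ticket_status(dump, "alioth.example.com", check_time))
```

Run against a live cache with `klist | python3 check_nfs_ticket.py` after wrapping `sys.stdin.read()` around the sample, or call `nfs_ticket_status` from a login hook; a result of `missing` while a TGT is still present is exactly the state the report describes, and distinguishing it from `expired` and `no_tgt` tells you whether to look at the client's ticket request (sssd, gssproxy/rpc.gssd) or at the KDC.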

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1843500
