Appreciate the help.
Not sure if it's a client issue? We were running into an issue with Kerberos ticket
sizes over 2K, so that's why I've been looking into RHEL 7 with gssproxy. This
user has a ticket under 2K, so it works fine on a RHEL 6 NFS Server.
Client:
$ getent passwd 55555555
svc9u998:x:55555555:1003:Unix Isilon/NIS/NAS test id:/nfs/home6/trpapp/svc9u998:/bin/ksh
NFS Server:
(rhel7nfsclient)# getent passwd 55555555
svc9u998:x:55555555:1003:Unix Isilon/NIS/NAS test id:/nfs/home6/trpapp/svc9u998:/bin/ksh
Here's the dir permissions.
(rhel7nfsclient)# more /etc/exports
/nfsv3kb5 *(rw,sec=sys:krb5:krb5p:krb5i,sync,no_root_squash)
(rhel7nfsclient)# showmount -e
Export list for rhel7nfsclient:
/nfsv3kb5 *
(rhel7nfsclient)# ls -ld /nfsv3kb5
drwxrwxrwx 2 root root 4096 Jan 9 11:55 /nfsv3kb5
(labisilon1)# ls -ld /rhel7nfsclient
drwxrwxrwx 2 root root 4096 Jan 7 16:36 /rhel7nfsclient
Thanks again.
-----Original Message-----
From: Simo Sorce [mailto:simo@redhat.com]
Sent: Friday, January 09, 2015 12:25 PM
To: Cicone, Anthony
Cc: 'gss-proxy(a)lists.fedorahosted.org'
Subject: Re: [gssproxy] Failed to create krb5 context for user with uid 55555555 for
server rhel7nfsclient
On Fri, 9 Jan 2015 17:01:24 +0000
"Cicone, Anthony" <anthony_cicone(a)troweprice.com> wrote:
Hello List,
I've been working on setting up a RHEL 7.1 NFS Server to share out
Kerberos mounts, using gssproxy. I have a RHEL 6.4 client that I'm
trying to mount the Kerberos share on.
Here is the gssproxy.conf config on the NFS server:
(rhel7nfsclient)# more /etc/gssproxy/gssproxy.conf
[gssproxy]
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/tmp/krb5cc_%U
trusted = yes
kernel_nfsd = yes
euid = 0
debug = true
I'm able to mount the share as the root user fine.
(labisilon1)# id
uid=0(root) gid=0(root) groups=0(root)
(labisilon1)# mount -o sec=krb5,vers=3 rhel7nfsclient:/nfsv3kb5 /rhel7nfsclient -vvv
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: no type was given - I'll assume nfs because of the colon
mount: spec: "rhel7nfsclient:/nfsv3kb5"
mount: node: "/rhel7nfsclient"
mount: types: "nfs"
mount: opts: "sec=krb5,vers=3"
final mount options: 'sec=krb5,vers=3'
mount: external mount: argv[0] = "/sbin/mount.nfs"
mount: external mount: argv[1] = "rhel7nfsclient:/nfsv3kb5"
mount: external mount: argv[2] = "/rhel7nfsclient"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5,vers=3"
mount.nfs: timeout set for Fri Jan 9 11:55:13 2015
mount.nfs: trying text-based options 'sec=krb5,vers=3,addr=10.68.36.149'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.68.36.149 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 10.68.36.149 prog 100005 vers 3 prot UDP port 20048
rhel7nfsclient:/nfsv3kb5 on /rhel7nfsclient type nfs (rw,sec=krb5,vers=3)
(labisilon1)# mount|grep nfs
rhel7nfsclient:/nfsv3kb5 on /rhel7nfsclient type nfs
(rw,sec=krb5,vers=3,addr=10.68.36.149)
(labisilon1)# cd /rhel7nfsclient
(labisilon1)# touch testfile
(labisilon1)# ls
Testfile
But, when I try to access the share as a non-root user, I get the
"Permission denied" error.
$ whoami
svc9u998
$ mount|grep rhel7
rhel7nfsclient:/nfsv3kb5 on /rhel7nfsclient type nfs (rw,sec=krb5,vers=3,addr=10.68.36.149)
$ cd /rhel7nfsclient
-ksh: cd: /rhel7nfsclient: [Permission denied]
Here's error from the client gssd.
0770: 1491 335a e0fa 38e0 7d70 a7f4 f986 e173 ..3Z..8.}p.....s
0780: 23f4 5f68 af28 81d6 7494 88cb 6ae6 #._h.(..t...j.
rpcsec_gss: in authgss_marshal()
rpcsec_gss: xdr_rpc_gss_buf: encode success ((nil):0)
rpcsec_gss: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
rpcsec_gss: in authgss_wrap()
rpcsec_gss: xdr_rpc_gss_buf: encode success (0x7fdd087945a0:1934)
rpcsec_gss: xdr_rpc_gss_init_args: encode success (token 0x7fdd087945a0:1934)
authgss_create_default: freeing name 0x7fdd08791290
WARNING: Failed to create krb5 context for user with uid 55555555 for server rhel7nfsclient.troweprice.com
WARNING: Failed to create krb5 context for user with uid 55555555 for server rhel7nfsclient.troweprice.com
doing error downcall
Seems like a client issue?
I have debugging turned on for gssproxy, but it doesn't give me
much?
Jan 9 11:56:19 rhel7nfsclient rpc.gssd[3150]: Closing 'gssd' pipe for /var/lib/nfs/rpc_pipefs/nfs/clnt1ff
Jan 9 11:56:19 rhel7nfsclient rpc.gssd[3150]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1ff
Jan 9 11:56:19 rhel7nfsclient gssproxy: gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
Just in case, what does 'getent passwd 55555555' give you on the server?
What are the permissions on the directory you try to access?
Simo.
We're also using a product called Centrify for our Kerberos
authentication.
# adinfo -C
Computer Account Diagnostics
Joined as: labisilon1
Trusted for Delegation: false
Use DES Key Only: false
Key Version: 2
Service Principal Names: nfs/labisilon1.our.domain
nfs/labisilon1
http/labisilon1.our.domain
http/labisilon1
host/labisilon1.our.domain
host/labisilon1
ftp/labisilon1.our.domain
ftp/labisilon1
cifs/labisilon1.our.domain
cifs/labisilon1
Supported Encryption Type(s): N/A
Operating System Version: 6.4 (Santiago)
I have current Kerberos tickets.
$ /usr/share/centrifydc/kerberos/bin/klist -e
Ticket cache: FILE:/tmp/krb5cc_55555555
Default principal: svc9u998(a)CORP.OURDOMAIN.NET
Valid starting     Expires            Service principal
01/09/15 09:09:02  01/09/15 19:09:09  krbtgt/CORP.OURDOMAIN.NET(a)CORP.OURDOMAIN.NET
        renew until 01/10/15 09:09:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/09/15 09:09:17  01/09/15 19:09:09  nfs/rhel7nfsclient.our.domain.com(a)CORP.OURDOMAIN.NET
        renew until 01/10/15 09:09:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Thanks for your help.
T. Rowe Price (including T. Rowe Price Group, Inc. and its
affiliates) and its associates do not provide legal or tax advice.
Any tax-related discussion contained in this e-mail, including any
attachments, is not intended or written to be used, and cannot be
used, for the purpose of (i) avoiding any tax penalties or (ii)
promoting, marketing, or recommending to any other party any
transaction or matter addressed herein. Please consult your
independent legal counsel and/or professional tax advisor regarding
any legal or tax issues raised in this e-mail.
The contents of this e-mail and any attachments are intended solely
for the use of the named addressee(s) and may contain confidential
and/or privileged information. Any unauthorized use, copying,
disclosure, or distribution of the contents of this e-mail is strictly
prohibited by the sender and may be unlawful. If you are not the
intended recipient, please notify the sender immediately and delete
this e-mail.
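The klist -e output quoted above shows both the TGT and the nfs/ service ticket issued with ArcFour (RC4) HMAC/md5 session and ticket keys. As an added example, not code from anyone in this thread, the following parser reads klist -e output and flags tickets whose enctype is deprecated (DES/3DES per RFC 6649 and RFC 8429, RC4 per RFC 8429); the sample input is constructed to mirror the quoted output, with the archive's "(a)" obfuscation restored to "@".

```python
import re

# Constructed sample modelled on the klist -e output quoted in the thread
# (same principals and enctypes, wrapped lines rejoined).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_55555555
Default principal: svc9u998@CORP.OURDOMAIN.NET

Valid starting     Expires            Service principal
01/09/15 09:09:02  01/09/15 19:09:09  krbtgt/CORP.OURDOMAIN.NET@CORP.OURDOMAIN.NET
\trenew until 01/10/15 09:09:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/09/15 09:09:17  01/09/15 19:09:09  nfs/rhel7nfsclient.our.domain.com@CORP.OURDOMAIN.NET
\trenew until 01/10/15 09:09:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

# A ticket line: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
# The continuation line carries session-key and ticket enctypes, comma separated.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")


def is_deprecated_etype(name):
    """True for DES/3DES (RFC 6649, RFC 8429) and RC4/ArcFour (RFC 8429) enctypes."""
    n = name.strip().lower()
    return n.startswith("des") or "arcfour" in n or "rc4" in n


def parse_klist(text):
    """Return one dict per ticket: service principal, expiry, skey and tkt enctypes."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({"expires": m.group(2), "service": m.group(3),
                            "skey": None, "tkt": None})
            continue
        m = ETYPE_RE.search(line)
        if m and tickets:  # continuation belongs to the most recent ticket
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1).strip(), m.group(2).strip()
    return tickets


def audit_enctypes(text):
    """Return (service, key kind, enctype) triples that use a deprecated enctype."""
    findings = []
    for t in parse_klist(text):
        for which in ("skey", "tkt"):
            if t[which] and is_deprecated_etype(t[which]):
                findings.append((t["service"], which, t[which]))
    return findings


if __name__ == "__main__":
    for svc, which, et in audit_enctypes(SAMPLE_KLIST):
        print("deprecated %s enctype %r on %s" % (which, et, svc))
```

Run against a live cache with `klist -e | python3 this_script.py`-style piping by replacing SAMPLE_KLIST with sys.stdin.read(); an empty result means every ticket and session key uses a modern (AES) enctype.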
_______________________________________________
gss-proxy mailing list
gss-proxy(a)lists.fedorahosted.org
--
Simo Sorce * Red Hat, Inc * New York