unable to access kerberized nfs4 shares with keyring ccache
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
freeipa (Ubuntu) | Invalid | Undecided | Unassigned | |
nfs-utils (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
# Problem
With default `ipa-client-
# Steps to reproduce
1. Set up FreeIPA server on CentOS 7 per default docs
2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` one `client.
3. Create principals `nfs/server.
4. Create user in FreeIPA `testuser`
5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,
6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
8. Log in as `testuser` and `kinit testuser` if necessary
9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/
# Expected result
Changing of working directory to `/srv/nfs4`, listing directory contents and creating new file
# Actual result
`Permission denied`
# Reason
After quite some time debugging, I found that `gssd` in Ubuntu 16.04 cannot read kernel persistent keyrings for Kerberos' ccache. Removing the line `default_
This config file is created by `ipa-client-
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-client 4.3.1-0ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.12
Architecture: amd64
Date: Tue Nov 21 12:41:59 2017
JournalErrors:
Error: command ['journalctl', '-b', '--priority=
Users in the 'systemd-journal' group can see all messages. Pass -q to
turn off this notice.
No journal files were opened due to insufficient permissions.
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)
Status changed to 'Confirmed' because the bug affects multiple users.
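
An added example, not part of the bug report and not code from FreeIPA or nfs-utils: a client-side check for the condition named under "Reason". It assumes the credential cache is selected by `KRB5CCNAME` or by the MIT krb5 option `default_ccache_name` in `[libdefaults]`; the function names and the sample configuration are constructed for illustration.

```shell
# Added example, not from the bug report. Assumes the cache is chosen by
# KRB5CCNAME or by default_ccache_name in [libdefaults] (includes not followed).

# Print the first default_ccache_name value found in [libdefaults] of file $1.
ccache_name_from_conf() {
    awk '
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Map a ccache name to its type; a name without a "TYPE:" prefix is a FILE cache.
ccache_type() {
    case "$1" in
        "")  echo UNSET ;;
        *:*) echo "${1%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# $1 = krb5.conf path, $2 = KRB5CCNAME value (overrides the file when non-empty).
effective_ccache_type() {
    name=${2:-$(ccache_name_from_conf "$1")}
    ccache_type "$name"
}

# Return 1 when the client would hand gssd a KEYRING cache.
check_client() {
    t=$(effective_ccache_type "$1" "$2")
    if [ "$t" = KEYRING ]; then
        echo "WARN: KEYRING ccache; reported unreadable by gssd on Ubuntu 16.04"
        return 1
    fi
    echo "OK: ccache type $t"
}

# Constructed sample krb5.conf (values are illustrative, not from the page).
sample_conf() {
    printf '%s\n' '[libdefaults]' '  default_realm = DOMAIN.TLD' \
        '  # default_ccache_name = FILE:/tmp/ignored' \
        '  default_ccache_name = KEYRING:persistent:%{uid}' '[realms]'
}
conf=$(mktemp) && sample_conf > "$conf"
check_client "$conf" "" || true
check_client "$conf" "FILE:/tmp/krb5cc_demo" || true
rm -f "$conf"
```

On a real client, pass the system krb5.conf path and the logged-in user's `$KRB5CCNAME` to `check_client`.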