unable to access kerberized nfs4 shares with keyring ccache

Bug #1733571 reported by Florian Heinle
This bug affects 5 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| freeipa (Ubuntu) | Invalid | Undecided | Unassigned | |
| nfs-utils (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

# Problem

With the default `ipa-client-install` method, users authenticated to Kerberos cannot access kerberized NFS shares from other IPA-joined Ubuntu hosts, even though permissions are correct.

# Steps to reproduce

1. Set up FreeIPA server on CentOS 7 per default docs
2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` and one `client.domain.tld`, and join both to FreeIPA
3. Create principals `nfs/server.domain.tld` and `nfs/client.domain.tld`
4. Create user in FreeIPA `testuser`
5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,rw,fsid=root,crossmnt,no_subtree_check,root_squash)`, run `exportfs -rav`
6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
8. Log in as `testuser` and `kinit testuser` if necessary
9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/some_file`

# Expected result

Changing the working directory to `/srv/nfs4`, listing the directory contents and creating a new file

# Actual result

`Permission denied`

# Reason

After quite some time debugging I found that `gssd` in Ubuntu 16.04 cannot read kernel persistent keyrings for Kerberos' ccache. Removing the line `default_ccache_name = KEYRING:persistent:%{uid}` from `/etc/krb5.conf` solved the issue.

This config file is created by `ipa-client-install` in `configure_krb5_conf()` after `#configure KEYRING CCACHE if supported`.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-client 4.3.1-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
Uname: Linux 4.4.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.12
Architecture: amd64
Date: Tue Nov 21 12:41:59 2017
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)
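The report points at one setting in `/etc/krb5.conf` as the cause and at removing it as the workaround. As an added example (not part of the bug report or of FreeIPA), the shell functions below detect a `KEYRING:` `default_ccache_name` in a krb5.conf-style file and write a copy with that line dropped, so that libkrb5 falls back to its built-in `FILE:/tmp/krb5cc_%{uid}` default. The sample config is constructed; only the `default_ccache_name` line is taken from the report, and the temp-file path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the bug report: spot the keyring ccache
# setting that gssd on Ubuntu 16.04 cannot read, and produce the
# workaround config (the same line removed, as the report describes).

# Print the default_ccache_name value from a krb5.conf-style file,
# or nothing if the setting is absent.
ccache_name() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 (true) when the file selects a kernel keyring ccache.
uses_keyring_ccache() {
    case "$(ccache_name "$1")" in
        KEYRING:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a copy of $1 to $2 with the default_ccache_name line removed.
# With no explicit setting, MIT krb5 uses FILE:/tmp/krb5cc_%{uid},
# which gssd can read.
write_workaround() {
    sed '/^[[:space:]]*default_ccache_name[[:space:]]*=/d' "$1" > "$2"
}

# Constructed sample resembling what ipa-client-install writes; the
# default_ccache_name line is the one quoted in the report.
SAMPLE="${TMPDIR:-/tmp}/krb5.conf.sample.$$"   # assumed scratch path
cat > "$SAMPLE" <<'EOF'
[libdefaults]
  default_realm = DOMAIN.TLD
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  default_ccache_name = KEYRING:persistent:%{uid}
EOF

if uses_keyring_ccache "$SAMPLE"; then
    echo "keyring ccache configured: $(ccache_name "$SAMPLE")"
    write_workaround "$SAMPLE" "$SAMPLE.fixed"
    echo "workaround config written to $SAMPLE.fixed"
fi
```

Point the functions at the real `/etc/krb5.conf` to audit a client; the workaround only sidesteps the keyring, it does not fix `gssd` itself.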

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in freeipa (Ubuntu):
status: New → Confirmed
Changed in nfs-utils (Ubuntu):
status: New → Confirmed
Andreas Hasenack (ahasenack) wrote :

Confirmed in bionic. This seems to be a known issue and needs further investigation to see if it was fixed upstream or if there is a workaround available. Maybe via gss-proxy? Have to check.

Timo Aaltonen (tjaalton) wrote :

I don't think freeipa is to blame here

Changed in freeipa (Ubuntu):
status: Confirmed → Invalid