Interesting information from debugging 'rpc.gssd' running on client:
Do I need special principal for user 'longina' accessing nfs share?
=======================================================
jedi rpc.gssd[487]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt8)
jedi rpc.gssd[487]: handle_gssd_upcall: 'mech=krb5 uid=332405654 enctypes=18,17,16,23,3,1,2 '
jedi rpc.gssd[487]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt8)
jedi rpc.gssd[487]: process_krb5_upcall: service is '<null>'
jedi rpc.gssd[487]: creating context using fsuid 332405654 (save_uid 0)
jedi rpc.gssd[487]: creating tcp client for server jota.nat.c.example.com
jedi rpc.gssd[487]: DEBUG: port already set to 2049
jedi rpc.gssd[487]: creating context with server nfs@jota.nat.c.example.com
jedi rpc.gssd[487]: WARNING: Failed to create krb5 context for user with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: getting credentials for client with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: CC '/tmp/krb5cc_332405654_nRduU6' being considered, with preferred realm 'NAT.C.EXAMPLE.COM'
jedi rpc.gssd[487]: CC 'FILE:/tmp/krb5cc_332405654_nRduU6'(longina@NAT.C.EXAMPLE.COM) passed all checks and has mtime of 1394639897
jedi rpc.gssd[487]: CC '/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM' being considered, with preferred realm 'NAT.C.EXAMPLE.COM'
jedi rpc.gssd[487]: CC '/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM' owned by 0, not 332405654
jedi rpc.gssd[487]: using FILE:/tmp/krb5cc_332405654_nRduU6 as credentials cache for client with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_332405654_nRduU6
jedi rpc.gssd[487]: creating context using fsuid 332405654 (save_uid 0)
jedi rpc.gssd[487]: creating tcp client for server jota.nat.c.example.com
jedi rpc.gssd[487]: DEBUG: port already set to 2049
jedi rpc.gssd[487]: creating context with server nfs@jota.nat.c.example.com
jedi rpc.gssd[487]: WARNING: Failed to create krb5 context for user with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: getting credentials for client with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: WARNING: Failed to create krb5 context for user with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: doing error downcall
accessing homedir?
Best regards,
Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: 12 March 2014 11:54
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] no permission -sssd-1.11.1 Trusty automount nfs4+krb
On Wed, 12 Mar 2014, Longina Przybyszewska wrote:
I log in from GUI (lightdm) and ssh with AD passwd - in both cases no permissions. SSH allows me to log in to "/". GUI throws me away.
I use AD as provider for everything
Ssh jedi.nat.c.example.com
Last login: Wed Mar 12 09:43:32 2014 from ariadne.a.example.org
Could not chdir to home directory /home/longina: Permission denied
-bash: /home/longina/.bash_profile: Permission denied
longina@jedi:/$ klist
Ticket cache: FILE:/tmp/krb5cc_332405654_RsFXEu
Default principal: longina@NAT.C.EXAMPLE.ORG

Valid starting       Expires              Service principal
03/12/2014 11:27:21  03/12/2014 21:27:21  krbtgt/NAT.C.EXAMPLE.ORG@NAT.C.EXAMPLE.ORG
        renew until 03/13/2014 11:27:21
03/12/2014 11:27:22  03/12/2014 21:27:21  nfs/jota.nat.example.org@NAT.C.EXAMPLE.ORG
        renew until 03/13/2014 11:27:21
longina@jedi:/$
Your principal is what you expect, you're getting a service principal for what you expect to be connecting to, but you're getting permission denied at the far end.
rpc.idmapd issues on the server?
Have you run that with debugging and seen what it's up to?
jh
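Added example, not part of the thread or of the nfs-utils code: a small Python summariser for rpc.gssd debug output of the kind posted above. It groups lines per upcall and separates "no usable credentials cache was found" from "a cache was accepted but context creation still failed". The function names and verdict labels are this example's own.

```python
import re
# Lines copied (abridged) from the rpc.gssd debug output quoted in the thread.
SAMPLE_LOG = """\
jedi rpc.gssd[487]: handle_gssd_upcall: 'mech=krb5 uid=332405654 enctypes=18,17,16,23,3,1,2 '
jedi rpc.gssd[487]: WARNING: Failed to create krb5 context for user with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: CC 'FILE:/tmp/krb5cc_332405654_nRduU6'(longina@NAT.C.EXAMPLE.COM) passed all checks and has mtime of 1394639897
jedi rpc.gssd[487]: CC '/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM' owned by 0, not 332405654
jedi rpc.gssd[487]: creating context with server nfs@jota.nat.c.example.com
jedi rpc.gssd[487]: WARNING: Failed to create krb5 context for user with uid 332405654 for server jota.nat.c.example.com
jedi rpc.gssd[487]: doing error downcall
"""
UPCALL = re.compile(r"handle_gssd_upcall: 'mech=(\S+) uid=(\d+) enctypes=([\d,]+)")
TARGET = re.compile(r"creating context with server (\S+)")
CC_OK = re.compile(r"CC '([^']+)'\((\S+?)\) passed all checks")
CC_BAD = re.compile(r"CC '([^']+)' owned by (\d+), not \d+")
FAILED = re.compile(r"WARNING: Failed to create krb5 context")

def summarise(log):
    """Return one dict per upcall found in rpc.gssd debug output."""
    upcalls = []
    for line in log.splitlines():
        if (m := UPCALL.search(line)):
            upcalls.append({"mech": m.group(1), "uid": int(m.group(2)),
                            "enctypes": [int(e) for e in m.group(3).split(",")],
                            "target": None, "accepted": [], "rejected": [],
                            "failures": 0, "error_downcall": False})
            continue
        if not upcalls:
            continue  # ignore anything logged before the first upcall
        cur = upcalls[-1]
        if (m := TARGET.search(line)):
            cur["target"] = m.group(1)          # GSS service name requested
        elif (m := CC_OK.search(line)):
            cur["accepted"].append((m.group(1), m.group(2)))  # (ccache, principal)
        elif (m := CC_BAD.search(line)):
            cur["rejected"].append((m.group(1), int(m.group(2))))  # (ccache, owner uid)
        elif FAILED.search(line):
            cur["failures"] += 1
        elif "doing error downcall" in line:
            cur["error_downcall"] = True        # kernel is told the upcall failed
    return upcalls

def verdict(u):
    """Classify where the upcall stopped (labels are this example's own)."""
    if not u["error_downcall"]:
        return "ok"
    return "ccache-found-context-failed" if u["accepted"] else "no-usable-ccache"
```
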