handle_gssd_upcall: 'mech=krb5 uid=1011 enctypes=18,17,16,23,3,1,2 '(nfs/clnt0)
krb5_not_machine_creds: uid 1011 tgtname (null)(Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/krb5cc_1004)
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE
looking for client creds with uid 1011 for server sea.eecs.yorku.cain /tmp
CC '/tmp/krb5cc_1004' being considered, with preferred realm'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1004' owned by 1004, not 1011preferred realm 'AD.EECS.YORKU.CA'
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' being considered, with
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' owned by 0, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_0' being considered, with preferred realm
CC '/tmp/krb5cc_0' owned by 0, not 1011in /run/user/%U
looking for client creds with uid 1011 for server sea.eecs.yorku.ca
Error doing scandir on directory '/run/user/1011': No such file ordirectory
doing error downcall(nfs/clnt0)
handle_gssd_upcall: 'mech=krb5 uid=1011 enctypes=18,17,16,23,3,1,2 '
krb5_not_machine_creds: uid 1011 tgtname (null)(Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/krb5cc_1004)
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE
looking for client creds with uid 1011 for server sea.eecs.yorku.cain /tmp
CC '/tmp/krb5cc_1004' being considered, with preferred realm'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1004' owned by 1004, not 1011preferred realm 'AD.EECS.YORKU.CA'
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' being considered, with
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' owned by 0, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_0' being considered, with preferred realm
CC '/tmp/krb5cc_0' owned by 0, not 1011in /run/user/%U
looking for client creds with uid 1011 for server sea.eecs.yorku.ca
Error doing scandir on directory '/run/user/1011': No such file ordirectory
doing error downcall
handle_gssd_upcall: 'mech=krb5 uid=1011 enctypes=18,17,16,23,3,1,2 '(nfs/clnt0)
krb5_not_machine_creds: uid 1011 tgtname (null)(Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/krb5cc_1004)
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE
looking for client creds with uid 1011 for server sea.eecs.yorku.cain /tmp
CC '/tmp/krb5cc_1004' being considered, with preferred realm'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1004' owned by 1004, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1011.9bpz551G' being considered, with preferred realm
CC 'FILE:/tmp/krb5cc_1011.9bpz551G'(tdb@AD.EECS.YORKU.CA) passed allchecks and has mtime of 1621645808
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' being considered, withpreferred realm 'AD.EECS.YORKU.CA'
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' owned by 0, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_0' being considered, with preferred realm
CC '/tmp/krb5cc_0' owned by 0, not 1011with uid 1011 for server sea.eecs.yorku.ca
using FILE:/tmp/krb5cc_1011.9bpz551G as credentials cache for client
using gss_krb5_ccache_name to select krb5 ccacheFILE:/tmp/krb5cc_1011.9bpz551G
creating tcp client for server sea.eecs.yorku.ca
DEBUG: port already set to 2049
creating context with server nfs@sea.eecs.yorku.ca
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32 doing downcall: lifetime_rec=36000 acceptor=nfs@sea.eecs.yorku.ca
Hi.
I'm unable to get ksu working wth krb5 NFSv4, and can't quite figure out
why.
I am logged into a RHEL7 system as a user "jas" (uid 1004) with working Kerberos (Samba AD implementation).
I want to switch from user jas to user tdb (uid 1011) using ksu.
I set up a .k5login file in tdb account containing jas@AD.EECS.YORKU.CA
If tdb home directory is mounted with sec=sys, as jas I can "ksu tdb"
and it works every time.
If tdb home directory is mounted with sec=krb5, ksu wants me to enter a password.
(Note that as jas I can still cat ~tdb/.k5login).
KRB5CCNAME is FILE:/tmp/krb5cc_1004
rpc.gssd -vvv returns:
handle_gssd_upcall: 'mech=krb5 uid=1011 enctypes=18,17,16,23,3,1,2 '(nfs/clnt0)
krb5_not_machine_creds: uid 1011 tgtname (null)(Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/krb5cc_1004)
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE
looking for client creds with uid 1011 for server sea.eecs.yorku.cain /tmp
CC '/tmp/krb5cc_1004' being considered, with preferred realm'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1004' owned by 1004, not 1011preferred realm 'AD.EECS.YORKU.CA'
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' being considered, with
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' owned by 0, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_0' being considered, with preferred realm
CC '/tmp/krb5cc_0' owned by 0, not 1011in /run/user/%U
looking for client creds with uid 1011 for server sea.eecs.yorku.ca
Error doing scandir on directory '/run/user/1011': No such file ordirectory
doing error downcall
handle_gssd_upcall: 'mech=krb5 uid=1011 enctypes=18,17,16,23,3,1,2 '(nfs/clnt0)
krb5_not_machine_creds: uid 1011 tgtname (null)(Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/krb5cc_1004)
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE
looking for client creds with uid 1011 for server sea.eecs.yorku.cain /tmp
CC '/tmp/krb5cc_1004' being considered, with preferred realm'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1004' owned by 1004, not 1011preferred realm 'AD.EECS.YORKU.CA'
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' being considered, with
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' owned by 0, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_0' being considered, with preferred realm
CC '/tmp/krb5cc_0' owned by 0, not 1011in /run/user/%U
looking for client creds with uid 1011 for server sea.eecs.yorku.ca
Error doing scandir on directory '/run/user/1011': No such file ordirectory
doing error downcall
If I actually enter the password then /tmp/krb5cc_1011 shows up, and everything works.
handle_gssd_upcall: 'mech=krb5 uid=1011 enctypes=18,17,16,23,3,1,2 '(nfs/clnt0)
krb5_not_machine_creds: uid 1011 tgtname (null)(Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/krb5cc_1004)
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE
looking for client creds with uid 1011 for server sea.eecs.yorku.cain /tmp
CC '/tmp/krb5cc_1004' being considered, with preferred realm'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1004' owned by 1004, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_1011.9bpz551G' being considered, with preferred realm
CC 'FILE:/tmp/krb5cc_1011.9bpz551G'(tdb@AD.EECS.YORKU.CA) passed allchecks and has mtime of 1621645808
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' being considered, withpreferred realm 'AD.EECS.YORKU.CA'
CC '/tmp/krb5ccmachine_AD.EECS.YORKU.CA' owned by 0, not 1011'AD.EECS.YORKU.CA'
CC '/tmp/krb5cc_0' being considered, with preferred realm
CC '/tmp/krb5cc_0' owned by 0, not 1011with uid 1011 for server sea.eecs.yorku.ca
using FILE:/tmp/krb5cc_1011.9bpz551G as credentials cache for client
using gss_krb5_ccache_name to select krb5 ccacheFILE:/tmp/krb5cc_1011.9bpz551G
creating tcp client for server sea.eecs.yorku.ca
DEBUG: port already set to 2049
creating context with server nfs@sea.eecs.yorku.ca
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32 doing downcall: lifetime_rec=36000 acceptor=nfs@sea.eecs.yorku.ca
Is ksu just verifying that I'm a valid kerberos user, and that a switch
can be made to the new uid, then changing the uid with setuid only, in
which case Kerberos NFS won't work, or, is it supposed to import the
ticket for destination user as well?
If I enter the password when prompted, I can write files as the
destination user tdb, but I don't want to enter a password.
As a side note, if I set an ACL on the source users /tmp/krb5cc_1004
file to allow the destination user (1011) to read it (which I know is incorrect), then the ksu "works" successfully, but of course the
destination user can't write into the home directory anyway since the principal isn't present. It's not clear if this is a ksu issue, or
rpc.gssd and if this is fixable on my end or not.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 292 |
Nodes: | 16 (2 / 14) |
Uptime: | 187:50:21 |
Calls: | 6,616 |
Files: | 12,165 |
Messages: | 5,314,970 |