9:06 a.m.
I am confronted with a relatively strange behaviour regarding ipa and
automounting. We are using automounted home shares on some of our systems.
On two almost identical systems I cannot chdir (permission denied) to
user A's home directory on server 1 but chdir to user B's home directory
works. On server 2 it is the exact opposite. On a third server chdir
does not work for both users.
I would highly appreciate any tips on how to debug this issue.
Cheers,
Ronald
1:45 a.m.
On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
I am confronted with a relatively strange behaviour regarding ipa and
automounting. We are using automounted home shares on some of our systems.
On two almost identical systems I cannot chdir (permission denied) to
user A's home directory on server 1 but chdir to user B's home directory
works. On server 2 it is the exact opposite. On a third server chdir
does not work for both users.
A manual "kinit userA" seems to solve the problem as the user had no
Kerberos credentials? But why? Why was a Kerberos ticket not fetched
automatically?
Cheers,
Ronald
8:48 a.m.
Ronald Wimmer via FreeIPA-users wrote:
On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
> I am confronted with a relatively strange behaviour regarding ipa and
> automounting. We are using automounted home shares on some of our
> systems.
>
> On two almost identical systems I cannot chdir (permission denied) to
> user A's home directory on server 1 but chdir to user B's home
> directory works. On server 2 it is the exact opposite. On a third
> server chdir does not work for both users.
A manual "kinit userA" seems to solve the problem as the user had no
Kerberos credentials? But why? Why was a Kerberos ticket not fetched
automatically?
How did the user login to the system?
rob
8:53 a.m.
On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
> On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>> I am confronted with a relatively strange behaviour regarding ipa and
>> automounting. We are using automounted home shares on some of our
>> systems.
>>
>> On two almost identical systems I cannot chdir (permission denied) to
>> user A's home directory on server 1 but chdir to user B's home
>> directory works. On server 2 it is the exact opposite. On a third
>> server chdir does not work for both users.
>
> A manual "kinit userA" seems to solve the problem as the user had no
> Kerberos credentials? But why? Why was a Kerberos ticket not fetched
> automatically?
How did the user login to the system?
SSH.
Sometimes I did a "su - myIpaUser" from a root shell. Is this supposed
to work or does it only work when the user has a valid ticket (from a
previous login)?
(Does it make a difference when I have no Kerberos ticket on the
originating system and I am forced to enter the users password upon
login? Both cases should result in obtaining a Kerberos ticket,
shouldn't they?)
Cheers,
Ronald
9:39 a.m.
On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
>Ronald Wimmer via FreeIPA-users wrote:
>>On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>>>I am confronted with a relatively strange behaviour regarding ipa and
>>>automounting. We are using automounted home shares on some of our
>>>systems.
>>>
>>>On two almost identical systems I cannot chdir (permission denied) to
>>>user A's home directory on server 1 but chdir to user B's home
>>>directory works. On server 2 it is the exact opposite. On a third
>>>server chdir does not work for both users.
>>
>>A manual "kinit userA" seems to solve the problem as the user had no
>>Kerberos credentials? But why? Why was a Kerberos ticket not fetched
>>automatically?
>
>How did the user login to the system?
SSH.
Sometimes I did a "su - myIpaUser" from a root shell. Is this supposed
to work or does it only work when the user has a valid ticket (from a
previous login)?
The latter.
(Does it make a difference when I have no Kerberos ticket on the
originating system and I am forced to enter the users password upon
login? Both cases should result in obtaining a Kerberos ticket,
shouldn't they?)
It depends. A lot, actually:
- If your SSH client allows forwarding a TGT and KDC allows it too,
then login with Kerberos ticket to SSH server might give you a
working TGT on the server side. SSSD on the server side is not
involved here as Kerberos authentication is handled completely by SSH
server.
- if you login with password over SSH and you have PAM authentication
enabled in SSH server configuration, SSSD might get you a new
Kerberos ticket in the user's ccache on the server side.
In either case, 'su - ...' is not giving you any Kerberos ticket unless
it exists already in the target environment. For example, if your system
is configured to use session-specific KEYRING credentials cache
collection, then 'su - ...' will never be able to access user's ccache
from another session. A default in RHEL 7 is to use KEYRING with
persistent ccache, not session-specific one. A default in RHEL 8 is to
use KCM: which is also persistent and gives access to user's ticket from
any session he/she did open.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
10:02 a.m.
On 15.09.20 16:39, Alexander Bokovoy via FreeIPA-users wrote:
On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>>>> I am confronted with a relatively strange behaviour regarding ipa and
>>>> automounting. We are using automounted home shares on some of our
>>>> systems.
>>>>
>>>> On two almost identical systems I cannot chdir (permission denied) to
>>>> user A's home directory on server 1 but chdir to user B's home
>>>> directory works. On server 2 it is the exact opposite. On a third
>>>> server chdir does not work for both users.
>>>
>>> A manual "kinit userA" seems to solve the problem as the user had
no
>>> Kerberos credentials? But why? Why was a Kerberos ticket not fetched
>>> automatically?
>>
>> How did the user login to the system?
>
> SSH.
>
> Sometimes I did a "su - myIpaUser" from a root shell. Is this supposed
> to work or does it only work when the user has a valid ticket (from a
> previous login)?
The latter.
> (Does it make a difference when I have no Kerberos ticket on the
> originating system and I am forced to enter the users password upon
> login? Both cases should result in obtaining a Kerberos ticket,
> shouldn't they?)
It depends. A lot, actually:
- If your SSH client allows forwarding a TGT and KDC allows it too,
then login with Kerberos ticket to SSH server might give you a
working TGT on the server side. SSSD on the server side is not
involved here as Kerberos authentication is handled completely by SSH
server.
- if you login with password over SSH and you have PAM authentication
enabled in SSH server configuration, SSSD might get you a new
Kerberos ticket in the user's ccache on the server side.
So. Let me try to summarize this for myself. When I want a kerberized
NFS share to be accessible the user must have a valid Kerberos ticket,
right? This can be either obtained through SSHD, could be delegated from
the originating system or it could be fetched on the target system by
SSSD. Is this correct?
Cheers,
Ronald
10:19 a.m.
On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
On 15.09.20 16:39, Alexander Bokovoy via FreeIPA-users wrote:
>On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
>>On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
>>>Ronald Wimmer via FreeIPA-users wrote:
>>>>On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>>>>>I am confronted with a relatively strange behaviour regarding ipa and
>>>>>automounting. We are using automounted home shares on some of our
>>>>>systems.
>>>>>
>>>>>On two almost identical systems I cannot chdir (permission denied) to
>>>>>user A's home directory on server 1 but chdir to user B's
home
>>>>>directory works. On server 2 it is the exact opposite. On a third
>>>>>server chdir does not work for both users.
>>>>
>>>>A manual "kinit userA" seems to solve the problem as the user
had no
>>>>Kerberos credentials? But why? Why was a Kerberos ticket not fetched
>>>>automatically?
>>>
>>>How did the user login to the system?
>>
>>SSH.
>>
>>Sometimes I did a "su - myIpaUser" from a root shell. Is this
>>supposed to work or does it only work when the user has a valid
>>ticket (from a previous login)?
>
>The latter.
>
>>(Does it make a difference when I have no Kerberos ticket on the
>>originating system and I am forced to enter the users password
>>upon login? Both cases should result in obtaining a Kerberos
>>ticket, shouldn't they?)
>
>It depends. A lot, actually:
>
> Â - If your SSH client allows forwarding a TGT and KDC allows it too,
> Â Â then login with Kerberos ticket to SSH server might give you a
> Â Â working TGT on the server side. SSSD on the server side is not
> Â Â involved here as Kerberos authentication is handled completely by SSH
> Â Â server.
>
> Â - if you login with password over SSH and you have PAM authentication
> Â Â enabled in SSH server configuration, SSSD might get you a new
> Â Â Kerberos ticket in the user's ccache on the server side.
So. Let me try to summarize this for myself. When I want a kerberized
NFS share to be accessible the user must have a valid Kerberos ticket,
right? This can be either obtained through SSHD, could be delegated
from the originating system or it could be fetched on the target
system by SSSD. Is this correct?
More or less, yes.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
9:05 a.m.
On 15.09.20 17:19, Alexander Bokovoy via FreeIPA-users wrote:
[...]
>> Â Â Kerberos ticket in the user's ccache on the server side.
>
> So. Let me try to summarize this for myself. When I want a kerberized
> NFS share to be accessible the user must have a valid Kerberos ticket,
> right? This can be either obtained through SSHD, could be delegated
> from the originating system or it could be fetched on the target
> system by SSSD. Is this correct?
More or less, yes.
I need to understand the SSH scenario a little bit better. In some cases
the user can log in via SSH properly but he gets a "permission denied"
error. I did a kinit myUser and everything worked fine. In order to
reproduce the issue I tought it would be sufficient to do a kdestroy and
try to log in via SSH again but in that case I did not get a "permission
denied" error.
klist showed no ticket
klist: Credentials cache keyring
'persistent:1246620005:krb_ccache_1fh0ssy' not found
Where is this cached? (rpcgssd? rpcidmapd?)
Cheers,
Ronald
10:17 a.m.
On 15.09.20 17:19, Alexander Bokovoy via FreeIPA-users wrote:
On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 15.09.20 16:39, Alexander Bokovoy via FreeIPA-users wrote:
>> On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
>>> On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>>>>>> I am confronted with a relatively strange behaviour regarding ipa
>>>>>> and
>>>>>> automounting. We are using automounted home shares on some of
our
>>>>>> systems.
>>>>>>
>>>>>> On two almost identical systems I cannot chdir (permission
>>>>>> denied) to
>>>>>> user A's home directory on server 1 but chdir to user B's
home
>>>>>> directory works. On server 2 it is the exact opposite. On a
third
>>>>>> server chdir does not work for both users.
>>>>>
>>>>> A manual "kinit userA" seems to solve the problem as the
user had no
>>>>> Kerberos credentials? But why? Why was a Kerberos ticket not fetched
>>>>> automatically?
>>>>
>>>> How did the user login to the system?
>>>
>>> SSH.
>>>
>>> Sometimes I did a "su - myIpaUser" from a root shell. Is this
>>> supposed to work or does it only work when the user has a valid
>>> ticket (from a previous login)?
>>
>> The latter.
>>
>>> (Does it make a difference when I have no Kerberos ticket on the
>>> originating system and I am forced to enter the users password upon
>>> login? Both cases should result in obtaining a Kerberos ticket,
>>> shouldn't they?)
>>
>> It depends. A lot, actually:
>>
>> Â - If your SSH client allows forwarding a TGT and KDC allows it too,
>> Â Â then login with Kerberos ticket to SSH server might give you a
>> Â Â working TGT on the server side. SSSD on the server side is not
>> Â Â involved here as Kerberos authentication is handled completely
>> by SSH
>> Â Â server.
>>
>> Â - if you login with password over SSH and you have PAM authentication
>> Â Â enabled in SSH server configuration, SSSD might get you a new
>> Â Â Kerberos ticket in the user's ccache on the server side.
>
> So. Let me try to summarize this for myself. When I want a kerberized
> NFS share to be accessible the user must have a valid Kerberos ticket,
> right? This can be either obtained through SSHD, could be delegated
> from the originating system or it could be fetched on the target
> system by SSSD. Is this correct?
More or less, yes.
What I was trying to accomplish is very similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1017651 where a user logs in
to an IPA client with SSH keys (pubkey in IPA). Is it still like in that
bug's thread that this won't work or would SSH trigger PAM and the
latter SSSD in order to fetch a Kerberos ticket.
If it still does not work I will got the way outlined in the thread:
1) Create a service principal 'prod'
2) Get keytab for it using ipa-getkeytab (the result is the equivalent of
your SSH key)
3) Place this keytab on the systems you log in and then manage production
from
4) Add kinit with this keytab to you bash profile
Cheers,
Ronald
10:32 a.m.
On to, 17 syys 2020, Ronald Wimmer wrote:
On 15.09.20 17:19, Alexander Bokovoy via FreeIPA-users wrote:
>On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
>>On 15.09.20 16:39, Alexander Bokovoy via FreeIPA-users wrote:
>>>On ti, 15 syys 2020, Ronald Wimmer via FreeIPA-users wrote:
>>>>On 15.09.20 15:48, Rob Crittenden via FreeIPA-users wrote:
>>>>>Ronald Wimmer via FreeIPA-users wrote:
>>>>>>On 14.09.20 16:06, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>I am confronted with a relatively strange behaviour
>>>>>>>regarding ipa and
>>>>>>>automounting. We are using automounted home shares on some of
our
>>>>>>>systems.
>>>>>>>
>>>>>>>On two almost identical systems I cannot chdir
>>>>>>>(permission denied) to
>>>>>>>user A's home directory on server 1 but chdir to user
B's home
>>>>>>>directory works. On server 2 it is the exact opposite. On a
third
>>>>>>>server chdir does not work for both users.
>>>>>>
>>>>>>A manual "kinit userA" seems to solve the problem as the
user had no
>>>>>>Kerberos credentials? But why? Why was a Kerberos ticket not
fetched
>>>>>>automatically?
>>>>>
>>>>>How did the user login to the system?
>>>>
>>>>SSH.
>>>>
>>>>Sometimes I did a "su - myIpaUser" from a root shell. Is this
>>>>supposed to work or does it only work when the user has a
>>>>valid ticket (from a previous login)?
>>>
>>>The latter.
>>>
>>>>(Does it make a difference when I have no Kerberos ticket on
>>>>the originating system and I am forced to enter the users
>>>>password upon login? Both cases should result in obtaining a
>>>>Kerberos ticket, shouldn't they?)
>>>
>>>It depends. A lot, actually:
>>>
>>>ÃÂ - If your SSH client allows forwarding a TGT and KDC allows it too,
>>>ÃÂ ÃÂ then login with Kerberos ticket to SSH server might give you a
>>>ÃÂ ÃÂ working TGT on the server side. SSSD on the server side is not
>>>ÃÂ ÃÂ involved here as Kerberos authentication is handled
>>>completely by SSH
>>>ÃÂ ÃÂ server.
>>>
>>>ÃÂ - if you login with password over SSH and you have PAM authentication
>>>ÃÂ ÃÂ enabled in SSH server configuration, SSSD might get you a new
>>>ÃÂ ÃÂ Kerberos ticket in the user's ccache on the server side.
>>
>>So. Let me try to summarize this for myself. When I want a
>>kerberized NFS share to be accessible the user must have a valid
>>Kerberos ticket, right? This can be either obtained through SSHD,
>>could be delegated from the originating system or it could be
>>fetched on the target system by SSSD. Is this correct?
>
>More or less, yes.
What I was trying to accomplish is very similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1017651 where a user logs
in to an IPA client with SSH keys (pubkey in IPA). Is it still like in
that bug's thread that this won't work or would SSH trigger PAM and
the latter SSSD in order to fetch a Kerberos ticket.
There is no way right now to obtain a TGT for user if user did not login
with Kerberos with forwardable TGT or with Password.
Technically, there is a way to have some service to use host/..
principal to perform protocol transition and request a ticket to itself
on behalf of a user (S4U2Self extension) and then request a ticket to
nfs/.. service (S4U2Proxy ..) using that ticket to self. This is, for
example, how server part of IPA framework does it if you enabled
certificate-based authentication for IPA users to Web UI, with the help
of mod_auth_gssapi on top of mod_ssl.
However, to be able to do so, KDC must be configured to allow the
service to operate on behalf of a user and SSH server needs to set this
up in its own code. There is no such implementation.
If it still does not work I will got the way outlined in the thread:
> 1) Create a service principal 'prod'
> 2) Get keytab for it using ipa-getkeytab (the result is the equivalent of
> your SSH key)
> 3) Place this keytab on the systems you log in and then manage production
> from
> 4) Add kinit with this keytab to you bash profile
This can definitely be done.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
6:34 a.m.
On 17.09.20 17:32, Alexander Bokovoy via FreeIPA-users wrote:
[...] If it still does not work I will got the way outlined in the
thread:
>
>> 1) Create a service principal 'prod'
>> 2) Get keytab for it using ipa-getkeytab (the result is the
>> equivalent of
>> your SSH key)
>> 3) Place this keytab on the systems you log in and then manage
>> production
>> from
>> 4) Add kinit with this keytab to you bash profile
This can definitely be done.
Unfortunately not, in my case. User homes are IPA automounted from a
kerberized NFS share. And that share holds my .bash_profile...
Cheers,
Ronald
1322
days inactive
1329
days old
freeipa-users@lists.fedorahosted.org
10 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Rob Crittenden -
Ronald Wimmer