Bug 1032787
| Summary: | On 5.10 client ,kinit as valid ipa user then ssh to Server still requires root password | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Xiyang Dong <xdong> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | dpal, rcritten |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-20 20:50:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Xiyang Dong
2013-11-20 20:30:53 UTC
Do I read it right that you are sshing using root rather then testusr? Given the output, it seems that way. ssh does not magically figure out the user from a Kerberos ticket. Closing the bug. Yi, please try ssh testusr@$MASTER instead and see if that works. If not, please feel free to reopen the bug. ssh testusr@$MASTER works in this 7.0 server 5.10 client env.
In other envs I've tested such as 7.0 server 7.0 client or 6.5 server 5.10 client, ssh with root does not require a password tho.
[root@ibm-ls41-02 ~]# echo $MASTER
ibm-x3650m4-01-vm-04.testrelm.com
[root@ibm-ls41-02 ~]# ssh $MASTER
Last login: Wed Nov 20 12:38:09 2013 from ibm-ls41-02.rhts.eng.bos.redhat.com
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by xdong.
To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker
To extend your reservation time. You can run the command:
extendtesttime.sh
This is an interactive script. You will be prompted for how many
hours you would like to extend the reservation.
You should verify the watchdog was updated succesfully after
you extend your reservation.
https://beaker.engineering.redhat.com/recipes/1140280
For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/ibm-x3650m4-01-vm-04.testrelm.com
Beaker Test information:
HOSTNAME=ibm-x3650m4-01-vm-04.testrelm.com
JOBID=547950
RECIPEID=1140280
RESULT_SERVER=127.0.0.1:7091
DISTRO=RedHatEnterpriseLinux-6.5
ARCHITECTURE=x86_64
Job Whiteboard: Client certification :: RHEL 5.10 i386 IPA CLient :: RHEL6.5 IPA SERVER
Recipe Whiteboard: IPA MASTER
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
[root@ibm-x3650m4-01-vm-04 ~]# logout
Connection to ibm-x3650m4-01-vm-04.testrelm.com closed.
Forgot to paste the tkt info : [root@ibm-ls41-02 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: one Valid starting Expires Service principal 11/20/13 12:35:55 11/21/13 12:35:52 krbtgt/TESTRELM.COM 11/20/13 12:36:59 11/21/13 12:35:52 host/ibm-x3650m4-01-vm-04.testrelm.com Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached I do think prompting for root passwd when we kinit as non-root ipa user and ssh to server makes more sense.But somehow it doesn't behave same way in some test envs I mentioned above. Ahh after checking with Nalin I found that I checked the ticket in a wrong way. I ssh to the client and klist in the shell window ,in which $KRB5CCNAME is not set.I did GDM login and check directly instead, it worked fine. Closing as not a bug. |