Bug 878462
Summary: | Special case NFS related ticket to avoid attaching MS-PACs | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Priority: | medium |
Version: | 6.4 | CC: | jgalipea, mkosek, sbose, sgoveas, ssorce, tlavigne |
Target Milestone: | rc | Bug Blocks: | 886216 |
Hardware: | Unspecified | OS: | Unspecified |
Fixed In Version: | ipa-3.0.0-10.el6 | Doc Type: | Bug Fix |
Last Closed: | 2013-02-21 09:30:21 UTC | | |

Description
Dmitri Pal
2012-11-20 13:44:50 UTC
Please provide steps to reproduce and verify this

- Create new AD user
- try to mount export from an NFS server member of IPA domain, see that it succeeds using GSSAPI/Krb5 auth as that user.
- unmount
- logout
- Add AD user to 500 groups
- log in again
- try to mount export from NFS server, see authentication failure

Fixed upstream.
master: 5269458f552380759c86018cd1f30b64761be92e
ipa-3-0: 592dd9fccd1696bff5e604c6097b2a8785add295

    [root@rasalghul ~]# exportfs -v
    /nfs-share <world>(rw,wdelay,root_squash,no_subtree_check,sec=krb5:krb5i:krb5p,rw,root_squash,no_all_squash)

    C:\Users\fuser>mount \\rasalghul.testrelm.com\nfs-share *
    Z: is now successfully connected to \\rasalghul.testrelm.com\nfs-share
    The command completed successfully.

    C:\Users\fuser>z:
    Z:\>dir
     Volume in drive Z has no label.
     Volume Serial Number is A3CD-75CC
     Directory of Z:\
    02/05/2013 01:33 PM <DIR> .
    02/05/2013 01:33 PM 0 file2
    02/05/2013 01:33 PM 0 file1
    02/05/2013 01:33 PM <DIR> ..
    2 File(s) 8,192 bytes
    2 Dir(s) 3,941,351,424 bytes free

* Unmount and Logout

    C:\Users\fuser>umount -a
    You have these active NFS connections:
    Z: \\rasalghul.testrelm.com\nfs-share
    Continuing will cancel the connections.
    Do you want to continue this operation? (Y/N) [N]:y
    Disconnecting Z: \\rasalghul.testrelm.com\nfs-share
    The command completed successfully.

* Added User to 500 groups. Mount works as expected

    C:\Users\fuser>mount \\rasalghul.testrelm.com\nfs-share *
    Z: is now successfully connected to \\rasalghul.testrelm.com\nfs-share
    The command completed successfully.

* Credential Cache increased a small amount for nfs ticket indicating that there is no PAC attached.

    [root@wazwan ~]# kdestroy
    [root@wazwan ~]# ll -h /tmp/k*
    ls: cannot access /tmp/k*: No such file or directory
    [root@wazwan ~]# kinit fuser
    Password for fuser:
    [root@wazwan ~]# ll -h /tmp/k*
    -rw-------. 1 root root 5.1K Feb 5 19:33 /tmp/krb5cc_0
    [root@wazwan ~]# kvno ldap/wazwan.testrelm.com
    ldap/wazwan.testrelm.com: kvno = 2
    [root@wazwan ~]# ll /tmp/k*
    -rw-------. 1 root root 15440 Feb 5 19:34 /tmp/krb5cc_0
    [root@wazwan ~]# kvno nfs/wazwan.testrelm.com
    nfs/wazwan.testrelm.com: kvno = 1
    [root@wazwan ~]# ll /tmp/k*
    -rw-------. 1 root root 15967 Feb 5 19:34 /tmp/krb5cc_0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
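
The credential cache size check from the verification session above, as an added example that is not part of the original bug report: it parses the `ll` and `kvno` lines and attributes the ccache growth to each service ticket. The function names and the 4096-byte threshold are assumptions chosen for this session; size is only the proxy the verifier used, not a decode of the ticket's authorization data.

```python
import re

# Lines taken from the verification session on this page (kdestroy and the
# password prompt omitted).
SESSION = """\
[root@wazwan ~]# kinit fuser
[root@wazwan ~]# ll -h /tmp/k*
-rw-------. 1 root root 5.1K Feb 5 19:33 /tmp/krb5cc_0
[root@wazwan ~]# kvno ldap/wazwan.testrelm.com
ldap/wazwan.testrelm.com: kvno = 2
[root@wazwan ~]# ll /tmp/k*
-rw-------. 1 root root 15440 Feb 5 19:34 /tmp/krb5cc_0
[root@wazwan ~]# kvno nfs/wazwan.testrelm.com
nfs/wazwan.testrelm.com: kvno = 1
[root@wazwan ~]# ll /tmp/k*
-rw-------. 1 root root 15967 Feb 5 19:34 /tmp/krb5cc_0
"""

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2}
# Size field of an `ls -l` line: plain bytes, or `ls -h` style such as 5.1K.
LS_RE = re.compile(r"^-\S+\s+\d+\s+\S+\s+\S+\s+([\d.]+)([KM]?)\s")
# A `kvno <principal>` command typed at a shell prompt.
KVNO_RE = re.compile(r"#\s*kvno\s+(\S+)")

def ticket_growth(session):
    """Return [(service_principal, bytes_added_to_ccache)] in request order."""
    last_size, pending, growth = None, None, []
    for line in session.splitlines():
        m = KVNO_RE.search(line)
        if m:
            pending = m.group(1)          # next listing belongs to this ticket
            continue
        m = LS_RE.match(line)
        if not m:
            continue
        size = int(float(m.group(1)) * UNITS[m.group(2)])
        if pending is not None and last_size is not None:
            growth.append((pending, size - last_size))
        last_size, pending = size, None
    return growth

def classify(session, threshold=4096):
    """Label tickets by growth; threshold is an assumption, not a Kerberos constant."""
    return {svc: ("large, PAC likely" if delta >= threshold else "small, no PAC")
            for svc, delta in ticket_growth(session)}

if __name__ == "__main__":
    for svc, delta in ticket_growth(SESSION):
        print(f"{svc}: +{delta} bytes -> {classify(SESSION)[svc]}")
```

The first size comes from `ll -h`, so the ldap delta is approximate; the nfs delta is exact because both surrounding listings are in bytes.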