Bug 878462
| Summary: | Special case NFS related ticket to avoid attaching MS-PACs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.4 | CC: | jgalipea, mkosek, sbose, sgoveas, ssorce, tlavigne |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-3.0.0-10.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 09:30:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 886216 | ||
Description
Dmitri Pal
2012-11-20 13:44:50 UTC
Please provide steps to reproduce and verify this.

- Create new AD user
- try to mount export from an NFS server member of IPA domain, see that it succeeds using GSSAPI/Krb5 auth as that user.
- unmount
- logout
- Add AD user to 500 groups
- log in again
- try to mount export from NFS server, see authentication failure

Fixed upstream.
master: 5269458f552380759c86018cd1f30b64761be92e
ipa-3-0: 592dd9fccd1696bff5e604c6097b2a8785add295

[root@rasalghul ~]# exportfs -v
/nfs-share <world>(rw,wdelay,root_squash,no_subtree_check,sec=krb5:krb5i:krb5p,rw,root_squash,no_all_squash)
C:\Users\fuser>mount \\rasalghul.testrelm.com\nfs-share *
Z: is now successfully connected to \\rasalghul.testrelm.com\nfs-share
The command completed successfully.
C:\Users\fuser>z:
Z:\>dir
Volume in drive Z has no label.
Volume Serial Number is A3CD-75CC
Directory of Z:\
02/05/2013 01:33 PM <DIR> .
02/05/2013 01:33 PM 0 file2
02/05/2013 01:33 PM 0 file1
02/05/2013 01:33 PM <DIR> ..
2 File(s) 8,192 bytes
2 Dir(s) 3,941,351,424 bytes free
* Unmount and Logout
C:\Users\fuser>umount -a
You have these active NFS connections:
Z: \\rasalghul.testrelm.com\nfs-share
Continuing will cancel the connections.
Do you want to continue this operation? (Y/N) [N]:y
Disconnecting Z: \\rasalghul.testrelm.com\nfs-share
The command completed successfully.
* Added User to 500 groups. Mount works as expected
C:\Users\fuser>mount \\rasalghul.testrelm.com\nfs-share *
Z: is now successfully connected to \\rasalghul.testrelm.com\nfs-share
The command completed successfully.
* Credential Cache increased a small amount for nfs ticket indicating that there is no PAC attached.
[root@wazwan ~]# kdestroy
[root@wazwan ~]# ll -h /tmp/k*
ls: cannot access /tmp/k*: No such file or directory
[root@wazwan ~]# kinit fuser
Password for fuser:
[root@wazwan ~]# ll -h /tmp/k*
-rw-------. 1 root root 5.1K Feb 5 19:33 /tmp/krb5cc_0
[root@wazwan ~]# kvno ldap/wazwan.testrelm.com
ldap/wazwan.testrelm.com: kvno = 2
[root@wazwan ~]# ll /tmp/k*
-rw-------. 1 root root 15440 Feb 5 19:34 /tmp/krb5cc_0
[root@wazwan ~]# kvno nfs/wazwan.testrelm.com
nfs/wazwan.testrelm.com: kvno = 1
[root@wazwan ~]# ll /tmp/k*
-rw-------. 1 root root 15967 Feb 5 19:34 /tmp/krb5cc_0
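
The ccache-size check used in the verification above, as an added example (not part of the bug report or of IPA): it parses a constructed copy of the transcript's commands and listing lines and reports how many bytes each ticket added to the cache. The function names and the 2048-byte cut-off are assumptions chosen for illustration.

```python
import re

# Constructed sample: commands and ccache listings copied from the transcript above.
TRANSCRIPT = """\
[root@wazwan ~]# kinit fuser
[root@wazwan ~]# ll -h /tmp/k*
-rw-------. 1 root root 5.1K Feb 5 19:33 /tmp/krb5cc_0
[root@wazwan ~]# kvno ldap/wazwan.testrelm.com
ldap/wazwan.testrelm.com: kvno = 2
[root@wazwan ~]# ll /tmp/k*
-rw-------. 1 root root 15440 Feb 5 19:34 /tmp/krb5cc_0
[root@wazwan ~]# kvno nfs/wazwan.testrelm.com
nfs/wazwan.testrelm.com: kvno = 1
[root@wazwan ~]# ll /tmp/k*
-rw-------. 1 root root 15967 Feb 5 19:34 /tmp/krb5cc_0
"""

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2}
# A shell prompt followed by the command that requested a ticket.
CMD = re.compile(r"#\s+(kinit|kvno)\s+(\S+)")
# ls -l fields: mode, links, owner, group, size (plain bytes or -h form such as 5.1K).
LS = re.compile(r"^-\S+\s+\d+\s+\S+\s+\S+\s+([\d.]+)([KM]?)\s.*krb5cc")

def ccache_growth(transcript):
    """Return [(principal, bytes_added)] for each kinit/kvno followed by a listing."""
    growth, last_size, pending = [], 0, None
    for line in transcript.splitlines():
        cmd = CMD.search(line)
        if cmd:
            pending = cmd.group(2)
            continue
        ls = LS.match(line)
        if ls and pending:
            # A -h size is rounded, so deltas that involve it are approximate.
            size = int(float(ls.group(1)) * UNITS[ls.group(2)])
            growth.append((pending, size - last_size))
            last_size, pending = size, None
    return growth

def likely_pac(growth, limit=2048):
    """Service tickets that grew the cache by more than `limit` bytes (assumed cut-off)."""
    return [p for p, added in growth if "/" in p and added > limit]

if __name__ == "__main__":
    report = ccache_growth(TRANSCRIPT)
    for principal, added in report:
        print(f"{principal:30} +{added} bytes")
    print("large service tickets:", likely_pac(report))
```

Cache growth is only a size heuristic: the client cannot decrypt a service ticket to inspect its authorization data, so a small delta for the nfs/ principal is indirect evidence that no PAC was attached.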
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2013-0528.html