Red Hat Bugzilla – Bug 878462
Special case NFS related ticket to avoid attaching MS-PACs
Last modified: 2013-02-21 04:30:21 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3263 The current Linux NFS server is severely limited when it comes to handling kerberos tickets. Bsically any ticket bigger than 2k will cause it to fail authentication due to kernel->userspace upcall interface restrictions. Until we have additional support in IPA to indivdually mark principals to opt out of getting PACs attached we always prevent PACs from being attached to TGTs or Tickets where NFS is involved.
Please provide steps to reproduce and verify this
- Create new Ad user - try to mount export from a NFS server member of IPA domain, see that it succeeds using GSSAPI/Krb5 auth as that user. - unmount - logout - Add AD user to 500 groups - log in again - try to mount expot from NFS server, see authentication failure
Fixed upstream. master: 5269458f552380759c86018cd1f30b64761be92e ipa-3-0: 592dd9fccd1696bff5e604c6097b2a8785add295
[root@rasalghul ~]# exportfs -v /nfs-share <world>(rw,wdelay,root_squash,no_subtree_check,sec=krb5:krb5i:krb5p,rw,root_squash,no_all_squash) C:\Users\fuser>mount \\rasalghul.testrelm.com\nfs-share * Z: is now successfully connected to \\rasalghul.testrelm.com\nfs-share The command completed successfully. C:\Users\fuser>z: Z:\>dir Volume in drive Z has no label. Volume Serial Number is A3CD-75CC Directory of Z:\ 02/05/2013 01:33 PM <DIR> . 02/05/2013 01:33 PM 0 file2 02/05/2013 01:33 PM 0 file1 02/05/2013 01:33 PM <DIR> .. 2 File(s) 8,192 bytes 2 Dir(s) 3,941,351,424 bytes free * Unmount and Logout C:\Users\fuser>umount -a You have these active NFS connections: Z: \\rasalghul.testrelm.com\nfs-share Continuing will cancel the connections. Do you want to continue this operation? (Y/N) [N]:y Disconnecting Z: \\rasalghul.testrelm.com\nfs-share The command completed successfully. * Added User to 500 groups. Mount works as expected C:\Users\fuser>mount \\rasalghul.testrelm.com\nfs-share * Z: is now successfully connected to \\rasalghul.testrelm.com\nfs-share The command completed successfully. * Credential Cache increased a small amount for nfs ticket indicating that there is no PAC attached. [root@wazwan ~]# kdestroy [root@wazwan ~]# ll -h /tmp/k* ls: cannot access /tmp/k*: No such file or directory [root@wazwan ~]# kinit fuser@ADLAB.QE Password for fuser@ADLAB.QE: [root@wazwan ~]# ll -h /tmp/k* -rw-------. 1 root root 5.1K Feb 5 19:33 /tmp/krb5cc_0 [root@wazwan ~]# kvno ldap/wazwan.testrelm.com@TESTRELM.COM ldap/wazwan.testrelm.com@TESTRELM.COM: kvno = 2 [root@wazwan ~]# ll /tmp/k* -rw-------. 1 root root 15440 Feb 5 19:34 /tmp/krb5cc_0 [root@wazwan ~]# kvno nfs/wazwan.testrelm.com@TESTRELM.COM nfs/wazwan.testrelm.com@TESTRELM.COM: kvno = 1 [root@wazwan ~]# ll /tmp/k* -rw-------. 1 root root 15967 Feb 5 19:34 /tmp/krb5cc_0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html