Confirmed in bionic. This seems to be a known issue and needs further investigation to see if it was fixed upstream or if there is a workaround available. Maybe via gss-proxy? Have to check.
--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1733571

Title:
  unable to access kerberized nfs4 shares with keyring ccache

Status in freeipa package in Ubuntu:
  Confirmed
Status in nfs-utils package in Ubuntu:
  Confirmed

Bug description:
  # Problem

  With the default `ipa-client-install` method, users authenticated to Kerberos cannot access kerberized NFS shares from other IPA-joined Ubuntu hosts, even though permissions are correct.

  # Steps to reproduce

  1. Set up a FreeIPA server on CentOS 7 per the default docs
  2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` and one `client.domain.tld`, and join both to FreeIPA
  3. Create principals `nfs/server.domain.tld` and `nfs/client.domain.tld`
  4. Create the user `testuser` in FreeIPA
  5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,rw,fsid=root,crossmnt,no_subtree_check,root_squash)`, then run `exportfs -rav`
  6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
  7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
  8. Log in as `testuser` and `kinit testuser` if necessary
  9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/some_file`

  # Expected result

  Changing the working directory to `/srv/nfs4`, listing the directory contents and creating a new file

  # Actual result

  `Permission denied`

  # Reason

  After quite some time spent debugging, I found that `gssd` in Ubuntu 16.04 cannot read kernel persistent keyrings for Kerberos' ccache. Removing the line `default_ccache_name = KEYRING:persistent:%{uid}` from `/etc/krb5.conf` solved the issue. This config file is created by `ipa-client-install` in `configure_krb5_conf()` after `#configure KEYRING CCACHE if supported`.
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
  Uname: Linux 4.4.0-101-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.12
  Architecture: amd64
  Date: Tue Nov 21 12:41:59 2017
  JournalErrors:
   Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1:
   Hint: You are currently not seeing messages from other users and the system.
         Users in the 'systemd-journal' group can see all messages. Pass -q to
         turn off this notice.
   No journal files were opened due to insufficient permissions.
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1733571/+subscriptions
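The report above pins the failure on a single `krb5.conf` setting: `ipa-client-install` writes `default_ccache_name = KEYRING:persistent:%{uid}`, and the reporter's workaround was to remove that line so libkrb5 falls back to its file-based cache. The following POSIX shell snippet is an added example, not code from the bug report, FreeIPA, or nfs-utils; it checks which credential-cache type a given `krb5.conf` selects and produces a copy with the KEYRING line removed, which is the configuration-side check an administrator would run on an affected client before and after applying the workaround. The sample `krb5.conf` content is constructed here and is not a real host's file; the realm `DOMAIN.TLD` is a placeholder taken from the reporter's hostnames.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect default_ccache_name in a
# krb5.conf and produce a copy without the KEYRING setting that, per the
# report, gssd on Ubuntu 16.04 cannot read.

# Print the value of default_ccache_name from the given krb5.conf
# (first uncommented occurrence); prints nothing if it is unset.
krb5_default_ccache() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Classify the configured ccache type. DEFAULT means the key is absent, so
# libkrb5 uses its compiled-in default (a FILE cache under /tmp on Ubuntu).
krb5_ccache_type() {
    value=$(krb5_default_ccache "$1")
    case "$value" in
        "")         echo DEFAULT ;;
        KEYRING:*)  echo KEYRING ;;
        FILE:*)     echo FILE ;;
        DIR:*)      echo DIR ;;
        *)          echo OTHER ;;
    esac
}

# Write a copy of krb5.conf ($1) to $2 with any KEYRING default_ccache_name
# line removed, i.e. the change the reporter made by hand.
krb5_strip_keyring_ccache() {
    sed '/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*KEYRING:/d' "$1" > "$2"
}

# Constructed sample resembling the [libdefaults] block ipa-client-install
# writes; DOMAIN.TLD is a placeholder realm.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
  default_realm = DOMAIN.TLD
  dns_lookup_kdc = true
  default_ccache_name = KEYRING:persistent:%{uid}
EOF

FIXED_CONF=$(mktemp)
krb5_strip_keyring_ccache "$SAMPLE_CONF" "$FIXED_CONF"

echo "before: $(krb5_ccache_type "$SAMPLE_CONF")"   # KEYRING
echo "after:  $(krb5_ccache_type "$FIXED_CONF")"    # DEFAULT
```

On a real client, run `krb5_ccache_type /etc/krb5.conf` after `ipa-client-install` to confirm whether the host is in the KEYRING configuration the report describes; `klist` on the logged-in user will show the same cache type in its `Ticket cache:` line. The stripped copy is written to a separate path so the live file is only replaced deliberately.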