[debian-lan-devel] Softupdate wheezy

Andreas B. Mundt andi.mundt at web.de
Fri Apr 19 15:44:07 UTC 2013


Hi Julien,

On Fri, Apr 19, 2013 at 05:11:19PM +0200, Julien Lambot wrote:

> Following my softupdate (and dumb cp error) I continued the setup.
> Everything was OK until the workstation01 has been successfully deployed (I
> skipped workstation00)
>
> The client didn't resolve the mainserver's IP and I had the following
> error in the logs
> rpc.gssd ERROR unable to resolve 10.10.12.10 to hostname
> (I changed the SERVER_A ip to suit my network's needs)
> It has been worked around by modifying client's /etc/hosts file with
> 10.10.12.10 mainserver.intern
>
> Then, the logon worked. Though, the session closes automatically and I
> don't find anything relevant in the logs. Some errors are well found
> underneath but as I don't get the whole authentication process yet, it's
> quite difficult to trace the right cause. Is the pam_gnome_keyring a
> mandatory module?
>

Just a quick shot in the dark:  Can you check if the Kerberos Keytab
for the machine has been deployed?  If you point a browser to
<URL:http://www.intern>, you should find a link to the Icinga
monitoring page.  There should be a test for the keytab.

You can copy the keytab again with the command

    debian-lan key2machine workstation01

to the host "workstation01".  The keys are in /root/installation/, and
after copying they are renamed, so if the key is missing, check the
/root/installation/ directory.

Without the key, the home directories cannot be mounted.  You can only
log in on the console, with / as home directory.  (This is a good test
if the Kerberos authentication works.)


> - NTP seems OK on both mainserver and workstation01
> - ssh login on workstation01 with test user is ok
> - krb preauth is not ok (but I'm new to this topic) though, reverse lookup
> is fine.
> - test user is well known within kerberos
> e.g.: kadmin -p admin -q "list_principals"
> returns:
>  trober at INTERN )
> - test user's home dir is not created (user made from Gosa "default user"
> template. When logging in by ssh, home path is ok /srv/nfsv4/home0/trober,
> but directory "disappears")
> - user created without Gosa template - same issue (logon ok, but session
> closes immediately)
> - user created with debian-lan adduser - ibid.
>
> The whole configuration looks very promising and I'm interested in
> integrating samba afterwards, so I really want it to run seamlessly!
> Thanks for all the work Andy.
>

Hm, these are strange issues I never saw, we'll find out what's going on.


>
>
> auth.log:
>
> Apr 19 16:30:11 workstation01 lightdm: pam_krb5(lightdm:auth): user trober
> authenticated as trober at INTERN
> Apr 19 16:30:11 workstation01 lightdm: pam_unix(lightdm:session): session
> closed for user lightdm
> Apr 19 16:30:11 workstation01 lightdm: pam_unix(lightdm:session): session
> opened for user trober by (uid=0)
> Apr 19 16:30:11 workstation01 gnome-keyring-daemon[5039]: couldn't create
> socket directory: No such file or directory
> Apr 19 16:30:11 workstation01 gnome-keyring-daemon[5039]: couldn't bind to
> control socket: /lan/mainserver/home0/trober/.cache/keyring-SAbqan/control:
> No such file or directory
> Apr 19 16:30:11 workstation01 lightdm: pam_unix(lightdm:session): session
> opened for user lightdm by (uid=0)
> Apr 19 16:30:12 workstation01 dbus[2201]: [system] Rejected send message, 2
> matched rules; type="method_call", sender=":1.39" (uid=106 pid=5077
> comm="/usr/sbin/lightdm-gtk-greeter ")
> interface="org.freedesktop.DBus.Properties" member="GetAll" error
> name="(unset)" requested_reply="0" destination=":1.4" (uid=0 pid=2762
> comm="/usr/sbin/console-kit-daemon --no-daemon ")
>

IIRC the gnome-keyring-daemon warning is not a problem.


> kdc.log
>
> Apr 19 16:30:10 mainserver krb5kdc[3195](info): AS_REQ (4 etypes {18 17 16
> 23}) 10.10.12.51: NEEDED_PREAUTH: trober at INTERN for krbtgt/INTERN at INTERN,
> Additional pre-authentication required
> Apr 19 16:30:10 mainserver krb5kdc[3195](info): AS_REQ (4 etypes {18 17 16
> 23}) 10.10.12.51: ISSUE: authtime 1366381810, etypes {rep=18 tkt=18
> ses=18}, trober at INTERN for krbtgt/INTERN at INTERN
> Apr 19 16:30:10 mainserver krb5kdc[3195](info): TGS_REQ (4 etypes {18 17 16
> 23}) 10.10.12.51: ISSUE: authtime 1366381810, etypes {rep=18 tkt=18
> ses=18}, trober at INTERN for host/workstation01.intern at INTERN
>
> daemon.log
> Apr 19 16:38:24 mainserver nslcd[3164]: [efd79f]
> <passwd="nfs/workstation01.intern"> request denied by validnames option
>

I see this nslcd warning too, no problem here.

> kern.log
> Apr 19 16:19:32 mainserver kernel: [ 1629.454832] sha1_ssse3: Using AVX
> optimized SHA-1 implementation
> Apr 19 16:19:32 workstation01 kernel: [  167.952990] sha1_ssse3: Neither
> AVX nor SSSE3 is available/usable.
>
>
> Thanks for any advice and sorry to bother list with that.
>

No problem, that's what the list is for, and finally everybody will
profit from the solutions.

For the moment I am a bit short in time, but perhaps you get a bit
further with the comments above.

Best regards,

     Andi
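
An added example (not part of the original message or of the debian-lan code): a small parser for krb5kdc log lines in the format quoted above. It reports, per client, whether the NEEDED_PREAUTH reply was followed by an issued TGT and which service tickets the KDC issued. The sample lines are constructed from the quoted excerpt; looking for an `nfs/` service ticket assumes the home directories are mounted over Kerberized NFSv4, as the rpc.gssd and /srv/nfsv4 references in the thread suggest.

```python
import re

# Constructed sample modelled on the kdc.log excerpt quoted in the message
# (lines unwrapped; "@" assumed to be what the list archive rendered as " at ").
SAMPLE_KDC_LOG = """\
Apr 19 16:30:10 mainserver krb5kdc[3195](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.12.51: NEEDED_PREAUTH: trober@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
Apr 19 16:30:10 mainserver krb5kdc[3195](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.12.51: ISSUE: authtime 1366381810, etypes {rep=18 tkt=18 ses=18}, trober@INTERN for krbtgt/INTERN@INTERN
Apr 19 16:30:10 mainserver krb5kdc[3195](info): TGS_REQ (4 etypes {18 17 16 23}) 10.10.12.51: ISSUE: authtime 1366381810, etypes {rep=18 tkt=18 ses=18}, trober@INTERN for host/workstation01.intern@INTERN
"""

# request type, client address, status, then "<client> for <service>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:.*, )?(?P<client>\S+?@\S+) for (?P<service>[^\s,]+)"
)


def summarize(log_text):
    """Return {client: {"needed_preauth", "tgt_issued", "services"}}."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = out.setdefault(
            m["client"],
            {"needed_preauth": False, "tgt_issued": False, "services": set()},
        )
        if m["req"] == "AS_REQ" and m["status"] == "NEEDED_PREAUTH":
            # First leg of the normal two-step pre-authentication exchange.
            entry["needed_preauth"] = True
        elif m["status"] == "ISSUE":
            if m["req"] == "AS_REQ":
                entry["tgt_issued"] = True
            else:
                entry["services"].add(m["service"])
    return out


def has_service_ticket(summary, client, kind):
    """True if a ticket for a service principal of type `kind` was issued."""
    services = summary.get(client, {}).get("services", ())
    return any(s.split("/", 1)[0] == kind for s in services)
```

On the sample, the client gets a TGT after the NEEDED_PREAUTH reply and a `host/` ticket for the workstation, while no `nfs/` ticket appears in these three lines.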


