Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: add65e825283f3e34dd8652f565c343e8a605d9f
https://github.com/gssapi/gssproxy/commit/add65e825283f3e34dd8652f565c343e8…
Author: Simo Sorce <simo(a)redhat.com>
Date: 2026-03-24 (Tue, 24 Mar 2026)
Changed paths:
M src/gp_debug.c
M src/gp_debug.h
M src/gssproxy.c
Log Message:
-----------
Delay krb5 tracing setup in daemon mode
This delays the initialization of the krb5 tracing function until after
daemonization when not running interactively. Setting it up earlier caused the
trace reader thread to be killed during the fork. It also adds an early check
to cache the state of the KRB5_TRACE environment variable, ensuring that
gssproxy does not override or unset a user-provided trace configuration.
Signed-off-by: Simo Sorce <simo(a)redhat.com>
To unsubscribe from these emails, change your notification settings at https://github.com/gssapi/gssproxy/settings/notifications
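As an added illustration in Python (not gssproxy's code) of the behaviour the commit message describes: a "reader" thread started before fork() does not exist in the child, which stands in for the daemonized process, and KRB5_TRACE is cached at startup so a user's own trace setting is never overridden. It assumes Linux, reading the thread count from /proc/self/status.

```python
import os
import threading

# Captured once at startup, before daemonization and before any tracing setup
# (constructed helper modelled on the commit's description, not gssproxy code).
_USER_TRACE = None

def cache_trace_env(environ=None):
    """Remember whether KRB5_TRACE was set by the user; return that state."""
    global _USER_TRACE
    environ = os.environ if environ is None else environ
    _USER_TRACE = environ.get("KRB5_TRACE")
    return _USER_TRACE is not None

def should_install_tracing(interactive, after_fork):
    """Install our own krb5 trace hook now? Never when the user set
    KRB5_TRACE; right away when interactive; in daemon mode only after the
    fork, so the trace reader thread lives in the process that survives."""
    if _USER_TRACE is not None:
        return False
    return interactive or after_fork

def thread_count():
    """The kernel's count of threads in this process (Linux /proc)."""
    with open("/proc/self/status") as status:
        for line in status:
            if line.startswith("Threads:"):
                return int(line.split()[1])
    raise RuntimeError("Threads: field not found")

def threads_before_and_after_fork():
    """Start a blocking 'reader' thread, fork, and return the thread count
    seen by the parent and the count the child reports after the fork."""
    stop = threading.Event()
    reader = threading.Thread(target=stop.wait, daemon=True)
    reader.start()
    before = thread_count()
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                 # child: only the thread that forked exists
        os.close(rfd)
        os.write(wfd, str(thread_count()).encode())
        os._exit(0)
    os.close(wfd)
    after = int(os.read(rfd, 16))
    os.close(rfd)
    os.waitpid(pid, 0)
    stop.set()
    return before, after
```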
Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: d0a066023b48c116b3c2dcf5a14d7f24a0c185e2
https://github.com/gssapi/gssproxy/commit/d0a066023b48c116b3c2dcf5a14d7f24a…
Author: yixiangzhike <yixiangzhike007(a)163.com>
Date: 2026-02-23 (Mon, 23 Feb 2026)
Changed paths:
M src/gp_creds.c
Log Message:
-----------
Try to obtain new cred if the cred from rpc.gssd or other apps is defective.
Rpc.gssd or other applications may use the cache configured with default_ccache_name (krb5.conf). If the cache file of gssproxy (cred_store=ccache:FILE:xxxxxx) is deleted, the gssproxy service returns an empty credential when processing a GSSX_ARG_ACQUIRE_CRED request, unless the user clears the default_ccache_name cache. However, users may not even be aware of the existence of the default_ccache_name cache. In this situation, it may be better for gssproxy to try to obtain new credentials.
Signed-off-by: yixiangzhike <yixiangzhike007(a)163.com>
Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: 75362245304c43715d50743d3e37dc1ce66b704b
https://github.com/gssapi/gssproxy/commit/75362245304c43715d50743d3e37dc1ce…
Author: Alexey Tikhonov <atikhono(a)redhat.com>
Date: 2026-01-29 (Thu, 29 Jan 2026)
Changed paths:
M external/dinglibs.m4
Log Message:
-----------
Remove unneeded include in configure script
Deprecated 'ini_config.h' is going to be removed from public API.
Signed-off-by: Alexey Tikhonov <atikhono(a)redhat.com>
Commit: bd4518ea977244643ac9d4970164e10bc372572c
https://github.com/gssapi/gssproxy/commit/bd4518ea977244643ac9d4970164e10bc…
Author: Alexey Tikhonov <atikhono(a)redhat.com>
Date: 2026-01-29 (Thu, 29 Jan 2026)
Changed paths:
M configure.ac
M external/dinglibs.m4
Log Message:
-----------
Don't check for libref_array explicitly
LIBINI_CONFIG_LIBS contains '-lref_array' and there is no
lib version that wouldn't provide `ref_array_destroy()`, so
this change won't break anything now.
On the other hand, it can help to avoid breaking later, when
'ref_array' will be merged in 'ini_config'.
Signed-off-by: Alexey Tikhonov <atikhono(a)redhat.com>
Compare: https://github.com/gssapi/gssproxy/compare/d93a17125870...bd4518ea9772
We have an IPA client in the NWRA.COM realm and are trying to do a krb5 nfs mount from a Windows server in the AD.NWRA.COM realm. The two realms are connected by a two way trust. Mounting of CIFS shares works fine.
# mount -t nfs -v -o sec=krb5,vers=4.1 SERVER.ad.nwra.com:test_nfs /mnt
mount.nfs: timeout set for Mon Aug 18 16:11:46 2025
mount.nfs: trying text-based options 'sec=krb5,vers=4.1,addr=10.X.X.X,clientaddr=10.X.X.X'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting SERVER.ad.nwra.com:test_nfs
I think this is the issue:
Aug 18 16:09:48 gssproxy[1121023]: [CID 11][2025/08/18 23:09:48]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
Aug 18 16:09:48 gssproxy[1121023]: GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [ ] } context_handle: <Null> cred_handle: { "host/CLIENT.mry.nwra.com@NWRA.COM" [ { "host/CLIENT.mry.nwra.com@NWRA.COM" { 1 2 840 113554 1 2 2 } INITIATE 84879 0 [ { [ krb5.set.allowed... ] [ ................... ] } ] } ] [ .............2..... ] 0 } target_name: "nfs@SERVER.ad.nwra.com" mech_type: { 1 2 840 113554 1 2 2 } req_flags: 2 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ sync.modified.cr... ] [ 64656661756c740 ] } ] )
Aug 18 16:09:48 gssproxy[1121023]: [CID 11][2025/08/18 23:09:48]: Credentials allowed by configuration
Aug 18 16:09:48 gssproxy[1121023]: GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638919 "Unspecified GSS failure. Minor code may provide more information" "Server krbtgt/AD.NWRA.COM@NWRA.COM not found in Kerberos database" [ ] } context_handle: <Null> output_token: <Null> )
Aug 18 16:09:48 rpc.gssd[1120142]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@SERVER.ad.nwra.com
Aug 18 16:09:48 rpc.gssd[1120142]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_NWRA.COM for server SERVER.ad.nwra.com
Aug 18 16:09:48 rpc.gssd[1120142]: ERROR: Failed to create machine krb5 context with any credentials cache for server SERVER.ad.nwra.com
Aug 18 16:09:48 rpc.gssd[1120142]: do_error_downcall(0x7f69a33a7700): uid 0 err -13
Aug 18 16:09:48 rpc.gssd[1120142]: destroying client nfs/clnt59
Aug 18 16:09:48 rpc.gssd[1120142]: freeing client nfs/clnt59
Aug 18 16:09:48 rpc.gssd[1120142]: destroying client nfs/clnt58
Shouldn't krbtgt/AD.NWRA.COM@NWRA.COM be krbtgt/AD.NWRA.COM@AD.NWRA.COM?
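An added example, not from the post above, of triaging the GSSX_RES_INIT_SEC_CONTEXT status in Python: it decodes the major status (851968 is GSS_S_FAILURE), converts the unsigned minor code to the signed krb5 com_err value (2529638919 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) and pulls out the missing principal, which has the shape of a cross-realm TGT, krbtgt/<target realm>@<issuing realm>, that the issuing realm's KDC must hold. The regexes are assumptions about gssproxy's debug format and the sample line is reconstructed from the post.

```python
import re

# Assumed shape of gssproxy's debug output, matched against the sample below.
STATUS_RE = re.compile(
    r'status: \{ (\d+) \{ [\d ]+ \} (\d+) "([^"]*)" "([^"]*)"')
KRBTGT_RE = re.compile(r"Server krbtgt/([^@\s]+)@(\S+) not found")

# RFC 2744 routine-error codes (bits 16..23 of the major status).
GSS_ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
                      13: "GSS_S_FAILURE"}
# A few com_err codes from MIT krb5's error table.
KRB5_ERRORS = {
    -1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    -1765328377: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    -1765328228: "KRB5_KDC_UNREACH",
}

def to_signed32(value):
    """gssproxy logs the minor status as unsigned; com_err codes are signed."""
    return value - (1 << 32) if value >= (1 << 31) else value

def triage_gssx_status(line):
    """Decode one GSSX_RES_* status line; None if it carries no status."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    routine = (major >> 16) & 0xFF
    signed_minor = to_signed32(minor)
    result = {
        "major": GSS_ROUTINE_ERRORS.get(routine, f"routine error {routine}"),
        "minor": KRB5_ERRORS.get(signed_minor, f"krb5 code {signed_minor}"),
        "message": m.group(4),
        "cross_realm": None,
    }
    k = KRBTGT_RE.search(m.group(4))
    if k:
        # krbtgt/<target>@<issuing>: the issuing realm's KDC must hold this
        # principal before it can hand out a ticket into the target realm.
        result["cross_realm"] = {"target_realm": k.group(1),
                                 "issuing_realm": k.group(2)}
    return result

# Constructed sample, reproducing the failing line from the post above.
SAMPLE = ('Aug 18 16:09:48 gssproxy[1121023]: GSSX_RES_INIT_SEC_CONTEXT( '
          'status: { 851968 { 1 2 840 113554 1 2 2 } 2529638919 '
          '"Unspecified GSS failure. Minor code may provide more information" '
          '"Server krbtgt/AD.NWRA.COM@NWRA.COM not found in Kerberos database" '
          '[ ] } context_handle: <Null> output_token: <Null> )')

if __name__ == "__main__":
    print(triage_gssx_status(SAMPLE))
```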
Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: c66e429f41db98f8d02ea9844f0b02f0fa4b5c28
https://github.com/gssapi/gssproxy/commit/c66e429f41db98f8d02ea9844f0b02f0f…
Author: Julien Rische <jrische(a)redhat.com>
Date: 2025-03-26 (Wed, 26 Mar 2025)
Changed paths:
M man/gssproxy.conf.5.xml
Log Message:
-----------
Fix gssproxy.conf manpage about comments
The manpage was implying it was possible to have comments at the end of
configuration lines, while SSSD's ini parsing library used by gssproxy
supports full line comments only.
Signed-off-by: Julien Rische <jrische(a)redhat.com>
Hi
In my environment, using gssproxy on our NFS client systems facilitates the reliable operation of Kerberos-secured NFS I/O by non-interactive processes.
Prior to learning about gssproxy, we used a somewhat "kludgy" scheme to obtain Kerberos credentials for non-interactive processes, involving cron jobs to kinit at regular intervals. Problems with gss kernel contexts (requiring client reboots) were much more common before gssproxy.
I noticed that in newer versions of Linux (for example: Red Hat Enterprise v9), the parameter use-gss-proxy (in the [gssd] section of the /etc/nfs.conf file) no longer exists.
I have also read that some security specialists determined that gssproxy increases security risk. And they are recommending that use of gssproxy be discontinued.
(SEE: https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-12-01/findi… )
Questions:
1) Why did the use-gss-proxy configuration parameter disappear?
2) What is the nature and severity of the security risk/s associated with gssproxy (on NFS clients)?
3) Is there a way for users to mitigate the security risk without discontinuing the use of gssproxy?
4) Will the gssproxy code be modified to eliminate the security risk?
5) What is the expected 5 - 10 year plan for active gssproxy development?
6) If the plan is to discontinue active development, are there other active living projects that will provide the same functionality?
Thanks
Andy Romero
Fermilab / ITD
Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: b8e3364ea95968e6a2eeb7a63735c89c9108c24b
https://github.com/gssapi/gssproxy/commit/b8e3364ea95968e6a2eeb7a63735c89c9…
Author: yixiangzhike <yixiangzhike007(a)163.com>
Date: 2025-03-06 (Thu, 06 Mar 2025)
Changed paths:
M systemd/gssproxy.service.in
Log Message:
-----------
Revert "Remove the NoNewPrivileges because it breaks the ability to open socket"
Selinux-policy has allowed init_t nnp domain transition to gssproxy_t in the commit 95d5f5e.
Now it is ok to enable NoNewPrivileges for gssproxy.service.
Signed-off-by: yixiangzhike <yixiangzhike007(a)163.com>
Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: 66e7c5c5091fb392dbcd61d25ee2363f8b718403
https://github.com/gssapi/gssproxy/commit/66e7c5c5091fb392dbcd61d25ee2363f8…
Author: Steinar H. Gunderson <sesse(a)samfundet.no>
Date: 2025-02-11 (Tue, 11 Feb 2025)
Changed paths:
M src/gp_creds.c
Log Message:
-----------
Respect krb5_principal when impersonating
When doing impersonation, we need to get initial credentials
using some service principal from the given keytab. However,
since keytabs have no default principals, libgss just chooses
the first one in the file, which generally does not work well
when in Active Directory.
In particular, in AD, the only valid principal for authenticating
is SERVER$@EXAMPLE.ORG, whereas e.g. host/server.example.org@EXAMPLE.ORG
is just an SPN connected to SERVER$ and not valid for authenticating
in its own right. gssd will try SERVER$ first for its own purposes
(at least according to the man page), but when impersonating,
it will naturally ask for a ticket for a user (e.g. user@EXAMPLE.ORG)
and not the service principal itself.
This patch doesn't really make us choose the right principal for
AD purposes, but it makes us respect the krb5_principal configuration
option when getting a service principal for this purpose, so that
an administrator can at least manually select which one to use
without having to somehow reorder entries in the keytab (which appears
to be hard). Thus, the admin can set "krb5_principal = SERVER$@EXAMPLE.ORG"
in the service definition in gssproxy.conf, and it will work.
Signed-off-by: Steinar H. Gunderson <sesse(a)samfundet.no>