Another fresh install of a fedora25 client, now with the new gssproxy 0.6.0 package, but that one does not work either.
Created the file /etc/gssproxy/00-apache.conf:

    [service/apache]
    mechs = krb5
    cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
    cred_store = client_keytab:/var/lib/gssproxy/clients/httpd.keytab
    cred_usage = initiate
    euid = 48

Put the keytab in the specified place and added debug settings to /etc/gssproxy/gssproxy.conf:

    [gssproxy]
    debug = true
    debug_level = 9

I did not touch the file /etc/sysconfig/nfs, since the default setting of GSS_USE_PROXY="yes" is what I want.
Checked the logs, nothing in there besides what you get from systemctl status gssproxy.service
su - apache -s /bin/bash and no access to the shares is allowed
Weird thing I noticed: when browsing as root the NFS mounts are readable (root is squashed) but not as the apache user. Root gets to read it with nobody:nobody privileges, but apache with apache:apache is refused.
I'm really at a loss as to what to do next.
Do I need to set an environment variable to make this work?
Rob Verduijn
2017-01-04 23:14 GMT+01:00 Rob Verduijn rob.verduijn@gmail.com:
2017-01-04 20:56 GMT+01:00 Simo Sorce simo@redhat.com:
On Wed, 2017-01-04 at 19:41 +0100, Rob Verduijn wrote:
2017-01-04 19:27 GMT+01:00 Dmitri Pal dpal@redhat.com:
On 01/04/2017 01:13 PM, Rob Verduijn wrote:
2017-01-04 14:59 GMT+01:00 Simo Sorce simo@redhat.com:
On Wed, 2017-01-04 at 10:16 +0100, Rob Verduijn wrote:
---------- Forwarded message ----------
From: Simo Sorce simo@redhat.com
Date: 2017-01-03 17:32 GMT+01:00
Subject: [gssproxy] Re: gssproxy broken on fedora
To: The GSS-Proxy developers and users mailing list <gss-proxy@lists.fedorahosted.org>
On Mon, 2017-01-02 at 19:22 +0100, Rob Verduijn wrote:
> Nope, that does not work on either fc24 or fc25.
> I did not try centos73 since it already worked on that one.
Given you tried manually, make sure you delete the ccache before trying with the client_keytab setting.
If that doesn't work, can you set debug = True in the global section and tell me if you get any useful output/error?
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org
To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
Hi,
I checked for the cache, but there were no cache files present in /var/lib/gssproxy/clients. I cleaned the sssd cache. I set the debug entry and did a reboot, but also no log entries appeared.
Current /etc/gssproxy/gssproxy.conf:

    [gssproxy]
    debug=True

    [service/HTTP]
    mechs = krb5
    cred_store = keytab:/etc/gssproxy/http.keytab
    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
    cred_store = client_keytab:/etc/gssproxy/http.keytab
    euid = 48
and tested it with su - apache -s /bin/bash
The mount works fine for a regular ipa user on fedora 24/25. According to systemctl status gssproxy the service is up and running:
    [root@fedora-24 ~]# systemctl status gssproxy
    ● gssproxy.service - GSSAPI Proxy Daemon
       Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
       Active: active (running) since Wed 2017-01-04 10:05:55 CET; 8min ago
     Main PID: 987 (gssproxy)
       CGroup: /system.slice/gssproxy.service
               └─987 /usr/sbin/gssproxy -D

    systemd[1]: Starting GSSAPI Proxy Daemon...
    gssproxy[972]: [2017/01/04 09:05:55]: Debug Enabled (level: 1)
    gssproxy[972]: [2017/01/04 09:05:55]: Client connected (fd = 10)[2017/01/04 09:05:55]: (pid = 987) (uid = 0) (gid = 0)[2017/01/04 09:05:55]: (context = system_u:system_r:kernel_t:s0)[2017/01/04 09:05:55]: Started GSSAPI Proxy Daemon.
If you turn on rpc.gssd debugging and kernel rpc debugging, do you see anything relevant?
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
It does not seem to look for the credentials specified in the gssproxy.conf file. How can I verify the running configuration of gssproxy?
Rob Verduijn
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: #012handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt0)
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: krb5_not_machine_creds: uid 48 tgtname (null)
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available (default cache: KEYRING:persistent:48)
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /tmp
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' being considered, with preferred realm 'EXAMPLE.COM'
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' owned by 0, not 48
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /run/user/%U
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: Error doing scandir on directory '/run/user/48': No such file or directory
    Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: doing error downcall
Why are you preferring a credential cache in a file over a keyring, which is the default? Have you tried without

    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U

?
-- 
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
Because it said so in the example here: https://fedorahosted.org/gss-proxy/wiki/Apache
But have tried it without and it still fails.
Rob Verduijn
Rob, is rpc.gssd running with the USE_GSS_PROXY=Yes environment variable on? If not, then gssproxy is simply not involved here.
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
There is a GSS_USE_PROXY=yes in /etc/sysconfig/nfs
so I added USE_GSS_PROXY=yes to it and also to the script /usr/libexec/nfs-utils/nfs-utils_env.sh
so that it gets applied to the file /run/sysconfig/nfs-utils at boot.
I double checked after a reboot
verified the share was working for an ordinary user
but not for the apache user when using 'su - apache -s /bin/bash'
also checked the kvno of the http.keytab just to make sure I wasn't missing the obvious.
still no go.
Rob Verduijn
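The thread turns on two pieces of configuration: the [service/...] sections of gssproxy.conf (repeated cred_store lines, euid) and the GSS_USE_PROXY switch in /etc/sysconfig/nfs that rpc.gssd has to see. Below is an added example, not code from the thread, from gssproxy or from nfs-utils: a small Python checker that parses a gssproxy.conf-style file (configparser rejects the repeated cred_store keys, so it keeps ordered key/value pairs), groups the cred_store entries by type, flags service sections missing the settings the thread's own examples carry, and reads the proxy switch out of a sysconfig-style file. The INI-like layout and the lint rules are assumptions drawn from the configs posted above, not the projects' documented grammar; the sample config and env file are constructed for the example.

```python
"""Lint a gssproxy.conf-style file plus a sysconfig-style env file.

Added example, not code from gssproxy or nfs-utils.  Assumptions: the
INI-like layout below with repeatable `cred_store` keys whose values are
`type:location`, and lint rules that only encode what the thread's own
[service/...] sections contain (mechs krb5, a keytab or client_keytab
source, a numeric euid).
"""
import re

# Constructed sample: the [service/apache] block from the thread plus a
# second section that deliberately omits euid and any keytab source.
SAMPLE_CONF = """\
[gssproxy]
debug = true
debug_level = 9

[service/apache]
mechs = krb5
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
cred_store = client_keytab:/var/lib/gssproxy/clients/httpd.keytab
cred_usage = initiate
euid = 48

[service/broken]
mechs = krb5
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
"""

# Constructed sample of an /etc/sysconfig/nfs-style file.
SAMPLE_ENV = """\
# Optional arguments passed to rpc.gssd.
RPCGSSDARGS=""
GSS_USE_PROXY="yes"
"""

_SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_gssproxy_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def cred_stores(pairs):
    """Group cred_store values by type: 'ccache:FILE:/x' -> {'ccache': ['FILE:/x']}."""
    out = {}
    for key, value in pairs:
        if key != "cred_store":
            continue
        kind, _, location = value.partition(":")
        out.setdefault(kind, []).append(location)
    return out


def lint_service(pairs):
    """Findings for one [service/...] section; an empty list means nothing flagged."""
    keys = {k: v for k, v in pairs if k != "cred_store"}  # last value wins
    stores = cred_stores(pairs)
    findings = []
    if "krb5" not in keys.get("mechs", "").split():
        findings.append("mechs does not list krb5")
    if not ({"keytab", "client_keytab"} & set(stores)):
        findings.append("no keytab or client_keytab cred_store: nothing to initiate from")
    if "euid" not in keys:
        findings.append("euid not set")
    elif not keys["euid"].isdigit():
        findings.append("euid is not numeric: %r" % keys["euid"])
    return findings


def env_file_value(text, name):
    """Value of NAME in a sysconfig-style file (KEY=value or KEY="value"), else None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip().strip('"').strip("'")
    return None


def report(conf_text=SAMPLE_CONF, env_text=SAMPLE_ENV):
    """Lint every service section and read the proxy switch; return one dict."""
    sections = parse_gssproxy_conf(conf_text)
    result = {name: lint_service(pairs)
              for name, pairs in sections.items() if name.startswith("service/")}
    # Both spellings appear in the thread; report whichever the file carries.
    result["env"] = {n: env_file_value(env_text, n)
                     for n in ("GSS_USE_PROXY", "USE_GSS_PROXY")}
    return result


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

Run against a real host by passing the contents of /etc/gssproxy/*.conf and /etc/sysconfig/nfs to report(); the checker only says what the files contain, it does not confirm that the running rpc.gssd actually inherited the variable, which is the question Simo raises above.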