Another fresh install of a fedora25 client, now with the new gssproxy 0.6.0
package, but that one does not work either.
Created the file /etc/gssproxy/00-apache.conf
[service/apache]
mechs = krb5
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
cred_store = client_keytab:/var/lib/gssproxy/clients/httpd.keytab
cred_usage = initiate
euid = 48
put the keytab in the specified place
added debug settings to /etc/gssproxy/gssproxy.conf
[gssproxy]
debug = true
debug_level = 9
I did not touch the file /etc/sysconfig/nfs
Since the default setting of GSS_USE_PROXY="yes" is what I want
Checked the logs, nothing in there besides what you get from
systemctl status gssproxy.service
su - apache -s /bin/bash
and no access to the shares is allowed
Weird thing I noticed: when browsing as root the nfs mounts are readable (root
is squashed) but not as the apache user.
Root gets to read it with nobody:nobody privileges but apache with
apache:apache is refused.
I'm really at a loss as to what to do next.
Do I need to set an environment variable to make this work?
Rob Verduijn
2017-01-04 23:14 GMT+01:00 Rob Verduijn <rob.verduijn(a)gmail.com>:
2017-01-04 20:56 GMT+01:00 Simo Sorce <simo(a)redhat.com>:
> On Wed, 2017-01-04 at 19:41 +0100, Rob Verduijn wrote:
> > 2017-01-04 19:27 GMT+01:00 Dmitri Pal <dpal(a)redhat.com>:
> >
> > > On 01/04/2017 01:13 PM, Rob Verduijn wrote:
> > >
> > >
> > >
> > > 2017-01-04 14:59 GMT+01:00 Simo Sorce <simo(a)redhat.com>:
> > >
> > >> On Wed, 2017-01-04 at 10:16 +0100, Rob Verduijn wrote:
> > >> > ---------- Forwarded message ----------
> > >> > From: Simo Sorce <simo(a)redhat.com>
> > >> > Date: 2017-01-03 17:32 GMT+01:00
> > >> > Subject: [gssproxy] Re: gssproxy broken on fedora
> > >> > To: The GSS-Proxy developers and users mailing list <gss-proxy(a)lists.fedorahosted.org>
> > >> >
> > >> >
> > >> > On Mon, 2017-01-02 at 19:22 +0100, Rob Verduijn wrote:
> > >> > >
> > >> > > Nope that does not work on either fc24 or fc25.
> > >> > > I did not try centos73 since it already worked on that one.
> > >> >
> > >> > Given you tried manually, make sure you delete the ccache before trying
> > >> > with the client_keytab setting.
> > >> >
> > >> > If that doesn't work can you set debug = True in the global section and
> > >> > tell me if you get any useful output/error ?
> > >> >
> > >> > Simo.
> > >> >
> > >> > --
> > >> > Simo Sorce * Red Hat, Inc * New York
> > >> > _______________________________________________
> > >> > gss-proxy mailing list -- gss-proxy(a)lists.fedorahosted.org
> > >> > To unsubscribe send an email to gss-proxy-leave(a)lists.fedorahosted.org
> > >> >
> > >> >
> > >> > Hi,
> > >> >
> > >> > I checked for the cache, but there were no cache files present in
> > >> > /var/lib/gssproxy/clients.
> > >> > I cleaned the sssd cache.
> > >> > I set the debug entry, did a reboot, but also no log entries appeared
> > >> >
> > >> > current /etc/gssproxy/gssproxy.conf
> > >> >
> > >> > [gssproxy]
> > >> > debug=True
> > >> >
> > >> > [service/HTTP]
> > >> > mechs = krb5
> > >> > cred_store = keytab:/etc/gssproxy/http.keytab
> > >> > cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
> > >> > cred_store = client_keytab:/etc/gssproxy/http.keytab
> > >> > euid = 48
> > >> >
> > >> > and tested it with
> > >> > su - apache -s /bin/bash
> > >> >
> > >> > The mount works fine for a regular ipa user on fedora 24/25
> > >> > according to systemctl status gssproxy the service is up and running,
> > >> >
> > >> > [root@fedora-24 ~]# systemctl status gssproxy
> > >> > ● gssproxy.service - GSSAPI Proxy Daemon
> > >> > Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
> > >> > Active: active (running) since Wed 2017-01-04 10:05:55 CET; 8min ago
> > >> > Main PID: 987 (gssproxy)
> > >> > CGroup: /system.slice/gssproxy.service
> > >> > └─987 /usr/sbin/gssproxy -D
> > >> >
> > >> > systemd[1]: Starting GSSAPI Proxy Daemon...
> > >> > gssproxy[972]: [2017/01/04 09:05:55]: Debug Enabled (level: 1)
> > >> > gssproxy[972]: [2017/01/04 09:05:55]: Client connected (fd = 10)[2017/01/04 09:05:55]: (pid = 987) (uid = 0) (gid = 0)[2017/01/04 09:05:55]: (context = system_u:system_r:kernel_t:s0)[2017/01/04 09:05:55]:
> > >> > Started GSSAPI Proxy Daemon.
> > >>
> > >> If you turn on rpc.gssd debugging and kernel rpc debugging do you see
> > >> anything relevant ?
> > >>
> > >> Simo.
> > >>
> > >> --
> > >> Simo Sorce * Red Hat, Inc * New York
> > >>
> > >
> > >
> > > It does not seem to look for the credits specified in the gssproxy.conf file.
> > > How can I verify the running configuration of gssproxy ?
> > >
> > > Rob Verduijn
> > >
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: #012handle_gssd_upcall:
> > > 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt0)
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: krb5_not_machine_creds: uid 48 tgtname (null)
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available (default cache: KEYRING:persistent:48)
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /tmp
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' being considered, with preferred realm 'EXAMPLE.COM'
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' owned by 0, not 48
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /run/user/%U
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: Error doing scandir on directory '/run/user/48': No such file or directory
> > > Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: doing error downcall
> > >
> > >
> > >
> > >
> > >
> > > Why are you preferring credential cache in a file over a keyring which is
> > > default?
> > > Have you tried without cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U ?
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Engineering Director, Identity Management and Platform Security
> > > Red Hat, Inc.
> > >
> > >
> > >
> > >
> > Because it said so in the example here:
> > https://fedorahosted.org/gss-proxy/wiki/Apache
> >
> > But have tried it without and it still fails.
> >
> > Rob Verduijn
>
> Rob, is rpc.gssd running with the USE_GSS_PROXY=Yes environment variable on?
> If not then gssproxy is simply not involved here.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
There is a GSS_USE_PROXY=yes in /etc/sysconfig/nfs,
so I added USE_GSS_PROXY=yes to it and also to the script
/usr/libexec/nfs-utils/nfs-utils_env.sh
so that it gets applied to the file /run/sysconfig/nfs-utils at boot.
I double checked after a reboot
verified the share was working for an ordinary user
but not for the apache user when using 'su - apache -s /bin/bash'
also checked the kvno of the http.keytab just to make sure I wasn't missing the
obvious.
still no go.
Rob Verduijn
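A small offline check for the two artifacts discussed in this thread, added here as an example and not code from gssproxy or nfs-utils: it parses a gssproxy service section while preserving repeated cred_store keys (a stock INI parser collapses duplicate keys, which would silently drop one of the two cred_store lines), and it summarises rpc.gssd log lines of the kind quoted above so that a reader can see at a glance which uid the upcall was for and whether rpc.gssd went looking for credential caches itself. The sample config and log lines are constructed from the snippets in the thread; the regular expressions are assumptions about the wording of rpc.gssd's messages, and the requirement that euid be numeric and that at least one keytab-type cred_store exist are assumptions about what a usable section needs.

```python
"""Offline checks for a gssproxy service section and rpc.gssd log lines.

Added example, not gssproxy's or nfs-utils' own code. The config grammar is
inferred from the snippets in the thread: INI-style sections, '=' separated
keys, and cred_store may repeat, so duplicate keys must be kept as a list.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the 00-apache.conf posted in the thread.
SAMPLE_CONF = """\
[gssproxy]
debug = true
debug_level = 9

[service/apache]
mechs = krb5
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
cred_store = client_keytab:/var/lib/gssproxy/clients/httpd.keytab
cred_usage = initiate
euid = 48
"""

# Constructed log lines, condensed from the rpc.gssd output quoted in the thread.
SAMPLE_GSSD_LOG = [
    "Jan  4 18:52:50 fedora-24 rpc.gssd[1034]: handle_gssd_upcall: "
    "'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt0)",
    "Jan  4 18:52:50 fedora-24 rpc.gssd[1034]: ERROR: GSS-API: error in "
    "gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code "
    "may provide more information) - No Kerberos credentials available "
    "(default cache: KEYRING:persistent:48)",
    "Jan  4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with "
    "uid 48 for server nfs.example.com in /tmp",
    "Jan  4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with "
    "uid 48 for server nfs.example.com in /run/user/%U",
    "Jan  4 18:52:50 fedora-24 rpc.gssd[1034]: doing error downcall",
]


def parse_gssproxy_conf(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            raise ValueError("key outside a section or missing '=': %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)
    return sections


def check_service(section):
    """Return findings (strings) for one [service/...] section; empty is good.

    The rules are assumptions drawn from the thread, not gssproxy's own checks.
    """
    findings = []
    if "krb5" not in section.get("mechs", []):
        findings.append("mechs does not include krb5")
    # cred_store values look like '<type>:<location>'; keep only the type.
    kinds = {s.split(":", 1)[0] for s in section.get("cred_store", [])}
    if not kinds & {"keytab", "client_keytab"}:
        findings.append("no keytab/client_keytab cred_store to initiate from")
    euid = section.get("euid")
    if euid is None or not euid[0].isdigit():
        findings.append("euid missing or not numeric; callers cannot match")
    return findings


# Assumed patterns for the rpc.gssd messages seen in the thread.
UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=(\w+) uid=(\d+)")
LOOKUP_RE = re.compile(r"looking for client creds with uid (\d+) for server (\S+) in (\S+)")
NOCREDS_RE = re.compile(r"No Kerberos credentials available \(default cache: ([^)]+)\)")


def triage_gssd_log(lines):
    """Summarise what rpc.gssd reported for the upcall(s) in `lines`.

    'local_lookups' records every directory rpc.gssd searched for a ccache
    itself; the thread treats such searches as a sign the daemon handled the
    upcall on its own rather than handing it to gssproxy.
    """
    report = {"uids": set(), "local_lookups": [], "no_creds_cache": None,
              "error_downcall": False}
    for line in lines:
        m = UPCALL_RE.search(line)
        if m:
            report["uids"].add(int(m.group(2)))
        m = LOOKUP_RE.search(line)
        if m:
            report["local_lookups"].append((int(m.group(1)), m.group(2), m.group(3)))
        m = NOCREDS_RE.search(line)
        if m:
            report["no_creds_cache"] = m.group(1)
        if "doing error downcall" in line:
            report["error_downcall"] = True
    report["gssd_searched_locally"] = bool(report["local_lookups"])
    return report


if __name__ == "__main__":
    conf = parse_gssproxy_conf(SAMPLE_CONF)
    print("findings:", check_service(conf["service/apache"]) or "none")
    print(triage_gssd_log(SAMPLE_GSSD_LOG))
```

Run against a real /etc/gssproxy/*.conf and a journal excerpt, the two outputs answer the questions raised in the thread separately: whether the section itself is complete for the uid in question, and whether rpc.gssd's own log shows it searching /tmp and /run/user for that uid instead of deferring to gssproxy.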