On 01/04/2017 01:13 PM, Rob Verduijn wrote:
2017-01-04 14:59 GMT+01:00 Simo Sorce <simo@redhat.com>:
On Wed, 2017-01-04 at 10:16 +0100, Rob Verduijn wrote:
> ---------- Forwarded message ----------
> From: Simo Sorce <simo@redhat.com>
> Date: 2017-01-03 17:32 GMT+01:00
> Subject: [gssproxy] Re: gssproxy broken on fedora
> To: The GSS-Proxy developers and users mailing list <gss-proxy@lists.fedorahosted.org>
>
> On Mon, 2017-01-02 at 19:22 +0100, Rob Verduijn wrote:
> >
> > Nope that does not work on either fc24 or fc25.
> > I did not try centos73 since it already worked on that one.
>
> Given you tried manually, make sure you delete the ccache before trying
> with the client_keytab setting.
>
> If that doesn't work can you set debug = True in the global section and
> tell me if you get any useful output/error ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
> _______________________________________________
> gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org
> To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
>
> Hi,
>
> I checked for the cache, but there were no cache files present in
> /var/lib/gssproxy/clients.
> I cleaned the sssd cache.
> I set the debug entry, did a reboot, but also no log entries appeared
>
> current /etc/gssproxy/gssproxy.conf
>
> [gssproxy]
> debug=True
>
> [service/HTTP]
> mechs = krb5
> cred_store = keytab:/etc/gssproxy/http.keytab
> cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
> cred_store = client_keytab:/etc/gssproxy/http.keytab
> euid = 48
>
> and tested it with
> su - apache -s /bin/bash
>
> The mount works fine for a regular ipa user on fedora 24/25
> according to systemctl status gssproxy the service is up and running,
>
> [root@fedora-24 ~]# systemctl status gssproxy
> ● gssproxy.service - GSSAPI Proxy Daemon
>    Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
>    Active: active (running) since Wed 2017-01-04 10:05:55 CET; 8min ago
>  Main PID: 987 (gssproxy)
>    CGroup: /system.slice/gssproxy.service
>            └─987 /usr/sbin/gssproxy -D
>
> systemd[1]: Starting GSSAPI Proxy Daemon...
> gssproxy[972]: [2017/01/04 09:05:55]: Debug Enabled (level: 1)
> gssproxy[972]: [2017/01/04 09:05:55]: Client connected (fd = 10)[2017/01/04 09:05:55]: (pid = 987) (uid = 0) (gid = 0)[2017/01/04 09:05:55]: (context = system_u:system_r:kernel_t:s0)[2017/01/04 09:05:55]:
> Started GSSAPI Proxy Daemon.

If you turn on rpc.gssd debugging and kernel rpc debugging do you see
anything relevant ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

It does not seem to look for the credits specified in the gssproxy.conf file.
How can I verify the running configuration of gssproxy ?

Rob Verduijn

Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: #012handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt0)
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: krb5_not_machine_creds: uid 48 tgtname (null)
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available (default cache: KEYRING:persistent:48)
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /tmp
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' being considered, with preferred realm 'EXAMPLE.COM'
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' owned by 0, not 48
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /run/user/%U
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: Error doing scandir on directory '/run/user/48': No such file or directory
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: doing error downcall

Why are you preferring a credential cache in a file over a keyring, which is the default? Have you tried without cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U ?