Hi,

One more minor thing I noticed (and was probably the bigger culprit besides the typo).
Today my gssproxy entries failed again.

After some serious digging I found that there were a lot of entries in 
/var/lib/gssproxy/clients/

and since I had a new freeipa server which was the start of my misery
(caused by an utterly failed snapshot that changed a migration from fedora20 to centos7 in a fresh new reinstalled freeipa3.3.2 on centos7.)

I figured I should probably clean up my sssd cache (didn't help).
Cleaning up the /var/lib/gssproxy/clients/ did help.
After a restart that one dropped from many entries to 2. (guess which :-P )

To get to the point.
For getting rid of weird errors, getting rid of the cache entries in /var/lib/gssproxy/clients/ and then restarting gssproxy might help in some cases.
(like a new ipa server)

Rob




2014-12-08 19:07 GMT+01:00 Simo Sorce <simo@redhat.com>:
On Sat, 6 Dec 2014 12:18:14 -0500
Simo Sorce <simo@redhat.com> wrote:

> On Sat, 6 Dec 2014 14:32:32 +0100
> Rob Verduijn <rob.verduijn@gmail.com> wrote:
>
> > Hello all,
> >
> > I've got this weird problem.
> >
> > I have a server that uses kerberized mounts.
> >
> > One service (squeezebox) uses a mount point and is able to access it
> > using gssproxy.
> > But the other service (apache) is not able to access it using
> > gssproxy.
> >
> > This is my gssproxy.conf
> > [gssproxy]
> >
> > [service/squeezebox]
> >   mechs = krb5
> >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_squeezebox
> >   cred_store = client_keytab:/etc/gssproxy/clients/squeezbox.keytab
> >   cred_usage = initiate
> >   euid = 997
> >
> > [service/apache]
> >   mechs = krb5
> >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
> >   cred_store = client_keytab:/etc/gssproxy/clients/httpd.keytab
> >   cred_usage = initiate
> >   euid = 48
> >
> > And I triple checked the apache principal, it is definitely the
> > right one.
> >
> >
> > I see this in the logs for the working service :
> > Client connected (fd = 10) (pid = 1625) (uid = 997) (gid = 997)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "squeezebox", euid: 997, socket: (null)
> > gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> > "squeezebox", euid: 997, socket: (null)
> > gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> > "squeezebox", euid: 997, socket: (null)
> >
> > but the apache service gives me:
> > Client connected (fd = 10) (pid = 1695) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> > Client connected (fd = 10) (pid = 1696) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> > Client connected (fd = 10) (pid = 1698) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> > Client connected (fd = 10) (pid = 1699) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> >
> > Any ideas on what is causing the gssproxy to fail for apache ?
> >
> > Rob
>
> If you have access to the KDC logs, do you see any failure there?
>
> Otherwise what happens if you run the following?
>
> KRB5CCNAME=FILE:/var/lib/gssproxy/clients/krb5cc_apache \
> kinit -kt /etc/gssproxy/clients/httpd.keytab
>
> Simo.
>

To close the loop, the issue was a subtle configuration error.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
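
Added example (not part of the thread and not gssproxy's own code): a read-only check that parses a gssproxy.conf, reports services whose `client_keytab` path does not exist, and lists files in the clients cache directory that no service's `ccache` setting refers to. The function names and the file listings are assumptions made for illustration; the thread does not say which setting was actually wrong.

```python
import os

def parse_conf(text):
    """Parse gssproxy.conf text into {section: {key: [values]}}; keys like cred_store repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def service_stores(sections):
    """Yield (service, {store_type: path}) for every [service/...] section."""
    for name, opts in sections.items():
        if name.startswith("service/"):
            stores = dict(v.split(":", 1) for v in opts.get("cred_store", []) if ":" in v)
            yield name, {k: p[5:] if p.startswith("FILE:") else p for k, p in stores.items()}

def missing_keytabs(sections, exists=os.path.exists):
    """Services whose client_keytab is unset or names a file that does not exist."""
    return [(name, stores.get("client_keytab"))
            for name, stores in service_stores(sections)
            if not stores.get("client_keytab") or not exists(stores["client_keytab"])]

def unreferenced_caches(sections, cache_dir, listing):
    """Files in cache_dir that no service's ccache setting refers to."""
    wanted = {s.get("ccache") for _, s in service_stores(sections)}
    return sorted(f for f in listing if os.path.join(cache_dir, f) not in wanted)

# Constructed sample: cred_store lines as posted in the thread; the file listings are invented.
SAMPLE_CONF = """[service/squeezebox]
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_squeezebox
  cred_store = client_keytab:/etc/gssproxy/clients/squeezbox.keytab
[service/apache]
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
  cred_store = client_keytab:/etc/gssproxy/clients/httpd.keytab
"""
SAMPLE_KEYTABS = {"/etc/gssproxy/clients/squeezebox.keytab", "/etc/gssproxy/clients/httpd.keytab"}
SAMPLE_FILES = ["krb5cc_apache", "krb5cc_squeezebox", "krb5cc_0", "krb5cc_1000"]

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(missing_keytabs(conf, SAMPLE_KEYTABS.__contains__),
          unreferenced_caches(conf, "/var/lib/gssproxy/clients", SAMPLE_FILES))
```

On a real host, pass the contents of /etc/gssproxy/gssproxy.conf and `os.listdir("/var/lib/gssproxy/clients")` instead of the samples, and leave `exists` at its default.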