To close the loop, the issue was a subtle configuration error.

On Sat, 6 Dec 2014 12:18:14 -0500
Simo Sorce <simo@redhat.com> wrote:
> On Sat, 6 Dec 2014 14:32:32 +0100
> Rob Verduijn <rob.verduijn@gmail.com> wrote:
>
> > Hello all,
> >
> > I've got this weird problem.
> >
> > I have a server that uses kerberized mounts.
> >
> > One service (squeezebox) uses a mount point and is able to access it
> > using gssproxy.
> > But the other service (apache) is not able to access it using
> > gssproxy.
> >
> > This is my gssproxy.conf
> > [gssproxy]
> >
> > [service/squeezebox]
> > mechs = krb5
> > cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_squeezebox
> > cred_store = client_keytab:/etc/gssproxy/clients/squeezbox.keytab
> > cred_usage = initiate
> > euid = 997
> >
> > [service/apache]
> > mechs = krb5
> > cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
> > cred_store = client_keytab:/etc/gssproxy/clients/httpd.keytab
> > cred_usage = initiate
> > euid = 48
> >
> > And I triple checked the apache principal, it is definitely the
> > right one.
> >
> >
> > I see this in the logs for the working service :
> > Client connected (fd = 10) (pid = 1625) (uid = 997) (gid = 997)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "squeezebox", euid: 997, socket: (null)
> > gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> > "squeezebox", euid: 997, socket: (null)
> > gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> > "squeezebox", euid: 997, socket: (null)
> >
> > but the apache service gives me:
> > Client connected (fd = 10) (pid = 1695) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> > Client connected (fd = 10) (pid = 1696) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> > Client connected (fd = 10) (pid = 1698) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> > Client connected (fd = 10) (pid = 1699) (uid = 48) (gid = 48)
> > (context = system_u:system_r:gssd_t:s0)
> > gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> > "apache", euid: 48, socket: (null)
> >
> > Any ideas on what is causing the gssproxy to fail for apache ?
> >
> > Rob
>
> If you have access to the KDC logs, do you see any failure there?
>
> Otherwise what happens if you run the following?
>
> KRB5CCNAME=FILE:/var/lib/gssproxy/clients/krb5cc_apache \
> kinit -kt /etc/gssproxy/clients/httpd.keytab
>
> Simo.
>
Simo.
--
Simo Sorce * Red Hat, Inc * New York
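
The log pattern in this thread (a service that keeps issuing GSSX_ACQUIRE_CRED but never reaches GSSX_INIT_SEC_CONTEXT) can be picked out of a gssproxy debug log automatically. The script below is an added example, not part of the original messages or of gssproxy itself; the sample log is constructed in the format quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the gssproxy debug lines quoted in the
# thread (wrapped lines joined; values are illustrative).
SAMPLE_LOG = """\
Client connected (fd = 10) (pid = 1625) (uid = 997) (gid = 997) (context = system_u:system_r:gssd_t:s0)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "squeezebox", euid: 997, socket: (null)
gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "squeezebox", euid: 997, socket: (null)
Client connected (fd = 10) (pid = 1695) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
Client connected (fd = 10) (pid = 1696) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
"""

# \s+ between tokens so that log lines wrapped by a pager or mail client
# still match.
RPC_RE = re.compile(
    r'gp_rpc_execute:\s+executing\s+(\d+)\s+\((GSSX_[A-Z_]+)\)\s+'
    r'for\s+service\s+"([^"]+)",\s+euid:\s+(\d+)'
)


def summarize(log_text):
    """Count RPC procedures seen per (service, euid) pair."""
    calls = defaultdict(lambda: defaultdict(int))
    for match in RPC_RE.finditer(log_text):
        _number, proc, service, euid = match.groups()
        calls[(service, int(euid))][proc] += 1
    return {key: dict(procs) for key, procs in calls.items()}


def stalled_services(log_text):
    """Return (service, euid, attempts) for services that request
    credentials but never go on to initiate a security context."""
    stalled = []
    for (service, euid), procs in sorted(summarize(log_text).items()):
        acquired = procs.get("GSSX_ACQUIRE_CRED", 0)
        if acquired and not procs.get("GSSX_INIT_SEC_CONTEXT"):
            stalled.append((service, euid, acquired))
    return stalled


if __name__ == "__main__":
    for service, euid, attempts in stalled_services(SAMPLE_LOG):
        print(f"{service} (euid {euid}): {attempts} ACQUIRE_CRED, "
              "no INIT_SEC_CONTEXT")
```

A service flagged here is a candidate for the manual keytab check suggested in the thread (kinit -kt with that service's keytab and ccache).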