Hi Rob, I can reproduce your issue now and I am looking into this issue and I suspect nfs-utils may have broken gss-proxy support recently.
I am not sure yet, but some critical areas have been changed, so I need to better investigate them. It will take me a little time as I am at Devconf.cz now, but hopefully I will have an answer for you in a few days.
Simo.
On Sat, 2017-01-21 at 13:10 +0100, Rob Verduijn wrote:
Another fresh install of a fedora25 client, now with the new gssproxy 0.6.0 package, but that one does not work either.
Created the file /etc/gssproxy/00-apache.conf:

[service/apache]
mechs = krb5
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
cred_store = client_keytab:/var/lib/gssproxy/clients/httpd.keytab
cred_usage = initiate
euid = 48

Put the keytab in the specified place, added debug settings to /etc/gssproxy/gssproxy.conf:

[gssproxy]
debug = true
debug_level = 9

I did not touch the file /etc/sysconfig/nfs, since the default setting of GSS_USE_PROXY="yes" is what I want.
Checked the logs, nothing in there besides what you get from systemctl status gssproxy.service
su - apache -s /bin/bash, and no access to the shares is allowed.
Weird thing I noticed: when browsing as root the nfs mounts are readable (root is squashed) but not as the apache user. Root gets to read it with nobody:nobody privileges, but apache with apache:apache is refused.
I'm really at a loss as to what to do next.
Do I need to set an environment variable to make this work?
Rob Verduijn
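To make the [service/...] section checkable before restarting gssproxy, here is an added example (not part of the thread and not gssproxy's own code) that parses a gssproxy configuration, keeping the repeated cred_store keys that a plain INI parser would collapse, and flags the settings the thread depends on: a client_keytab store, an initiate-capable cred_usage and a euid matching the apache account (uid 48). The sample configuration is constructed from Rob's 00-apache.conf above; the expected uid is passed in by the caller.

```python
"""Parse and sanity-check a gssproxy service section (added example)."""
from collections import defaultdict

# Constructed sample: the 00-apache.conf fragment posted in the thread.
SAMPLE_CONF = """\
[service/apache]
mechs = krb5
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
cred_store = client_keytab:/var/lib/gssproxy/clients/httpd.keytab
cred_usage = initiate
euid = 48
"""


def parse_gssproxy_conf(text):
    """Return {section: {key: [values...]}}; repeated keys keep every value in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current not in sections:
                sections[current] = defaultdict(list)
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)
    return sections


def check_service(section, expected_uid):
    """Return the problems found in one [service/...] section (empty list = OK)."""
    problems = []
    # cred_store values look like "type:location"; index them by type.
    stores = dict(s.split(":", 1) for s in section.get("cred_store", []) if ":" in s)
    if "client_keytab" not in stores:
        problems.append("no client_keytab cred_store, so gssproxy has nothing to initiate with")
    usage = section.get("cred_usage", [None])[0]
    if usage not in (None, "initiate", "both"):
        problems.append("cred_usage=%s does not allow initiating credentials" % usage)
    euid = section.get("euid")
    if euid is None or int(euid[0]) != expected_uid:
        problems.append("euid %s does not match the service account uid %d" % (euid, expected_uid))
    mechs = section.get("mechs")
    if mechs is not None and "krb5" not in mechs[0]:
        problems.append("krb5 mech not enabled for this service")
    return problems
```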
2017-01-04 23:14 GMT+01:00 Rob Verduijn rob.verduijn@gmail.com:
2017-01-04 20:56 GMT+01:00 Simo Sorce simo@redhat.com:
On Wed, 2017-01-04 at 19:41 +0100, Rob Verduijn wrote:
2017-01-04 19:27 GMT+01:00 Dmitri Pal dpal@redhat.com:
On 01/04/2017 01:13 PM, Rob Verduijn wrote:
2017-01-04 14:59 GMT+01:00 Simo Sorce simo@redhat.com:
On Wed, 2017-01-04 at 10:16 +0100, Rob Verduijn wrote:
> ---------- Forwarded message ----------
> From: Simo Sorce simo@redhat.com
> Date: 2017-01-03 17:32 GMT+01:00
> Subject: [gssproxy] Re: gssproxy broken on fedora
> To: The GSS-Proxy developers and users mailing list <gss-proxy@lists.fedorahosted.org>
>
> On Mon, 2017-01-02 at 19:22 +0100, Rob Verduijn wrote:
> > Nope that does not work on either fc24 or fc25.
> > I did not try centos73 since it already worked on that one.
>
> Given you tried manually, make sure you delete the ccache before trying with the client_keytab setting.
>
> If that doesn't work can you set debug = True in the global section and tell me if you get any useful output/error?
>
> Simo.
>
> -- Simo Sorce * Red Hat, Inc * New York
> _______________________________________________
> gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org
> To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
>
> Hi,
> I checked for the cache, but there were no cache files present in /var/lib/gssproxy/clients.
> I cleaned the sssd cache.
> I set the debug entry, did a reboot, but also no log entries appeared.
>
> Current /etc/gssproxy/gssproxy.conf:
>
> [gssproxy]
> debug=True
>
> [service/HTTP]
> mechs = krb5
> cred_store = keytab:/etc/gssproxy/http.keytab
> cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
> cred_store = client_keytab:/etc/gssproxy/http.keytab
> euid = 48
>
> and tested it with
> su - apache -s /bin/bash
>
> The mount works fine for a regular ipa user on fedora 24/25.
> According to systemctl status gssproxy the service is up and running:
>
> [root@fedora-24 ~]# systemctl status gssproxy
> ● gssproxy.service - GSSAPI Proxy Daemon
>    Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
>    Active: active (running) since Wed 2017-01-04 10:05:55 CET; 8min ago
>  Main PID: 987 (gssproxy)
>    CGroup: /system.slice/gssproxy.service
>            └─987 /usr/sbin/gssproxy -D
>
> systemd[1]: Starting GSSAPI Proxy Daemon...
> gssproxy[972]: [2017/01/04 09:05:55]: Debug Enabled (level: 1)
> gssproxy[972]: [2017/01/04 09:05:55]: Client connected (fd = 10)[2017/01/04 09:05:55]: (pid = 987) (uid = 0) (gid = 0)[2017/01/04 09:05:55]: (context = system_u:system_r:kernel_t:s0)[2017/01/04 09:05:55]:
> Started GSSAPI Proxy Daemon.
If you turn on rpc.gssd debugging and kernel rpc debugging do you see anything relevant?
Simo.
-- Simo Sorce * Red Hat, Inc * New York
It does not seem to look for the credits specified in the gssproxy.conf file. How can I verify the running configuration of gssproxy?
Rob Verduijn
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: #012handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt0)
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: krb5_not_machine_creds: uid 48 tgtname (null)
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No Kerberos credentials available (default cache: KEYRING:persistent:48)
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /tmp
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' being considered, with preferred realm 'EXAMPLE.COM'
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' owned by 0, not 48
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: looking for client creds with uid 48 for server nfs.example.com in /run/user/%U
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: Error doing scandir on directory '/run/user/48': No such file or directory
Jan 4 18:52:50 fedora-24 rpc.gssd[1034]: doing error downcall
Why are you preferring credential cache in a file over a keyring which is default? Have you tried without cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U ?
-- Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
Because it said so in the example here: https://fedorahosted.org/gss-proxy/wiki/Apache
But have tried it without and it still fails.
Rob Verduijn
Rob, is rpc.gssd running with the USE_GSS_PROXY=Yes environment variable on? If not, then gssproxy is simply not involved here.
Simo.
-- Simo Sorce * Red Hat, Inc * New York
There is a GSS_USE_PROXY=yes in /etc/sysconfig/nfs, so I added USE_GSS_PROXY=yes to it and also to the script /usr/libexec/nfs-utils/nfs-utils_env.sh so that it gets applied to the file /run/sysconfig/nfs-utils at boot. I double checked after a reboot: verified the share was working for an ordinary user but not for the apache user when using 'su - apache -s /bin/bash'. Also checked the kvno of the http.keytab just to make sure I wasn't missing the obvious. Still no go.
Rob Verduijn