On Sat, 6 Dec 2014 12:18:14 -0500
Simo Sorce <simo(a)redhat.com> wrote:
On Sat, 6 Dec 2014 14:32:32 +0100
Rob Verduijn <rob.verduijn(a)gmail.com> wrote:
> Hello all,
>
> I've got this weird problem.
>
> I have a server that uses kerberized mounts.
>
> One service (squeezebox) uses a mount point and is able to access it
> using gssproxy.
> But the other service (apache) is not able to access it using
> gssproxy.
>
> This is my gssproxy.conf
> [gssproxy]
>
> [service/squeezebox]
> mechs = krb5
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_squeezebox
> cred_store = client_keytab:/etc/gssproxy/clients/squeezbox.keytab
> cred_usage = initiate
> euid = 997
>
> [service/apache]
> mechs = krb5
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
> cred_store = client_keytab:/etc/gssproxy/clients/httpd.keytab
> cred_usage = initiate
> euid = 48
>
> And I triple checked the apache principal, it is definitely the
> right one.
>
>
> I see this in the logs for the working service :
> Client connected (fd = 10) (pid = 1625) (uid = 997) (gid = 997)
> (context = system_u:system_r:gssd_t:s0)
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> "squeezebox", euid: 997, socket: (null)
> gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> "squeezebox", euid: 997, socket: (null)
> gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> "squeezebox", euid: 997, socket: (null)
>
> but the apache service gives me:
> Client connected (fd = 10) (pid = 1695) (uid = 48) (gid = 48)
> (context = system_u:system_r:gssd_t:s0)
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> "apache", euid: 48, socket: (null)
> Client connected (fd = 10) (pid = 1696) (uid = 48) (gid = 48)
> (context = system_u:system_r:gssd_t:s0)
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> "apache", euid: 48, socket: (null)
> Client connected (fd = 10) (pid = 1698) (uid = 48) (gid = 48)
> (context = system_u:system_r:gssd_t:s0)
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> "apache", euid: 48, socket: (null)
> Client connected (fd = 10) (pid = 1699) (uid = 48) (gid = 48)
> (context = system_u:system_r:gssd_t:s0)
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> "apache", euid: 48, socket: (null)
>
> Any ideas on what is causing the gssproxy to fail for apache ?
>
> Rob
If you have access to the KDC logs, do you see any failure there?
Otherwise what happens if you run the following?
KRB5CCNAME=FILE:/var/lib/gssproxy/clients/krb5cc_apache \
kinit -kt /etc/gssproxy/clients/httpd.keytab
Simo.
To close the loop, the issue was a subtle configuration error.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
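
An added example, not part of the original thread and not gssproxy's own tooling: a small Python script that summarizes gssproxy debug output per service and flags the pattern visible in the logs above, where a service keeps issuing GSSX_ACQUIRE_CRED and never reaches GSSX_INIT_SEC_CONTEXT. The function names are hypothetical, the sample log is constructed from the lines quoted in the thread, and treating "acquire without init" as a stall is a heuristic assumption.

```python
import re
from collections import defaultdict

# Matches gssproxy debug lines such as:
#   gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, ...
# \s+ between tokens tolerates the line wrapping seen in mailed excerpts.
CALL_RE = re.compile(
    r'gp_rpc_execute:\s+executing\s+\d+\s+\((GSSX_\w+)\)\s+for\s+service\s+'
    r'"([^"]+)",\s+euid:\s+(\d+)'
)

# Constructed sample: log lines as quoted in the thread, including mail quoting.
SAMPLE_LOG = '''\
> gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
> "squeezebox", euid: 997, socket: (null)
> gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
> "squeezebox", euid: 997, socket: (null)
gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "squeezebox", euid: 997, socket: (null)
Client connected (fd = 10) (pid = 1695) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
'''

def summarize(log_text):
    """Return {service: {"euid": int, "calls": {rpc_name: count}}}."""
    # Drop mail quote markers so a pasted, quoted excerpt parses too.
    text = re.sub(r'^[ \t]*(?:>[ \t]?)+', '', log_text, flags=re.M)
    out = {}
    for rpc, service, euid in CALL_RE.findall(text):
        entry = out.setdefault(service, {"euid": int(euid), "calls": defaultdict(int)})
        entry["calls"][rpc] += 1
    return out

def stalled_services(summary):
    """Services that requested credentials but never started a security context."""
    return sorted(
        name for name, entry in summary.items()
        if entry["calls"].get("GSSX_ACQUIRE_CRED", 0) > 0
        and entry["calls"].get("GSSX_INIT_SEC_CONTEXT", 0) == 0
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, entry in summary.items():
        print(name, entry["euid"], dict(entry["calls"]))
    print("stalled:", stalled_services(summary))
```

A service listed as stalled is a candidate for the manual keytab check suggested in the thread (kinit -kt with KRB5CCNAME pointing at that service's ccache).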