Hi Robbie,
Thanks very much for your reply! I apologise but I was indeed mistaken with that
statement. I should have said that gssproxy was only looking for 0.keytab rather than the
actual user's keytab. I'm sorry for the misunderstanding.
In case it would still be informative, here are the permissions for the keytabs and
credential cache:
-rw-------. 1 root root unconfined_u:object_r:gssproxy_var_lib_t:s0 538 Feb 23 19:06 40058920.keytab
-rw-------. 1 root root unconfined_u:object_r:gssproxy_var_lib_t:s0 302 Feb 23 21:52 40059091.keytab
-rw-------. 1 root root system_u:object_r:gssproxy_var_lib_t:s0 1575 Feb 23 19:10 krb5cc_40058920
-rw-------. 1 root root system_u:object_r:gssproxy_var_lib_t:s0 1619 Feb 23 21:53 krb5cc_40059091
I've since made a little bit of progress on the issue. When mounting the NFS share the
journal is still being spammed with:
gssproxy[642]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
However, restarting the gssproxy service via systemd stops the errors, and allows the
credential cache for the required users to be created in
/var/lib/gssproxy/clients/krb5cc_%U as expected. These errors recur on reboot.
The biggest problem is I am unable to access the NFS shares using this credentials cache.
When I try to do so as the user emby@EXAMPLE.COM (UID 40058920), I get this:
strace -p $(pidof gssproxy) -s4096 -f
[...]
[pid 2913] read(4, "\0", 1) = 1
[pid 2913] epoll_ctl(5, EPOLL_CTL_ADD, 12, {EPOLLOUT|EPOLLERR|EPOLLHUP, {u32=2618044368, u64=94552028098512}}) = 0
[pid 2913] epoll_wait(5, [{EPOLLOUT, {u32=2618044368, u64=94552028098512}}], 1, 30000) = 1
[pid 2913] writev(12, [{"\200\0\4\320", 4}, {"[REDACTED]emby@EXAMPLE.COM[REDACTED](nfs/nfs-server.example.com@EXAMPLE.COM[REDACTED]/etc/krb5.conf[REDACTED]emby@EXAMPLE.COM[REDACTED]emby@EXAMPLE.COM[REDACTED]emby@EXAMPLE.COM[REDACTED](nfs/nfs-server.example.com@EXAMPLE.COM[REDACTED](nfs/nfs-server.example.com@EXAMPLE.COM(nfs/nfs-server.example.com(a)EXAMPLE.COM[REDACTED]", 1232}], 2) = 1236
[pid 2913] epoll_ctl(5, EPOLL_CTL_ADD, 12, {EPOLLIN|EPOLLERR|EPOLLHUP, {u32=2618044608, u64=94552028098752}}) = -1 EEXIST (File exists)
[pid 2913] epoll_ctl(5, EPOLL_CTL_MOD, 12, {EPOLLIN|EPOLLOUT|EPOLLERR|EPOLLHUP, {u32=2618044368, u64=94552028098512}}) = 0
[pid 2913] epoll_ctl(5, EPOLL_CTL_MOD, 12, {EPOLLIN|EPOLLERR|EPOLLHUP, {u32=2618044608, u64=94552028098752}}) = 0
[pid 2913] epoll_wait(5, [{EPOLLIN|EPOLLHUP, {u32=2618044608, u64=94552028098752}}], 1, 30000) = 1
[pid 2913] read(12, "", 4) = 0
[pid 2913] close(12) = 0
[pid 2913] epoll_ctl(5, EPOLL_CTL_DEL, 12, 0x7fff055fa5e0) = -1 EBADF (Bad file descriptor)
[pid 2913] epoll_wait(5, [], 1, 30000) = 0
I've redacted line 4 for brevity. Let me know if there is any more information I can
provide.
Thanks again for your consideration
James