Hello all,
I've got this weird problem.
I have a server that uses kerberized mounts.
One service (squeezebox) uses a mount point and is able to access it using gssproxy. But the other service (apache) is not able to access it using gssproxy.
This is my gssproxy.conf:

    [gssproxy]

    [service/squeezebox]
      mechs = krb5
      cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_squeezebox
      cred_store = client_keytab:/etc/gssproxy/clients/squeezbox.keytab
      cred_usage = initiate
      euid = 997

    [service/apache]
      mechs = krb5
      cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
      cred_store = client_keytab:/etc/gssproxy/clients/httpd.keytab
      cred_usage = initiate
      euid = 48
And I triple checked the apache principal, it is definitely the right one.
I see this in the logs for the working service:

    Client connected (fd = 10) (pid = 1625) (uid = 997) (gid = 997) (context = system_u:system_r:gssd_t:s0)
    gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "squeezebox", euid: 997, socket: (null)
    gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "squeezebox", euid: 997, socket: (null)
    gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "squeezebox", euid: 997, socket: (null)

but the apache service gives me:

    Client connected (fd = 10) (pid = 1695) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
    gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
    Client connected (fd = 10) (pid = 1696) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
    gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
    Client connected (fd = 10) (pid = 1698) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
    gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)
    Client connected (fd = 10) (pid = 1699) (uid = 48) (gid = 48) (context = system_u:system_r:gssd_t:s0)
    gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48, socket: (null)

Any ideas on what is causing the gssproxy to fail for apache?
Rob
On Sat, 6 Dec 2014 14:32:32 +0100 Rob Verduijn rob.verduijn@gmail.com wrote:
If you have access to the KDC logs, do you see any failure there?
Otherwise, what happens if you run the following?

    KRB5CCNAME=FILE:/var/lib/gssproxy/clients/krb5cc_apache \
        kinit -kt /etc/gssproxy/clients/httpd.keytab
Simo.
On Sat, 6 Dec 2014 12:18:14 -0500 Simo Sorce simo@redhat.com wrote:
To close the loop, the issue was a subtle configuration error.
Simo.
Hi,
One more minor thing I noticed (and it was probably the bigger culprit, besides the typo): today my gssproxy entries failed again.
After some serious digging I found that there were a lot of entries in /var/lib/gssproxy/clients/,
and since I had a new FreeIPA server, which was the start of my misery (caused by an utterly failed snapshot that turned a migration from Fedora 20 to CentOS 7 into a fresh reinstall of FreeIPA 3.3.2 on CentOS 7),
I figured I should probably clean up my sssd cache (didn't help). Cleaning up /var/lib/gssproxy/clients/ did help: after a restart that directory dropped from many entries to 2 (guess which :-P ).
To get to the point: for getting rid of weird errors, removing the cache entries in /var/lib/gssproxy/clients/ and then restarting gssproxy might help in some cases (like a new IPA server).
Rob
2014-12-08 19:07 GMT+01:00 Simo Sorce simo@redhat.com:
-- Simo Sorce * Red Hat, Inc * New York
gss-proxy@lists.fedorahosted.org
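The two things this thread ended on, a subtle typo in gssproxy.conf and a pile of leftover credential caches under /var/lib/gssproxy/clients/, are both easy to check mechanically. The script below is an added example and is not code from the gss-proxy project or from anyone in the thread. It assumes gssproxy.conf is INI-like with keys that may repeat (cred_store), that service sections are named [service/<name>], that a ccache cred_store has the form ccache:FILE:/path with %U standing for the client's uid, and, as a heuristic, that a keytab is usually named after its service, so a basename that is close to but not equal to the service name is worth flagging. The configuration and directory listing inside it are constructed to mirror the thread, not taken from a real host.

```python
"""Lint a gssproxy.conf and list credential caches that no service refers to.

Added example, not code from the gss-proxy project or from the thread.
Assumptions: INI-like file with repeatable keys (cred_store), sections named
[service/<name>], ccache cred_store of the form ccache:FILE:/path where %U
stands for the client's uid, and keytabs usually named after their service.
"""
from collections import defaultdict
import difflib
import os
import re

SECTION_RE = re.compile(r"^\[(.+?)\]$")
KV_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.+?)$")


def parse_gssproxy_conf(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, defaultdict(list))
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)].append(m.group(2))
    return sections


def cred_stores(section):
    """Group cred_store values by type: {'ccache': [...], 'client_keytab': [...]}."""
    out = defaultdict(list)
    for entry in section.get("cred_store", []):
        kind, _, value = entry.partition(":")
        out[kind].append(value)
    return out


def lint_service(name, section):
    """Findings for one [service/<name>] section; an empty list means it looks sane."""
    findings = []
    stores = cred_stores(section)
    if "krb5" not in section.get("mechs", []):
        findings.append("mechs does not include krb5")
    if not stores["client_keytab"]:
        findings.append("no client_keytab cred_store; an initiating service needs one")
    if not stores["ccache"]:
        findings.append("no ccache cred_store")
    if not section.get("euid"):
        findings.append("no euid; gssproxy cannot match clients to this service")
    for kt in stores["client_keytab"]:
        base = os.path.basename(kt).rsplit(".", 1)[0]
        # Heuristic (assumption, see lead-in): a near-miss of the service name is a typo.
        if base != name and difflib.SequenceMatcher(None, base, name).ratio() > 0.8:
            findings.append(f"keytab basename {base!r} looks like a misspelling of {name!r}")
    return findings


def lint_config(sections):
    """{service name: findings} for every [service/...] section."""
    return {sec[len("service/"):]: lint_service(sec[len("service/"):], body)
            for sec, body in sections.items() if sec.startswith("service/")}


def stale_ccaches(sections, present_files):
    """Names in the clients directory that no ccache cred_store accounts for."""
    patterns = []
    for sec, body in sections.items():
        if not sec.startswith("service/"):
            continue
        for cc in cred_stores(body)["ccache"]:
            path = cc.rpartition(":")[2]  # drop the FILE: (or other) ccache type prefix
            base = os.path.basename(path)
            # %U is the client uid, so krb5cc_%U legitimately matches krb5cc_<digits>
            regex = r"\d+".join(re.escape(part) for part in base.split("%U"))
            patterns.append(re.compile(rf"^{regex}$"))
    return sorted(f for f in present_files if not any(p.match(f) for p in patterns))


# Constructed sample mirroring the thread's configuration (not a real file).
SAMPLE_CONF = """
[gssproxy]

[service/squeezebox]
  mechs = krb5
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_squeezebox
  cred_store = client_keytab:/etc/gssproxy/clients/squeezbox.keytab
  cred_usage = initiate
  euid = 997

[service/apache]
  mechs = krb5
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_apache
  cred_store = client_keytab:/etc/gssproxy/clients/httpd.keytab
  cred_usage = initiate
  euid = 48
"""

# Constructed listing standing in for os.listdir("/var/lib/gssproxy/clients").
SAMPLE_LISTING = ["krb5cc_apache", "krb5cc_squeezebox", "krb5cc_1001", "krb5cc_apache.old"]

if __name__ == "__main__":
    conf = parse_gssproxy_conf(SAMPLE_CONF)
    for svc, findings in lint_config(conf).items():
        print(svc, findings or "ok")
    print("stale:", stale_ccaches(conf, SAMPLE_LISTING))
```

On the sample config the linter accepts the apache section and flags squeezbox.keytab as a likely misspelling of squeezebox, and it reports krb5cc_1001 and krb5cc_apache.old as caches no service refers to. Treat the stale list as a review list rather than an automatic rm: a ccache is a credential, so confirm what a file is (klist -c on it) before deleting it, and expect krb5cc_<uid> files to be legitimate on hosts where a service uses krb5cc_%U.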