There seem to be a few configuration files that might affect the behaviour of gssproxy/rpc.gssd. The following leap to mind (any others?):/etc/gssproxy/*.conf/etc/nfs.conf/etc/idmapd.conf If an operator would like to have changes to those files take effect immediately (without a reboot), which processes should be restarted? Or HUP'd? Should gssproxy be restarted whenever rpc.gssd is restarted (or vice versa). I've searched through the relevant RHEL8 man pages, but I see no guidance on this. Also, besides the expected brief outage caused by bouncing these processes, are there any caveats about restarting them on a running system? Thanks in advace for any info!
Ah, these are quite good questions.
In general gssproxy need to be restarted/HUPed only when you change the gssproxy.conf config files.
There is no need to restart gssproxy just because you restarted rpc.gssd.
In terms of gotchas there is one in some configurations.
When using encrypted caches (client case), and there is no keytab available to gssproxy, then gssproxy will generate a random key at startup, which will be lost when the process restart.
However in that case, generally the encrypted cache can simply be regenerated. But there are a few corner cases (multi-roundtrip negotiations) in which this may cause an application authentication failure if the restart happens at an unfortunate time.
This is generally not the case for regular nfs clients, because they have a client ccache that the gssproxy service access directly unencrypted (either because the user has a cache, or because gssproxy is configured with client keytabs and ccaches on a tmpfs).
HTH, simo.
On Fri, 2023-02-24 at 14:46 +0000, John Devitofranceschi wrote:
There seem to be a few configuration files that might affect the behaviour of gssproxy/rpc.gssd. The following leap to mind (any others?):/etc/gssproxy/*.conf/etc/nfs.conf/etc/idmapd.conf If an operator would like to have changes to those files take effect immediately (without a reboot), which processes should be restarted? Or HUP'd? Should gssproxy be restarted whenever rpc.gssd is restarted (or vice versa). I've searched through the relevant RHEL8 man pages, but I see no guidance on this. Also, besides the expected brief outage caused by bouncing these processes, are there any caveats about restarting them on a running system? Thanks in advace for any info!
gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/gss-proxy@lists.fedorahosted.or... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
gss-proxy@lists.fedorahosted.org
-
John Devitofranceschi -
Simo Sorce