On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
On 08/01/2017 06:06 PM, Louis Garcia wrote:
> should I have SECURE_NFS=yes in /etc/sysconfig/nfs ?

We kind of dislike top-posting on the list. No biggie, but try to
refrain from top-posting if you can.

As to your problem, the first thing is to add "debug true" to
/etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
again. You can also dial up the verbosity by setting "debug_level 3"
in the same file.

I don't think that the AVC denial is the cause of the problem. It looks
like the denial is caused by gssproxy trying to let you know it failed.

>
> On Tue, Aug 1, 2017 at 7:35 PM, Louis Garcia <louisgtwo@xxxxxxxxx
> <mailto:louisgtwo@xxxxxxxxx>> wrote:
>
> Does this have anything to do with gssproxy on the client? I did not
> know I had to configure that.
>
> On Tue, Aug 1, 2017 at 7:20 PM, Louis Garcia <louisgtwo@xxxxxxxxx
> <mailto:louisgtwo@xxxxxxxxx>> wrote:
>
> I found this on the client.
>
> gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 })
> Unspecified GSS failure. Minor code may provide more
> information, No credentials cache found
> gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS
> failure. Minor code may provide more information, No
> credentials cache found
>
> This is right after, not sure if related.
>
> audit[651]: USER_AVC pid=651 uid=81 auid=4294967295
> ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
> denied { send_msg } for msgtype=error er
>
> exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
> On Tue, Aug 1, 2017 at 7:00 PM, Rick Stevens
> <ricks@xxxxxxxxxxxxxx <mailto:ricks@xxxxxxxxxxxxxx>> wrote:
>
> On 08/01/2017 03:24 PM, Louis Garcia wrote:
> > I've set up a kdc server and I'm able to kinit from my client and get a
> > ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects
> > randomly when mounted with sec=krb5p. When I mount insecurely this does
> > not happen. I read that this has to do with gss but have not found a
> > solution.
>
> Have you checked journald's output for gss-related messages?
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  Brain: The organ with which we think that we think.               -
----------------------------------------------------------------------

Gmail always puts replies on top. I forgot about that.

I see nothing in the journal. With debug_level 3 should I see something?

99-nfs-client.conf:

[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
debug true
debug_level 3
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
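
An added example, not part of the original thread: a small Python triage script for journal output like the lines quoted above. It groups gssproxy GSS failures by mechanism and minor-status text, lists AVC denials separately, and expands the %U (numeric uid) placeholder in the posted ccache cred_store value so the expected cache file can be checked. The sample lines are constructed from the excerpts in the thread (unwrapped, AVC entry abbreviated), and the function names and uid 1000 are made up for this example.

```python
import re
from collections import Counter

# GSS-API mechanism OID for Kerberos 5 (RFC 4121), as printed by gssproxy.
MECHS = {"1.2.840.113554.1.2.2": "krb5"}

# gssproxy prints: (OID: { ... }) <major status text>, <minor status text>
GSS_RE = re.compile(
    r"\(OID: \{ (?P<oid>[\d ]+?) \}\)\s+(?P<major>[^,]+),\s+(?P<minor>.+)$")
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?exe="(?P<exe>[^"]+)"')

# Constructed sample: the thread's excerpts, one journal entry per line.
SAMPLE = [
    "gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) "
    "Unspecified GSS failure.  Minor code may provide more information, "
    "No credentials cache found",
    "gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) "
    "Unspecified GSS failure.  Minor code may provide more information, "
    "No credentials cache found",
    "audit[651]: USER_AVC pid=651 uid=81 msg='avc:  denied  { send_msg } "
    "for msgtype=error exe=\"/usr/bin/dbus-daemon\" sauid=81'",
]

def triage(lines):
    """Return (Counter of (mech, minor) GSS failures, list of (perm, exe))."""
    gss, avc = Counter(), []
    for line in lines:
        m = GSS_RE.search(line)
        if m:
            oid = ".".join(m["oid"].split())      # "1 2 840 ..." -> dotted
            gss[(MECHS.get(oid, oid), m["minor"].strip())] += 1
            continue
        m = AVC_RE.search(line)
        if m:
            avc.append((m["perm"], m["exe"]))
    return gss, avc

def expected_ccache(cred_store, uid):
    """Expand %U (numeric uid) in a 'ccache:...' cred_store value."""
    kind, _, location = cred_store.partition(":")
    if kind != "ccache":
        raise ValueError("not a ccache entry: " + cred_store)
    return location.replace("%U", str(uid))

if __name__ == "__main__":
    failures, denials = triage(SAMPLE)
    for (mech, minor), count in failures.items():
        print(f"{count}x {mech}: {minor}")
    for perm, exe in denials:
        print(f"AVC denied {perm} for {exe}")
    print(expected_ccache(
        "ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U", 1000))
```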