Re: NFS4 kerberos

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
On 08/01/2017 06:06 PM, Louis Garcia wrote:
> should I have SECURE_NFS=yes in  /etc/sysconfig/nfs ?

We kind of dislike top-posting on the list. No biggie, but try to
refrain from top-posting if you can.

As to your problem, the first thing is to add "debug true" to
/etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
again. You can also dial up the verbosity by setting "debug_level 3"
in the same file.

I don't think that the AVC denial is the cause of the problem. It looks
like the denial is caused by gssproxy trying to let you know it failed.

>
> On Tue, Aug 1, 2017 at 7:35 PM, Louis Garcia <louisgtwo@xxxxxxxxx
> <mailto:louisgtwo@xxxxxxxxx>> wrote:
>
>     Does this have anything todo with gssproxy on the client? I did not
>     know I had to configure that.
>
>     On Tue, Aug 1, 2017 at 7:20 PM, Louis Garcia <louisgtwo@xxxxxxxxx
>     <mailto:louisgtwo@xxxxxxxxx>> wrote:
>
>         I found this on the client.
>
>         gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 })
>         Unspecified GSS failure.  Minor code may provide more
>         information, No credentials cache found
>         gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS
>         failure.  Minor code may provide more information, No
>         credentials cache found
>
>         This is right after, not sure if related.
>
>         audit[651]: USER_AVC pid=651 uid=81 auid=4294967295
>         ses=4294967295
>         subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
>         denied  { send_msg } for msgtype=error er
>
>         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
>
>
>
>
>
>
>         On Tue, Aug 1, 2017 at 7:00 PM, Rick Stevens
>         <ricks@xxxxxxxxxxxxxx <mailto:ricks@xxxxxxxxxxxxxx>> wrote:
>
>             On 08/01/2017 03:24 PM, Louis Garcia wrote:
>             > I've setup a kdc server and I'm able to kinit from my client and get a
>             > ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects
>             > randomly when mounted with sec=krb5p. When I mount insecurely this does
>             > not happen. I read that this has to do with gss but have not found a
>             > solution.
>
>             Have you checked journald's output for gss-related messages?
>             ----------------------------------------------------------------------
>             - Rick Stevens, Systems Engineer, AllDigital
>             ricks@xxxxxxxxxxxxxx <mailto:ricks@xxxxxxxxxxxxxx> -
>             - AIM/Skype: therps2        ICQ: 226437340           Yahoo:
>             origrps2 -
>             -
>                     -
>             -         We have enough youth, how about a fountain of
>             SMART?       -
>             ----------------------------------------------------------------------
>             _______________________________________________
>             users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
>             <mailto:users@lists.fedoraproject.org>
>             To unsubscribe send an email to
>             users-leave@lists.fedoraproject.org
>             <mailto:users-leave@lists.fedoraproject.org>
>
>
>
>
>
>
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@lists.fedoraproject.org
>


--
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-        Brain:  The organ with which we think that we think.        -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@lists.fedoraproject.org

Gmail always puts replies on top. I forgot about that.

I see nothing in the journal. With debug_level 3 should I see something?

99-nfs-client.conf:
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug true
  debug_level 3


_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux