On 08/02/2017 08:14 AM, Louis Garcia wrote:
> On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
>
> > On 08/01/2017 06:06 PM, Louis Garcia wrote:
> > > should I have SECURE_NFS=yes in /etc/sysconfig/nfs ?
> >
> > We kind of dislike top-posting on the list. No biggie, but try to
> > refrain from top-posting if you can.
> >
> > As to your problem, the first thing is to add "debug true" to
> > /etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
> > again. You can also dial up the verbosity by setting "debug_level 3"
> > in the same file.
> >
> > I don't think that the AVC denial is the cause of the problem. It looks
> > like the denial is caused by gssproxy trying to let you know it failed.
> >
> > > On Tue, Aug 1, 2017 at 7:35 PM, Louis Garcia <louisgtwo@xxxxxxxxx> wrote:
> > >
> > > > Does this have anything to do with gssproxy on the client? I did not
> > > > know I had to configure that.
> > > >
> > > > On Tue, Aug 1, 2017 at 7:20 PM, Louis Garcia <louisgtwo@xxxxxxxxx> wrote:
> > > >
> > > > > I found this on the client.
> > > > >
> > > > > gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 })
> > > > > Unspecified GSS failure.  Minor code may provide more
> > > > > information, No credentials cache found
> > > > > gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS
> > > > > failure.  Minor code may provide more information, No
> > > > > credentials cache found
> > > > >
> > > > > This is right after, not sure if related.
> > > > >
> > > > > audit[651]: USER_AVC pid=651 uid=81 auid=4294967295
> > > > > ses=4294967295
> > > > > subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
> > > > > denied  { send_msg } for msgtype=error er
> > > > >
> > > > > exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> > > > >
> > > > > On Tue, Aug 1, 2017 at 7:00 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > > On 08/01/2017 03:24 PM, Louis Garcia wrote:
> > > > > > > I've set up a kdc server and I'm able to kinit from my client and get a
> > > > > > > ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects
> > > > > > > randomly when mounted with sec=krb5p. When I mount insecurely this does
> > > > > > > not happen. I read that this has to do with gss but have not found a
> > > > > > > solution.
> > > > > >
> > > > > > Have you checked journald's output for gss-related messages?
>
> Gmail always puts replies on top. I forgot about that.
>
> I see nothing in the journal. With debug_level 3 should I see something?
>
> 99-nfs-client.conf:
> [service/nfs-client]
>   mechs = krb5
>   cred_store = keytab:/etc/krb5.keytab
>   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>   cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
>   cred_usage = initiate
>   allow_any_uid = yes
>   trusted = yes
>   euid = 0
>   debug true
>   debug_level 3

Uhm, did you restart gssproxy after buggering the config file
("systemctl restart gssproxy.service")? I think it only looks at the
config file when it starts up.

I don't use gssproxy, so this is all just a suggestion to try to see
what it's doing. All the edits do is enable debug mode and dial up its
verbosity, and it should be logging to the journal.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-      Blessed are the peacekeepers...for they shall be shot at      -
-                  from both sides.  --A.M. Greeley                  -
----------------------------------------------------------------------