NFS4 kerberos


NFS4 kerberos

Louis Garcia
I've set up a kdc server and I'm able to kinit from my client and get a ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects randomly when mounted with sec=krb5p. When I mount insecurely this does not happen. I read that this has to do with gss but have not found a solution.

thanks.

_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]

Re: NFS4 kerberos

Rick Stevens-4
On 08/01/2017 03:24 PM, Louis Garcia wrote:
> I've setup a kdc server and I'm able to kinit from my client and get a
> ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects
> randomly when mounted with sec=krb5p. When I mount insecurely this does
> not happen. I read that this has to do with gss but have not found a
> solution.

Have you checked journald's output for gss-related messages?
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    [hidden email] -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-         We have enough youth, how about a fountain of SMART?       -
----------------------------------------------------------------------

Re: NFS4 kerberos

Louis Garcia
I found this on the client.

gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

This is right after, not sure if related.

audit[651]: USER_AVC pid=651 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error er exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Re: NFS4 kerberos

Louis Garcia
Does this have anything to do with gssproxy on the client? I did not know I had to configure that.


Re: NFS4 kerberos

Louis Garcia
Should I have SECURE_NFS=yes in /etc/sysconfig/nfs?

Re: NFS4 kerberos

Rick Stevens-4
On 08/01/2017 06:06 PM, Louis Garcia wrote:
> should I have SECURE_NFS=yes in  /etc/sysconfig/nfs ?

We kind of dislike top-posting on the list. No biggie, but try to
refrain from top-posting if you can.

As to your problem, the first thing is to add "debug true" to
/etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
again. You can also dial up the verbosity by setting "debug_level 3"
in the same file.

I don't think that the AVC denial is the cause of the problem. It looks
like the denial is caused by gssproxy trying to let you know it failed.

--
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    [hidden email] -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-        Brain:  The organ with which we think that we think.        -
----------------------------------------------------------------------
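A small triage script for the journal lines Louis posted and for Rick's reading of the AVC denial, added here as an example; it is not part of the thread and not gssproxy's own code. It picks out gssproxy GSS failures (mapping the printed mechanism OID to a name) and SELinux USER_AVC denials, and attaches the hints this thread arrives at. The sample lines are constructed from the quotes above plus one unrelated line, and the helper names (triage, mech_name) and hint wording are my own.

```python
import re

# Constructed sample: the two journal lines quoted in this thread plus one
# unrelated line, so the filter visibly ignores noise.
SAMPLE_JOURNAL = """\
gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
audit[651]: USER_AVC pid=651 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error'
sshd[900]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# GSS-API mechanism OIDs, dotted; gssproxy prints the arcs space-separated.
GSS_MECHS = {"1.2.840.113554.1.2.2": "krb5", "1.3.6.1.5.5.2": "spnego"}

GSS_RE = re.compile(r"gssproxy\[\d+\]: \(OID: \{ ([\d ]+) \}\) (.+?)\.\s+"
                    r"Minor code may provide more information, (.+)$")
AVC_RE = re.compile(r"USER_AVC .*?\buid=(\d+) .*?subj=(\S+) msg='avc:\s+denied\s+\{ (.+?) \}")

# Triage hints taken from the diagnosis in this thread (my wording, not a
# definitive root cause).
MINOR_HINTS = {
    "No credentials cache found": (
        "gssproxy had no Kerberos credential cache for the uid it was asked to "
        "initiate for; check the ccache entry under cred_store in "
        "/etc/gssproxy/99-nfs-client.conf and that the user holds a ticket"),
}


def mech_name(oid_arcs):
    """Map '1 2 840 113554 1 2 2' to a mechanism name, else the dotted OID."""
    dotted = ".".join(oid_arcs.split())
    return GSS_MECHS.get(dotted, dotted)


def triage(journal_text):
    """One finding per gssproxy GSS failure or SELinux USER_AVC line."""
    findings = []
    for line in journal_text.splitlines():
        m = GSS_RE.search(line)
        if m:
            minor = m.group(3).strip()
            findings.append({"kind": "gss_failure", "mech": mech_name(m.group(1)),
                             "major": m.group(2), "minor": minor,
                             "hint": MINOR_HINTS.get(minor, "enable gssproxy debug")})
            continue
        m = AVC_RE.search(line)
        if m:
            perm = m.group(3).strip()
            # Per the thread: a denied D-Bus error message is gssproxy trying to
            # report its failure, a side effect rather than the cause.
            hint = ("side effect of the GSS failure being reported" if perm == "send_msg"
                    else "inspect with ausearch / audit2why")
            findings.append({"kind": "selinux_avc", "uid": int(m.group(1)),
                             "subject": m.group(2), "permission": perm, "hint": hint})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_JOURNAL):
        print(finding)
```

Feed it `journalctl -u gssproxy -u audit --no-pager` output to get the same two-line summary on a live client.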

Re: NFS4 kerberos

Louis Garcia
On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <[hidden email]> wrote:
On 08/01/2017 06:06 PM, Louis Garcia wrote:
> should I have SECURE_NFS=yes in  /etc/sysconfig/nfs ?

We kind of dislike top-posting on the list. No biggie, but try to
refrain from top-posting if you can.

As to your problem, the first thing is to add "debug true" to
/etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
again. You can also dial up the verbosity by setting "debug_level 3"
in the same file.

I don't think that the AVC denial is the cause of the problem. It looks
like the denial is caused by gssproxy trying to let you know it failed.

Gmail always puts replies on top. I forgot about that.

I see nothing in the journal. With debug_level 3 should I see something?

99-nfs-client.conf:
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug true
  debug_level 3



_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]

Re: NFS4 kerberos

Rick Stevens-4
On 08/02/2017 08:14 AM, Louis Garcia wrote:

> Gmail always puts replies on top. I forgot about that.
>
> I see nothing in the journal. With debug_level 3 should I see something?
>
> 99-nfs-client.conf:
> [service/nfs-client]
>   mechs = krb5
>   cred_store = keytab:/etc/krb5.keytab
>   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>   cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
>   cred_usage = initiate
>   allow_any_uid = yes
>   trusted = yes
>   euid = 0
>   debug true
>   debug_level 3

Uhm, did you restart gssproxy after buggering the config file
("systemctl restart gssproxy.service")? I think it only looks at the
config file when it starts up.

I don't use gssproxy, so this is all just a suggestion to try to see
what it's doing. All the edits do is enable debug mode and dial up its
verbosity, and it should be logging to the journal.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    [hidden email] -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-       Blessed are the peacekeepers...for they shall be shot at     -
-                 from both sides. --A.M. Greeley                    -
----------------------------------------------------------------------