On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <ri...@alldigital.com> wrote:
> On 08/01/2017 06:06 PM, Louis Garcia wrote: > > should I have SECURE_NFS=yes in /etc/sysconfig/nfs ? > > We kind of dislike top-posting on the list. No biggie, but try to > refrain from top-posting if you can. > > As to your problem, the first thing is to add "debug true" to > /etc/gssproxy/99-nfs-client.conf first, then have a look at the journal > again. You can also dial up the verbosity by setting "debug_level 3" > in the same file. > > I don't think that the AVC denial is the cause of the problem. It looks > like the denial is caused by gssproxy trying to let you know it failed. > > > > > On Tue, Aug 1, 2017 at 7:35 PM, Louis Garcia <louisg...@gmail.com > > <mailto:louisg...@gmail.com>> wrote: > > > > Does this have anything todo with gssproxy on the client? I did not > > know I had to configure that. > > > > On Tue, Aug 1, 2017 at 7:20 PM, Louis Garcia <louisg...@gmail.com > > <mailto:louisg...@gmail.com>> wrote: > > > > I found this on the client. > > > > gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) > > Unspecified GSS failure. Minor code may provide more > > information, No credentials cache found > > gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS > > failure. Minor code may provide more information, No > > credentials cache found > > > > This is right after, not sure if related. > > > > audit[651]: USER_AVC pid=651 uid=81 auid=4294967295 > > ses=4294967295 > > subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: > > denied { send_msg } for msgtype=error er > > > > exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > > > > > > > > > > > > > > > > On Tue, Aug 1, 2017 at 7:00 PM, Rick Stevens > > <ri...@alldigital.com <mailto:ri...@alldigital.com>> wrote: > > > > On 08/01/2017 03:24 PM, Louis Garcia wrote: > > > I've setup a kdc server and I'm able to kinit from my > client and get a > > > ticket for ssh, nfs. I'm noticing nfs slow to mount, and > disconnects > > > randomly when mounted with sec=krb5p. When I mount > insecurely this does > > > not happen. I read that this has to do with gss but have > not found a > > > solution. > > > > Have you checked journald's output for gss-related messages? > > ------------------------------------------------------------ > ---------- > > - Rick Stevens, Systems Engineer, AllDigital > > ri...@alldigital.com <mailto:ri...@alldigital.com> - > > - AIM/Skype: therps2 ICQ: 226437340 Yahoo: > > origrps2 - > > - > > - > > - We have enough youth, how about a fountain of > > SMART? - > > ------------------------------------------------------------ > ---------- > > _______________________________________________ > > users mailing list -- users@lists.fedoraproject.org > > <mailto:users@lists.fedoraproject.org> > > To unsubscribe send an email to > > users-le...@lists.fedoraproject.org > > <mailto:users-le...@lists.fedoraproject.org> > > > > > > > > > > > > > > _______________________________________________ > > users mailing list -- users@lists.fedoraproject.org > > To unsubscribe send an email to users-le...@lists.fedoraproject.org > > > > > -- > ---------------------------------------------------------------------- > - Rick Stevens, Systems Engineer, AllDigital ri...@alldigital.com - > - AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 - > - - > - Brain: The organ with which we think that we think. - > ---------------------------------------------------------------------- > _______________________________________________ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Gmail always puts replies on top. I forgot about that. I see nothing in the journal. With debug_level 3 should I see something? 99-nfs-client.conf: [service/nfs-client] mechs = krb5 cred_store = keytab:/etc/krb5.keytab cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab cred_usage = initiate allow_any_uid = yes trusted = yes euid = 0 debug true debug_level 3
_______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org