On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <ri...@alldigital.com> wrote:

> On 08/01/2017 06:06 PM, Louis Garcia wrote:
> > should I have SECURE_NFS=yes in  /etc/sysconfig/nfs ?
>
> We kind of dislike top-posting on the list. No biggie, but try to
> refrain from top-posting if you can.
>
> As to your problem, the first thing is to add "debug true" to
> /etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
> again. You can also dial up the verbosity by setting "debug_level 3"
> in the same file.
>
> I don't think that the AVC denial is the cause of the problem. It looks
> like the denial is caused by gssproxy trying to let you know it failed.
>
> >
> > On Tue, Aug 1, 2017 at 7:35 PM, Louis Garcia <louisg...@gmail.com> wrote:
> >
> >     Does this have anything to do with gssproxy on the client? I did not
> >     know I had to configure that.
> >
> >     On Tue, Aug 1, 2017 at 7:20 PM, Louis Garcia <louisg...@gmail.com> wrote:
> >
> >         I found this on the client.
> >
> >         gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 })
> >         Unspecified GSS failure.  Minor code may provide more
> >         information, No credentials cache found
> >         gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS
> >         failure.  Minor code may provide more information, No
> >         credentials cache found
> >
> >         This is right after, not sure if related.
> >
> >         audit[651]: USER_AVC pid=651 uid=81 auid=4294967295
> >         ses=4294967295
> >         subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
> >         denied  { send_msg } for msgtype=error er
> >
> >         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> >
> >         On Tue, Aug 1, 2017 at 7:00 PM, Rick Stevens <ri...@alldigital.com> wrote:
> >
> >             On 08/01/2017 03:24 PM, Louis Garcia wrote:
> >             > I've set up a kdc server and I'm able to kinit from my client and get a
> >             > ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects
> >             > randomly when mounted with sec=krb5p. When I mount insecurely this does
> >             > not happen. I read that this has to do with gss but have not found a
> >             > solution.
> >
> >             Have you checked journald's output for gss-related messages?
> >             ----------------------------------------------------------------------
> >             - Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
> >             - AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
> >             -                                                                    -
> >             -         We have enough youth, how about a fountain of SMART?       -
> >             ----------------------------------------------------------------------
> >             _______________________________________________
> >             users mailing list -- users@lists.fedoraproject.org
> >             <mailto:users@lists.fedoraproject.org>
> >             To unsubscribe send an email to
> >             users-le...@lists.fedoraproject.org
> >             <mailto:users-le...@lists.fedoraproject.org>
> >
> --
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
> - AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
> -                                                                    -
> -        Brain:  The organ with which we think that we think.        -
> ----------------------------------------------------------------------

Gmail always puts replies on top. I forgot about that.

I see nothing in the journal. With debug_level 3 should I see something?

99-nfs-client.conf:
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug true
  debug_level 3
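
Added example (not part of the original thread and not gssproxy's own code): a small Python check that reads a gssproxy drop-in as the ini-style file it is and reports option lines that are not written as "key = value", run here on the file exactly as posted above. The function name and messages are made up for this example, and it assumes that debug and debug_level are read from the global [gssproxy] section rather than from a service section; check gssproxy.conf(5) for your version.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")
OPTION = re.compile(r"^([A-Za-z_][\w ]*?)\s*=\s*(.*)$")
# Assumption: these two options are read only from the global [gssproxy] section.
GLOBAL_ONLY = {"debug", "debug_level"}

def lint_gssproxy_conf(text):
    """Return (line_number, message) findings for an ini-style gssproxy file."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = OPTION.match(line)
        if m:
            key = m.group(1).strip()
        else:
            # No '=' separator: take the first word as the intended key.
            key = line.split()[0]
            findings.append((no, f"not in 'key = value' form: {line!r}"))
        if section is None:
            findings.append((no, f"{key!r} appears before any [section] header"))
        elif key in GLOBAL_ONLY and section != "gssproxy":
            findings.append((no, f"{key!r} is in [{section}], expected [gssproxy]"))
    return findings

# The drop-in exactly as posted in the message above.
POSTED = """\
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug true
  debug_level 3
"""

if __name__ == "__main__":
    for no, msg in lint_gssproxy_conf(POSTED):
        print(f"line {no}: {msg}")
```
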