On 08/02/2017 08:14 AM, Louis Garcia wrote:
> On Tue, Aug 1, 2017 at 9:36 PM, Rick Stevens <ri...@alldigital.com> wrote:
> 
>     On 08/01/2017 06:06 PM, Louis Garcia wrote:
>     > should I have SECURE_NFS=yes in  /etc/sysconfig/nfs ?
> 
>     We kind of dislike top-posting on the list. No biggie, but try to
>     refrain from top-posting if you can.
> 
>     As to your problem, the first thing is to add "debug true" to
>     /etc/gssproxy/99-nfs-client.conf first, then have a look at the journal
>     again. You can also dial up the verbosity by setting "debug_level 3"
>     in the same file.
> 
>     I don't think that the AVC denial is the cause of the problem. It looks
>     like the denial is caused by gssproxy trying to let you know it failed.
> 
>     >
>     > On Tue, Aug 1, 2017 at 7:35 PM, Louis Garcia <louisg...@gmail.com> wrote:
>     >
>     >     Does this have anything to do with gssproxy on the client? I did not
>     >     know I had to configure that.
>     >
>     >     On Tue, Aug 1, 2017 at 7:20 PM, Louis Garcia <louisg...@gmail.com> wrote:
>     >
>     >         I found this on the client.
>     >
>     >         gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 })
>     >         Unspecified GSS failure.  Minor code may provide more
>     >         information, No credentials cache found
>     >         gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS
>     >         failure.  Minor code may provide more information, No
>     >         credentials cache found
>     >
>     >         This is right after, not sure if related.
>     >
>     >         audit[651]: USER_AVC pid=651 uid=81 auid=4294967295
>     >         ses=4294967295
>     >         subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
>     >         denied  { send_msg } for msgtype=error er
>     >
>     >         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>     >
>     >         On Tue, Aug 1, 2017 at 7:00 PM, Rick Stevens <ri...@alldigital.com> wrote:
>     >
>     >             On 08/01/2017 03:24 PM, Louis Garcia wrote:
>     >             > I've set up a kdc server and I'm able to kinit from my client and get a
>     >             > ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects
>     >             > randomly when mounted with sec=krb5p. When I mount insecurely this does
>     >             > not happen. I read that this has to do with gss but have not found a
>     >             > solution.
>     >
>     >             Have you checked journald's output for gss-related messages?
>     >             > 
> 
> Gmail always puts replies on top. I forgot about that.
> 
> I see nothing in the journal. With debug_level 3 should I see something?
> 
> 99-nfs-client.conf:
> [service/nfs-client]
>   mechs = krb5
>   cred_store = keytab:/etc/krb5.keytab
>   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>   cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
>   cred_usage = initiate
>   allow_any_uid = yes
>   trusted = yes
>   euid = 0
>   debug true
>   debug_level 3

Uhm, did you restart gssproxy after buggering the config file
("systemctl restart gssproxy.service")? I think it only looks at the
config file when it starts up.

I don't use gssproxy, so this is all just a suggestion to try to see
what it's doing. All the edits do is enable debug mode and dial up its
verbosity, and it should be logging to the journal.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-       Blessed are the peacekeepers...for they shall be shot at     -
-                 from both sides. --A.M. Greeley                    -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
