Date: | Wed, 29 Mar 2017 17:20:49 -0600 |
I'm still seeing the gssproxy issue mentioned in this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1414302
where gssproxy doesn't look in /var/lib/gssproxy/clients/%UID.keytab for a
valid keytab for non-root users.

Bad strace (SL7.3) looks like:

    [pid 4528] close(15) = 0
    [pid 4528] gettimeofday({1490828550, 957971}, NULL) = 0
    [pid 4528] geteuid() = 0
    [pid 4528] open("/var/lib/gssproxy/clients/krb5cc_48", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    [pid 4528] open("/var/kerberos/krb5/user/0/client.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)
    [pid 4528] writev(2, [{"gssproxy[4524]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found\n", 142}], 1) = 142

i.e. looks first for active credential cache for the userid (48 in this case),
but then a keytab for uid 0 and in the default kerberos location, not in the
location specified in /etc/gssproxy/gssproxy.conf.

Good strace (RHEL7.3) looks like:

    [pid 537] close(15) = 0
    [pid 537] gettimeofday({1490822814, 63838}, NULL) = 0
    [pid 537] open("/var/lib/gssproxy/clients/krb5cc_14", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    [pid 537] open("/var/lib/gssproxy/clients/14.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)

I didn't set up a keytab in this case, but you see that it looked for the
correct file - and didn't call geteuid().
I'm not sure what's going on here. Perhaps there was a build ordering issue
with the SL7.3 package builds. I'm going to try rebuilding the SL7.3 packages
and see if that helps. Just a heads up for now before I leave for the day.
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane [log in to unmask]
Boulder, CO 80301 http://www.nwra.com
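
Added example, not part of the original message and not gssproxy code: a small Python check that reads strace output like the two traces above and reports, for each credential-cache lookup under the gssproxy clients directory, whether the keytab opened next by the same pid is the per-UID file in that directory. The function name, the returned field names and the sample strings (rejoined lines from the traces above) are assumptions made for this illustration.

```python
import re

# open() lines as strace prints them with -f: [pid N] open("path", flags) = result
OPEN_RE = re.compile(r'^\[pid\s+(\d+)\]\s+open\("([^"]+)"')
CCACHE_RE = re.compile(r'/krb5cc_(\d+)$')

# Sample input: open()/geteuid() lines from the two traces in the message, rejoined.
BAD_TRACE = '''\
[pid 4528] geteuid() = 0
[pid 4528] open("/var/lib/gssproxy/clients/krb5cc_48", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 4528] open("/var/kerberos/krb5/user/0/client.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)
'''
GOOD_TRACE = '''\
[pid 537] open("/var/lib/gssproxy/clients/krb5cc_14", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 537] open("/var/lib/gssproxy/clients/14.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)
'''

def check_keytab_lookups(trace, clients_dir="/var/lib/gssproxy/clients"):
    """Pair each ccache lookup with the next keytab open() made by the same pid."""
    pending = {}    # pid -> uid taken from the krb5cc_<uid> path
    findings = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue            # close(), geteuid(), writev(), ... are ignored
        pid, path = m.groups()
        cc = CCACHE_RE.search(path)
        if cc and path.startswith(clients_dir + "/"):
            pending[pid] = cc.group(1)
        elif path.endswith(".keytab") and pid in pending:
            uid = pending.pop(pid)
            expected = f"{clients_dir}/{uid}.keytab"
            findings.append({"pid": int(pid), "uid": int(uid), "opened": path,
                             "expected": expected, "ok": path == expected})
    return findings

if __name__ == "__main__":
    for name, trace in (("SL7.3", BAD_TRACE), ("RHEL7.3", GOOD_TRACE)):
        for f in check_keytab_lookups(trace):
            status = "ok" if f["ok"] else "MISMATCH"
            print(f'{name}: uid {f["uid"]} opened {f["opened"]} '
                  f'(expected {f["expected"]}): {status}')
```
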