Hello, I am in a student context and we use FreeIPA. The workstations run Fedora 31. All profiles (home directories) are stored on a Kerberized, encrypted NFS share. Students have personal web pages on the NFS share under ~student_name1, ~student_name2, ...
The local httpd needs a TGT somewhere and I suppose gssproxy is the right approach.
I have tried a lot of things with gssproxy to allow the local httpd to access the pages, with no real success. Here is "the best" I had, but it's not very usable. I suppose there is a nicer way?
Thank you very much
The file is for automatic deployment: a gssproxy part plus a sudo part for students. I set up an IPA account "apache" (48/48).
#!/usr/bin/bash

kinit_admin(){
    # Obtains an admin TGT non-interactively. The admin password is embedded
    # in this deployment file, so the file must be readable by root only.
    kinit admin <<EOF
xxxxxxx
EOF
}

apache_nfs(){
    # A - gssproxy part
    # Fetch a fresh keytab for the apache principal. ipa-getkeytab without -r
    # generates new keys, so any older keytab for this principal stops working.
    kinit_admin
    rm -f /etc/gssproxy/httpd.keytab
    ipa-getkeytab -s $( awk '/^server/ { print $3 }' /etc/ipa/default.conf ) \
        -k /etc/gssproxy/httpd.keytab -p apache@MYDOMAIN.FR
    kdestroy

    #
    # 80-httpd.conf
    #
    cat >/etc/gssproxy/80-httpd.conf <<ESC
[service/apache]
  mechs = krb5
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
  cred_store = client_keytab:/etc/gssproxy/httpd.keytab
  euid = 48
ESC

    # Make httpd route its GSSAPI calls through gssproxy.
    mkdir -p /etc/systemd/system/httpd.service.d
    cat >/etc/systemd/system/httpd.service.d/48-httpd.conf <<ESC
[Service]
Environment=GSS_USE_PROXY=1
ESC
    /usr/bin/systemctl daemon-reload
    /usr/bin/systemctl restart httpd

    # B - sudo part
    #
    # sudo script gsproxy.sh in /usr/bin
    #
    # The heredoc delimiter is quoted so that $(...) and $? are expanded when
    # the student runs the script, not while this deployment file runs.
    cat >/usr/bin/gsproxy.sh <<'ESC'
#!/usr/bin/bash
# Check the student's password first: kinit as the user who invoked sudo.
/usr/bin/kinit $(/usr/bin/logname)
if [ $? -gt 0 ] ; then
    /usr/bin/echo "Password error"
    /usr/bin/echo "Restart sudo"
    exit 1
fi
# Re-create the apache ccache from the keytab. For kinit the principal is a
# positional argument (-p would mean "proxiable"), unlike ipa-getkeytab -p.
/usr/bin/kdestroy -c /var/lib/gssproxy/clients/krb5cc_48
/usr/bin/kinit -k -t /etc/gssproxy/httpd.keytab -c /var/lib/gssproxy/clients/krb5cc_48 apache@MYDOMAIN.FR
/usr/bin/kdestroy
ESC

    #
    # sudo file
    #
    echo '%utilisateurs ALL = /usr/bin/gsproxy.sh' > /etc/sudoers.d/gsproxy
    chmod +x /usr/bin/gsproxy.sh
}
Hello, it is not clear to me what is the hold up.
Gssproxy can allow you to automatically use a keytab to gain credentials that then can be used to access a remote NFS server.
Of course the remote NFS server needs to recognize "apache" as a valid user as well, one that has read access to user directories.
Unfortunately without logs I cannot tell what is wrong. I think you should add at least cred_usage = initiate to your configuration.
Please provide logs with errors if you need more help.
Simo.
On Mon, 2020-10-12 at 01:20 +0200, daudel@daudel.com wrote:
_______________________________________________
gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org
To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/gss-proxy@lists.fedorahosted.or...
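Simo's point above, that gssproxy can turn a keytab into credentials for the uid-48 client if the service section says so, is easy to get wrong in small ways: the section as first posted has no cred_usage, and gssproxy.conf permits the same key more than once (two cred_store lines), so a generic INI parser that collapses duplicates would silently lose one store. The following Python is an added example, not code from the gss-proxy project or from either poster. It parses the [service/apache] section as written in this thread and reports which of the settings the thread converged on are missing. The list of checks is an editorial assumption about what a keytab-backed initiator needs, not gssproxy's own validation; the paths, principal and euid are the thread's.

```python
"""Lint a gssproxy [service/...] section for a keytab-backed initiator.

Added example, not code from the gss-proxy project or from the thread.
gssproxy.conf allows the same key more than once (the posted section has
two cred_store lines), so a plain INI parser that collapses duplicates
would silently drop one store; this parser keeps every (key, value) pair
in order.  Paths, principal and euid are the thread's; the set of
settings checked is an editorial assumption, not gssproxy's own validation.
"""
import re

# Section as first posted in the thread (constructed copy, no cred_usage).
BEFORE = """\
[service/apache]
  mechs = krb5
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
  cred_store = client_keytab:/etc/gssproxy/httpd.keytab
  euid = 48
"""

# Same section plus the line Simo asked for.
AFTER = BEFORE + "  cred_usage = initiate\n"

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_gssproxy_conf(text):
    """Return {section_name: [(key, value), ...]}, duplicates preserved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            sections[current].append((m.group("key"), m.group("value")))
    return sections


def lint_initiator_service(text, service):
    """Return a list of problems; [] means the section has everything the
    thread's working configuration has."""
    sections = parse_gssproxy_conf(text)
    name = "service/" + service
    if name not in sections:
        return ["missing section [%s]" % name]

    values = {}
    for key, value in sections[name]:
        values.setdefault(key, []).append(value)
    # cred_store values are "<type>:<location>"; index them by type.
    stores = {v.split(":", 1)[0]: v for v in values.get("cred_store", [])}

    problems = []
    if "krb5" not in values.get("mechs", []):
        problems.append("mechs = krb5 is missing")
    if values.get("cred_usage") != ["initiate"]:
        problems.append("cred_usage = initiate is missing")
    if "client_keytab" not in stores:
        problems.append("no cred_store = client_keytab:<keytab> to initiate from")
    if "ccache" not in stores:
        problems.append("no cred_store = ccache:<path> to keep the TGT in")
    euid = values.get("euid", [])
    if not euid or not euid[-1].isdigit():
        problems.append("euid must be the numeric uid of the client (48 for apache here)")
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_initiator_service(text, "apache") or "ok")
```

Run it as a script and the "before" section reports only the missing cred_usage line while "after" passes; point lint_initiator_service at the text of /etc/gssproxy/80-httpd.conf to check a real file. The lint says nothing about whether the keytab actually works, which is a separate kinit -kt test against the keytab itself.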
Hello Simo,
I have added cred_usage = initiate:

[service/apache]
  mechs = krb5
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
  cred_store = client_keytab:/etc/gssproxy/httpd.keytab
  euid = 48
  cred_usage = initiate

I think we have correct permissions on ~/www/index.html:
$ nfs4_getfacl ~
# file: ~      #### on NFS SHARE
A::OWNER@:rwaDxtTcCy
A::apache@xxxxxx.yyyyyyyy.fr:xtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
755 on www and 644 on index.html
LOGS = LOGS = LOGS
PART I: I have stopped gssproxy.service and started:
# /usr/sbin/gssproxy -i --debug-level 9
[2020/10/24 19:43:55]: Debug Enabled (level: 9)
[2020/10/24 19:43:55]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 18
[2020/10/24 19:43:55]: Service: apache, Keytab: FILE:/etc/krb5.keytab, Enctype: 18
[2020/10/24 19:43:55]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 18
[2020/10/24 19:43:55]: Failed to get peer's SELinux context (92:Protocol not available)   ##### we are not using SELINUX
[2020/10/24 19:43:55]: Client [2020/10/24 19:43:55]: (/usr/sbin/gssproxy) [2020/10/24 19:43:55]: connected (fd = 13)[2020/10/24 19:43:55]: (pid = 6808) (uid = 0) (gid = 0)[2020/10/24 19:43:55]:
PART II: If I try http://localhost/~userx/, which terminates with "Forbidden: You don't have permission to access this resource", I get some more logs:
[2020/10/24 19:46:35]: Failed to get peer's SELinux context (92:Protocol not available)   ##### we are not using SELINUX
[2020/10/24 19:46:35]: Client [2020/10/24 19:46:35]: (/usr/sbin/rpc.gssd) [2020/10/24 19:46:35]: connected (fd = 14)[2020/10/24 19:46:35]: (pid = 915) (uid = 48) (gid = 48)[2020/10/24 19:46:35]:
[CID 14][2020/10/24 19:46:35]: [status] Handling query input: 0x56032c4c42d0 (932)
[CID 14][2020/10/24 19:46:35]: Connection matched service apache
[CID 14][2020/10/24 19:46:35]: [status] Processing request [0x56032c4c42d0 (932)]
[CID 14][2020/10/24 19:46:35]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x56032c4c42d0 (932)]
[CID 14][2020/10/24 19:46:35]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED(
  call_ctx: { "" [ ] }
  input_cred_handle: {
    { "HTTP/host.xxxxxx.yyyyyyyy.fr@XXXXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] }
    [ { { "HTTP/host.xxxxxx.yyyyyyyy.fr@XXXXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ]
    [ ...fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8 ] 0 }
  add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/24 19:46:35]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x56032c4c42d0 (932)]: [0x7f0800001340 (156)]
[CID 14][2020/10/24 19:46:35]: [status] Handling query output: 0x7f0800001340 (156)
[2020/10/24 19:46:35]: [status] Handling query reply: 0x7f0800001340 (156)
[2020/10/24 19:46:35]: [status] Sending data: 0x7f0800001340 (156)
[2020/10/24 19:46:35]: [status] Sending data [0x7f0800001340 (156)]: successful write of 156
[CID 14][2020/10/24 19:46:35]: [status] Handling query input: 0x56032c4c09f0 (932)
[CID 14][2020/10/24 19:46:35]: Connection matched service apache
[CID 14][2020/10/24 19:46:35]: [status] Processing request [0x56032c4c09f0 (932)]
[CID 14][2020/10/24 19:46:35]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x56032c4c09f0 (932)]
[CID 14][2020/10/24 19:46:35]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED(
  call_ctx: { "" [ ] }
  input_cred_handle: {
    { "HTTP/host.xxxxxx.yyyyyyyy.fr@XXXXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] }
    [ { { "HTTP/host.xxxxxx.yyyyyyyy.fr@XXXXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ]
    [ ...fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8 ] 0 }
  add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/24 19:46:35]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x56032c4c09f0 (932)]: [0x7f08000041d0 (156)]
[CID 14][2020/10/24 19:46:35]: [status] Handling query output: 0x7f08000041d0 (156)
[2020/10/24 19:46:35]: [status] Handling query reply: 0x7f08000041d0 (156)
[2020/10/24 19:46:35]: [status] Sending data: 0x7f08000041d0 (156)
[2020/10/24 19:46:35]: [status] Sending data [0x7f08000041d0 (156)]: successful write of 156
END OF LOGS
The file /var/lib/gssproxy/clients/krb5cc_48 is not created (this is why I tried to do it with sudo; a really bad solution, probably).
Best.
On 2020-10-13 23:27, Simo Sorce wrote:
Hello Simo,
I made mistakes in the previous mail, so you may ignore it.

USERDIR.CONF
# cat userdir.conf
<IfModule mod_userdir.c>
    UserDir disabled root
    UserDir www
</IfModule>

<Directory "/*/*/www">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
PERMISSIONS
$ ls ~/www
index.html  index.php  laravel

I think we have correct permissions on ~/www/index.html:
$ nfs4_getfacl ~
# file: ~      #### on NFS SHARE
A::OWNER@:rwaDxtTcCy
A::apache@xxxxxx.yyyyyyyy.fr:xtcy     ### gives cross permission
A::GROUP@:tcy
A::EVERYONE@:tcy
755 on www and 644 on index.html

We simplify for a moment with: chmod 777 ~
$ nfs4_getfacl .
# file: .
A::OWNER@:rwaDxtTcCy
D::apache@xxxx.yyyyyyyy.fr:rwaD
A::apache@xxxx.yyyyyyyy.fr:xtcy
A::GROUP@:tcy
D::GROUP@:rwaDx
A::EVERYONE@:rwaDxtcy
GSSPROXY
Also, in reviewing everything, there was a problem getting the keytab. Now the cache seems correct when we boot with cred_usage = initiate (with this configuration, sudo is not needed any more):

[service/apache]
  mechs = krb5
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
  cred_store = client_keytab:/etc/gssproxy/httpd.keytab
  euid = 48
  cred_usage = initiate

In /var/lib/gssproxy/clients/
# ls -l
total 8
-rw------- 1 root root 2233 Sep 28 07:50 krb5cc_0
-rw------- 1 root root 1154 Oct 25 08:05 krb5cc_48
LOGS - LOGS
We have a permission problem accessing index.html with: firefox http://localhost/~userx
Forbidden: You don't have permission to access this resource.
Here is the new log after stopping gssproxy.service.

PART I
systemctl stop gssproxy.service
# /usr/sbin/gssproxy -i --debug-level 3
[2020/10/25 08:10:29]: Debug Enabled (level: 3)
[2020/10/25 08:10:29]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 18
[2020/10/25 08:10:29]: Service: apache, Keytab: FILE:/etc/krb5.keytab, Enctype: 18
[2020/10/25 08:10:29]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 18
[2020/10/25 08:10:29]: Debug Enabled (level: 9)
[2020/10/25 08:10:29]: Failed to get peer's SELinux context (92:Protocol not available)   ##### we don't use SELINUX
[2020/10/25 08:10:29]: Client [2020/10/25 08:10:29]: (/usr/sbin/gssproxy) [2020/10/25 08:10:29]: connected (fd = 13)[2020/10/25 08:10:29]: (pid = 6868) (uid = 0) (gid = 0)[2020/10/25 08:10:29]:
PART II: when trying "firefox http://localhost/~userx &" we get a Forbidden access.
[2020/10/25 08:11:31]: Failed to get peer's SELinux context (92:Protocol not available)   ##### we don't use SELINUX
[2020/10/25 08:11:31]: Client [2020/10/25 08:11:31]: (/usr/sbin/rpc.gssd) [2020/10/25 08:11:31]: connected (fd = 14)[2020/10/25 08:11:31]: (pid = 912) (uid = 48) (gid = 48)[2020/10/25 08:11:31]:
[CID 14][2020/10/25 08:11:31]: [status] Handling query input: 0x55b6d9534350 (932)
[CID 14][2020/10/25 08:11:31]: Connection matched service apache
[CID 14][2020/10/25 08:11:31]: [status] Processing request [0x55b6d9534350 (932)]
[CID 14][2020/10/25 08:11:31]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x55b6d9534350 (932)]
[CID 14][2020/10/25 08:11:31]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED(
  call_ctx: { "" [ ] }
  input_cred_handle: {
    { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] }
    [ { { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ]
    [ ...fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8 ] 0 }
  add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/25 08:11:31]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x55b6d9534350 (932)]: [0x7f5920001340 (156)]
[CID 14][2020/10/25 08:11:31]: [status] Handling query output: 0x7f5920001340 (156)
[2020/10/25 08:11:31]: [status] Handling query reply: 0x7f5920001340 (156)
[2020/10/25 08:11:31]: [status] Sending data: 0x7f5920001340 (156)
[2020/10/25 08:11:31]: [status] Sending data [0x7f5920001340 (156)]: successful write of 156
[CID 14][2020/10/25 08:11:31]: [status] Handling query input: 0x55b6d9530b70 (932)
[CID 14][2020/10/25 08:11:31]: Connection matched service apache
[CID 14][2020/10/25 08:11:31]: [status] Processing request [0x55b6d9530b70 (932)]
[CID 14][2020/10/25 08:11:31]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x55b6d9530b70 (932)]
[CID 14][2020/10/25 08:11:31]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED(
  call_ctx: { "" [ ] }
  input_cred_handle: {
    { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] }
    [ { { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ]
    [ ...fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8 ] 0 }
  add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/25 08:11:31]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x55b6d9530b70 (932)]: [0x7f59200041d0 (156)]
[CID 14][2020/10/25 08:11:31]: [status] Handling query output: 0x7f59200041d0 (156)
[2020/10/25 08:11:31]: [status] Handling query reply: 0x7f59200041d0 (156)
[2020/10/25 08:11:31]: [status] Sending data: 0x7f59200041d0 (156)
[2020/10/25 08:11:31]: [status] Sending data [0x7f59200041d0 (156)]: successful write of 156
[CID 14][2020/10/25 08:11:53]: [status] Handling query input: 0x55b6d9530fb0 (932)
[CID 14][2020/10/25 08:11:53]: Connection matched service apache
[CID 14][2020/10/25 08:11:53]: [status] Processing request [0x55b6d9530fb0 (932)]
[CID 14][2020/10/25 08:11:53]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x55b6d9530fb0 (932)]
[CID 14][2020/10/25 08:11:53]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED(
  call_ctx: { "" [ ] }
  input_cred_handle: {
    { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] }
    [ { { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ]
    [ ...fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8 ] 0 }
  add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/25 08:11:53]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x55b6d9530fb0 (932)]: [0x7f5920004b90 (156)]
[CID 14][2020/10/25 08:11:53]: [status] Handling query output: 0x7f5920004b90 (156)
[2020/10/25 08:11:53]: [status] Handling query reply: 0x7f5920004b90 (156)
[2020/10/25 08:11:53]: [status] Sending data: 0x7f5920004b90 (156)
[2020/10/25 08:11:53]: [status] Sending data [0x7f5920004b90 (156)]: successful write of 156
[CID 14][2020/10/25 08:11:53]: [status] Handling query input: 0x55b6d95313f0 (932)
[CID 14][2020/10/25 08:11:53]: Connection matched service apache
[CID 14][2020/10/25 08:11:53]: [status] Processing request [0x55b6d95313f0 (932)]
[CID 14][2020/10/25 08:11:53]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x55b6d95313f0 (932)]
[CID 14][2020/10/25 08:11:53]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED(
  call_ctx: { "" [ ] }
  input_cred_handle: {
    { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] }
    [ { { "HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2 1 }
      [ 410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652 ]
      [ 420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000 ]
      [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ]
    [ ...fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8 ] 0 }
  add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/25 08:11:53]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x55b6d95313f0 (932)]: [0x7f5920004ed0 (156)]
[CID 14][2020/10/25 08:11:53]: [status] Handling query output: 0x7f5920004ed0 (156)
[2020/10/25 08:11:53]: [status] Handling query reply: 0x7f5920004ed0 (156)
[2020/10/25 08:11:53]: [status] Sending data: 0x7f5920004ed0 (156)
[2020/10/25 08:11:53]: [status] Sending data [0x7f5920004ed0 (156)]: successful write of 156
Thanks, Olivier.
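The nfs4_getfacl listings in the message above are where to verify what "apache" can actually do on a student's home directory, and the chmod 777 experiment shows why POSIX mode bits are a poor guide once named ACEs exist. The following Python is an added example, not code from the thread or from nfs-utils. It parses nfs4_getfacl output and evaluates a request the way RFC 7530 section 6.2.1 describes: ACEs are walked in order, an allow grants the requested bits not yet decided, a deny that reaches a still-undecided requested bit fails the request, and anything undecided at the end is denied. The two ACLs are the ones posted above with the apache principal spelled one way (the original listings spell the domain two ways); every other requester name is constructed.

```python
"""Evaluate NFSv4 ACLs as printed by nfs4_getfacl.

Added example, not code from the thread or from nfs-utils.  ACE format is
type:flags:principal:permissions (A allow, D deny, U/L audit/alarm).  The
decision follows RFC 7530 section 6.2.1: ACEs are walked in order, an
allow grants the requested bits not yet decided, a deny that covers an
undecided requested bit fails the request, and bits still undecided at
the end are denied.  The ACLs below are the thread's two listings with
the apache principal spelled one way; other requester names are made up.
"""

APACHE = "apache@xxxx.yyyyyyyy.fr"

# Home directory before the chmod 777 experiment.
HOME_ACL = """\
# file: ~
A::OWNER@:rwaDxtTcCy
A::apache@xxxx.yyyyyyyy.fr:xtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
"""

# Same directory after "chmod 777 ~": deny ACEs now sit ahead of EVERYONE@.
HOME_ACL_777 = """\
# file: .
A::OWNER@:rwaDxtTcCy
D::apache@xxxx.yyyyyyyy.fr:rwaD
A::apache@xxxx.yyyyyyyy.fr:xtcy
A::GROUP@:tcy
D::GROUP@:rwaDx
A::EVERYONE@:rwaDxtcy
"""


def parse_nfs4_acl(text):
    """Return [(type, flags, principal, perms)], skipping '# file:' headers."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        atype, flags, who, perms = line.split(":", 3)
        aces.append((atype, frozenset(flags), who, frozenset(perms)))
    return aces


def _ace_applies(flags, who, requester, is_owner, in_owning_group, groups):
    """Does this ACE's principal match the requester?"""
    if who == "EVERYONE@":
        return True
    if who == "OWNER@":
        return is_owner
    if who == "GROUP@":
        return in_owning_group
    if "g" in flags:            # named group ACE
        return who in groups
    return who == requester     # named user ACE


def nfs4_access(aces, requester, requested, is_owner=False,
                in_owning_group=False, groups=()):
    """True if every letter in `requested` (e.g. "rx") is allowed before a
    matching deny reaches it."""
    wanted = frozenset(requested)
    allowed = set()
    for atype, flags, who, perms in aces:
        if atype not in ("A", "D") or "i" in flags:
            continue            # audit/alarm or inherit-only ACEs do not decide
        if not _ace_applies(flags, who, requester, is_owner, in_owning_group, groups):
            continue
        undecided = wanted - allowed
        if atype == "A":
            allowed |= perms & undecided
        elif perms & undecided:
            return False        # deny reached a bit nobody had allowed yet
        if wanted <= allowed:
            return True
    return wanted <= allowed


if __name__ == "__main__":
    other = "someone@xxxx.yyyyyyyy.fr"
    for label, text in (("before chmod 777", HOME_ACL), ("after chmod 777", HOME_ACL_777)):
        acl = parse_nfs4_acl(text)
        print(label)
        print("  apache traverse (x):   ", nfs4_access(acl, APACHE, "x"))
        print("  apache list (r):       ", nfs4_access(acl, APACHE, "r"))
        print("  other user list (r):   ", nfs4_access(acl, other, "r"))
        print("  group member list (r): ", nfs4_access(acl, other, "r", in_owning_group=True))
```

Against the first ACL the apache principal gets x (traverse) on the home directory but not r, which is all that serving ~/www/index.html needs from that directory, provided www and the file themselves admit apache. Against the second ACL the D::apache ACE that the chmod produced sits before the EVERYONE@ allow, so users outside the owning group gained read on the home directory while apache and group members still cannot list it: the chmod 777 widened access for the wrong principals and changed nothing for apache.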
On Sun, 2020-10-25 at 10:04 +0100, daudel@daudel.com wrote:
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 100001 "Unspecified GSS failure. Minor code may provide more information" "Success" [ ] } output_cred_handle: <Null> )
Seems like you have issues initiating via keytab.
Is /var/lib/gssproxy/clients/krb5cc_48 already present when you start gssproxy, by chance? If so, delete it before trying.
If you do: kinit -kt /etc/gssproxy/httpd.keytab HTTP/host.xxxx.yyyyyyyy.fr@XXXX.YYYYYYYY.FR
do you get a TGT? If not, that's your issue.
Simo.