Hi,
I've been working on some systems trying to get kerberized nfsv4 and kerberized web services going on 7. Kerberized nfsv4 was working with 7.0, but with the 7.1 release it stopped working; the key difference between the two setups is that gssproxy wasn't being used with 7.0, but seems to be key with 7.1.
The problem I am encountering with Kerberized NFSv4 is that the directory will mount okay, and I can see its contents as root, but I encounter "Permission denied" errors when trying to access it as a regular user. 'klist -ce' returns valid results as the user (including a line for the server spn that I was trying to access), and I am able to access Kerberized NFSv4 shares hosted on EL6 servers as the same user.
Kerberized web services have been a recent thing to try in order to see if they would work with gssproxy - a colleague did get Kerberized web services going on 7.1 without using gssproxy. I followed the instructions at https://fedorahosted.org/gss-proxy/wiki/Apache, but still didn't have any success until I added the cred_store line mentioned in comment 6 of https://bugzilla.redhat.com/show_bug.cgi?id=1168962, as we are running with selinux enabled. The success was short-lived, for once I started adding user/group checking it would succeed about 30% of the time, as the user principal was being returned as elaxdal@REALMH\x86\xf7\x12\x01\x02\x02 instead of just elaxdal@REALM.
Today I tried recompiling the 0.4.1-1 source rpm from Fedora 21's updates, installed it onto a 7.1 nfsv4/web server, at which point everything started to consistently work - NFSv4 shares and web services with user/group checking. So it appears that the problem I'm encountering has been addressed. I've also tried recompiling the 0.3.1-1 and 0.3.1-4 source rpms from Fedora 20 and 21, both of which show the same problems I see with the 7.1 version of gssproxy.
Some additional background information: the Kerberos server is an AD server that is maintained by another group. The system keytab uses a user account based spn on the AD server, and a computer account based keytab for the system with aliases for host and http keytabs.
Any thoughts/suggestions as I'd rather stay with the distribution's version of supplied packages?
Thanks, Erik
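One defensive point worth taking from the report above: the user/group check was comparing a principal string that sometimes carried trailing non-printable bytes, and it only failed about 30% of the time. An authorization check that validates the principal strictly fails closed on such a value every time, and it also makes the corruption visible instead of hiding it in a loose comparison. The following is an added example written for this thread, not code from gssproxy, mod_auth_gssapi or the poster; the function names (validate_principal, authorize, trailing_bytes_after_realm), the accepted principal syntax, and the sample values modelled on the reported names are all assumptions constructed for illustration.

```python
import re

# Accepted principal syntax (an assumption for this example, not a syntax
# defined by gssproxy or Kerberos): primary[/instance]@REALM, ASCII only,
# realm in upper case. Anything else is rejected rather than compared loosely.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?@[A-Z0-9.-]+$")


def validate_principal(raw: bytes, expected_realm: str) -> str:
    """Return the principal as text if it is well-formed and in the expected
    realm; raise ValueError otherwise, so callers fail closed."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        # Non-ASCII bytes (like the \x86\xf7... tail in the report) end up here.
        raise ValueError(f"non-ASCII bytes in principal: {raw!r}") from exc
    if "\x00" in name or not name.isprintable():
        raise ValueError(f"non-printable characters in principal: {name!r}")
    if not PRINCIPAL_RE.match(name):
        raise ValueError(f"malformed principal: {name!r}")
    _, realm = name.rsplit("@", 1)
    if realm != expected_realm:
        # "REALMH" or any other realm that merely starts with the expected
        # one is a different realm, not a near-match.
        raise ValueError(f"unexpected realm {realm!r} in {name!r}")
    return name


def authorize(raw: bytes, expected_realm: str, allowed_users: set) -> bool:
    """User check as an authorization hook would do it: a principal that does
    not validate is denied, never partially matched."""
    try:
        name = validate_principal(raw, expected_realm)
    except ValueError:
        return False
    user = name.split("@", 1)[0]
    return user in allowed_users


def trailing_bytes_after_realm(raw: bytes, expected_realm: str):
    """Diagnostic helper: return whatever follows '@<realm>' in the raw name
    (b'' when the name ends cleanly, None when the realm is absent). Useful
    for logging what a misbehaving component actually handed back."""
    marker = ("@" + expected_realm).encode("ascii")
    idx = raw.find(marker)
    if idx < 0:
        return None
    return raw[idx + len(marker):]


if __name__ == "__main__":
    # Constructed sample values modelled on the names quoted in the thread.
    good = b"elaxdal@REALM"
    corrupt = b"elaxdal@REALMH\x86\xf7\x12\x01\x02\x02"
    allowed = {"elaxdal"}
    print("good   ->", authorize(good, "REALM", allowed))
    print("corrupt->", authorize(corrupt, "REALM", allowed),
          "trailing bytes:", trailing_bytes_after_realm(corrupt, "REALM"))
```

The diagnostic helper is what you would log when a check denies access: it shows the bytes that followed the realm, which tells you at once whether the problem is the authorization rule or the value coming out of the GSS layer.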
Erik Laxdal wrote:
> Hi,
> I've been working on some systems trying to get kerberized nfsv4 and kerberized web services going on 7. Kerberized nfsv4 was working with 7.0, but with the 7.1 release it stopped working; the key difference between the two setups is that gssproxy wasn't being used with 7.0, but seems to be key with 7.1.
> The problem I am encountering with Kerberized NFSv4 is that the directory will mount okay, and I can see its contents as root, but I encounter "Permission denied" errors when trying to access it as a regular user. 'klist -ce' returns valid results as the user (including a line for the server spn that I was trying to access), and I am able to access Kerberized NFSv4 shares hosted on EL6 servers as the same user.
<snip>
Stupid question: selinux?
mark
On 06/30/2015 12:13 PM, m.roth@5-cent.us wrote:
> Erik Laxdal wrote:
> > The problem I am encountering with Kerberized NFSv4 is that the directory will mount okay, and I can see its contents as root, but I encounter "Permission denied" errors when trying to access it as a regular user. 'klist -ce' returns valid results as the user (including a line for the server spn that I was trying to access), and I am able to access Kerberized NFSv4 shares hosted on EL6 servers as the same user.
> <snip>
> Stupid question: selinux?
Not a stupid question; selinux has gotten me with other things from time to time. The server was set up with selinux set to enforcing by default, but I have tried 'setenforce 0', changing it to permissive, and finally disabled (rebooting after each of these state changes) with no change in behaviour.
On the client side, I've only tried the 'setenforce 0' command. The gssproxy-0.4.1-1 package was only installed on the server and worked with selinux enabled on both the server and client sides. The client side also has no problem accessing Kerberized NFSv4 shares from EL6 systems with selinux enabled on it.
Thanks, Erik