[CentOS] gssproxy items...

Tue Jun 30 18:39:47 UTC 2015
Erik Laxdal <elaxdal at ece.uvic.ca>


I've been working on some systems trying to get kerberized nfsv4 and
kerberized web services going on 7.  Kerberized nfsv4 was working with
7.0, but with the 7.1 release it stopped working, the key difference
between the two setups is that gssproxy wasn't being used with 7.0, but
seems to be key with 7.1.

The problem I am encountering with Kerberized NFSv4 is that the
directory will mount okay, and I can see it's contents as root, but I
encounter "Permission denied" errors when trying to access it as a
regular user.  'klist -ce' returns valid results as the user (including
a a line for the server spn that I was trying to access), and I am able
to access Kerberized NFSv4 shares hosted on EL6 servers as the same user.

Kerberized web services have been a recent thing to try in order to see
if they would work with gssproxy - a colleague did get Kerberized web
services going on 7.1 without using gssproxy.  I followed the
instructions at https://fedorahosted.org/gss-proxy/wiki/Apache, but
still didn't have any success until I added the cred_store line
mentioned in comment 6 of
https://bugzilla.redhat.com/show_bug.cgi?id=1168962 as we are running
with selinux enabled.  The success was short-lived for once I started
adding user/group checking it would succeed about 30% of the time as the
user principal was being returned as
elaxdal at REALMH\x86\xf7\x12\x01\x02\x02 instead of just elaxdal at REALM.

Today I tried recompiling the 0.4.1-1 source rpm from Fedora 21's
updates, installed it onto a 7.1 nfsv4/web server, at which point
everything started to consistently work - NFSv4 shares and web services
with user/group checking.  So it appears that the problem I'm
encountering has been addressed.  I've also tried recompiling the
0.3.1-1 and 0.3.1-4 source rpms from Fedora 20 and 21, both of which
show the same problems I see with the 7.1 version of gssproxy.

Some additional background information, the Kerberos server is an AD
server that is maintained by another group.  The system keytab uses a
user account based spn on the AD server, and a computer account based
keytab for the system with aliases for host and http keytabs.

Any thoughts/suggestions as I'd rather stay with the distribution's
version of supplied packages?