Bug 1525442

Summary: Kerberized NFS not working with keyring or KCM ccache and gssproxy
Product: [Fedora] Fedora
Reporter: Dan Ragnar <dan.ragnar>
Component: gssproxy
Assignee: Robbie Harwood <rharwood>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: abokovoy, dan.ragnar, gdeschner, pasik, rharwood, ssorce
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2018-01-17 08:26:19 UTC
Type: Bug

Description Dan Ragnar 2017-12-13 10:46:01 UTC
Description of problem:
When configuring sssd/krb5 with KCM or kernel keyring ccache storage, kerberized NFS does not work with gssproxy. If you disable gssproxy or switch to a file-based ccache, mounting of kerberized NFS mounts starts to work.

The clients are joined to a FreeIPA domain and the NFS server is running Ubuntu 16.04 with sec=krb5i and nfs/ service principal in place. nfs/ principal for clients does not seem to matter in this case.

rpc-gssd throws the following error:
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73a8d)
WARNING: Failed while limiting krb5 encryption types for user with uid 0
WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_<EXAMPLE.COM> for server <nfs-server.example.com>
ERROR: Failed to create machine krb5 context with any credentials cache for server <nfs-server.example.com>
doing error downcall

Version-Release number of selected component (if applicable):
gssproxy: 0.7.0-25
sssd: 1.16.0-4
nfs-utils: 2.2.1-1

How reproducible:
always

Steps to Reproduce:
1. Enable kernel keyring or KCM ccache in /etc/krb5.conf (and /etc/krb5.conf.d/kcm_default_ccache for KCM)
2. Make sure gssproxy and rpc-gssd are running (should be if SECURE_NFS is configured)
3. Try to mount kerberized NFS mount 

Actual results:
Mount attempt fails

Expected results:
Mount attempt succeeds

Additional info:

Comment 1 Robbie Harwood 2017-12-13 15:18:27 UTC
Please retest with the latest gssproxy (0.7.0-28 if you can, 0.7.0-26 is okay too).  Thanks!

Comment 2 Dan Ragnar 2017-12-14 08:42:32 UTC
I can confirm that it is working with 0.7.0-26, however I still see errors in the gssproxy log:
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found. Is that a non-fatal error, or is it falling back to something else somehow?

BR,
Dan

Comment 3 Robbie Harwood 2017-12-14 16:08:14 UTC
(In reply to Dan Ragnar from comment #2)
> I can confirm that it is working with 0.7.0-26, however I still see errors
> in the gssproxy log:
> (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may
> provide more information, No credentials cache found. Is that a non-fatal
> error, or is it falling back to something else somehow?

Neither, inherently.  That's the GSSAPI call that the application which is using gssproxy is getting back.

Perhaps more clearly: the application makes a call (probably gss_acquire_cred) asking for credentials from a specific location.  The credentials not being there isn't necessarily fatal - they may be somewhere else, and the application may try there next.

Anyway, if your mounts are working reasonably, then it's probably not an issue.
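
An added example, not part of the bug thread and not gssproxy or nfs-utils code: a small triage of the log lines quoted above that separates a credential lookup error for one location from the point where rpc.gssd gives up on the request. The rule set and the grouping of lines into attempts are assumptions based only on the messages shown on this page.

```python
import re

# Constructed sample: lines copied from the report and from comment 2 above.
SAMPLE_LOG = """\
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73a8d)
WARNING: Failed while limiting krb5 encryption types for user with uid 0
WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_<EXAMPLE.COM> for server <nfs-server.example.com>
ERROR: Failed to create machine krb5 context with any credentials cache for server <nfs-server.example.com>
doing error downcall
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
"""

# Assumed rule set, derived only from the messages quoted on this page.
GAVE_UP = re.compile(r"with any credentials cache|doing error downcall")
ONE_CACHE = re.compile(r"with cred cache (\S+)")
MINOR = re.compile(r"\((0x[0-9a-fA-F]+)\)\s*$")
PROBE = re.compile(r"error in gss_acquire_cred|No credentials cache found")


def triage(log_text):
    """Group log lines into attempts and report which ones actually failed."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if cur is None:
            cur = {"caches_tried": [], "minor_codes": [], "probe_errors": 0,
                   "gave_up": False}
        if (m := ONE_CACHE.search(line)):
            cur["caches_tried"].append(m.group(1))   # one location that failed
        if (m := MINOR.search(line)):
            cur["minor_codes"].append(m.group(1))    # keep for the bug report
        if PROBE.search(line):
            cur["probe_errors"] += 1                 # lookup error, not a verdict
        if GAVE_UP.search(line):
            cur["gave_up"] = True                    # no location worked
        if "doing error downcall" in line:           # failure reported to the kernel
            attempts.append(cur)
            cur = None
    if cur is not None:                              # trailing lines, no give-up marker
        attempts.append(cur)
    return attempts


if __name__ == "__main__":
    for i, a in enumerate(triage(SAMPLE_LOG), 1):
        verdict = "FAILED" if a["gave_up"] else "probe error only"
        print(i, verdict, a["caches_tried"], a["minor_codes"])
```

On the sample, the first attempt is reported as failed (the state in the original report), while the lone "No credentials cache found" line from comment 2 is reported as a probe error only.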