Bug 1525442 - Kerberized NFS not working with keyring or KCM ccache and gssproxy
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gssproxy
Version: 27
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-12-13 10:46 UTC by Dan Ragnar
Modified: 2018-01-17 08:26 UTC
Last Closed: 2018-01-17 08:26:19 UTC
Type: Bug

Description Dan Ragnar 2017-12-13 10:46:01 UTC
Description of problem:
When configuring sssd/krb5 with KCM or kernel keyring ccache storage, kerberized NFS does not work with gssproxy. If you disable gssproxy or switch to a file-based ccache, mounting of kerberized NFS mounts starts to work.

The clients are joined to a FreeIPA domain and the NFS server is running Ubuntu 16.04 with sec=krb5i and nfs/ service principal in place. nfs/ principal for clients does not seem to matter in this case.

rpc-gssd throws the following error:
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73a8d)
WARNING: Failed while limiting krb5 encryption types for user with uid 0
WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_<EXAMPLE.COM> for server <nfs-server.example.com>
ERROR: Failed to create machine krb5 context with any credentials cache for server <nfs-server.example.com>
doing error downcall

Version-Release number of selected component (if applicable):
gssproxy: 0.7.0-25
sssd: 1.16.0-4
nfs-utils: 2.2.1-1

How reproducible:
always

Steps to Reproduce:
1. Enable kernel keyring or KCM ccache in /etc/krb5.conf (and /etc/krb5.conf.d/kcm_default_ccache for KCM)
2. Make sure gssproxy and rpc-gssd are running (should be if SECURE_NFS is configured)
3. Try to mount kerberized NFS mount

Actual results:
Mount attempt fails

Expected results:
Mount attempt succeeds

Additional info:

Comment 1 Robbie Harwood 2017-12-13 15:18:27 UTC
Please retest with the latest gssproxy (0.7.0-28 if you can, 0.7.0-26 is okay too).  Thanks!

Comment 2 Dan Ragnar 2017-12-14 08:42:32 UTC
I can confirm that it is working with 0.7.0-26, however I still see errors in the gssproxy log:
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found.
Is that a non-fatal error, or is it falling back to something else somehow?

BR,
Dan

Comment 3 Robbie Harwood 2017-12-14 16:08:14 UTC
(In reply to Dan Ragnar from comment #2)
> I can confirm that it is working with 0.7.0-26, however I still see errors
> in the gssproxy log:
> (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may
> provide more information, No credentials cache found. Is that a non-fatal
> error, or is it falling back to something else somehow?

Neither, inherently.  That's the GSSAPI call that the application which is using gssproxy is getting back.

Perhaps more clearly: the application makes a call (probably gss_acquire_cred) asking for credentials from a specific location.  The credentials not being there isn't necessarily fatal - they may be somewhere else, and the application may try there next.

Anyway, if your mounts are working reasonably, then it's probably not an issue.
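
An added example, not part of the bug thread and not code from gssproxy or nfs-utils: a log triage that separates a miss on one credential cache location from the case where rpc.gssd reports it failed with every cache, matching on the message wording quoted in this report. The sample lines and host names are constructed, and treating the "any credentials cache" line as the failure signal is an assumption drawn from the messages above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the messages quoted in this bug;
# realm and host names are placeholders.
SAMPLE_LOG = """\
WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.COM for server nfs1.example.com
ERROR: Failed to create machine krb5 context with any credentials cache for server nfs1.example.com
doing error downcall
WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.COM for server nfs2.example.com
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
"""

PER_CACHE = re.compile(
    r"Failed to create machine krb5 context with cred cache (\S+) for server (\S+)")
ALL_CACHES = re.compile(
    r"Failed to create machine krb5 context with any credentials cache for server (\S+)")
NO_CCACHE = "No credentials cache found"


def triage(log_text):
    """Return ({server: {"tried": [...], "exhausted": bool}}, ccache_miss_count)."""
    servers = defaultdict(lambda: {"tried": [], "exhausted": False})
    misses = 0
    for line in log_text.splitlines():
        m = PER_CACHE.search(line)
        if m:
            # One location failed; the caller may still try another.
            servers[m.group(2)]["tried"].append(m.group(1))
            continue
        m = ALL_CACHES.search(line)
        if m:
            # Assumption: this line means no location produced usable credentials.
            servers[m.group(1)]["exhausted"] = True
            continue
        if NO_CCACHE in line:
            misses += 1  # status handed back to the calling application
    return dict(servers), misses


def failed_servers(log_text):
    """Servers for which every credential cache was tried without success."""
    servers, _ = triage(log_text)
    return sorted(name for name, info in servers.items() if info["exhausted"])


if __name__ == "__main__":
    servers, misses = triage(SAMPLE_LOG)
    for name, info in sorted(servers.items()):
        state = "all caches failed" if info["exhausted"] else "per-cache miss only"
        print(f"{name}: {state}; tried {', '.join(info['tried'])}")
    print(f"'No credentials cache found' lines: {misses}")
```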

