
error messages from kerberos are not logged #75

Description

@freedge

I am using the rpc-gssd and gssproxy mechanism, and I found a mistake in my /etc/krb5.conf:

    default_ccache_name = DIR:/home/%{username}/.k5_ccache

This used to work for regular users needing a ticket, but it fails when root tries to mount an NFS volume, as there is no /home/root directory. It sounds trivial, but the investigation took a while:

With verbosity activated, rpc-gssd will log

ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73ac3)

which is not helpful.

In this case Kerberos constructs a readable error message; however, gssproxy simply grabs the Kerberos error code, puts it into a "minor code", and is later unable to display it.

Is it possible to improve gssproxy so that errors coming from the Kerberos API are logged properly? Thanks

I could check that something like

diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
index 677834d..84db676 100644
--- a/src/mechglue/gpp_creds.c
+++ b/src/mechglue/gpp_creds.c
@@ -327,6 +327,11 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,
 
 done:
     if (ctx) {
+        if (ret) {
+            char* msg = krb5_get_error_message(ctx, ret);
+            gpm_save_internal_status(ret, msg);
+            krb5_free_error_message(ctx, msg);
+        }
         krb5_free_cred_contents(ctx, &cred);
         krb5_free_cred_contents(ctx, &icred);
         if (ccache) krb5_cc_close(ctx, ccache);
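Review bot: `krb5_get_error_message()` returns `const char *`, so `char* msg` at the top of the hunk drops the qualifier; declare it `const char *msg`, which also matches the `type *name` spacing used in the surrounding code (e.g. `const char *ccache_name` in the function signature). Also confirm that `gpm_save_internal_status()` copies the string rather than keeping the pointer, since `msg` is released by `krb5_free_error_message()` on the very next line; if it only stores the pointer, the saved status would point at freed memory by the time it is displayed.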

makes the error message a lot more helpful:

rpc.gssd[54289]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Credential cache directory /home/root/.k5_ccache does not exist
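The trap in the report is that %{username} is expanded for the effective user of the process doing the mount, so a template that works for every account with a home directory breaks for root. As an added example (this is not gssproxy's or rpc.gssd's code; the token table, the message wording and the sample directories are my own constructions), the Python script below expands a default_ccache_name template the way krb5.conf parameter expansion does and reports whether the resulting cache location exists, so the misconfiguration can be caught before a mount fails with an opaque GSS_S_FAILURE.

```python
"""Added example, not gssproxy or rpc.gssd code: expand a krb5.conf
default_ccache_name template for a given user and check the result.
Sample templates, user names and directories are constructed inputs."""
import os
import pwd
import re
import tempfile

# Tokens from the krb5.conf "Parameter expansion" list that apply on Unix.
# Unknown %{...} tokens are left in place rather than guessed at.
_TOKEN_RE = re.compile(r"%\{([A-Za-z_]+)\}")


def expand_ccache_template(template, username, uid, euid=None, tmpdir="/tmp"):
    """Expand a template with explicit user values, so we can ask
    "what does this become for root?" without actually being root."""
    if euid is None:
        euid = uid
    values = {"username": username, "uid": str(uid), "euid": str(euid),
              "USERID": str(uid), "TEMP": tmpdir, "null": ""}
    return _TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def expand_for_current_process(template):
    """Expansion as the running process sees it; for a daemon with euid 0
    %{username} becomes the passwd name of uid 0, normally 'root'."""
    euid = os.geteuid()
    return expand_ccache_template(template, pwd.getpwuid(euid).pw_name,
                                  os.getuid(), euid)


def diagnose_ccache(name):
    """Return None if the cache location looks usable, else a reason string.
    The DIR wording mirrors the message libkrb5 gives for a missing directory."""
    cc_type, sep, residual = name.partition(":")
    if not sep:                      # no type prefix: treated as a FILE cache
        cc_type, residual = "FILE", name
    cc_type = cc_type.upper()
    if cc_type == "DIR":
        # "DIR::/path/tkt" names the primary ticket file inside the directory.
        directory = os.path.dirname(residual[1:]) if residual.startswith(":") else residual
        if not os.path.isdir(directory):
            return "Credential cache directory %s does not exist" % directory
        if not os.access(directory, os.W_OK):
            return "Credential cache directory %s is not writable" % directory
        return None
    if cc_type == "FILE":
        parent = os.path.dirname(residual) or "."
        if not os.path.isdir(parent):
            return "Credential cache file %s cannot be created: %s is missing" % (residual, parent)
        return None
    if cc_type in ("KEYRING", "MEMORY", "KCM"):
        return None                  # not backed by a path on the filesystem
    return "Unknown credential cache type %s" % cc_type


def check_template_for_user(template, username, uid, euid=None, tmpdir="/tmp"):
    """Expand, then diagnose. Returns (expanded_name, problem_or_None)."""
    expanded = expand_ccache_template(template, username, uid, euid, tmpdir)
    return expanded, diagnose_ccache(expanded)


def demo():
    """Constructed scenario from the issue: one temp directory stands in for
    /home, with a home for 'alice' but none for 'root'. Returns the findings."""
    results = {}
    with tempfile.TemporaryDirectory() as home_base:
        os.makedirs(os.path.join(home_base, "alice", ".k5_ccache"))
        template = "DIR:" + home_base + "/%{username}/.k5_ccache"
        results["alice"] = check_template_for_user(template, "alice", 1000)
        results["root"] = check_template_for_user(template, "root", 0)
        # A template that does not depend on a home directory existing.
        results["keyring"] = check_template_for_user("KEYRING:persistent:%{uid}", "root", 0)
    return results


if __name__ == "__main__":
    for who, (name, problem) in demo().items():
        print("%-8s %s -> %s" % (who, name, problem or "ok"))
```

Run it as the mounting user (or feed it `("root", 0)` as above) before relying on a DIR: cache: the expanded path for root is exactly what libkrb5 will try to open, and the check reproduces the "does not exist" condition that rpc.gssd only surfaced as an unhelpful minor code.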

Labels: enhancement, help wanted