gssproxy
error messages from kerberos are not logged
I am using the rpc-gssd and gssproxy mechanism, and I found a mistake in my /etc/krb5.conf:
default_ccache_name = DIR:/home/%{username}/.k5_ccache
This used to work for regular users needing a ticket, but it fails when root tries to mount an NFS volume, as there is no /home/root directory. It sounds trivial, but the investigation took a while:
With verbosity activated, rpc-gssd will log
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - (0x9ae73ac3)
which is not helpful.
In this case Kerberos constructs a readable error message; however, gssproxy simply grabs the Kerberos error code, puts it into a "minor code", and is later unable to display it.
Is it possible to improve gssproxy so that errors coming from the Kerberos API are logged properly? Thanks.
I could check that something like this:
diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
index 677834d..84db676 100644
--- a/src/mechglue/gpp_creds.c
+++ b/src/mechglue/gpp_creds.c
@@ -327,6 +327,11 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,
done:
if (ctx) {
+ if (ret) {
+ char* msg = krb5_get_error_message(ctx, ret);
+ gpm_save_internal_status(ret, msg);
+ krb5_free_error_message(ctx, msg);
+ }
krb5_free_cred_contents(ctx, &cred);
krb5_free_cred_contents(ctx, &icred);
if (ccache) krb5_cc_close(ctx, ccache);
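Review bot: `krb5_get_error_message()` returns `const char *`, so `char* msg` in the added block discards the qualifier and will draw a compiler warning; declare it `const char *msg`, which also matches the parameter type of `krb5_free_error_message()`. Two follow-ups worth a comment in the change: the message is freed immediately after `gpm_save_internal_status(ret, msg)`, so that function must copy the string rather than keep the pointer; and because the new block sits inside `if (ctx)`, any failure that leaves `ctx` NULL still falls through to the generic minor code with no text.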
makes the error message a lot more helpful:
rpc.gssd[54289]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Credential cache directory /home/root/.k5_ccache does not exist
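As an added example, not part of this issue or the gssproxy project: a small Python check that reads `default_ccache_name` from a krb5.conf, expands the `%{username}` / `%{uid}` / `%{euid}` tokens for each user that needs a cache (root included), and reports users whose `DIR:` cache directory does not exist. The sample config, the user list and the set of "existing" directories are constructed for the example; the function names are hypothetical. It generalizes the `/home/root` case above to any user the template would route to a missing directory, which is the configuration mistake the reporter hit.

```python
"""Check that a DIR: default_ccache_name resolves to an existing directory
for every user that needs a Kerberos credential cache (root included).
Added example; not gssproxy code. Function names are hypothetical."""
import os
import re

# Constructed sample krb5.conf, mirroring the faulty setting from the report.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM   # constructed
    default_ccache_name = DIR:/home/%{username}/.k5_ccache
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

# Constructed (username, uid) pairs; root has no /home/root on the sample host.
SAMPLE_USERS = [("alice", 1000), ("bob", 1001), ("root", 0)]

# Constructed stand-in for the filesystem so the check runs offline.
SAMPLE_EXISTING_DIRS = {"/home/alice/.k5_ccache", "/home/bob/.k5_ccache"}


def parse_default_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None


def expand_ccache_template(template, username, uid, euid=None):
    """Expand the per-user tokens krb5 supports in ccache names.
    Tokens this example does not model are left untouched."""
    euid = uid if euid is None else euid
    values = {"username": username, "uid": str(uid), "euid": str(euid)}
    return re.sub(r"%\{(\w+)\}",
                  lambda m: values.get(m.group(1), m.group(0)), template)


def missing_ccache_dirs(template, users, exists=os.path.isdir):
    """For a DIR: template, return (username, path) for every user whose
    cache directory is absent. krb5 does not create DIR: directories, so
    each missing path is a user who cannot acquire credentials."""
    if template is None or not template.startswith("DIR:"):
        return []          # FILE:/KEYRING: caches are created on demand
    path_template = template[len("DIR:"):]
    problems = []
    for username, uid in users:
        path = expand_ccache_template(path_template, username, uid)
        if not exists(path):
            problems.append((username, path))
    return problems


def check_sample():
    """Run the check against the constructed config and filesystem."""
    template = parse_default_ccache_name(SAMPLE_KRB5_CONF)
    return missing_ccache_dirs(template, SAMPLE_USERS,
                               exists=lambda p: p in SAMPLE_EXISTING_DIRS)


if __name__ == "__main__":
    for user, path in check_sample():
        print(f"{user}: credential cache directory {path} does not exist")
```

On a real host, call `missing_ccache_dirs` with the default `exists` (a real `os.path.isdir`) and a user list built from `pwd.getpwall()` filtered to the accounts that actually obtain tickets, such as root for an NFS mount and whichever users have keytab-driven jobs; a `%{uid}` template under `/run/user` or `/tmp` avoids tying the cache to a home directory at all.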
This will require restructuring the internals a bit as we need to keep around some state when we go through the various fallbacks.
But it would definitely be very helpful to do so, indeed. It may take some time though, as I do not have spare cycles to afford such a refactoring right now.