Closed robberteggermont closed 4 years ago
Hi,
I think I'm facing the same problem as you. What kind of errors did you have?
I've tried your solution but it's not working for me; I'm getting the following error:
spank-auks: unable to get user xxxxxxx cred : auks api : reply seems corrupted
I'm running CentOS, sssd and gssproxy against FreeIPA.
Thank you! Alex
Sorry, I can't remember the errors.
In the end (to solve problems with rpc.gssd/gssproxy), I disabled gssproxy for nfs (in /etc/sysconfig/nfs, set GSS_USE_PROXY="no"). That solved this problem as well. (But I'm still running successfully with the above workarounds.)
Hi robberteggermont,
Thank you for your answer, I'll try disabling gssproxy.
I'm afraid this is still a problem in auks 0.5.0. I have gssproxy enabled because I need it. After commit 68cdb0c879e18c8b011be7676b206a8603b272bf, the aukspriv service always uses /tmp/krb5cc_0 as its credentials cache, which conflicts with gssproxy:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: host/obst25.example.com@EXAMPLE.COM
Issued                Expires        Principal
Jan 1 01:00:00 1970   >>>Expired<<<  Encrypted/Credentials/v1@X-GSSPROXY:
After upgrading to CentOS 7.4, auks stopped functioning properly because rpc.gssd stores a GSSPROXY ticket in /tmp/krb5cc_0 (service principal 'Encrypted/Credentials/v1@X-GSSPROXY:') and auks can't use this ticket. Restarting aukspriv will fix the problem temporarily (new service principal 'krbtgt/DOMAIN@DOMAIN') until rpc.gssd overwrites the cache again.
My workaround is to make auks use its private ticket cache (/tmp/krb5cc_0_auks). This required quite some searching and trying, however:
For aukspriv, I added 'AUKS_PRIV_CCACHE_APPEND=_auks' to /etc/sysconfig/aukspriv.
For auksdrenewer, I added 'KRB5CCNAME=FILE:/tmp/krb5cc_0_auks' to /etc/sysconfig/auksdrenewer.
For the SLURM spank plugin, I added 'hostcredcache=FILE:/tmp/krb5cc_0_auks' to /etc/slurm/plugstack.conf.d/auks.conf.
It would have been nice to have a common setting for this, and even better to use a private ticket cache by default...
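A consistency check for the three settings named in the workaround above, as an added example that is not part of the original post or of auks itself. The function names and the ROOT prefix are hypothetical; it assumes the aukspriv suffix is appended to /tmp/krb5cc_0 (as the post's resulting path suggests) and treats an unset value as the shared default cache.

```sh
#!/bin/sh
# Added example: check that aukspriv, auksdrenewer and the SLURM spank plugin
# all point at the same private ticket cache. ROOT is a hypothetical prefix so
# the check can run against a copy of /etc (empty ROOT means the live system).

# Value of KEY=VALUE in a sysconfig-style file, quotes stripped, last one wins.
cfg_value() {  # cfg_value KEY FILE
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Value of the hostcredcache= argument in plugstack.conf.d/auks.conf.
spank_value() {  # spank_value FILE
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr ' \t' '\n\n' |
        sed -n 's/^hostcredcache=//p' | tail -n 1
}

# Prints the three effective caches; returns 0 only if they agree and are
# not the shared /tmp/krb5cc_0 that rpc.gssd/gssproxy overwrites.
check_auks_ccache() {  # check_auks_ccache [ROOT]
    root=${1:-}
    shared=/tmp/krb5cc_0
    # Assumption taken from the post: the suffix is appended to /tmp/krb5cc_0.
    priv="$shared$(cfg_value AUKS_PRIV_CCACHE_APPEND "$root/etc/sysconfig/aukspriv")"
    renew=$(cfg_value KRB5CCNAME "$root/etc/sysconfig/auksdrenewer")
    spank=$(spank_value "$root/etc/slurm/plugstack.conf.d/auks.conf")
    # Assumption: an unset value falls back to the shared default cache.
    renew=${renew#FILE:}; renew=${renew:-$shared}
    spank=${spank#FILE:}; spank=${spank:-$shared}
    printf 'aukspriv=%s auksdrenewer=%s spank=%s\n' "$priv" "$renew" "$spank"
    [ "$priv" = "$renew" ] && [ "$priv" = "$spank" ] && [ "$priv" != "$shared" ]
}

# True if klist output on stdin shows the gssproxy placeholder principal.
ccache_is_gssproxy() { grep -q 'Encrypted/Credentials/v1@X-GSSPROXY:'; }

# Demo on constructed files under a temporary root (not a real system).
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig" "$demo/etc/slurm/plugstack.conf.d"
echo 'AUKS_PRIV_CCACHE_APPEND=_auks' > "$demo/etc/sysconfig/aukspriv"
echo 'KRB5CCNAME=FILE:/tmp/krb5cc_0_auks' > "$demo/etc/sysconfig/auksdrenewer"
echo 'required auks.so hostcredcache=FILE:/tmp/krb5cc_0_auks' \
    > "$demo/etc/slurm/plugstack.conf.d/auks.conf"   # constructed plugin line
check_auks_ccache "$demo" && echo "consistent private cache"
rm -rf "$demo"
```

On a live node, `klist -c /tmp/krb5cc_0_auks | ccache_is_gssproxy` reports whether the private cache has been overwritten with the gssproxy placeholder as well.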