hautreux / auks

Kerberos credential support for batch environments

Auks not working with gssproxy tickets, needs private ticket cache #23

Closed robberteggermont closed 4 years ago

robberteggermont commented 7 years ago

After upgrading to CentOS7.4, auks stopped functioning properly because rpc.gssd stores a GSSPROXY ticket in /tmp/krb5cc_0 (service principal 'Encrypted/Credentials/v1@X-GSSPROXY:') and auks can't use this ticket. Restarting aukspriv will fix the problem temporarily (new service principal 'krbtgt/DOMAIN@DOMAIN') until rpc.gssd overwrites the cache again.

My workaround is to make auks use its private ticket cache (/tmp/krb5cc_0_auks). This required quite some searching and trying however: For aukspriv, I added 'AUKS_PRIV_CCACHE_APPEND=_auks' to /etc/sysconfig/aukspriv. For auksdrenewer, I added 'KRB5CCNAME=FILE:/tmp/krb5cc_0_auks' to /etc/sysconfig/auksdrenewer. For the SLURM spank plugin, I added 'hostcredcache=FILE:/tmp/krb5cc_0_auks' to /etc/slurm/plugstack.conf.d/auks.conf.

It would have been nice to have a common setting for this, and even better to use a private ticket cache by default...

afont commented 6 years ago

Hi,

I think I'm facing your same problem, what kind of errors did you have?

I've tried your solution but it's not working for me, I'm getting the following error:

spank-auks: unable to get user xxxxxxx cred : auks api : reply seems corrupted

I'm running centos, sssd, gssproxy against a freeipa.

Thank you! Alex

robberteggermont commented 6 years ago

Sorry, I can't remember the errors.

In the end (to solve problems with rpc.gssd/gssproxy), I disabled gssproxy for nfs (in /etc/sysconfig/nfs, set GSS_USE_PROXY="no"). That solved this problem as well. (But I'm still running successfully with the above workarounds.)

afont commented 6 years ago

Hi robberteggermont,

Thank you for your answer, I'll try disabling gssproxy.

LaHaine commented 4 years ago

I'm afraid this is still a problem in auks 0.5.0. I have gssproxy enabled because I need it. After commit 68cdb0c879e18c8b011be7676b206a8603b272bf, the aukspriv service is always using /tmp/krb5cc_0 as credentials cache which is conflicting with gssproxy:

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/obst25.example.com@EXAMPLE.COM

  Issued                Expires        Principal
Jan  1 01:00:00 1970  >>>Expired<<<  Encrypted/Credentials/v1@X-GSSPROXY:
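An added example, not part of this thread or of the auks project, that ties together the private-cache workaround from the first comment and the klist listing above: a small POSIX sh script that classifies a credential cache from its klist output (so an operator can tell whether rpc.gssd/gssproxy has overwritten the host TGT in /tmp/krb5cc_0 before aukspriv fails) and prints the three settings the workaround puts in place. The sample klist output is constructed from the listing in the thread, the file paths are the ones quoted in the thread, and the function names (cache_state, live_cache_state, private_cache_settings) are my own.

```shell
#!/bin/sh
# Added example (not auks project code): classify a Kerberos credential cache
# from klist output and emit the private-cache settings quoted in the thread.

# Constructed klist output, modelled on the listing in the thread: rpc.gssd
# has replaced the host TGT with a gssproxy "encrypted credentials" entry.
GSSPROXY_SAMPLE='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/obst25.example.com@EXAMPLE.COM

  Issued                Expires        Principal
Jan  1 01:00:00 1970  >>>Expired<<<  Encrypted/Credentials/v1@X-GSSPROXY:'

# Constructed klist output for a healthy private auks cache holding a TGT
# (dates are made up).
HEALTHY_SAMPLE='Credentials cache: FILE:/tmp/krb5cc_0_auks
        Principal: host/obst25.example.com@EXAMPLE.COM

  Issued                Expires        Principal
Jan  1 08:00:00 2020  Jan  2 08:00:00 2020  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# cache_state KLIST_OUTPUT
# Prints "gssproxy" if the cache has been taken over by gssproxy,
# "ok" if it holds a krbtgt ticket, "no-tgt" otherwise.
cache_state() {
    if printf '%s\n' "$1" | grep -q '@X-GSSPROXY:'; then
        echo gssproxy
    elif printf '%s\n' "$1" | grep -q 'krbtgt/'; then
        echo ok
    else
        echo no-tgt
    fi
}

# live_cache_state CCACHE
# Same check against a real cache via klist; needs the Kerberos client tools.
live_cache_state() {
    out=$(klist -c "$1" 2>/dev/null) || { echo unreadable; return 1; }
    cache_state "$out"
}

# private_cache_settings SUFFIX
# Prints the three settings from the thread's workaround, one per line,
# prefixed by the file each belongs in (paths as given in the thread).
private_cache_settings() {
    suffix=$1
    printf '%s: %s\n' /etc/sysconfig/aukspriv "AUKS_PRIV_CCACHE_APPEND=$suffix"
    printf '%s: %s\n' /etc/sysconfig/auksdrenewer "KRB5CCNAME=FILE:/tmp/krb5cc_0$suffix"
    printf '%s: %s\n' /etc/slurm/plugstack.conf.d/auks.conf "hostcredcache=FILE:/tmp/krb5cc_0$suffix"
}

# Demonstration on the constructed samples:
echo "shared cache:  $(cache_state "$GSSPROXY_SAMPLE")"   # gssproxy
echo "private cache: $(cache_state "$HEALTHY_SAMPLE")"    # ok
private_cache_settings _auks
```

On a live host, `live_cache_state /tmp/krb5cc_0` returning "gssproxy" reproduces the condition described in this thread, and `live_cache_state /tmp/krb5cc_0_auks` returning "ok" confirms the private cache aukspriv and auksdrenewer are pointed at still holds a TGT; the check only reads the caches and changes nothing.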