I’ve been working on some systems trying to get kerberized nfsv4 and kerberized web services going on 7. Kerberized nfsv4 was working with
7.0, but with the 7.1 release it stopped working, the key difference between the two setups is that gssproxy wasn’t being used with 7.0, but seems to be key with 7.1.
The problem I am encountering with Kerberized NFSv4 is that the directory will mount okay, and I can see it’s contents as root, but I
encounter “Permission denied” errors when trying to access it as a regular user. ‘klist -ce’ returns valid results as the user (including a a line for the server spn that I was trying to access), and I am able to access Kerberized NFSv4 shares hosted on EL6 servers as the same user.
Kerberized web services have been a recent thing to try in order to see if they would work with gssproxy – a colleague did get Kerberized web services going on 7.1 without using gssproxy. I followed the instructions at https://fedorahosted.org/gss-proxy/wiki/Apache, but still didn’t have any success until I added the cred_store line mentioned in comment 6 of https://bugzilla.redhat.com/show_bug.cgi?id68962 as we are running with selinux enabled. The success was short-lived for once I started adding user/group checking it would succeed about 30% of the time as the user principal was being returned as elaxdal@REALMH\x86\xf7\x12\x01\x02\x02 instead of just elaxdal@REALM.
Today I tried recompiling the 0.4.1-1 source rpm from Fedora 21’s updates, installed it onto a 7.1 nfsv4/web server, at which point everything started to consistently work – NFSv4 shares and web services with user/group checking. So it appears that the problem I’m encountering has been addressed. I’ve also tried recompiling the
0.3.1-1 and 0.3.1-4 source rpms from Fedora 20 and 21, both of which show the same problems I see with the 7.1 version of gssproxy.
Some additional background information, the Kerberos server is an AD
server that is maintained by another group. The system keytab uses a user account based spn on the AD server, and a computer account based keytab for the system with aliases for host and http keytabs.
Any thoughts/suggestions as I’d rather stay with the distribution’s version of supplied packages?