error messages from kerberos are not logged #75

Open
freedge opened this issue Apr 22, 2023 · 1 comment
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments


freedge commented Apr 22, 2023

I am using rpc-gssd and the gssproxy mechanism, and I found a mistake in my /etc/krb5.conf:

    default_ccache_name = DIR:/home/%{username}/.k5_ccache

This used to work for regular users needing a ticket, but it fails when root tries to mount an NFS volume, as there is no /home/root directory. It sounds trivial, but the investigation took a while:

With verbosity activated, rpc-gssd will log

ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73ac3)

which is not helpful.

In this case Kerberos constructs a readable error message; however, gssproxy simply grabs the Kerberos error code, puts it into a "minor code", and is later unable to display it.

Is it possible to improve gssproxy so that errors coming from the Kerberos API are logged properly? Thanks.

I could check that something like

diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
index 677834d..84db676 100644
--- a/src/mechglue/gpp_creds.c
+++ b/src/mechglue/gpp_creds.c
@@ -327,6 +327,11 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,
 
 done:
     if (ctx) {
+        if (ret) {
+            char* msg = krb5_get_error_message(ctx, ret);
+            gpm_save_internal_status(ret, msg);
+            krb5_free_error_message(ctx, msg);
+        }
         krb5_free_cred_contents(ctx, &cred);
         krb5_free_cred_contents(ctx, &icred);
         if (ccache) krb5_cc_close(ctx, ccache);
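Review bot: `krb5_get_error_message()` returns `const char *`, so the `char* msg` declaration in the added block drops a qualifier; it should read `const char *msg = krb5_get_error_message(ctx, ret);`, which also matches the `const char *` that `krb5_free_error_message()` takes and the `type *name` spacing used elsewhere in this file. The `if (ret)` guard is only correct if `ret` still holds the `krb5_error_code` from the krb5 call that failed when control reaches `done:`; if any path to `done:` stores a status that is not a krb5 error code in `ret`, `krb5_get_error_message()` would render text for an unrelated code, so consider capturing the krb5 error in its own variable at the failing call and testing that here. Finally, check that the unconditional `gpm_save_internal_status(ret, msg)` does not overwrite a more specific status recorded earlier on the error path.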

makes the error message a lot more helpful:

rpc.gssd[54289]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Credential cache directory /home/root/.k5_ccache does not exist
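The misconfiguration behind this report (a `DIR:` ccache path built from `%{username}` that resolves to a directory root does not have) can be caught before anything tries to acquire a ticket. The following is an added example, not gssproxy code or anything from the reporter: a small POSIX sh check that pulls `default_ccache_name` out of a krb5.conf, expands `%{username}` and `%{uid}` (the two libkrb5 parameters it handles; other `%{...}` parameters are left untouched), and verifies that the resulting `DIR:` directory exists for a given user. The krb5.conf fragment is constructed to mirror the setting in the report.

```shell
#!/bin/sh
# Added example, not gssproxy code: verify that a DIR: default_ccache_name in a
# krb5.conf resolves to an existing directory for a given user. A missing
# directory (e.g. /home/root) is the condition that made root's NFS mount fail.

# Constructed krb5.conf fragment mirroring the setting in the report.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = DIR:/home/%{username}/.k5_ccache
'

# Print the first default_ccache_name value found in the krb5.conf text on stdin.
ccache_name_from_conf() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Expand the %{username} and %{uid} parameters that libkrb5 substitutes when it
# resolves default_ccache_name. Arguments: name user uid
expand_ccache_name() {
    printf '%s\n' "$1" | sed "s|%{username}|$2|g; s|%{uid}|$3|g"
}

# Print the directory part of a DIR: ccache name; print nothing for other types.
ccache_dir() {
    case "$1" in
        DIR:*) printf '%s\n' "${1#DIR:}" ;;
        *) ;;
    esac
}

# Return 0 if the user's DIR: ccache directory exists, 1 if it is missing,
# 2 if default_ccache_name is not a DIR: ccache. Arguments: conf_file user uid
check_user_ccache() {
    name=$(ccache_name_from_conf < "$1")
    name=$(expand_ccache_name "$name" "$2" "$3")
    dir=$(ccache_dir "$name")
    [ -n "$dir" ] || return 2
    if [ -d "$dir" ]; then
        echo "ok: $2 -> $dir"
        return 0
    fi
    echo "missing: $2 -> $dir (a process running as $2 cannot use this ccache)"
    return 1
}

# Stand-alone usage: check the current user and root against the sample conf.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_KRB5_CONF" > "$tmp"
    check_user_ccache "$tmp" "$(id -un)" "$(id -u)" || true
    check_user_ccache "$tmp" root 0 || true
    rm -f "$tmp"
}
demo
```

Run it against the real /etc/krb5.conf with `check_user_ccache /etc/krb5.conf root 0` on a host that mounts Kerberized NFS as root; a `missing:` line is the same condition rpc-gssd reported above as an opaque minor code.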

simo5 commented Apr 24, 2023

This will require restructuring the internals a bit, as we need to keep around some state when we go through the various fallbacks.

But it would definitely be very helpful to do so, indeed.
It may take some time though, as I do not have spare cycles to afford such a refactoring right now.

simo5 added the labels enhancement (New feature or request) and help wanted (Extra attention is needed) on Apr 24, 2023