Commit
KRB5_TRACE documentation for gssproxy

Added KRB5_TRACE.md to provide a brief overview on how to enable low-level Kerberos tracing below gssapi via KRB5_TRACE. Updated gssproxy.conf man page to cite newly added doc when mentioning KRB5_TRACE behavior.

Signed-off-by: Jacob Shivers <jacob.shivers@redhat.com>
1 parent cacb03c, commit 5918c9b

Showing 2 changed files with 37 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# Setting KRB5_TRACE for gssproxy | ||
|
||
Enabling `KRB5_TRACE` output as described in `# man gssproxy.conf`: | ||
|
||
**At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE was already set in the execution environment, trace output is sent to its value instead.** | ||
|
||
can be done either by including `KRB5_TRACE=/path/to/location` when executing gssproxy at the command line or by including a location within a drop file loaded by systemd. Systemd does not open `/dev/stderr` and instead creates a file descriptor for stderr when gssproxy is started. A drop file is necessary to record `KRB5_TRACE` information as gssproxy directs `KRB5_TRACE` to `/dev/stderr` at this time. | ||
|
||
The output can be directed to any location, but gssproxy only has write access to `/var/lib/gssproxy` by default. This means that for a host system using SELinux either a custom module policy will need to be created or SELinux will need to be put into permissive mode. | ||
|
||
As setting `KRB5_TRACE` output is not designed to be continually logged nor treated as traditional log output, it is recommended to direct the trace output to `/var/lib/gssproxy`. | ||
|
||
- Increase gssproxy debugging so that `KRB5_TRACE` information is logged as described in `# man gssproxy.conf`. | ||
|
||
~~~~ | ||
# echo ' debug_level = 3' >> /etc/gssproxy/gssproxy.conf | ||
~~~~ | ||
|
||
- Create a drop file for gssproxy to log `KRB5_TRACE` output to a file under `/var/lib/gssproxy` | ||
|
||
~~~~ | ||
# mkdir /etc/systemd/system/gssproxy.service.d | ||
# cat <<EOF > /etc/systemd/system/gssproxy.service.d/99-trace.conf | ||
[Service] | ||
Environment=KRB5_TRACE=/var/lib/gssproxy/gssproxy.krb5_trace | ||
EOF | ||
~~~~ | ||
|
||
- Reload the service files and restart the `gssproxy` service | ||
|
||
~~~~ | ||
# systemctl daemon-reload | ||
# systemctl restart gssproxy | ||
~~~~ |
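
Review bot: The SELinux paragraph ("This means that for a host system using SELinux either a custom module policy will need to be created or SELinux will need to be put into permissive mode") is missing its condition. As written it reads as a requirement in every case, while the following paragraph and the drop file both point the trace at `/var/lib/gssproxy`, which the same paragraph says gssproxy can already write to. Suggest stating that the policy change is only needed when the trace is directed outside `/var/lib/gssproxy`. The procedure also stops at `systemctl restart gssproxy` even though the text says the trace is not meant to be logged continually; a closing step that removes `99-trace.conf`, restores the previous `debug_level` and restarts the service would complete it. In the first step, `echo ' debug_level = 3' >> /etc/gssproxy/gssproxy.conf` appends to the end of the file, so the option ends up under whichever section happens to be last; the doc should name the section the option belongs in rather than rely on append position. `mkdir` without `-p` will also fail if the drop-in directory already exists.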