2008-12-17 17:39:29

by Kevin Coffman

[permalink] [raw]
Subject: [PATCH] gssd: By default, don't spam syslog when users' credentials expire

Change the priority of "common" log messages so that syslog doesn't get
slammed/spammed when users' credentials expire, or there is another common
problem which would cause error messages for all context creation requests.

Note that this will now require that gssd or svcgssd option "-v" is used to
debug these common cases.

Original patch from Andrew Pollock <[email protected]>.

Signed-off-by: Kevin Coffman <[email protected]>
cc: Andrew Pollock <[email protected]>
---

utils/gssd/gss_util.c | 2 +-
utils/gssd/gssd_proc.c | 8 ++++----
utils/gssd/krb5_util.c | 6 +++---
utils/gssd/svcgssd_proc.c | 6 +++---
4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/utils/gssd/gss_util.c b/utils/gssd/gss_util.c
index 8a7bcaa..2d66be9 100644
--- a/utils/gssd/gss_util.c
+++ b/utils/gssd/gss_util.c
@@ -216,7 +216,7 @@ gssd_acquire_cred(char *server_name)
ignore_maj_stat = gss_display_name(&ignore_min_stat,
target_name, &pbuf, NULL);
if (ignore_maj_stat == GSS_S_COMPLETE) {
- printerr(0, "Unable to obtain credentials for '%.*s'\n",
+ printerr(1, "Unable to obtain credentials for '%.*s'\n",
pbuf.length, pbuf.value);
ignore_maj_stat = gss_release_buffer(&ignore_min_stat,
&pbuf);
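Review bot: this message sits in gssd_acquire_cred(), the path that acquires the acceptor credential for server_name, not in a per-user context-creation request, so it does not obviously belong to the "common" cases the commit message describes; with it at priority 1, a missing or wrong keytab entry for the server principal is silent unless -v is given. Suggest leaving this one at priority 0, or first confirming that it is reached once per upcall rather than once at startup before demoting it.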
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index cb14d45..91fc8d2 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -448,7 +448,7 @@ do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd,
return 0;
out_err:
if (buf) free(buf);
- printerr(0, "Failed to write downcall!\n");
+ printerr(1, "Failed to write downcall!\n");
return -1;
}
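Review bot: the out_err path here is taken when the downcall to the kernel cannot be written, which is a pipe/rpc_pipefs or allocation problem rather than a credential-expiry condition, so demoting "Failed to write downcall!" hides a different class of failure from the one the commit message targets. Keep it at priority 0, and since the message carries neither the uid (available from the do_downcall() parameters) nor the error, consider something like `printerr(0, "Failed to write downcall for uid %d: %s\n", uid, strerror(errno))` where the failing call sets errno, so the one line that does appear is actionable.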

@@ -741,14 +741,14 @@ handle_krb5_upcall(struct clnt_info *clp)
}
gssd_free_krb5_machine_cred_list(credlist);
if (!success) {
- printerr(0, "WARNING: Failed to create krb5 context "
+ printerr(1, "WARNING: Failed to create krb5 context "
"for user with uid %d with any "
"credentials cache for server %s\n",
uid, clp->servername);
goto out_return_error;
}
} else {
- printerr(0, "WARNING: Failed to create krb5 context "
+ printerr(1, "WARNING: Failed to create krb5 context "
"for user with uid %d for server %s\n",
uid, clp->servername);
goto out_return_error;
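Review bot: these two messages are the ones the commit message is really about, and both keep the "WARNING:" prefix while now only appearing with -v; the gssd man page should say that context-creation failures are no longer logged by default, since the commit message is otherwise the only record of that. An operator who relied on syslog to notice mass credential failures (a KDC outage looks the same as many expired tickets) loses that signal entirely; a rate-limited priority-0 summary would preserve it without the flood.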
@@ -756,7 +756,7 @@ handle_krb5_upcall(struct clnt_info *clp)
}

if (!authgss_get_private_data(auth, &pd)) {
- printerr(0, "WARNING: Failed to obtain authentication "
+ printerr(1, "WARNING: Failed to obtain authentication "
"data for user with uid %d for server %s\n",
uid, clp->servername);
goto out_return_error;
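Review bot: authgss_get_private_data() failing after the context was created successfully is an internal/library error, not a user-credential condition, and should be rare; demoting it is not covered by the commit message's rationale of suppressing messages that repeat for every context-creation request. Suggest leaving this one at priority 0.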
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 77814bc..d4ee631 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -399,7 +399,7 @@ gssd_get_single_krb5_cred(krb5_context context,
goto out;
}
if (krb5_get_init_creds_opt_set_addressless(context, init_opts, 1))
- printerr(0, "WARNING: Unable to set option for addressless "
+ printerr(1, "WARNING: Unable to set option for addressless "
"tickets. May have problems behind a NAT.\n");
#ifdef TEST_SHORT_LIFETIME
/* set a short lifetime (for debugging only!) */
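Review bot: krb5_get_init_creds_opt_set_addressless() failing is a library/option error inside gssd_get_single_krb5_cred(), i.e. on the machine-credential path, and does not depend on any user's ticket state, so it is not the per-request spam this change is meant to suppress. Keep it at priority 0; if it is to stay at 1, drop the "WARNING:" prefix so debug-level output is not labelled as a warning.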
@@ -422,7 +422,7 @@ gssd_get_single_krb5_cred(krb5_context context,

if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
kt, 0, NULL, opts))) {
- printerr(0, "WARNING: %s while getting initial ticket for "
+ printerr(1, "WARNING: %s while getting initial ticket for "
"principal '%s' using keytab '%s'\n",
gssd_k5_err_msg(context, code),
pname ? pname : "<unparsable>", kt_name);
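Review bot: this is the line that reports a keytab failure for the machine principal, with the Kerberos error text, the principal and the keytab path, which is exactly the condition Steve Dickson describes later in the thread (svcgssd failing because the host name was not found in the keytab) and which he says was hard to diagnose. At priority 1 a server with a broken keytab logs nothing by default. Suggest keeping this one at 0; it is tied to machine-credential acquisition rather than to users' expiring tickets.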
@@ -632,7 +632,7 @@ get_full_hostname(const char *inhost, char *outhost, int outhostlen)
/* Get full target hostname */
retval = getaddrinfo(inhost, NULL, &hints, &addrs);
if (retval) {
- printerr(0, "%s while getting full hostname for '%s'\n",
+ printerr(1, "%s while getting full hostname for '%s'\n",
gai_strerror(retval), inhost);
goto out;
}
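Review bot: get_full_hostname() appears to be one of the name-resolution steps involved in the /etc/hosts problem reported later in this thread, and with this at priority 1 a getaddrinfo() failure is silent by default. A DNS outage could produce one line per upcall, so demoting is defensible, but consider keeping the gai_strerror() text at 0 the first time it occurs for a given inhost, or at least documenting that -v is needed to see name-resolution failures.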
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index f162152..1d13532 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -108,7 +108,7 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
fclose(f);
return err;
out_err:
- printerr(0, "WARNING: downcall failed\n");
+ printerr(1, "WARNING: downcall failed\n");
return -1;
}
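Review bot: as with do_downcall() in gssd_proc.c, "downcall failed" reports a kernel-pipe write failure, not a credential problem, so it should stay at priority 0. The message also identifies nothing about the affected context; do_svc_downcall() has out_handle and cred in scope (see the signature), so including the uid from cred would make the line useful when it does appear.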

@@ -247,7 +247,7 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
res = 0;
goto out_free;
}
- printerr(0, "WARNING: get_ids: failed to map name '%s' "
+ printerr(1, "WARNING: get_ids: failed to map name '%s' "
"to uid/gid: %s\n", sname, strerror(-res));
goto out_free;
}
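Review bot: a principal that cannot be mapped to a uid/gid is a per-client condition and can repeat, so demoting is consistent with the change, but on the server this line is also the only record that an authenticated principal was refused; from a security-operations point of view that is worth keeping visible, so suggest leaving it at 0 or logging it once per distinct sname. Separately, strerror(-res) is only meaningful if every path reaching this printerr leaves res negative; the `res = 0; goto out_free;` just above shows an outcome treated as success, so confirm the sign convention for the failing paths.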
@@ -380,7 +380,7 @@ handle_nullreq(FILE *f) {
goto continue_needed;
}
else if (maj_stat != GSS_S_COMPLETE) {
- printerr(0, "WARNING: gss_accept_sec_context failed\n");
+ printerr(1, "WARNING: gss_accept_sec_context failed\n");
pgsserr("handle_nullreq: gss_accept_sec_context",
maj_stat, min_stat, mech);
goto out_err;
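Review bot: the pgsserr() call that immediately follows is unchanged; if it prints at priority 0 (not visible here), demoting the WARNING line does nothing for this path, and if it prints at priority 1 as well, then failed gss_accept_sec_context() calls, i.e. failed Kerberos authentications against the server, are not logged at all by default. Failed authentication attempts are an audit event an administrator normally wants in syslog; suggest keeping one concise priority-0 line for this case and reserving -v for the mechanism error text from pgsserr().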



2009-01-05 21:54:01

by Chuck Lever

Subject: Re: [PATCH] gssd: By default, don't spam syslog when users' credentials expire

On Jan 5, 2009, at 3:09 PM, Steve Dickson wrote:
> Kevin Coffman wrote:
>> Change the priority of "common" log messages so that syslog doesn't get
>> slammed/spammed when users' credentials expire, or there is another common
>> problem which would cause error messages for all context creation requests.
>>
>> Note that this will now require that gssd or svcgssd option "-v" is used to
>> debug these common cases.
>>
>> Original patch from Andrew Pollock <[email protected]>.
>>
> Committed...
>
> This took a little longer than expected due to a fairly
> nasty bug in the Fedora 10 installation....
>
> The installation process adds both the FQDN and the host name
> (i.e. the non-FQDN) to the 127.0.0.1 line in /etc/hosts. This
> causes gethostname() on the FQDN to return 127.0.0.1 instead of
> DNS IP address... This caused svcgssd to always fail due to
> the host name not being found in the key tab.
>
> Unfortunately it took quite a bit to figure out what host name the
> Kerberos libs were looking for, since the host name in the key tab was
> indeed correct... That lib code is definitely lacking when it comes
> to debug-ability... :-(
>
> So buyer beware... if you recently installed F-10 please check to see
> if your /etc/hosts file only contains the non-FQDN host name on the
> 127.0.0.1 line.

I think that's the default configuration for F10 (and probably earlier
Fedora releases as well). The lack of proper /etc/hosts entries also
wreaks some havoc with sendmail.

Moreover, F10's Anaconda no longer allows you to specify a static IP
configuration at install time -- network configuration is handled
almost entirely via NetworkManager, and any special configuration,
other than "use DHCP for every network interface you can find," is now
done after the system is installed and running.

F10 still includes system-config-network and /etc/init.d/network, but
these are unused/disabled by default. system-config-network doesn't
play well with NetworkManager. There's also no way to specify a fixed
IPv6 address.

While this automatic style of network configuration matches the trend
set by Ubuntu, and probably meets the needs of most desktop users, I
find it pretty inconvenient for servers (which is mostly how I
configure and use Linux these days).

I would like either a restoration of networking configuration during
the installation process, or to have the network management tools work
and have decent help facilities and wizards. Even better if we could
have both.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

2009-01-05 20:13:47

by Steve Dickson

Subject: Re: [PATCH] gssd: By default, don't spam syslog when users' credentials expire



Kevin Coffman wrote:
> Change the priority of "common" log messages so that syslog doesn't get
> slammed/spammed when users' credentials expire, or there is another common
> problem which would cause error messages for all context creation requests.
>
> Note that this will now require that gssd or svcgssd option "-v" is used to
> debug these common cases.
>
> Original patch from Andrew Pollock <[email protected]>.
>
Committed...

This took a little longer than expected due to a fairly
nasty bug in the Fedora 10 installation....

The installation process adds both the FQDN and the host name
(i.e. the non-FQDN) to the 127.0.0.1 line in /etc/hosts. This
causes gethostname() on the FQDN to return 127.0.0.1 instead of
DNS IP address... This caused svcgssd to always fail due to
the host name not being found in the key tab.

Unfortunately it took quite a bit to figure out what host name the
Kerberos libs were looking for, since the host name in the key tab was
indeed correct... That lib code is definitely lacking when it comes
to debug-ability... :-(

So buyer beware... if you recently installed F-10 please check to see
if your /etc/hosts file only contains the non-FQDN host name on the
127.0.0.1 line.

Details are at: https://bugzilla.redhat.com/show_bug.cgi?id=474086

steved.
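As an added check for the /etc/hosts problem Steve describes above (example code written for this page, not part of nfs-utils and not from anyone in the thread), the script below parses a hosts file and works out which service principal the Kerberos libraries would end up looking for in the keytab. It rests on two assumptions of mine that the thread does not state: that glibc's "files" resolver answers from the first line mentioning the name and reports the first name on that line as the canonical name, and that the Kerberos libraries (with rdns on, the MIT default at the time) reverse-resolve the resulting address before building nfs/<host>@REALM. The hosts-file contents, the realm EXAMPLE.COM, the host nfs1.example.com and the keytab principal set are all constructed for the example.

```python
"""Model how an /etc/hosts layout turns into the principal svcgssd needs.

Added example, not nfs-utils code. Assumptions (mine, not from the thread):
  * "files" forward lookup: first line mentioning the name wins; the
    address comes from that line and the canonical name is its first name.
  * "files" reverse lookup: first name on the first line with that address.
  * Kerberos builds service/<canonical>@REALM, reverse-resolving first
    when rdns is on (the MIT default then).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostsLine:
    ip: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsLine]:
    """Parse hosts-file text, dropping comments and blank or malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            entries.append(HostsLine(fields[0], fields[1:]))
    return entries


def _forward(entries: List[HostsLine], name: str) -> Optional[Tuple[str, str]]:
    """Forward lookup as the files backend is assumed to do it (see docstring)."""
    q = name.lower()
    for e in entries:
        if any(n.lower() == q for n in e.names):
            return e.ip, e.names[0]
    return None


def _reverse(entries: List[HostsLine], ip: str) -> Optional[str]:
    """Reverse lookup: first name on the first line carrying this address."""
    for e in entries:
        if e.ip == ip:
            return e.names[0]
    return None


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # not a parseable address; treat as "not loopback"
        return False


def canonical_host(entries: List[HostsLine], fqdn: str, rdns: bool = True):
    """Return (address, canonical name) the Kerberos libs are assumed to use."""
    fwd = _forward(entries, fqdn)
    if fwd is None:
        return None
    ip, canon = fwd
    if rdns:
        rev = _reverse(entries, ip)
        if rev is not None:
            canon = rev
    return ip, canon


def fqdn_on_loopback_line(entries: List[HostsLine], fqdn: str) -> bool:
    """The literal check from the thread: is the FQDN on a 127.0.0.1/::1 line?"""
    q = fqdn.lower()
    return any(_is_loopback(e.ip) and q in (n.lower() for n in e.names) for e in entries)


def check_keytab_match(hosts_text: str, fqdn: str, realm: str,
                       keytab_principals: Set[str], service: str = "nfs",
                       rdns: bool = True) -> Dict[str, object]:
    """Report where fqdn resolves, the principal derived from it, and whether
    that principal is in the (constructed) keytab principal set."""
    entries = parse_hosts(hosts_text)
    res = canonical_host(entries, fqdn, rdns)
    if res is None:
        return {"resolves": False, "address": None, "loopback": False,
                "canonical": None, "principal": None, "in_keytab": False}
    ip, canon = res
    principal = f"{service}/{canon}@{realm}"
    return {"resolves": True, "address": ip, "loopback": _is_loopback(ip),
            "canonical": canon, "principal": principal,
            "in_keytab": principal in keytab_principals}


# Constructed sample inputs: the layout the thread warns about, and a fixed one.
BAD_HOSTS = """
127.0.0.1   localhost.localdomain localhost nfs1.example.com nfs1
::1         localhost6.localdomain6 localhost6
"""
GOOD_HOSTS = """
127.0.0.1   localhost.localdomain localhost nfs1
::1         localhost6.localdomain6 localhost6
192.0.2.10  nfs1.example.com nfs1
"""
KEYTAB = {"nfs/nfs1.example.com@EXAMPLE.COM"}  # constructed keytab contents

if __name__ == "__main__":
    for label, text in (("bad", BAD_HOSTS), ("good", GOOD_HOSTS)):
        r = check_keytab_match(text, "nfs1.example.com", "EXAMPLE.COM", KEYTAB)
        print(label, r["address"], r["principal"], "in keytab:", r["in_keytab"])
```

On the "bad" layout the FQDN resolves to 127.0.0.1 and the derived principal is nfs/localhost.localdomain@EXAMPLE.COM, which is not in the keytab even though nfs/nfs1.example.com@EXAMPLE.COM is, matching the symptom in the thread; moving the FQDN to its real-address line makes the derived principal match. Against a real host, replace the constructed strings with the contents of /etc/hosts and the principals listed by `klist -k`.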