|
1 | 1 | # Setting KRB5_TRACE for gssproxy
|
2 | 2 |
|
3 |
| -Enabling `KRB5_TRACE` output as described in `# man gssproxy.conf`: |
| 3 | +This document explain how to obtain KRB5 tracing output. |
4 | 4 |
|
5 |
| -**At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE was |
6 |
| -already set in the execution environment, trace output is sent to its |
7 |
| -value instead.** |
| 5 | +It is possible to get KRB5 tracing information together with gssproxy |
| 6 | +debugging information on Standard Error[^1] by simply running the |
| 7 | +process at debug level 3: `gssproxy -d --debug-level=3` |
8 | 8 |
|
9 |
| -can be done either by including `KRB5_TRACE=/path/to/location` when |
10 |
| -executing gssproxy at the command line or by including a location within |
11 |
| -a drop file loaded by systemd. Systemd uses unix sockets to redirect |
12 |
| -outputs to the journal, and this means `/dev/stderr` ends up pointing to |
13 |
| -a name that cannot be used as a path to open the stderr descriptor. |
14 |
| -A drop file is necessary to record `KRB5_TRACE` information as gssproxy |
15 |
| -directs `KRB5_TRACE` to `/dev/stderr` by default. |
| 9 | +In cases where it may be convenient to have a separate file with KRB5 |
| 10 | +tracing it is possible to do so by making sure the KRB5_TRACE |
| 11 | +environment is set when the gssproxy process is executed[^2]. |
16 | 12 |
|
17 | 13 | The output can be directed to any location, but gssproxy only has write
|
18 | 14 | access to `/var/lib/gssproxy` by default. This means that for a host
|
19 | 15 | system using SELinux either a custom module policy will need to be
|
20 | 16 | created or SELinux will need to be put into permissive mode.
|
21 | 17 |
|
22 |
| -As setting `KRB5_TRACE` output is not designed to be continually logged |
| 18 | +As setting `KRB5_TRACE` output is not designed to be used in production |
23 | 19 | nor treated as traditional log output, it is recommended to direct the
|
24 |
| -trace output to `/var/lib/gssproxy`. |
| 20 | +trace output to `/var/lib/gssproxy` to avoid changes to SELinux policy. |
| 21 | + |
| 22 | +Ways to obtain KRB5 tracing output: |
25 | 23 |
|
26 | 24 | - Increase gssproxy debugging so that `KRB5_TRACE` information is logged
|
27 | 25 | as described in `# man gssproxy.conf`.
|
28 | 26 |
|
29 |
| -~~~~ |
| 27 | +``` |
30 | 28 | # echo ' debug_level = 3' >> /etc/gssproxy/gssproxy.conf
|
31 |
| -~~~~ |
32 |
| - |
33 |
| - - Create a drop file for gssproxy to log `KRB5_TRACE` output to a file |
34 |
| -under `/var/lib/gssproxy` |
| 29 | +# pkill -HUP gssproxy |
| 30 | +``` |
35 | 31 |
|
36 |
| -~~~~ |
| 32 | +- Create a systemd drop file for gssproxy to log `KRB5_TRACE` output |
| 33 | +``` |
37 | 34 | # mkdir /etc/systemd/system/gssproxy.service.d
|
38 |
| -
|
39 | 35 | # cat <<EOF > /etc/systemd/system/gssproxy.service.d/99-trace.conf
|
40 | 36 | [Service]
|
41 | 37 | Environment=KRB5_TRACE=/var/lib/gssproxy/gssproxy.krb5_trace
|
42 | 38 | EOF
|
43 |
| -~~~~ |
44 | 39 |
|
45 |
| - - Reload the service files and restart the `gssproxy` service |
46 |
| - |
47 |
| -~~~~ |
48 | 40 | # systemctl daemon-reload
|
49 |
| -
|
50 | 41 | # systemctl restart gssproxy
|
51 |
| -~~~~ |
| 42 | +``` |
| 43 | + |
| 44 | +--- |
| 45 | +[^1]: Until recently, an [issue](https://github.com/gssapi/gssproxy/issues/44) |
| 46 | +with how the standard error is setup **required** redirection to an |
| 47 | +actual file in order to obtain any KRB5 Tracing information. If you are |
| 48 | +using an older version of gssproxy you will need to set the KRB5_TRACE |
| 49 | +environment variable to an actual file, changing debug level will not |
| 50 | +be sufficient. |
| 51 | + |
| 52 | +[^2]: Setting KRB5_TRACE will cause KRB5 tracing information to be |
| 53 | +emitted regradless of gssproxy's debug level. |
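Review bot: `echo ' debug_level = 3' >> /etc/gssproxy/gssproxy.conf` appends the key to the end of the file, so it lands in whichever `[...]` section happens to close that file; `debug_level` is an option of the `[gssproxy]` section in this INI-style config, so the first bullet should either say the line must go under that section or show editing the file in place rather than blind appending. Please also confirm that a running gssproxy re-reads its configuration on SIGHUP before documenting `pkill -HUP gssproxy`; if it does not, `systemctl restart gssproxy` is the instruction that actually applies the new level. Given footnote [^2] states that KRB5_TRACE output is emitted regardless of debug level and the paragraph above says it is not meant for production, the drop-in bullet should end with the cleanup step (remove `99-trace.conf`, `systemctl daemon-reload`, `systemctl restart gssproxy`) so the trace file under `/var/lib/gssproxy` does not keep growing after troubleshooting. Minor wording: "This document explain" should read "explains", "the KRB5_TRACE environment is set" should read "environment variable", "is setup" should read "is set up", and "regradless" should read "regardless"; for consistency with the first bullet, insert a blank line between "- Create a systemd drop file ..." and its opening fence.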