
Bug#675176: svcgssd not working with '-n' option after lenny to squeeze upgrade



Package: nfs-kernel-server
Version: 1:1.2.2-4squeeze2
Severity: important

After upgrading a HA cluster from Lenny to Squeeze, the nfs service stopped
working.

The problem was specifying the '-n' option in RPCSVCGSSDOPTS. This
option allows the server to accept requests for any key in its keytab.

Without '-n' nodes will only accept mounts from clients using their node
name (i.e. nodeX.example.com) instead of the cluster's name
(as in nfsserver.example.com).

I applied the attached patch in order to be able to pass '-p
nfsserver.example.com' to svcgssd. This solves the problem partially
since it won't allow clients to mount an exported directory using the
node's name, which was possible previously.

The patch was posted by Eberhard Kuemmerle at the linux-nfs list and
applied upstream in 1.2.3.

The error from rpc.svcgssd in 1.2.2 using '-n' is:

May 30 12:23:51 rasca rpc.svcgssd[1991]: leaving poll
May 30 12:23:51 rasca rpc.svcgssd[1991]: handling null request
May 30 12:23:51 rasca rpc.svcgssd[1991]: WARNING: gss_set_allowable_enctypes failed
May 30 12:23:51 rasca rpc.svcgssd[1991]: ERROR: GSS-API: error in svcgssd_limit_krb5_enctypes: gss_set_allowable_enctypes(): No credentials were supplied, or the credentials were unavailable or inaccessible - (0x08142008)
May 30 12:23:51 rasca rpc.svcgssd[1991]: sending null reply
May 30 12:23:51 rasca rpc.svcgssd[1991]: writing message: \x [snip]
May 30 12:23:51 rasca rpc.svcgssd[1991]: finished handling null request
May 30 12:23:51 rasca rpc.svcgssd[1991]: entering poll


This bug is still present (and worse) in 1:1.2.5-4~bpo60 which is probably
menacing Wheeze :-(

Trying to use this option on 1:1.2.5-4~bpo60 makes rpc.svcgssd fail to start
with the following error:

May 30 13:06:12 rasca rpc.svcgssd[2761]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_BAD_NAME (An invalid name was supplied) - Unknown error
May 30 13:06:12 rasca rpc.svcgssd[2761]: unable to obtain nameless credentials


Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
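As an added example (not code from the report or from nfs-utils), the shell check below models the option behaviour described above: with '-n' rpc.svcgssd may use any nfs/ key in the keytab, with the patch's '-p' it is pinned to one principal, and with neither it only uses nfs/<node name>. It assumes '-p' is given a full principal such as nfs/nfsserver.example.com, and runs against a constructed 'klist -k' listing rather than a real keytab.

```shell
#!/bin/sh
# Added example, not from the report or nfs-utils. Models the behaviour the
# report describes: '-n' lets rpc.svcgssd use any nfs/ key in the keytab,
# '-p <principal>' (attached patch) pins one principal, and with neither only
# nfs/<node name> is used. Assumes -p takes a full principal (nfs/host[@REALM]).

# Print the nfs/ principals (realm stripped, deduplicated) in a 'klist -k' listing.
keytab_nfs_principals() {
    printf '%s\n' "$1" | awk '$2 ~ /^nfs\// { sub(/@.*/, "", $2); print $2 }' | sort -u
}

# Print the principals rpc.svcgssd will want for RPCSVCGSSDOPTS="$1" on node
# "$3", given the keytab listing "$2".
wanted_principals() {
    case " $1 " in
        *" -n "*) keytab_nfs_principals "$2" ;;              # any key in the keytab
        *" -p "*) printf '%s\n' "$1" | sed -n 's/.*-p *\([^ ]*\).*/\1/p' | sed 's/@.*//' ;;
        *)        printf 'nfs/%s\n' "$3" ;;                  # node name only
    esac
}

# Report each wanted principal as 'ok' or 'MISSING' against the keytab listing.
# A MISSING line is the misconfiguration that makes mounts under that name fail.
keytab_check() {
    have=$(keytab_nfs_principals "$2")
    wanted_principals "$1" "$2" "$3" | while IFS= read -r p; do
        if printf '%s\n' "$have" | grep -qxF "$p"; then echo "ok: $p"; else echo "MISSING: $p"; fi
    done
}

# Constructed 'klist -k' output for an HA node holding its own key and the
# cluster's key (sample data, not taken from the report).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------
   3 host/node1.example.com@EXAMPLE.COM
   3 nfs/node1.example.com@EXAMPLE.COM
   5 nfs/nfsserver.example.com@EXAMPLE.COM'

keytab_check "-n" "$SAMPLE_KEYTAB" node1.example.com
keytab_check "-p nfs/nfsserver.example.com" "$SAMPLE_KEYTAB" node1.example.com
keytab_check "" "$SAMPLE_KEYTAB" node2.example.com
```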
Index: nfs-utils-1.2.2/utils/gssd/gss_util.c
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.c	2012-05-29 16:27:59.100011446 +0200
+++ nfs-utils-1.2.2/utils/gssd/gss_util.c	2012-05-29 16:28:27.312001093 +0200
@@ -191,7 +191,7 @@
 }
 
 int
-gssd_acquire_cred(char *server_name)
+gssd_acquire_cred(char *server_name, const gss_OID oid)
 {
 	gss_buffer_desc name;
 	gss_name_t target_name;
@@ -207,7 +207,7 @@
 		name.length = strlen(server_name);
 
 		maj_stat = gss_import_name(&min_stat, &name,
-				(const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
+				oid,
 				&target_name);
 
 		if (maj_stat != GSS_S_COMPLETE) {
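Review bot: the failure branch at `if (maj_stat != GSS_S_COMPLETE)` now covers two different name types (hostbased service and, via the new `oid` parameter, a user-name principal), so its error report should include the name that was being imported; otherwise a mistyped `-p` principal is indistinguishable in the log from a missing host key.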
Index: nfs-utils-1.2.2/utils/gssd/gss_util.h
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.h	2012-05-29 16:28:02.879999946 +0200
+++ nfs-utils-1.2.2/utils/gssd/gss_util.h	2012-05-29 16:28:27.312001093 +0200
@@ -37,7 +37,7 @@
 
 extern gss_cred_id_t	gssd_creds;
 
-int gssd_acquire_cred(char *server_name);
+int gssd_acquire_cred(char *server_name, const gss_OID oid);
 void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat,
 	const gss_OID mech);
 int gssd_check_mechs(void);
Index: nfs-utils-1.2.2/utils/gssd/gssd.h
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/gssd.h	2012-05-29 16:28:06.220000902 +0200
+++ nfs-utils-1.2.2/utils/gssd/gssd.h	2012-05-29 16:28:27.312001093 +0200
@@ -100,7 +100,6 @@
 void handle_krb5_upcall(struct clnt_info *clp);
 void handle_spkm3_upcall(struct clnt_info *clp);
 void handle_gssd_upcall(struct clnt_info *clp);
-int gssd_acquire_cred(char *server_name);
 void gssd_run(void);
 
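Review bot: removing the stale one-argument `gssd_acquire_cred()` prototype here is required rather than cosmetic: gss_util.h now declares the two-argument version, and keeping this line would give conflicting declarations in any file that includes both headers.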
 
Index: nfs-utils-1.2.2/utils/gssd/svcgssd.c
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd.c	2012-05-29 16:28:09.660002070 +0200
+++ nfs-utils-1.2.2/utils/gssd/svcgssd.c	2012-05-29 16:29:04.516001466 +0200
@@ -173,7 +173,7 @@
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
+	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-p principal]\n",
 		progname);
 	exit(1);
 }
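Review bot: the usage string now advertises `-p principal`, but the patch touches no documentation; the svcgssd man page and the RPCSVCGSSDOPTS setting the report mentions should describe `-p` and state which name form it expects, since the report passes `-p nfsserver.example.com` while the code imports the value as `GSS_C_NT_USER_NAME`.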
@@ -186,9 +186,10 @@
 	int verbosity = 0;
 	int rpc_verbosity = 0;
 	int idmap_verbosity = 0;
-	int opt;
+	int opt, status;
 	extern char *optarg;
 	char *progname;
+	char *principal = NULL;
 
 	while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
 		switch (opt) {
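Review bot: the unchanged getopt string `"fivrnp:"` already contained `p:` before this patch, so `-p` was previously parsed and then rejected by `usage()`; the changelog should say so, and `status` would be clearer as `int status = FALSE;` so its meaning does not depend on a later hunk assigning it on every path.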
@@ -207,6 +208,9 @@
 			case 'r':
 				rpc_verbosity++;
 				break;
+			case 'p':
+				principal = optarg;
+				break;
 			default:
 				usage(argv[0]);
 				break;
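Review bot: `case 'p'` stores `optarg` without checking that it is non-empty; `-p ""` would reach `gss_import_name()` and fail with a less obvious GSS error, so a `if (!*optarg) usage(argv[0]);` guard here would fail fast with a clear message.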
@@ -250,12 +254,20 @@
 	signal(SIGTERM, sig_die);
 	signal(SIGHUP, sig_hup);
 
-	if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
-                printerr(0, "unable to obtain root (machine) credentials\n");
-                printerr(0, "do you have a keytab entry for "
-			    "nfs/<your.host>@<YOUR.REALM> in "
-			    "/etc/krb5.keytab?\n");
-		exit(1);
+	if (get_creds) {
+		if (principal)
+			status = gssd_acquire_cred(principal,
+				((const gss_OID)GSS_C_NT_USER_NAME));
+		else
+			status = gssd_acquire_cred(GSSD_SERVICE_NAME,
+				(const gss_OID)GSS_C_NT_HOSTBASED_SERVICE);
+		if (status == FALSE) {
+			printerr(0, "unable to obtain root (machine) credentials\n");
+			printerr(0, "do you have a keytab entry for "
+				"nfs/<your.host>@<YOUR.REALM> in "
+				"/etc/krb5.keytab?\n");
+			exit(1);
+		}
 	}
 
 	if (!fg)
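Review bot: the error text in the new `if (status == FALSE)` branch still says "unable to obtain root (machine) credentials" and asks about `nfs/<your.host>@<YOUR.REALM>` even when `-p` was given, so a bad principal is reported as a missing host key; print the name actually requested, e.g. `printerr(0, "unable to obtain credentials for %s\n", principal ? principal : GSSD_SERVICE_NAME);`. Minor style point: the double parentheses in `((const gss_OID)GSS_C_NT_USER_NAME)` are inconsistent with the `else` branch's `(const gss_OID)GSS_C_NT_HOSTBASED_SERVICE`.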
