Bug#753732: NFS sec=krb5 does not work with cross-realm

To: submit@bugs.debian.org
Subject: Bug#753732: NFS sec=krb5 does not work with cross-realm
From: Jaap Winius <jwinius@umrk.nl>
Date: Fri, 04 Jul 2014 16:36:12 +0200
Message-id: <[🔎] 20140704163612.72596sahmrddtk2k@bitis.umrk.nl>
Reply-to: Jaap Winius <jwinius@umrk.nl>, 753732@bugs.debian.org

Package: nfs-common
Version: 1.2.6-4

NFS with sec=krb5i or sec=krb5p using MIT Kerberos does not work whencross-realm authentication is used -- only when clients have anKerberos ticket for the same realm. This happens consistently and incases when cross-realm authentication does work with other services onthe same machine, such as SSH.

To illustrate, I've included two sets of NFS debug output from both aclient (daboia.dapadam.nl) and a server (cerastes.dapadam.nl): one setwith a successful authentication and the other with a failure. Thefirst set involves a user, jwinius, with an MIT Kerberos ticket fromthe same realm, DAPADAM.NL, that results in a successful authentication:


=== Begin === Success, client log output =================

Jul 1 16:08:37 daboia rpc.gssd[1422]: handling gssd upcall(/var/lib/nfs/rpc_pipefs/nfs/clnt0)Jul 1 16:08:37 daboia rpc.gssd[1422]: handle_gssd_upcall: 'mech=krb5uid=10000 enctypes=18,17,16,23,3,1,2 'Jul 1 16:08:37 daboia rpc.gssd[1422]: handling krb5 upcall(/var/lib/nfs/rpc_pipefs/nfs/clnt0)Jul 1 16:08:37 daboia rpc.gssd[1422]: process_krb5_upcall: service is'<null>'Jul 1 16:08:37 daboia rpc.gssd[1422]: getting credentials for clientwith uid 10000 for server cerastes.dapadam.nlJul 1 16:08:37 daboia rpc.gssd[1422]: CC file'/tmp/krb5cc_0_8TcUINGCct' being considered, with preferred realm'DAPADAM.NL'Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file'/tmp/krb5cc_0_8TcUINGCct' owned by 0, not 10000Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file'/tmp/krb5cc_machine_DAPADAM.NL' being considered, with preferredrealm 'DAPADAM.NL'Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file'/tmp/krb5cc_machine_DAPADAM.NL' owned by 0, not 10000Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file'/tmp/krb5cc_10000_HFd9c1oOJy' being considered, with preferred realm'DAPADAM.NL'Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file'/tmp/krb5cc_10000_HFd9c1oOJy'(jwinius@DAPADAM.NL) passed all checksand has mtime of 1404223701Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file '/tmp/krb5cc_0' beingconsidered, with preferred realm 'DAPADAM.NL'Jul 1 16:08:37 daboia rpc.gssd[1422]: CC file '/tmp/krb5cc_0' ownedby 0, not 10000Jul 1 16:08:37 daboia rpc.gssd[1422]: usingFILE:/tmp/krb5cc_10000_HFd9c1oOJy as credentials cache for client withuid 10000 for server cerastes.dapadam.nlJul 1 16:08:37 daboia rpc.gssd[1422]: using environment variable toselect krb5 ccache FILE:/tmp/krb5cc_10000_HFd9c1oOJyJul 1 16:08:37 daboia rpc.gssd[1422]: creating context using fsuid10000 (save_uid 0)Jul 1 16:08:37 daboia rpc.gssd[1422]: creating tcp client for servercerastes.dapadam.nl

Jul  1 16:08:37 daboia rpc.gssd[1422]: DEBUG: port already set to 2049

Jul 1 16:08:37 daboia rpc.gssd[1422]: creating context with servernfs@cerastes.dapadam.nlJul 1 16:08:37 daboia rpc.gssd[1422]: DEBUG: serialize_krb5_ctx:lucid version!

Jul  1 16:08:37 daboia rpc.gssd[1422]: prepare_krb5_rfc4121_buffer: protocol 1

Jul 1 16:08:37 daboia rpc.gssd[1422]: prepare_krb5_rfc4121_buffer:serializing key with enctype 18 and size 32

Jul  1 16:08:37 daboia rpc.gssd[1422]: doing downcall

Jul 1 16:08:37 daboia rpc.idmapd[1417]: nfs4_name_to_uid: callingnsswitch->name_to_uidJul 1 16:08:37 daboia rpc.idmapd[1417]: nss_getpwnam: name'jwinius@dapadam.nl' domain 'dapadam.nl': resulting localname 'jwinius'Jul 1 16:08:37 daboia rpc.idmapd[1417]: nfs4_name_to_uid:nsswitch->name_to_uid returned 0Jul 1 16:08:37 daboia rpc.idmapd[1417]: nfs4_name_to_uid: finalreturn value is 0Jul 1 16:08:37 daboia rpc.idmapd[1417]: Client 0: (user) name"jwinius@dapadam.nl" -> id "10000"Jul 1 16:08:37 daboia rpc.idmapd[1417]: nfs4_name_to_gid: callingnsswitch->name_to_gidJul 1 16:08:37 daboia rpc.idmapd[1417]: nfs4_name_to_gid:nsswitch->name_to_gid returned 0Jul 1 16:08:37 daboia rpc.idmapd[1417]: nfs4_name_to_gid: finalreturn value is 0Jul 1 16:08:37 daboia rpc.idmapd[1417]: Client 0: (group) name"jwinius@dapadam.nl" -> id "10000"Jul 1 16:08:37 daboia rpc.gssd[1422]: dir_notify_handler: sig 37 si0x7fff3cdee670 data 0x7fff3cdee540

Jul  1 16:08:37 daboia rpc.idmapd[1417]: New client: 2

Jul 1 16:17:01 daboia /USR/SBIN/CRON[2399]: (root) CMD ( cd / &&run-parts --report /etc/cron.hourly)

=== End ===== Success, client log output =================

=== Begin === Success, server log output =================
Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: leaving poll
Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: handling null request

Jul 1 16:08:37 cerastes rpc.svcgssd[3295]:svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7enctypes from the kernel

Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: sname = jwinius@DAPADAM.NL

Jul 1 16:08:37 cerastes rpc.svcgssd[3295]: DEBUG: serialize_krb5_ctx:lucid version!Jul 1 16:08:37 cerastes rpc.svcgssd[3295]:prepare_krb5_rfc4121_buffer: protocol 1Jul 1 16:08:37 cerastes rpc.svcgssd[3295]:prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32

Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: doing downcall

Jul 1 16:08:37 cerastes rpc.svcgssd[3295]: mech: krb5, hndl len: 4,ctx len 52, timeout: 1404310094 (86377 from now), clnt: <null>, uid:10000, gid: 10000, num

Jul  1 16:08:37 cerastes rpc.svcgssd[3295]:   (   1) 10000
Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: sending null reply

Jul 1 16:08:37 cerastes rpc.svcgssd[3295]: writing message: \x\x6082025806092a864886f71201020201006e82024730820243a003020105a10302010ea20703050020000000a38201

Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: finished handling null request
Jul  1 16:08:37 cerastes rpc.svcgssd[3295]: entering poll

Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfsdcb: authbuf=gss/krb5iauthtype=userJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_uid_to_name: callingnsswitch->uid_to_nameJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_uid_to_name:nsswitch->uid_to_name returned 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_uid_to_name: finalreturn value is 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: Server : (user) id "0" ->name "root@dapadam.nl"Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfsdcb: authbuf=gss/krb5iauthtype=groupJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_gid_to_name: callingnsswitch->gid_to_nameJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_gid_to_name:nsswitch->gid_to_name returned 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_gid_to_name: finalreturn value is 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: Server : (group) id "0" ->name "root@dapadam.nl"Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfsdcb: authbuf=gss/krb5iauthtype=userJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_uid_to_name: callingnsswitch->uid_to_nameJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_uid_to_name:nsswitch->uid_to_name returned 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_uid_to_name: finalreturn value is 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: Server : (user) id "10000"-> name "jwinius@dapadam.nl"Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfsdcb: authbuf=gss/krb5iauthtype=groupJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_gid_to_name: callingnsswitch->gid_to_nameJul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_gid_to_name:nsswitch->gid_to_name returned 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: nfs4_gid_to_name: finalreturn value is 0Jul 1 16:08:37 cerastes rpc.idmapd[1579]: Server : (group) id "10000"-> name "jwinius@dapadam.nl"Jul 1 16:17:01 cerastes /USR/SBIN/CRON[3331]: (root) CMD ( cd / &&run-parts --report /etc/cron.hourly)

=== End ===== Success, server log output =================

The second set involves a user account with the same name, jwinius,but with a Kerberos ticket from a different, albeit trusted realm:UMRK.NL. This always results in an authentication failure:


=== Begin === Failure, client log output =================

Jul 1 16:22:19 daboia rpc.gssd[1423]: handling gssd upcall(/var/lib/nfs/rpc_pipefs/nfs/clnt0)Jul 1 16:22:19 daboia rpc.gssd[1423]: handle_gssd_upcall: 'mech=krb5uid=10000 enctypes=18,17,16,23,3,1,2 'Jul 1 16:22:19 daboia rpc.gssd[1423]: handling krb5 upcall(/var/lib/nfs/rpc_pipefs/nfs/clnt0)Jul 1 16:22:19 daboia rpc.gssd[1423]: process_krb5_upcall: service is'<null>'Jul 1 16:22:19 daboia rpc.gssd[1423]: getting credentials for clientwith uid 10000 for server cerastes.dapadam.nlJul 1 16:22:19 daboia rpc.gssd[1423]: CC file'/tmp/krb5cc_machine_DAPADAM.NL' being considered, with preferredrealm 'DAPADAM.NL'Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file'/tmp/krb5cc_machine_DAPADAM.NL' owned by 0, not 10000Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file'/tmp/krb5cc_10000_goDYeANk0D' being considered, with preferred realm'DAPADAM.NL'Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file'/tmp/krb5cc_10000_goDYeANk0D'(jwinius@UMRK.NL) passed all checks andhas mtime of 1404224533Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file'/tmp/krb5cc_0_emiVRCT1ma' being considered, with preferred realm'DAPADAM.NL'Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file'/tmp/krb5cc_0_emiVRCT1ma' owned by 0, not 10000Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file '/tmp/krb5cc_0' beingconsidered, with preferred realm 'DAPADAM.NL'Jul 1 16:22:19 daboia rpc.gssd[1423]: CC file '/tmp/krb5cc_0' ownedby 0, not 10000Jul 1 16:22:19 daboia rpc.gssd[1423]: usingFILE:/tmp/krb5cc_10000_goDYeANk0D as credentials cache for client withuid 10000 for server cerastes.dapadam.nlJul 1 16:22:19 daboia rpc.gssd[1423]: using environment variable toselect krb5 ccache FILE:/tmp/krb5cc_10000_goDYeANk0DJul 1 16:22:19 daboia rpc.gssd[1423]: creating context using fsuid10000 (save_uid 0)Jul 1 16:22:19 daboia rpc.gssd[1423]: creating tcp client for servercerastes.dapadam.nl

Jul  1 16:22:19 daboia rpc.gssd[1423]: DEBUG: port already set to 2049

Jul 1 16:22:19 daboia rpc.gssd[1423]: creating context with servernfs@cerastes.dapadam.nlJul 1 16:22:19 daboia rpc.gssd[1423]: DEBUG: serialize_krb5_ctx:lucid version!

Jul  1 16:22:19 daboia rpc.gssd[1423]: prepare_krb5_rfc4121_buffer: protocol 1

Jul 1 16:22:19 daboia rpc.gssd[1423]: prepare_krb5_rfc4121_buffer:serializing key with enctype 18 and size 32

Jul  1 16:22:19 daboia rpc.gssd[1423]: doing downcall

Jul 1 16:22:19 daboia rpc.idmapd[1418]: nfs4_name_to_uid: callingnsswitch->name_to_uidJul 1 16:22:19 daboia rpc.idmapd[1418]: nss_getpwnam: name'jwinius@dapadam.nl' domain 'dapadam.nl': resulting localname 'jwinius'Jul 1 16:22:19 daboia rpc.idmapd[1418]: nfs4_name_to_uid:nsswitch->name_to_uid returned 0Jul 1 16:22:19 daboia rpc.idmapd[1418]: nfs4_name_to_uid: finalreturn value is 0Jul 1 16:22:19 daboia rpc.idmapd[1418]: Client 0: (user) name"jwinius@dapadam.nl" -> id "10000"Jul 1 16:22:19 daboia rpc.idmapd[1418]: nfs4_name_to_gid: callingnsswitch->name_to_gidJul 1 16:22:19 daboia rpc.idmapd[1418]: nfs4_name_to_gid:nsswitch->name_to_gid returned 0Jul 1 16:22:19 daboia rpc.idmapd[1418]: nfs4_name_to_gid: finalreturn value is 0Jul 1 16:22:19 daboia rpc.idmapd[1418]: Client 0: (group) name"jwinius@dapadam.nl" -> id "10000"Jul 1 16:22:19 daboia rpc.gssd[1423]: dir_notify_handler: sig 37 si0x7fffcbbd9ef0 data 0x7fffcbbd9dc0

Jul  1 16:22:19 daboia rpc.idmapd[1418]: New client: 2
=== End ===== Failure, client log output =================

=== Begin === Failure, server log output =================
Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: leaving poll
Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: handling null request

Jul 1 16:22:18 cerastes rpc.svcgssd[3295]:svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7enctypes from the kernel

Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: sname = jwinius@UMRK.NL

Jul 1 16:22:18 cerastes rpc.svcgssd[3295]: nss_gss_princ_to_ids:Local-Realm 'UMRK.NL': NOT FOUNDJul 1 16:22:18 cerastes rpc.svcgssd[3295]: DEBUG: serialize_krb5_ctx:lucid version!Jul 1 16:22:18 cerastes rpc.svcgssd[3295]:prepare_krb5_rfc4121_buffer: protocol 1Jul 1 16:22:18 cerastes rpc.svcgssd[3295]:prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32

Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: doing downcall

Jul 1 16:22:18 cerastes rpc.svcgssd[3295]: mech: krb5, hndl len: 4,ctx len 52, timeout: 1404299912 (75374 from now), clnt: <null>, uid:-1, gid: -1, num aux g

Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: sending null reply

Jul 1 16:22:18 cerastes rpc.svcgssd[3295]: writing message: \x\x6082025106092a864886f71201020201006e8202403082023ca003020105a10302010ea20703050020000000a38201

Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: finished handling null request
Jul  1 16:22:18 cerastes rpc.svcgssd[3295]: entering poll

Jul 1 16:22:18 cerastes rpc.idmapd[1579]: nfsdcb: authbuf=gss/krb5iauthtype=userJul 1 16:22:18 cerastes rpc.idmapd[1579]: nfs4_uid_to_name: callingnsswitch->uid_to_nameJul 1 16:22:18 cerastes rpc.idmapd[1579]: nfs4_uid_to_name:nsswitch->uid_to_name returned 0Jul 1 16:22:18 cerastes rpc.idmapd[1579]: nfs4_uid_to_name: finalreturn value is 0Jul 1 16:22:18 cerastes rpc.idmapd[1579]: Server : (user) id "10000"-> name "jwinius@dapadam.nl"Jul 1 16:22:18 cerastes rpc.idmapd[1579]: nfsdcb: authbuf=gss/krb5iauthtype=groupJul 1 16:22:18 cerastes rpc.idmapd[1579]: nfs4_gid_to_name: callingnsswitch->gid_to_nameJul 1 16:22:18 cerastes rpc.idmapd[1579]: nfs4_gid_to_name:nsswitch->gid_to_name returned 0Jul 1 16:22:18 cerastes rpc.idmapd[1579]: nfs4_gid_to_name: finalreturn value is 0Jul 1 16:22:18 cerastes rpc.idmapd[1579]: Server : (group) id "10000"-> name "jwinius@dapadam.nl"

=== End ===== Failure, server log output =================

The user experience ends with a "Permission denied" message, althoughthe client does receive a Kerberos service ticket despite the failure.The rpc.idmapd daemon seems to translate the jwinius@UMRK.NL accountto "jwinius@dapadam.nl" with user ID 10000. In some situations thismight be incorrect, but here it's okay because both accounts belong tothe same person.

When authentication fails, the only evidence that I can see for thisin the server's log output is in the fifth line shown:"nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND". Apparently,the local Kerberos KDC is not interrogated and the trust entry for theUMRK.NL realm is never discovered.

For both machines, the verbosity for rpc.idmapd was set to 5, rpc.gssdwas used with the options "-D -vvvvvvvvvv" (see Debian bug report#728255 for why I use -D) and rpc.svcgssd was run with the option"-vvvvvvvvvv". The rpc.mountd daemon was also running (with option"--port 32767"), but rpc.statd was disabled. Moreover, I generally getbetter results when running rpc.svcgssd on the client as well as theserver; this daemon is actually part of the nfs-common package,although the startup script does not yet reflect this and needs to bemodified for it to start on the client.

Reply to:

Prev by Date: Bug#690009: "Invalid iomem size. You may experience problems." I do, experience problems.
Next by Date: Bug#753656: linux-image-3.14-1-rt-amd64: Kernel panic caused by ohci_hcd
Previous by thread: Bug#690009: "Invalid iomem size. You may experience problems." I do, experience problems.
Next by thread: Bug#748615: the system reboot after mounting the partitions
Index(es):
- Date
- Thread