Bug#803710: nfs-common: gssd does DNS reverse lookups for servers without -D
Package: nfs-common
Version: 1:1.2.8-9
Severity: normal
Tags: patch, fixed-upstream
Hi,

The man page states for the '-D' option:

| DNS Reverse lookups are not used for determining the server names pass
| to GSSAPI. This option will reverses that and forces the use of DNS
| Reverse resolution of the server's IP address to retrieve the
| server name to use in GSAPI authentication.

However, this is not true for the version packaged in Debian:

# ps auxwwf|grep '[g]ssd'
root 32062 0.0 0.0 34980 2656 ? Ss 22:18 0:00 /usr/sbin/rpc.gssd -vvv
# dig +short fate.yath.de aaaa
2001:4c50:43f:c700:d2bf:9cff:fe46:a724
# dig +short -x 2001:4c50:43f:c700:d2bf:9cff:fe46:a724 ptr
# mount fate.yath.de:/data /mnt -t nfs -o vers=4.0,sec=krb5p
(hangs)

After tens of minutes it aborts with "NFS: nfs4_discover_server_trunking
unhandled error -512. Exiting with error EIO".

Meanwhile in syslog, tons of these:

rpc.gssd[32062]: ERROR: unable to resolve 2001:4c50:43f:c700:d2bf:9cff:fe46:a724 to hostname: Name or service not known
rpc.gssd[32062]: ERROR: failed to read service info
rpc.gssd[32062]: ERROR: unable to resolve 2001:4c50:43f:c700:d2bf:9cff:fe46:a724 to hostname: Name or service not known
rpc.gssd[32062]: ERROR: failed to read service info
rpc.gssd[32062]: ERROR: unable to resolve 2001:4c50:43f:c700:d2bf:9cff:fe46:a724 to hostname: Name or service not known
rpc.gssd[32062]: ERROR: failed to read service info

This has been fixed in recent upstream versions (#756900). I have
however attached a patch that backports this specific fix from
nfs-utils-1.3.3 to Debian’s 1.2.8.

Sebastian
-- Package-specific info:
-- rpcinfo --
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages nfs-common depends on:
ii adduser 3.113+nmu3
ii initscripts 2.88dsf-59.2
ii libc6 2.19-22
ii libcap2 1:2.24-12
ii libcomerr2 1.42.13-1
ii libdevmapper1.02.1 2:1.02.104-1
ii libevent-2.0-5 2.0.21-stable-2
ii libgssapi-krb5-2 1.13.2+dfsg-3
ii libk5crypto3 1.13.2+dfsg-3
ii libkeyutils1 1.5.9-8
ii libkrb5-3 1.13.2+dfsg-3
ii libmount1 2.27-3
ii libnfsidmap2 0.25-5
ii libtirpc1 0.2.5-1
ii libwrap0 7.6.q-25
ii lsb-base 9.20150917
ii rpcbind 0.2.1-6.1
ii ucf 3.0030
Versions of packages nfs-common recommends:
ii python 2.7.9-1
Versions of packages nfs-common suggests:
pn open-iscsi <none>
pn watchdog <none>
-- Configuration Files:
/etc/default/nfs-common changed [not included]
-- no debconf information
--- nfs-utils-1.2.8.orig/utils/gssd/gssd_proc.c 2015-11-01 22:04:38.975460740 +0100
+++ nfs-utils-1.2.8/utils/gssd/gssd_proc.c 2015-11-01 22:10:37.794464626 +0100
@@ -176,23 +176,21 @@
char *hostname;
char hbuf[NI_MAXHOST];
unsigned char buf[sizeof(struct in6_addr)];
- int servername = 0;
- if (avoid_dns) {
+ while (avoid_dns) {
/*
* Determine if this is a server name, or an IP address.
* If it is an IP address, do the DNS lookup otherwise
* skip the DNS lookup.
*/
- servername = 0;
- if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
- servername = 1; /* IPv4 */
- else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
- servername = 1; /* or IPv6 */
+ if (strchr(name, '.') == NULL)
+ break; /* local name */
+ else if (inet_pton(AF_INET, name, buf) == 1)
+ break; /* IPv4 address */
+ else if (inet_pton(AF_INET6, name, buf) == 1)
+ break; /* IPv6 addrss */
- if (servername) {
- return strdup(name);
- }
+ return strdup(name);
}
switch (sa->sa_family) {
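Review bot: in the new "while (avoid_dns)" block the strchr(name, '.') == NULL test runs first, so an ordinary IPv6 literal, which contains no '.', leaves through the branch commented "local name", and the inet_pton(AF_INET6, ...) branch is only reached for addresses that embed a dotted quad. The outcome is the same, since every break lands on the lookup in the switch below, but the comments no longer describe what is matched. Consider running the two inet_pton() checks before the strchr() test, and fix the "addrss" typo while there. The while never iterates a second time because every path either breaks or returns, so a one-line comment saying it is used as a breakable "if" would save the next reader a double take. Note also that a name without a dot still falls through to the lookup path when avoid_dns is set; if that is intended, the block comment above the checks should mention it alongside the IP address case.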