Date: Tue, 4 Sep 2012 16:50:29 -0400 (EDT)
From: Rick Macklem
To: Herbert Poeckl
Cc: freebsd-stable@FreeBSD.org
Message-ID: <235272548.47771.1346791829286.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <5045FD86.7060209@ist.tugraz.at>
Subject: Re: Need help with nfsv4 and krb5 access denied

Herbert Poeckl wrote:
> On 09/03/2012 09:25 PM, Rick Macklem wrote:
> > Herbert Poeckl wrote:
> >> On 6/25/12 1:21 PM, Herbert Poeckl wrote:
> >>> We are getting access denied error on our debian clients when mounting
> >>> nfsv4 network drives with kerberos 5 authentication.
> >>>
> >>> What is weird about this, is that it works with one server, but not with
> >>> a second server.
> >> [..]
> >>
> >> For the records:
> >>
> >> The problem was fixed in this post:
> >> http://lists.freebsd.org/pipermail/freebsd-fs/2012-August/015047.html
> >>
> > Ok, so are you saying that the patch in Attila's email fixed your
> > problem?
>
> Yes it does. Sorry I missed your following post to his message.
>
No problem. In case you haven't seen it yet, it basically sounds like a
Linux client issue from what Attila reports, but changing the code so that
it doesn't invalidate the client's security handle when the DESTROY fails
due to an invalid checksum, seems reasonable.

> > If so, please try the attached patch. (It doesn't set the client security
> > handle stale when DESTROY fails, due to an invalid encrypted checksum. It
> > is similar to his patch, but only for the DESTROY case, which seems to be
> > ok to do from my understanding of the RPCSEC_GSS. It doesn't include the
> > timer changes, which shouldn't affect the outcome from afaik.)
>
> Just tried your patch, and it fixes the problem too.
>
Ok, thanks for testing it. If Attila reports that it fixes the problem for
him too, I'll commit it.

Glad that we seem to have lucked out and resolved this, due to Attila's
work on it.

> > To consider the client security handle still valid when a data (real RPC
> > in the message) phase entry fails the encrypted checksum seems riskier to
> > do, so I'd like to avoid that in any patch for head.
> >
> > rick
>
> Kind regards,
> Herbert