From owner-freebsd-fs@FreeBSD.ORG Wed Aug 29 13:29:17 2012 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 188951065686 for ; Wed, 29 Aug 2012 13:29:17 +0000 (UTC) (envelope-from rmacklem@uoguelph.ca) Received: from esa-jnhn.mail.uoguelph.ca (esa-jnhn.mail.uoguelph.ca [131.104.91.44]) by mx1.freebsd.org (Postfix) with ESMTP id C42D08FC1A for ; Wed, 29 Aug 2012 13:29:16 +0000 (UTC) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ap8EAGQYPlCDaFvO/2dsb2JhbABFhgO1c4IgAQEBAwEBAQEgKyALBRYYAgINGQIpAQkmBggHBAEaAgSHZgYLqDeTE4EhigGFLYESA5MrgiuBFI8Bgn+BRQ X-IronPort-AV: E=Sophos;i="4.80,334,1344225600"; d="scan'208";a="176995433" Received: from erie.cs.uoguelph.ca (HELO zcs3.mail.uoguelph.ca) ([131.104.91.206]) by esa-jnhn-pri.mail.uoguelph.ca with ESMTP; 29 Aug 2012 09:29:10 -0400 Received: from zcs3.mail.uoguelph.ca (localhost.localdomain [127.0.0.1]) by zcs3.mail.uoguelph.ca (Postfix) with ESMTP id E8F77B401F; Wed, 29 Aug 2012 09:29:09 -0400 (EDT) Date: Wed, 29 Aug 2012 09:29:09 -0400 (EDT) From: Rick Macklem To: =?utf-8?Q?Attila_Bog=C3=A1r?= Message-ID: <487642909.1254184.1346246949938.JavaMail.root@erie.cs.uoguelph.ca> In-Reply-To: <503CE012.3040408@linguamatics.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [172.17.91.202] X-Mailer: Zimbra 6.0.10_GA_2692 (ZimbraWebClient - FF3.0 (Win)/6.0.10_GA_2692) Cc: freebsd-fs@FreeBSD.org Subject: Re: Need hints debugging KGSSAPI X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Aug 2012 13:29:17 -0000 Attila wrote: > Hi, > > I'd like to spend some time finding out myself what's wrong with the > kerberized nfs server on the FreeBSD 9-STABLE. > > I thought the solution is to simply force DES+RFC1964 GSSAPI, but > unfortunately it's not that simple. > I built a patched nfs-utils package by merging the patch referenced > from > https://bugzilla.redhat.com/show_bug.cgi?id=802469 - with the legacy > option did not resolve the problem. > > I have some wireshark traces which show that one EL6 box get 3 times > auth_denied however the other succeeds for the 3rd time. I can > reproduce this. > > My kernel is a GENERIC + some option as per Rick's page: > options KGSSAPI > device crypto > device cryptodev > > I know, that all interesting NFS/GSSAPI job is done within kernel > space. > Not exactly. All the KGSSAPI does is package up the arguments for the GSS api call and then do an upcall to the userland gssd. The userland gssd does the GSS api call against the Kerberos libraries it has been linked to and then passes the results of that call back down into the kernel. So, once you get past the RPCSEC_GSS stuff and down to the actual GSS API call, it is the userland Kerberos libraries that do the interesting stuff. (There are a few tricks, like a "hidden effective uid argument" for init_sec_context(), but mostly the KGSSAPI/gssd just passes arguments between the kernel call and the userland Kerberos library.) > I suppose it's not possible to unload the KGSSAPI module: > http://svnweb.freebsd.org/base/head/sys/kgssapi/gss_impl.c?view=markup&pathrev=224084 > > What's the best way to debug the kernel other than inserting debug > messages into the source tree+recompiling+rebooting? > I'm an old fashioned printf() guy, so that's what I do. If it appears that it is the upcall to the userland gssd that generates a failed reply, then the problem is most likely the userland Kerberos libraries. (I'd probably cram a pile of printf()s in the rpcsec_gss and kgssapi sources, especially at the kgssapi upcalls to the userland gssd, to try and figure out where the "authentication failure" is occurring.) I've already emailed this person w.r.t. making sure he isn't seeing the "non-atomic export update" problem. Since mountd deletes all exports and then re-adds them non-atomically, the security flavours allowed will be messed up whenever mountd gets a HUP signal. (This happens automagically whenever a "mount" of a file system happens on the NFS server, since "mount" sends "mountd" a HUP signal.) If it is the userland Kerberos libraries, I'd try installing a vanilla up to date Heimdal distro (it usually installs easily in somewhere like /usr/heimdal) and then I'd rebuild gssd.c linked to those libraries and see if I could get that to work. Long ago, to get kerberized NFS to work on OpenBSD, I'd statically link the gssd I had for it (very different than the FreeBSD gssd) to freshly built Heimdal libraries. rick > What debugger do you recommend? > Is there an up-to-date tutorial on FreeBSD kernel debugging? > > Any constructive comments appreciated. > > Thanks, > Attila > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"