From owner-freebsd-fs@FreeBSD.ORG Wed Feb 20 19:37:23 2013
Date: Wed, 20 Feb 2013 20:37:07 +0100
Message-ID: <86621m4w0s.wl%momchil@xaxo.eu>
From: Momchil Ivanov
To: Rick Macklem
Cc: freebsd-fs@freebsd.org, Momchil Ivanov
Subject: Re: NFS + Kerberos
In-Reply-To: <992481316.3137385.1361325642681.JavaMail.root@erie.cs.uoguelph.ca>
References: <86a88ac8bb038ec5d8034724dcf80924.squirrel@webmail.xaxo.eu> <992481316.3137385.1361325642681.JavaMail.root@erie.cs.uoguelph.ca>

At Tue, 19 Feb 2013 21:00:42 -0500 (EST),
Rick Macklem wrote:
>
> Momchil Ivanov wrote:
> > On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > > Thanks to Elias's hard work, a bug/fix has just been isolated in the
> > > Kerberos library that causes the gssd to fail to translate a principal
> > > to a uid. The fix is to increase the size of the buffer passed to
> > > getpwnam_r(). See this thread:
> > > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> > >
> > > I haven't run into this bug, so I don't know what systems are affected,
> > > but it would explain why you can't get it working.
> > >
> > > I'd suggest you apply the patch in the email (increase buf to 1024) and
> > > then try again with libraries built with the patch.
> >
> > Do I have to apply the patch to the server only and then rebuild world or
> > do I have to do the same on the client too? And do I need to rebuild
> > heimdal on both machines?
> >
> The bug should only affect the server, since the client never translates
> between principal_name<->uid. (The client does a rather cheezey trick of
> using the uid to select the correct credential cache file.)
>
> > btw, I checked the logs of the kdc and could not see any trace of the nfs
> > server trying to validate the client's ticket... Frankly, I don't know
> > what I should expect there, I haven't used kerberos before, so I have no
> > idea if it's related to the bug. Here is part of the log:
> >
> > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.LOCAL
> > sending 407 bytes to IPv4:X.X.X.X
> > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > Client sent patypes: encrypted-timestamp
> > Looking for PKINIT pa-data -- user@EXAMPLE.LOCAL
> > Looking for ENC-TS pa-data -- user@EXAMPLE.LOCAL
> > ENC-TS Pre-authentication succeeded -- user@EXAMPLE.LOCAL using des-cbc-crc
> > Client supported enctypes: des-cbc-crc
> > Using des-cbc-crc/aes256-cts-hmac-sha1-96
> > AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime: 2013-02-12T09:45:39 renew till: unset
> > sending 552 bytes to IPv4:X.X.X.X
> >
> Hmm, that sounds like you are never getting as far as sending the
> ticket to the server, but I'm not at home, so I can't look and see
> exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
> might be different.)
>
> I've attached a trivial program that you can compile/run as root
> on the NFS server to see if 128 bytes is a big enough buffer for your setup.
> If it can print out the uid for the usernames you test as arguments,
> the patch isn't needed for your environment.
> (Oh, and it has a typo bug in the errx() arguments, but it works ok
> for testing.)
>
> Good luck with it, rick

Your test program works with a regular user, but fails with root, indeed.
I will try the patch. Do I need to rebuild only world or do I have to
rebuild heimdal too?

Thank you,
Momchil
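Editor's note. Rick's attached test program is not reproduced in the list archive, so the following is an added example and neither his attachment nor the gssd's or Heimdal's code. It shows the failure mode under discussion: getpwnam_r() returns ERANGE when the caller's buffer is too small for the passwd entry, and a caller that passes a fixed 128-byte buffer and treats any non-zero return as "no such user" fails to map the principal to a uid. The first function probes a name with a fixed buffer size (128 bytes, the size the thread says the gssd used), the second is the robust pattern, growing the buffer on ERANGE, which is what a fixed-size bump to 1024 bytes only approximates. Run it as root on the NFS server, as Rick says: on FreeBSD a root process sees the real password hash from master.passwd in pw_passwd, so the entry is longer than what an unprivileged lookup returns. The program name, the -b option and the growth cap are my choices, not anything from the thread.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Look up `name` with a fixed, caller-chosen buffer of `buflen` bytes.
 * Returns 0 and stores the uid on success, ERANGE when getpwnam_r()
 * reports that the buffer is too small, ENOENT when the user does not
 * exist, or another errno value from the lookup.
 */
int lookup_uid_with_buf(const char *name, size_t buflen, uid_t *uid)
{
    struct passwd pw;
    struct passwd *result = NULL;
    char *buf = malloc(buflen);
    int rc;

    if (buf == NULL)
        return ENOMEM;
    rc = getpwnam_r(name, &pw, buf, buflen, &result);
    if (rc == 0 && result == NULL)
        rc = ENOENT;            /* lookup worked, but no such user */
    if (rc == 0)
        *uid = result->pw_uid;
    free(buf);
    return rc;
}

/*
 * The robust pattern: start with `initial` bytes and double on ERANGE
 * until `cap`. On success stores the uid and, if `used` is non-NULL,
 * the buffer size that finally sufficed.
 */
int lookup_uid_growing(const char *name, size_t initial, size_t cap,
                       uid_t *uid, size_t *used)
{
    size_t buflen = initial ? initial : 1;

    for (;;) {
        int rc = lookup_uid_with_buf(name, buflen, uid);

        if (rc != ERANGE) {
            if (rc == 0 && used != NULL)
                *used = buflen;
            return rc;
        }
        if (buflen >= cap)
            return ERANGE;      /* entry is larger than we are willing to go */
        buflen = (buflen > cap / 2) ? cap : buflen * 2;
    }
}

/* Usage: ./pwprobe [-b bytes] user [user ...]   (run as root on the NFS server) */
int main(int argc, char **argv)
{
    size_t probe = 128;     /* 128: the size the thread says the gssd passed before the patch */
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);  /* -1 means "indeterminate" */
    int i = 1, failures = 0;

    if (argc > 2 && strcmp(argv[1], "-b") == 0) {
        probe = (size_t)strtoul(argv[2], NULL, 10);
        i = 3;
    }
    if (i >= argc) {
        fprintf(stderr, "usage: %s [-b bytes] user ...\n", argv[0]);
        return 2;
    }
    printf("probe buffer: %zu bytes; sysconf(_SC_GETPW_R_SIZE_MAX) = %ld\n",
           probe, hint);

    for (; i < argc; i++) {
        uid_t uid;
        size_t used = 0;
        int rc = lookup_uid_with_buf(argv[i], probe, &uid);

        if (rc == 0) {
            printf("%-16s uid %lu  fits in %zu bytes\n", argv[i],
                   (unsigned long)uid, probe);
            continue;
        }
        failures++;
        if (rc == ERANGE) {
            /* Find out how much the entry actually needs. */
            if (lookup_uid_growing(argv[i], probe, 1 << 20, &uid, &used) == 0)
                printf("%-16s uid %lu  needs %zu bytes (ERANGE at %zu)\n",
                       argv[i], (unsigned long)uid, used, probe);
            else
                printf("%-16s ERANGE at %zu and still no fit at 1 MiB\n",
                       argv[i], probe);
        } else {
            printf("%-16s lookup failed: %s\n", argv[i], strerror(rc));
        }
    }
    return failures ? 1 : 0;
}
```

Compile with `cc -o pwprobe pwprobe.c` and run `./pwprobe root youruser` as root. A name that prints "needs N bytes" is one the unpatched gssd cannot map; the point of the growing variant is that the caller distinguishes ERANGE (retry with more space) from a genuine lookup failure instead of folding both into "principal not found".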