Date: Wed, 20 Feb 2013 18:10:48 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Momchil Ivanov <momchil@xaxo.eu>
Cc: freebsd-fs@freebsd.org
Subject: Re: NFS + Kerberos
Message-ID: <222730394.3167100.1361401848290.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86621m4w0s.wl%momchil@xaxo.eu>
Momchil Ivanov wrote:
> At Tue, 19 Feb 2013 21:00:42 -0500 (EST),
> Rick Macklem wrote:
> >
> > Momchil Ivanov wrote:
> > > On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > > > Thanks to Elias's hard work, a bug/fix has just been isolated in the
> > > > Kerberos library that causes the gssd to fail to translate a principal
> > > > to a uid. The fix is to increase the size of the buffer passed to
> > > > getpwnam_r(). See this thread:
> > > > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> > > >
> > > > I haven't run into this bug, so I don't know what systems are affected,
> > > > but it would explain why you can't get it working.
> > > >
> > > > I'd suggest you apply the patch in the email (increase buf to 1024) and
> > > > then try again with libraries built with the patch.
> > >
> > > Do I have to apply the patch to the server only and then rebuild world or
> > > do I have to do the same on the client too? And do I need to rebuild
> > > heimdal on both machines?
> > >
> > The bug should only affect the server, since the client never translates
> > between principal_name<->uid. (The client does a rather cheesy trick of
> > using the uid to select the correct credential cache file.)
> >
> > > btw, I checked the logs of the kdc and could not see any trace of the nfs
> > > server trying to validate the client's ticket... Frankly, I don't know
> > > what I should expect there, I haven't used kerberos before, so I have no
> > > idea if it's related to the bug.
> > > Here is part of the log:
> > >
> > > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for
> > > krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > > No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.LOCAL
> > > sending 407 bytes to IPv4:X.X.X.X
> > > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for
> > > krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > > Client sent patypes: encrypted-timestamp
> > > Looking for PKINIT pa-data -- user@EXAMPLE.LOCAL
> > > Looking for ENC-TS pa-data -- user@EXAMPLE.LOCAL
> > > ENC-TS Pre-authentication succeeded -- user@EXAMPLE.LOCAL using
> > > des-cbc-crc
> > > Client supported enctypes: des-cbc-crc
> > > Using des-cbc-crc/aes256-cts-hmac-sha1-96
> > > AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime:
> > > 2013-02-12T09:45:39 renew till: unset
> > > sending 552 bytes to IPv4:X.X.X.X
> > >
> > Hmm, that sounds like you are never getting as far as sending the
> > ticket to the server, but I'm not at home, so I can't look and see
> > exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
> > might be different.)
> >
> > I've attached a trivial program that you can compile/run as root
> > on the NFS server to see if 128 bytes is a big enough buffer for
> > your setup.
> > If it can print out the uid for the usernames you test as arguments,
> > the patch isn't needed for your environment.
> > (Oh, and it has a typo bug in the errx() arguments, but it works ok
> > for testing.)
> >
> > Good luck with it, rick
>
> Your test program works with a regular user, but fails with root, indeed.
>
> I will try the patch. Do I need to rebuild only world or do I have to
> rebuild heimdal too?
>
I would have thought kerberos was rebuilt for make buildworld. If you use
heimdal from somewhere else (ports or their distro), I don't think that needs
to be rebuilt, since I don't think the ..pname_to_uid() function is a part of
a generic heimdal distribution, but I am not sure.

Be sure to change buf[128] --> buf[1024] in both:
kerberos5/lib/libgssapi_krb5/pname_to_uid.c
usr.sbin/gssd/gssd.c
(Or paths close to that. I might not have remembered them quite correctly;-)

rick

> Thank you,
> Momchil
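The test program Rick attached is not in the archive. The following is an added example, not his program and not FreeBSD's gssd or pname_to_uid() code, written to show the same failure mode discussed in the thread: getpwnam_r() reports ERANGE when the caller's scratch buffer cannot hold every string of the passwd entry (name, password field, gecos, home, shell), and a fixed buf[128] turns that into a failed principal-to-uid mapping. It also shows the retry-on-ERANGE pattern that removes the guessed size altogether, which is the more robust fix than bumping 128 to 1024. The function names, the 1 MiB ceiling and the 128/16-byte starting sizes are this example's own choices; note that on FreeBSD a lookup performed as root also returns the password hash in pw_passwd, so the entry is longer than an unprivileged caller sees.

```c
/*
 * Added example (not the thread's attached program): demonstrate how a
 * caller-chosen buffer size decides whether getpwnam_r() can map a name to a
 * uid, and how to retry on ERANGE instead of hard-coding buf[128].
 */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Look up 'name' with a scratch buffer of exactly 'bufsize' bytes.
 * Returns 0 and sets *uid on success, ENOENT when there is no such user,
 * ERANGE when the entry does not fit, or another errno from getpwnam_r().
 */
static int lookup_uid(const char *name, size_t bufsize, uid_t *uid)
{
    struct passwd pw, *result = NULL;
    char *buf = malloc(bufsize);
    int rc;

    if (buf == NULL)
        return ENOMEM;
    rc = getpwnam_r(name, &pw, buf, bufsize, &result);
    if (rc == 0) {
        if (result == NULL)
            rc = ENOENT;       /* call succeeded but no matching entry */
        else
            *uid = pw.pw_uid;  /* copy out before the buffer goes away */
    }
    free(buf);
    return rc;
}

/*
 * Same lookup, but double the buffer while getpwnam_r() reports ERANGE,
 * stopping at a ceiling so a malformed entry cannot drive unbounded
 * allocation. This is the shape a buffer-size-independent mapper takes.
 */
static int lookup_uid_growing(const char *name, size_t initial, uid_t *uid)
{
    const size_t ceiling = (size_t)1 << 20;  /* 1 MiB, far beyond any real entry */
    size_t bufsize = initial ? initial : 128;
    int rc;

    for (;;) {
        rc = lookup_uid(name, bufsize, uid);
        if (rc != ERANGE)
            return rc;
        if (bufsize >= ceiling)
            return ERANGE;
        bufsize *= 2;
    }
}

/* Mirrors the thread's check: try each username given on the command line
 * with the 128-byte buffer gssd used, and say whether that size was enough. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        uid_t uid = 0;
        int rc = lookup_uid(argv[i], 128, &uid);

        if (rc == 0)
            printf("%s: uid %ld (entry fits in 128 bytes)\n", argv[i], (long)uid);
        else if (rc == ERANGE && lookup_uid_growing(argv[i], 128, &uid) == 0)
            printf("%s: uid %ld, but only with a buffer larger than 128 bytes; "
                   "a fixed buf[128] would fail to map this name\n",
                   argv[i], (long)uid);
        else
            printf("%s: lookup failed: %s\n", argv[i], strerror(rc));
    }
    return 0;
}
```

Run it as root on the NFS server with the principals' local usernames as arguments (for example `./a.out root someuser`); a name reported as needing more than 128 bytes is one the unpatched gssd cannot map. The growing variant is the behaviour to prefer in any code that calls getpwnam_r(), since sysconf(_SC_GETPW_R_SIZE_MAX) is only a hint and the real entry length depends on the password database, not on the program.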