From: Rick Macklem
To: Momchil Ivanov
Cc: freebsd-fs@freebsd.org
Date: Wed, 20 Feb 2013 18:10:48 -0500 (EST)
Subject: Re: NFS + Kerberos
Message-ID: <222730394.3167100.1361401848290.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86621m4w0s.wl%momchil@xaxo.eu>
List-Id: Filesystems

Momchil Ivanov wrote:
> At Tue, 19 Feb 2013 21:00:42 -0500 (EST),
> Rick Macklem wrote:
> >
> > Momchil Ivanov wrote:
> > > On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > > > Thanks to Elias's hard work, a bug/fix has just been isolated in
> > > > the Kerberos library that causes the gssd to fail to translate a
> > > > principal to a uid. The fix is to increase the size of the buffer
> > > > passed to getpwnam_r(). See this thread:
> > > > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> > > >
> > > > I haven't run into this bug, so I don't know what systems are
> > > > affected, but it would explain why you can't get it working.
> > > >
> > > > I'd suggest you apply the patch in the email (increase buf to
> > > > 1024) and then try again with libraries built with the patch.
> > >
> > > Do I have to apply the patch to the server only and then rebuild
> > > world, or do I have to do the same on the client too? And do I need
> > > to rebuild heimdal on both machines?
> > >
> > The bug should only affect the server, since the client never
> > translates between principal_name<->uid. (The client does a rather
> > cheesy trick of using the uid to select the correct credential cache
> > file.)
> >
> > > btw, I checked the logs of the kdc and could not see any trace of
> > > the nfs server trying to validate the client's ticket... Frankly, I
> > > don't know what I should expect there, I haven't used kerberos
> > > before, so I have no idea if it's related to the bug. Here is part
> > > of the log:
> > >
> > > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > > No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.LOCAL
> > > sending 407 bytes to IPv4:X.X.X.X
> > > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > > Client sent patypes: encrypted-timestamp
> > > Looking for PKINIT pa-data -- user@EXAMPLE.LOCAL
> > > Looking for ENC-TS pa-data -- user@EXAMPLE.LOCAL
> > > ENC-TS Pre-authentication succeeded -- user@EXAMPLE.LOCAL using des-cbc-crc
> > > Client supported enctypes: des-cbc-crc
> > > Using des-cbc-crc/aes256-cts-hmac-sha1-96
> > > AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime: 2013-02-12T09:45:39 renew till: unset
> > > sending 552 bytes to IPv4:X.X.X.X
> > >
> > Hmm, that sounds like you are never getting as far as sending the
> > ticket to the server, but I'm not at home, so I can't look and see
> > exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
> > might be different.)
> >
> > I've attached a trivial program that you can compile/run as root
> > on the NFS server to see if 128 bytes is a big enough buffer for
> > your setup.
> > If it can print out the uid for the usernames you test as arguments,
> > the patch isn't needed for your environment.
> > (Oh, and it has a typo bug in the errx() arguments, but it works ok
> > for testing.)
> >
> > Good luck with it, rick
>
> Your test program works with a regular user, but fails with root,
> indeed.
>
> I will try the patch. Do I need to rebuild only world or do I have to
> rebuild heimdal too?
>
I would have thought kerberos was rebuilt for make buildworld. If you use
heimdal from somewhere else (ports or their distro), I don't think that
needs to be rebuilt, since I don't think the ..pname_to_uid() function
is a part of a generic heimdal distribution, but I am not sure.

Be sure to change buf[128] --> buf[1024] in both:
kerberos5/lib/libgssapi_krb5/pname_to_uid.c
usr.sbin/gssd/gssd.c
(Or paths close to that. I might not have remembered them quite correctly;-)

rick

> Thank you,
> Momchil
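An added illustration of the getpwnam_r() buffer problem this thread is about. Rick's attached test program is not in the archive, so the code below is my own and is neither that program nor the FreeBSD patch (which simply bumps the fixed buffers in pname_to_uid.c and gssd.c from 128 to 1024 bytes). `fits_in_buffer()` performs the same check Rick's program did: whether a fixed buffer of a given size is enough to resolve a name on this host. `lookup_uid()` goes one step further than the thread does and retries with a doubled buffer whenever getpwnam_r() reports ERANGE, which removes the hidden assumption that any one size is large enough for every passwd/NSS backend. The function names, the 128-byte starting size and the 64 KiB cap are my choices; the code assumes a POSIX libc (FreeBSD or glibc) where getpwnam_r() returns the error number, ERANGE for a too-small buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Starting size deliberately matches the 128-byte buffer the thread found
 * too small; the cap keeps a misbehaving NSS backend from making us
 * allocate without bound. Both values are my choice, not from the patch. */
#define START_BUF_SIZE 128
#define MAX_BUF_SIZE   (64 * 1024)

/* Does a single getpwnam_r() call succeed with a fixed buffer of `size`
 * bytes? This is the check Rick's test program performed. Returns 1 if
 * the user was resolved, 0 on ERANGE (buffer too small) or unknown user. */
int fits_in_buffer(const char *name, size_t size)
{
    struct passwd pw;
    struct passwd *result = NULL;
    char *buf = malloc(size);
    int rc;

    if (buf == NULL)
        return 0;
    rc = getpwnam_r(name, &pw, buf, size, &result);
    free(buf);
    return rc == 0 && result != NULL;
}

/* Translate a user name to a uid, retrying with a doubled buffer whenever
 * getpwnam_r() reports ERANGE instead of hard-coding one size.
 * Returns 0 on success (uid in *uid_out; the buffer size that worked in
 * *size_used when non-NULL), ENOENT for an unknown user, or another errno. */
int lookup_uid(const char *name, uid_t *uid_out, size_t *size_used)
{
    size_t size = START_BUF_SIZE;

    for (;;) {
        struct passwd pw;
        struct passwd *result = NULL;
        char *buf = malloc(size);
        int rc;

        if (buf == NULL)
            return ENOMEM;
        rc = getpwnam_r(name, &pw, buf, size, &result);
        if (rc == ERANGE && size < MAX_BUF_SIZE) {
            free(buf);            /* too small: grow and try again */
            size *= 2;
            continue;
        }
        if (rc == 0 && result == NULL)
            rc = ENOENT;          /* some libcs signal "no such user" this way */
        if (rc == 0)
            *uid_out = result->pw_uid;
        if (size_used != NULL)
            *size_used = size;
        free(buf);
        return rc;
    }
}

/* Usage: ./a.out root someuser ...  (run on the NFS server, as Rick suggests) */
int main(int argc, char **argv)
{
    int i;

    for (i = 1; i < argc; i++) {
        uid_t uid;
        size_t used;
        int rc = lookup_uid(argv[i], &uid, &used);

        if (rc != 0) {
            fprintf(stderr, "%s: %s\n", argv[i], strerror(rc));
            continue;
        }
        printf("%s -> uid %lu (%zu-byte buffer needed; a %d-byte buffer %s)\n",
               argv[i], (unsigned long)uid, used, START_BUF_SIZE,
               fits_in_buffer(argv[i], START_BUF_SIZE) ? "suffices"
                                                        : "is too small");
    }
    return 0;
}
```

A name that resolves only after a retry is exactly the case Momchil hit with root: the fixed 128-byte buffer makes getpwnam_r() fail with ERANGE, and a caller that treats any failure as "unknown user" then rejects a valid principal. Running the program for the same names on the NFS server shows whether the 1024-byte patch is enough for that host's passwd source, or whether an even larger buffer is needed.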