Date: Wed, 20 Feb 2013 20:37:07 +0100
From: Momchil Ivanov <momchil@xaxo.eu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: freebsd-fs@freebsd.org, Momchil Ivanov <momchil@xaxo.eu>
Subject: Re: NFS + Kerberos
Message-ID: <86621m4w0s.wl%momchil@xaxo.eu>
In-Reply-To: <992481316.3137385.1361325642681.JavaMail.root@erie.cs.uoguelph.ca>
References: <86a88ac8bb038ec5d8034724dcf80924.squirrel@webmail.xaxo.eu> <992481316.3137385.1361325642681.JavaMail.root@erie.cs.uoguelph.ca>
At Tue, 19 Feb 2013 21:00:42 -0500 (EST), Rick Macklem wrote:
>
> Momchil Ivanov wrote:
> > On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > > Thanks to Elias's hard work, a bug/fix has just been isolated in the
> > > Kerberos library that causes the gssd to fail to translate a principal
> > > to a uid. The fix is to increase the size of the buffer passed to
> > > getpwnam_r(). See this thread:
> > > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> > >
> > > I haven't run into this bug, so I don't know what systems are affected,
> > > but it would explain why you can't get it working.
> > >
> > > I'd suggest you apply the patch in the email (increase buf to 1024) and
> > > then try again with libraries built with the patch.
> >
> > Do I have to apply the patch to the server only and then rebuild world or
> > do I have to do the same on the client too? And do I need to rebuild
> > heimdal on both machines?
> >
> The bug should only affect the server, since the client never translates
> between principal_name<->uid. (The client does a rather cheezey trick of
> using the uid to select the correct credential cache file.)
>
> > btw, I checked the logs of the kdc and could not see any trace of the nfs
> > server trying to validate the client's ticket... Frankly, I don't know
> > what I should expect there, I haven't used kerberos before, so I have no
> > idea if it's related to the bug.
> > Here is part of the log:
> >
> > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for
> > krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.LOCAL
> > sending 407 bytes to IPv4:X.X.X.X
> > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for
> > krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > Client sent patypes: encrypted-timestamp
> > Looking for PKINIT pa-data -- user@EXAMPLE.LOCAL
> > Looking for ENC-TS pa-data -- user@EXAMPLE.LOCAL
> > ENC-TS Pre-authentication succeeded -- user@EXAMPLE.LOCAL using
> > des-cbc-crc
> > Client supported enctypes: des-cbc-crc
> > Using des-cbc-crc/aes256-cts-hmac-sha1-96
> > AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime:
> > 2013-02-12T09:45:39 renew till: unset
> > sending 552 bytes to IPv4:X.X.X.X
> >
> Hmm, that sounds like you are never getting as far as sending the
> ticket to the server, but I'm not at home, so I can't look and see
> exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
> might be different.)
>
> I've attached a trivial program that you can compile/run as root
> on the NFS server to see if 128 bytes is a big enough buffer for your setup.
> If it can print out the uid for the usernames you test as arguments,
> the patch isn't needed for your environment.
> (Oh, and it has a typo bug in the errx() arguments, but it works ok
> for testing.)
>
> Good luck with it, rick

Your test program works with a regular user, but fails with root, indeed.
I will try the patch. Do I need to rebuild only world or do I have to
rebuild heimdal too?

Thank you,
Momchil
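The thread above is about a fixed-size buffer handed to getpwnam_r() being too small for some password entries, which makes the principal-to-uid translation in gssd fail. Rick's attached test program is not reproduced on the page; the following is an added example, not his program and not FreeBSD or Heimdal code. It starts with the same 128-byte buffer the thread discusses, detects the ERANGE ("buffer too small") result, and retries with a larger buffer instead of assuming any particular fixed size is enough. Run as a command it reports, for each user name given as an argument, the uid and the buffer size that was actually needed, so you can see directly which entries overflow 128 bytes. The size cap and the return-code convention of lookup_uid() are this example's own choices.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Start at the 128 bytes the thread found insufficient for some entries;
 * the lookup loop doubles the buffer on ERANGE up to PW_BUF_MAX. */
#define PW_BUF_INITIAL 128
#define PW_BUF_MAX     (64 * 1024)

/*
 * Translate a user name to a uid with the reentrant getpwnam_r().
 * Returns 0 on success (uid in *uid_out, buffer size that sufficed in
 * *buflen_used), -1 if no such user exists, -2 on any other error.
 */
int lookup_uid(const char *name, uid_t *uid_out, size_t *buflen_used)
{
    size_t buflen = PW_BUF_INITIAL;

    while (buflen <= PW_BUF_MAX) {
        struct passwd pw;
        struct passwd *result = NULL;
        char *buf = malloc(buflen);
        int rc;

        if (buf == NULL)
            return -2;

        /* getpwnam_r() returns an error number directly (0 on success). */
        rc = getpwnam_r(name, &pw, buf, buflen, &result);

        if (rc == 0 && result != NULL) {
            *uid_out = pw.pw_uid;
            if (buflen_used != NULL)
                *buflen_used = buflen;
            free(buf);
            return 0;
        }
        free(buf);

        /* "Not found" is reported as rc == 0 with a NULL result on most
         * systems, or as ENOENT/ESRCH on others. */
        if (rc == 0 || rc == ENOENT || rc == ESRCH)
            return -1;

        if (rc != ERANGE)
            return -2;          /* a real error, not a size problem */

        buflen *= 2;            /* too small: retry with a bigger buffer */
    }
    return -2;                  /* entry larger than PW_BUF_MAX */
}

int main(int argc, char **argv)
{
    int i;

    if (argc < 2) {
        fprintf(stderr, "usage: %s username ...\n", argv[0]);
        return 2;
    }
    for (i = 1; i < argc; i++) {
        uid_t uid;
        size_t used;
        int rc = lookup_uid(argv[i], &uid, &used);

        if (rc == 0)
            printf("%s: uid %lu (needed a %zu-byte buffer; %s)\n",
                   argv[i], (unsigned long)uid, used,
                   used > PW_BUF_INITIAL ? "128 bytes was too small"
                                         : "128 bytes was enough");
        else if (rc == -1)
            printf("%s: no such user\n", argv[i]);
        else
            printf("%s: lookup failed\n", argv[i]);
    }
    return 0;
}
```

The useful signal is the reported buffer size: an entry that needs more than 128 bytes is exactly the case in which a library using a fixed 128-byte scratch buffer would get ERANGE and report the translation as failed, which matches the behaviour described above for root but not for a regular user.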