Date: Fri, 15 Feb 2013 12:42:26 -0500 (EST) From: Benjamin Kaduk <kaduk@MIT.EDU> To: =?ISO-8859-15?Q?Elias_M=E5rtenson?= <lokedhs@gmail.com> Cc: Rick Macklem <rmacklem@uoguelph.ca>, freebsd-current@freebsd.org Subject: Re: Possible bug in NFSv4 with krb5p security? Message-ID: <alpine.GSO.1.10.1302151236120.9389@multics.mit.edu> In-Reply-To: <CADtN0WL%2BWxvsQBE70apKxqKPmfhh40=MqTC_FGKAJD-xBnQimA@mail.gmail.com> References: <CADtN0W%2Bgd_2%2B=vxZQdL61NJAtHqpbE3BAaUp%2BQ9kAd0SXckkqw@mail.gmail.com> <336731055.3000548.1360798935813.JavaMail.root@erie.cs.uoguelph.ca> <CADtN0WL%2BWxvsQBE70apKxqKPmfhh40=MqTC_FGKAJD-xBnQimA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. ---559023410-1646422927-1360950146=:9389 Content-Type: TEXT/PLAIN; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: QUOTED-PRINTABLE On Sat, 16 Feb 2013, Elias M=E5rtenson wrote: > > Thank you. I did exactly that and I found out some more. > > The problem occurss in file gss.c, in the > function gssd_pname_to_uid_1_svc(). This function is responsible for taki= ng > a principal and returning the Unix user ID that this principal correspond= s > to. I did confirm that this function is called with elias@REALM, which is > the correct principal. It then calls the libgssapi function > gss_pname_to_uid() which does the actual lookup. > > The problem is that after the lookup (which succeeds by the way), it > returns user ID 0 (i.e. root, what!?). Of course, this uid later gets > mapped to nobody, resulting in the behaviour that I see. > > I tried to add more debugging information in libgssapi.so.10, but if I ju= st > try to add some printf() statements, the entire thing hangs. I'm not sure > how to proceed from there. > > Oh, and the libgssapi function gss_pname_to_uid() actually delegates the > actual lookup to a function that depends on what security mechanism is in > place. My printf()'s (that caused the hang) attempted to print what > mechanism was actually used. Unless things are very messed up, it should be using the krb5 mechanism,=20 which I believe will boil down to krb5_aname_to_localname, per=20 heimdal/lib/gssapi/krb5/pname_to_uid.c. I'm not sure how this would end=20 up with success but uid 0, though. Do you have the default realm set in krb5.conf? Having it set to a=20 different value than the realm of elias@REALM could result in strange=20 behavior. > And yet one more thing: Heimdal ships with its own version of libgssapi. = I > can link gssd to it, but it won't run properly (it hangs pretty early). I have forgotten: you are using Heimdal from ports, not from the base=20 system? I remember it being easy to get into subtly-broken configurations= =20 when both a ports and a base version are present. -Ben Kaduk ---559023410-1646422927-1360950146=:9389--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.GSO.1.10.1302151236120.9389>