Date:      Tue, 19 Feb 2013 21:00:42 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Momchil Ivanov <momchil@xaxo.eu>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: NFS + Kerberos
Message-ID:  <992481316.3137385.1361325642681.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <86a88ac8bb038ec5d8034724dcf80924.squirrel@webmail.xaxo.eu>


Momchil Ivanov wrote:
> On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > Thanks to Elias's hard work, a bug/fix has just been isolated in the
> > Kerberos library that causes the gssd to fail to translate a
> > principal
> > to a uid. The fix is to increase the size of the buffer passed to
> > getpwnam_r(). See this thread:
> > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> >
> > I haven't run into this bug, so I don't know what systems are
> > affected,
> > but it would explain why you can't get it working.
> >
> > I'd suggest you apply the patch in the email (increase buf to 1024)
> > and
> > then try again with libraries built with the patch.
> 
> Do I have to apply the patch to the server only and then rebuild world
> or
> do I have to do the same on the client too? And do I need to rebuild
> heimdal on both machines?
> 
The bug should only affect the server, since the client never translates
between principal_name<->uid. (The client does a rather cheesy trick of
using the uid to select the correct credential cache file.)

> btw, I checked the logs of the kdc and could not see any trace of the
> nfs
> server trying to validate the client's ticket... Frankly, I don't know
> what I should expect there, I haven't used kerberos before, so I have
> no
> idea if it's related to the bug. Here is part of the log:
> 
> AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for
> krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.LOCAL
> sending 407 bytes to IPv4:X.X.X.X
> AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for
> krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> Client sent patypes: encrypted-timestamp
> Looking for PKINIT pa-data -- user@EXAMPLE.LOCAL
> Looking for ENC-TS pa-data -- user@EXAMPLE.LOCAL
> ENC-TS Pre-authentication succeeded -- user@EXAMPLE.LOCAL using
> des-cbc-crc
> Client supported enctypes: des-cbc-crc
> Using des-cbc-crc/aes256-cts-hmac-sha1-96
> AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime:
> 2013-02-12T09:45:39 renew till: unset
> sending 552 bytes to IPv4:X.X.X.X
> 
Hmm, that sounds like you are never getting as far as sending the
ticket to the server, but I'm not at home, so I can't look and see
exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
might be different.)

I've attached a trivial program that you can compile/run as root
on the NFS server to see if 128 bytes is a big enough buffer for your setup.
If it can print out the uid for the usernames you test as arguments,
the patch isn't needed for your environment.
(Oh, and it has a typo bug in the errx() arguments, but it works ok
 for testing.)

Good luck with it, rick

> Thank you,
> Momchil
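The buffer check Rick describes, written here as an added example for this archive page (it is not his attached program, which is not reproduced): it probes whether a fixed 128-byte getpwnam_r() buffer is enough for a given user, and alongside it shows the ERANGE-driven retry that removes the dependence on a guessed size. The function names are my own; the only values taken from the thread are the 128-byte buffer and the idea of running it as root on the NFS server.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper, not gssd's code: resolve a user name to a uid with
 * a caller-chosen getpwnam_r() buffer (gssd used a fixed 128 bytes).
 * Returns 0 and sets *uid, ERANGE if the buffer is too small, ENOENT if
 * the user does not exist, or another errno value. */
int lookup_uid_fixed(const char *name, size_t bufsize, uid_t *uid)
{
    struct passwd pw, *result = NULL;
    char *buf = malloc(bufsize);
    int rc;
    if (buf == NULL)
        return ENOMEM;
    rc = getpwnam_r(name, &pw, buf, bufsize, &result);
    if (rc == 0 && result == NULL)
        rc = ENOENT;            /* lookup worked, but no such user */
    if (rc == 0)
        *uid = result->pw_uid;
    free(buf);
    return rc;
}
/* Robust variant: on ERANGE retry with a doubled buffer, so a long gecos
 * or home directory field never breaks the principal-to-uid step. */
int lookup_uid(const char *name, uid_t *uid)
{
    for (size_t size = 128; size <= 65536; size *= 2) {
        int rc = lookup_uid_fixed(name, size, uid);
        if (rc != ERANGE)
            return rc;
    }
    return ERANGE;              /* entry larger than 64 KiB: give up */
}
/* Usage: run as root on the NFS server with user names as arguments. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        uid_t uid;
        int rc = lookup_uid_fixed(argv[i], 128, &uid);
        if (rc == 0)
            printf("%s: uid %u fits in 128 bytes\n", argv[i], (unsigned)uid);
        else
            printf("%s: errno %d (ERANGE means 128 bytes is too small)\n",
                   argv[i], rc);
    }
    return 0;
}
```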



