Date:      Tue, 4 Sep 2012 16:50:29 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Herbert Poeckl <freebsdml@ist.tugraz.at>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: Need help with nfsv4 and krb5 access denied
Message-ID:  <235272548.47771.1346791829286.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <5045FD86.7060209@ist.tugraz.at>

Herbert Poeckl wrote:
> On 09/03/2012 09:25 PM, Rick Macklem wrote:
> > Herbert Poeckl wrote:
> >> On 6/25/12 1:21 PM, Herbert Poeckl wrote:
> >>> We are getting access denied error on our debian clients when mounting
> >>> nfsv4 network drives with kerberos 5 authentication.
> >>>
> >>> What is weird about this, is that it works with one server, but not with
> >>> a second server.
> >> [..]
> >>
> >> For the records:
> >>
> >> The problem was fixed in this post:
> >> http://lists.freebsd.org/pipermail/freebsd-fs/2012-August/015047.html
> >>
> > Ok, so are you saying that the patch in Attila's email fixed your
> > problem?
> 
> Yes it does. Sorry I missed your following post to his message.
> 
No problem. In case you haven't seen it yet, it basically sounds like
a Linux client issue from what Attila reports, but changing the code
so that it doesn't invalidate the client's security handle when the
DESTROY fails due to an invalid checksum, seems reasonable.

> 
> > If so, please try the attached patch. (It doesn't set the client security
> > handle stale when DESTROY fails, due to an invalid encrypted checksum. It
> > is similar to his patch, but only for the DESTROY case, which seems to be
> > ok to do from my understanding of the RPCSEC_GSS. It doesn't include the
> > timer changes, which shouldn't affect the outcome from afaik.)
> 
> Just tried your patch, and it fixes the problem too.
> 
Ok, thanks for testing it. If Attila reports that it fixes the problem
for him too, I'll commit it. Glad that we seem to have lucked out and
resolved this, due to Attila's work on it.

> 
> > To consider the client security handle still valid when a data (real RPC
> > in the message) phase entry fails the encrypted checksum seems riskier to
> > do, so I'd like to avoid that in any patch for head.
> >
> > rick
> 
> Kind regards,
> Herbert


