From: "J. Bruce Fields" <bfields@fieldses.org>
To: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
Cc: linux-nfs@vger.kernel.org
Subject: Re: krb5 failures with recent nfs-utils
Date: Thu, 14 Jul 2011 09:16:47 -0400
Message-ID: <20110714131647.GC13000@fieldses.org>
In-Reply-To: <4E1E9725.5020707@desy.de>
On Thu, Jul 14, 2011 at 09:13:41AM +0200, Tigran Mkrtchyan wrote:
> On 07/14/2011 12:59 AM, J. Bruce Fields wrote:
> >On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
> >appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
> >packet just before closing the connection. The client's first operation
> >to the server using the context is rejected because the server's mic
> >verification fails.
> >
> >Has anyone else seen this?
>
> I reported the same issue a couple of weeks ago
>
> http://www.spinics.net/lists/linux-nfs/msg22142.html
I thought it looked familiar....
> I use suse 11.4 x86_64 and can reproduce it with native kernel
> 2.6.37.xxx and 3.0.0-rc5.
>
> To me it looks like the verifier is missing in the rpc packet.
Yes.
> Nevertheless
> the message length is up to the verifier. What I failed to find out is
> whether the message length did not take the verifier into account or the
> verifier is missing in the first place. I was looking at the kernel code,
> but maybe the problem is in gssd. I don't know which part of gss
> handling is in user space and which part is in the kernel.
It's gssd that handles the init_sec_context, and (what I didn't notice
before) you can see that the destroy rpc goes over the same tcp
connection as the init_sec_context exchange.
--b.
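
Added example, not part of the original message and not nfs-utils or kernel code: one way to check a captured RPC-over-TCP call for the missing verifier discussed in this thread, following the RFC 5531 call layout and the RFC 2203 RPCSEC_GSS credential. The packets are constructed samples with placeholder handle and MIC bytes, and the function names are hypothetical.

```python
import struct

RPCSEC_GSS = 6  # auth flavor number from RFC 2203
GSS_PROC = {0: "DATA", 1: "INIT", 2: "CONTINUE_INIT", 3: "DESTROY"}

def read_opaque_auth(buf, off):
    """Read one opaque_auth (flavor, length, padded body); None if truncated."""
    if off + 8 > len(buf):
        return None
    flavor, length = struct.unpack_from(">II", buf, off)
    end = off + 8 + ((length + 3) & ~3)  # XDR pads opaque data to 4 bytes
    if end > len(buf):
        return None
    return flavor, buf[off + 8:off + 8 + length], end

def check_call(record):
    """Parse one record-marked RPC call; report whether a verifier follows the cred."""
    if len(record) < 4:
        raise ValueError("short record")
    frag_len = struct.unpack_from(">I", record)[0] & 0x7FFFFFFF  # drop last-fragment bit
    msg = record[4:4 + frag_len]
    if len(msg) < 24:
        raise ValueError("truncated call header")
    xid, mtype, rpcvers, _prog, _vers, _proc = struct.unpack_from(">6I", msg)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    cred = read_opaque_auth(msg, 24)
    if cred is None:
        raise ValueError("truncated credential")
    flavor, body, off = cred
    gss_proc = None
    if flavor == RPCSEC_GSS and len(body) >= 8:
        gss_proc = GSS_PROC.get(struct.unpack_from(">II", body)[1])
    verf = read_opaque_auth(msg, off)
    return {"xid": xid, "gss_proc": gss_proc, "verifier_present": verf is not None,
            "bytes_after_cred": len(msg) - off}

def build_destroy(with_verifier):
    """Constructed sample: NULL-procedure call carrying RPCSEC_GSS_DESTROY."""
    cred = struct.pack(">5I", 1, 3, 1, 1, 4) + b"\x00\x00\x00\x01"  # ver, proc, seq, svc, handle
    msg = struct.pack(">6I", 0x1234, 0, 2, 100003, 4, 0)
    msg += struct.pack(">II", RPCSEC_GSS, len(cred)) + cred
    if with_verifier:
        msg += struct.pack(">II", RPCSEC_GSS, 28) + b"\xAA" * 28  # placeholder MIC bytes
    return struct.pack(">I", 0x80000000 | len(msg)) + msg

if __name__ == "__main__":
    for flag in (True, False):
        print(check_call(build_destroy(flag)))
```

A record whose fragment length ends right after the credential reports `verifier_present: False` with `bytes_after_cred: 0`, which matches the symptom described above where the message length runs only up to the verifier.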