From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.de>
Cc: Kevin Coffman <kwc@umich.edu>, linux-nfs@vger.kernel.org
Subject: Re: Problems with kerberos auth - possibly against ADS - since nfs-utils-1.2.3
Date: Thu, 18 Aug 2011 12:43:07 -0400 [thread overview]
Message-ID: <20110818164307.GA24533@fieldses.org> (raw)
In-Reply-To: <20110818191906.13a6261f@notabene.brown>
On Thu, Aug 18, 2011 at 07:19:06PM +1000, NeilBrown wrote:
> I think that does exactly describes what we were seeing.
> We ended up working around it by adding
>
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>
> to the client config, and recommending a server upgrade.
>
>
> BTW I've been trying to track down why a successful kerberos negotiation
> sends a corrupted RPCSEC_GSS_DESTROY request just before closing the
> connection.
(No useful comment here, just: thanks! That was driving me crazy, till
it just stopped happening for no apparent reason, before I got a chance
to look any closer...)
--b.
>
> There are two issues here.
> 1/ Why is it trying to send a DESTROY request
> 2/ Why is it corrupted.
>
> It is just as well that it is corrupted else the server would forget the
> session that has just been negotiated.
>
> It is sending a DESTROY request because that is what AUTH_DESTROY called in
> gssd_proc does. But it shouldn't. After a call to
> authgss_get_private_data() the context is owned by someone else so
> AUTH_DESTROY should free the memory, but not DESTROY anything on the server.
>
> I think authgss_get_private_data should clear gd->established or possibly
> gd->gc.gc_ctx.length so there is no attempt to use or destroy the auth internally
> any more.
>
> But why is it corrupted? This is because the internal_ctx_id in the gssglue
> layer has been zeroed by the call to authgss_get_private_data. I couldn't
> easily see in the code where this is happening, but tracing confirms that it
> does. A NULL internal_ctx_id doesn't stop authgss_destroy_context from
> trying to destroy the context, but it does stop it from succeeding.
>
> So I suspect all we need to do to address this is change
> authgss_get_private_data to set gd->gc.gc_ctx.length to zero.
>
> Does that seem reasonable to you?
>
>
> Thanks,
> NeilBrown
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2011-08-18 16:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-03 23:21 Problems with kerberos auth - possibly against ADS - since nfs-utils-1.2.3 NeilBrown
2011-08-04 0:51 ` Kevin Coffman
2011-08-04 1:13 ` NeilBrown
2011-08-04 2:57 ` Kevin Coffman
2011-08-11 5:42 ` NeilBrown
2011-08-11 14:06 ` Kevin Coffman
2011-08-18 9:19 ` NeilBrown
2011-08-18 16:43 ` J. Bruce Fields [this message]
2011-08-23 0:16 ` NeilBrown
2011-08-23 0:41 ` Kevin Coffman
2011-08-23 19:48 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110818164307.GA24533@fieldses.org \
--to=bfields@fieldses.org \
--cc=kwc@umich.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.