Re: krb5 failures with recent nfs-utils

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
Cc: linux-nfs@vger.kernel.org
Subject: Re: krb5 failures with recent nfs-utils
Date: Thu, 14 Jul 2011 09:16:47 -0400	[thread overview]
Message-ID: <20110714131647.GC13000@fieldses.org> (raw)
In-Reply-To: <4E1E9725.5020707@desy.de>

On Thu, Jul 14, 2011 at 09:13:41AM +0200, Tigran Mkrtchyan wrote:
> On 07/14/2011 12:59 AM, J. Bruce Fields wrote:
> >On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
> >appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
> >packet just before closing the connection.  The client's first operation
> >to the server using the context is rejected because the server's mic
> >verification fails.
> >
> >Has anyone else seen this?
> 
> I have reported the same issue couple of weeks ago
> 
> http://www.spinics.net/lists/linux-nfs/msg22142.html

I thought it looked familiar....

> I use suse 11.4 x86_64 and can reproduce it with native kernel
> 2.6.37.xxx and 3.0.0-rc5.
> 
> To me it looks like that in rpc packet missing verifier.

Yes.

> Nevertheless
> the message length is up to verifier. What I failed to find out it
> the message length did not take verifier in the account or verifier
> is missing in the first place. I was looking the the kernel code,
> but may be problem is in gssd. I don't know which part of gss
> handling in user space and which part is in the kernel.

It's gssd that handles the init_sec_context, and (what I didn't notice
before) you can see that the destroy rpc goes over the same tcp
connection as the init_sec_context exchange.

--b.

next prev parent reply	other threads:[~2011-07-14 13:16 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-07-13 22:59 krb5 failures with recent nfs-utils J. Bruce Fields
2011-07-14  7:13 ` Tigran Mkrtchyan
2011-07-14 13:16   ` J. Bruce Fields [this message]
2015-03-20  1:27     ` Naveen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110714131647.GC13000@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=tigran.mkrtchyan@desy.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).