krb5 failures with recent nfs-utils

krb5 failures with recent nfs-utils

[J. Bruce Fields]

On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
packet just before closing the connection.  The client's first operation
to the server using the context is rejected because the server's mic
verification fails.

Has anyone else seen this?

I'll keep investigating.

--b.

Re: krb5 failures with recent nfs-utils

[Tigran Mkrtchyan]

On 07/14/2011 12:59 AM, J. Bruce Fields wrote:
> On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
> appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
> packet just before closing the connection.  The client's first operation
> to the server using the context is rejected because the server's mic
> verification fails.
>
> Has anyone else seen this?

I have reported the same issue couple of weeks ago

http://www.spinics.net/lists/linux-nfs/msg22142.html

I use suse 11.4 x86_64 and can reproduce it with native kernel 
2.6.37.xxx and 3.0.0-rc5.

To me it looks like that in rpc packet missing verifier. Nevertheless
the message length is up to verifier. What I failed to find out it the 
message length did not take verifier in the account or verifier is 
missing in the first place. I was looking the the kernel code, but may 
be problem is in gssd. I don't know which part of gss handling in user 
space and which part is in the kernel.

Tigran.
>
> I'll keep investigating.
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: krb5 failures with recent nfs-utils

[J. Bruce Fields]

On Thu, Jul 14, 2011 at 09:13:41AM +0200, Tigran Mkrtchyan wrote:
> On 07/14/2011 12:59 AM, J. Bruce Fields wrote:
> >On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
> >appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
> >packet just before closing the connection.  The client's first operation
> >to the server using the context is rejected because the server's mic
> >verification fails.
> >
> >Has anyone else seen this?
> 
> I have reported the same issue couple of weeks ago
> 
> http://www.spinics.net/lists/linux-nfs/msg22142.html

I thought it looked familiar....

> I use suse 11.4 x86_64 and can reproduce it with native kernel
> 2.6.37.xxx and 3.0.0-rc5.
> 
> To me it looks like that in rpc packet missing verifier.

Yes.

> Nevertheless
> the message length is up to verifier. What I failed to find out it
> the message length did not take verifier in the account or verifier
> is missing in the first place. I was looking the the kernel code,
> but may be problem is in gssd. I don't know which part of gss
> handling in user space and which part is in the kernel.

It's gssd that handles the init_sec_context, and (what I didn't notice
before) you can see that the destroy rpc goes over the same tcp
connection as the init_sec_context exchange.

--b.

Re: krb5 failures with recent nfs-utils

[Naveen]

I still face this issue in SuSe 11.3 x86_64. 
Don't see any updates in the bug. Any help, tx