From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.de>
Cc: Kevin Coffman <kwc@umich.edu>, linux-nfs@vger.kernel.org
Subject: Re: Problems with kerberos auth - possibly against ADS - since nfs-utils-1.2.3
Date: Thu, 18 Aug 2011 12:43:07 -0400 [thread overview]
Message-ID: <20110818164307.GA24533@fieldses.org> (raw)
In-Reply-To: <20110818191906.13a6261f@notabene.brown>
On Thu, Aug 18, 2011 at 07:19:06PM +1000, NeilBrown wrote:
> I think that does exactly describes what we were seeing.
> We ended up working around it by adding
>
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>
> to the client config, and recommending a server upgrade.
>
>
> BTW I've been trying to track down why a successful kerberos negotiation
> sends a corrupted RPCSEC_GSS_DESTROY request just before closing the
> connection.
(No useful comment here, just: thanks! That was driving me crazy, till
it just stopped happening for no apparent reason, before I got a chance
to look any closer...)
--b.
>
> There are two issues here.
> 1/ Why is it trying to send a DESTROY request
> 2/ Why is it corrupted.
>
> It is just as well that it is corrupted else the server would forget the
> session that has just been negotiated.
>
> It is sending a DESTROY request because that is what AUTH_DESTROY called in
> gssd_proc does. But it shouldn't. After a call to
> authgss_get_private_data() the context is owned by someone else so
> AUTH_DESTROY should free the memory, but not DESTROY anything on the server.
>
> I think authgss_get_private_data should clear gd->established or possibly
> gd->gc.gc_ctx.length so there is no attempt to use or destroy the auth internally
> any more.
>
> But why is it corrupted? This is because the internal_ctx_id in the gssglue
> layer has been zeroed by the call to authgss_get_private_data. I couldn't
> easily see in the code where this is happening, but tracing confirms that it
> does. A NULL internal_ctx_id doesn't stop authgss_destroy_context from
> trying to destroy the context, but it does stop it from succeeding.
>
> So I suspect all we need to do to address this is change
> authgss_get_private_data to set gd->gc.gc_ctx.length to zero.
>
> Does that seem reasonable to you?
>
>
> Thanks,
> NeilBrown
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2011-08-18 16:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-03 23:21 Problems with kerberos auth - possibly against ADS - since nfs-utils-1.2.3 NeilBrown
2011-08-04 0:51 ` Kevin Coffman
2011-08-04 1:13 ` NeilBrown
2011-08-04 2:57 ` Kevin Coffman
2011-08-11 5:42 ` NeilBrown
2011-08-11 14:06 ` Kevin Coffman
2011-08-18 9:19 ` NeilBrown
2011-08-18 16:43 ` J. Bruce Fields [this message]
2011-08-23 0:16 ` NeilBrown
2011-08-23 0:41 ` Kevin Coffman
2011-08-23 19:48 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110818164307.GA24533@fieldses.org \
--to=bfields@fieldses.org \
--cc=kwc@umich.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox