NFS + Kerberos

Rick Macklem rmacklem at uoguelph.ca
Wed Feb 20 02:00:50 UTC 2013


Momchil Ivanov wrote:
> On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > Thanks to Elias's hard work, a bug/fix has just been isolated in the
> > Kerberos library that causes the gssd to fail to translate a
> > principal
> > to a uid. The fix is to increase the size of the buffer passed to
> > getpwnam_r(). See this thread:
> > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> >
> > I haven't run into this bug, so I don't know what systems are
> > affected,
> > but it would explain why you can't get it working.
> >
> > I'd suggest you apply the patch in the email (increase buf to 1024)
> > and
> > then try again with libraries built with the patch.
> 
> Do I have to apply the patch to the server only and then rebuild world
> or
> do I have to do the same on the client too? And do I need to rebuild
> heimdal on both machines?
> 
The bug should only affect the server, since the client never translates
between principal_name<->uid. (The client does a rather cheesy trick of
using the uid to select the correct credential cache file.)

> btw, I checked the logs of the kdc and could not see any trace of the
> nfs
> server trying to validate the client's ticket... Frankly, I don't know
> what I should expect there, I haven't used kerberos before, so I have
> no
> idea if it's related to the bug. Here is part of the log:
> 
> AS-REQ user at EXAMPLE.LOCAL from IPv4:X.X.X.X for
> krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
> No preauth found, returning PREAUTH-REQUIRED -- user at EXAMPLE.LOCAL
> sending 407 bytes to IPv4:X.X.X.X
> AS-REQ user at EXAMPLE.LOCAL from IPv4:X.X.X.X for
> krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
> Client sent patypes: encrypted-timestamp
> Looking for PKINIT pa-data -- user at EXAMPLE.LOCAL
> Looking for ENC-TS pa-data -- user at EXAMPLE.LOCAL
> ENC-TS Pre-authentication succeeded -- user at EXAMPLE.LOCAL using
> des-cbc-crc
> Client supported enctypes: des-cbc-crc
> Using des-cbc-crc/aes256-cts-hmac-sha1-96
> AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime:
> 2013-02-12T09:45:39 renew till: unset
> sending 552 bytes to IPv4:X.X.X.X
> 
Hmm, that sounds like you are never getting as far as sending the
ticket to the server, but I'm not at home, so I can't look and see
exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
might be different.)

I've attached a trivial program that you can compile/run as root
on the NFS server to see if 128 bytes is a big enough buffer for your setup.
If it can print out the uid for the usernames you test as arguments,
the patch isn't needed for your environment.
(Oh, and it has a typo bug in the errx() arguments, but it works ok
 for testing.)

Good luck with it, rick

> Thank you,
> Momchil
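The attachment Rick mentions is not part of the archived message. The following is an added example, not Rick's program, that does the same check: it calls getpwnam_r() with a 128-byte buffer for each username given as an argument and reports ERANGE when that buffer is too small for the passwd entry, which is exactly the failure the gssd patch (buffer increased to 1024) addresses. It also goes one step beyond the thread with a retry-on-ERANGE lookup, the usual robust fix. The sizes, function names and the 64 KiB cap are this example's own choices.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Look up `name` with a caller-chosen buffer size, as gssd's translation
 * of a principal to a uid does. Returns 0 and sets *uid on success,
 * ERANGE if bufsz is too small for the passwd entry, ENOENT if the user
 * does not exist, or another errno value from getpwnam_r(). */
int lookup_uid_with_buf(const char *name, size_t bufsz, uid_t *uid)
{
    struct passwd pw, *result = NULL;
    char *buf = malloc(bufsz);
    if (buf == NULL)
        return ENOMEM;
    int rc = getpwnam_r(name, &pw, buf, bufsz, &result);
    if (rc == 0 && result == NULL)   /* some libcs report "not found" this way */
        rc = ENOENT;
    if (rc == 0)
        *uid = result->pw_uid;
    free(buf);
    return rc;
}

/* Same lookup, returning only the status so the result is easy to test. */
int uid_lookup_status(const char *name, size_t bufsz)
{
    uid_t uid;
    return lookup_uid_with_buf(name, bufsz, &uid);
}

/* The general fix instead of a fixed 1024 bytes: start at 128 and double
 * on ERANGE, capped at 64 KiB (example's own cap). Returns the uid or -1. */
long lookup_uid_growing(const char *name)
{
    uid_t uid;
    for (size_t bufsz = 128; bufsz <= 65536; bufsz *= 2) {
        int rc = lookup_uid_with_buf(name, bufsz, &uid);
        if (rc == 0)
            return (long)uid;
        if (rc != ERANGE)
            return -1;
    }
    return -1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        uid_t uid;
        int rc = lookup_uid_with_buf(argv[i], 128, &uid);
        if (rc == 0)
            printf("%s: uid %u with a 128-byte buffer, patch not needed\n", argv[i], (unsigned)uid);
        else if (rc == ERANGE)
            printf("%s: 128 bytes too small (ERANGE), the 1024-byte patch applies\n", argv[i]);
        else
            printf("%s: lookup failed: %s\n", argv[i], strerror(rc));
    }
    return 0;
}
```

Run it as root on the NFS server with the usernames that map to your NFS principals; ERANGE for any of them means the gssd lookup with the old buffer fails in your environment.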

