NFS + Kerberos

Momchil Ivanov momchil at xaxo.eu
Wed Feb 20 19:37:23 UTC 2013


At Tue, 19 Feb 2013 21:00:42 -0500 (EST),
Rick Macklem wrote:
> 
> Momchil Ivanov wrote:
> > On Tue, February 19, 2013 12:56 am, Rick Macklem wrote:
> > > Thanks to Elias's hard work, a bug/fix has just been isolated in the
> > > Kerberos library that causes the gssd to fail to translate a principal
> > > to a uid. The fix is to increase the size of the buffer passed to
> > > getpwnam_r(). See this thread:
> > > http://docs.FreeBSD.org/cgi/mid.cgi?CADtN0WKVzbKxhaLQw8y2KLhhRJC9n4ht9wyPmGQ+pHqSjQkVNw
> > >
> > > I haven't run into this bug, so I don't know what systems are affected,
> > > but it would explain why you can't get it working.
> > >
> > > I'd suggest you apply the patch in the email (increase buf to 1024) and
> > > then try again with libraries built with the patch.
> > 
> > Do I have to apply the patch to the server only and then rebuild world or
> > do I have to do the same on the client too? And do I need to rebuild
> > heimdal on both machines?
> > 
> The bug should only affect the server, since the client never translates
> between principal_name<->uid. (The client does a rather cheesy trick of
> using the uid to select the correct credential cache file.)
> 
> > btw, I checked the logs of the kdc and could not see any trace of the nfs
> > server trying to validate the client's ticket... Frankly, I don't know
> > what I should expect there, I haven't used kerberos before, so I have no
> > idea if it's related to the bug. Here is part of the log:
> > 
> > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > No preauth found, returning PREAUTH-REQUIRED -- user@EXAMPLE.LOCAL
> > sending 407 bytes to IPv4:X.X.X.X
> > AS-REQ user@EXAMPLE.LOCAL from IPv4:X.X.X.X for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
> > Client sent patypes: encrypted-timestamp
> > Looking for PKINIT pa-data -- user@EXAMPLE.LOCAL
> > Looking for ENC-TS pa-data -- user@EXAMPLE.LOCAL
> > ENC-TS Pre-authentication succeeded -- user@EXAMPLE.LOCAL using des-cbc-crc
> > Client supported enctypes: des-cbc-crc
> > Using des-cbc-crc/aes256-cts-hmac-sha1-96
> > AS-REQ authtime: 2013-02-11T23:45:44 starttime: unset endtime: 2013-02-12T09:45:39 renew till: unset
> > sending 552 bytes to IPv4:X.X.X.X
> > 
> Hmm, that sounds like you are never getting as far as sending the
> ticket to the server, but I'm not at home, so I can't look and see
> exactly what gets logged. (Also, I use a MIT KDC, so what gets logged
> might be different.)
> 
> I've attached a trivial program that you can compile/run as root
> on the NFS server to see if 128 bytes is a big enough buffer for your setup.
> If it can print out the uid for the usernames you test as arguments,
> the patch isn't needed for your environment.
> (Oh, and it has a typo bug in the errx() arguments, but it works ok
>  for testing.)
> 
> Good luck with it, rick

Your test program works with a regular user, but fails with root,
indeed.

I will try the patch. Do I need to rebuild only world or do I have to
rebuild heimdal too?

Thank you,
Momchil
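The buffer-size check Rick describes, written out as an added example for this page: it is not the program he attached to the thread and not FreeBSD's gssd code. It reports whether a single getpwnam_r() call with a fixed 128-byte buffer succeeds for an account (the failure mode behind the gssd bug is getpwnam_r() returning ERANGE), and beside it shows the retry loop that grows the buffer on ERANGE, which is what a daemon should do rather than hard-code 128 or 1024. It assumes only POSIX getpwnam_r(); account names come from the command line and default to root and nobody, which is an assumption, since the thread does not name the regular user that was tested.

```c
/*
 * Added example, not code from the freebsd-fs thread or from FreeBSD's gssd.
 * Checks whether a fixed getpwnam_r() buffer is big enough for an account and
 * shows the ERANGE-aware retry loop that avoids the problem altogether.
 */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for the helpers below. */
enum { PW_FOUND = 1, PW_TOO_SMALL = 0, PW_NOT_FOUND = -1, PW_ERROR = -2 };

/*
 * One getpwnam_r() call with a buffer of exactly 'bufsize' bytes.
 * Returns PW_FOUND (uid stored in *uid_out if non-NULL), PW_TOO_SMALL when
 * the library reports ERANGE (the entry's strings do not fit), PW_NOT_FOUND
 * when the account does not exist, or PW_ERROR for any other failure.
 */
int fits_in_buffer(const char *name, size_t bufsize, uid_t *uid_out)
{
    struct passwd pw, *result = NULL;
    char *buf = malloc(bufsize);
    if (buf == NULL)
        return PW_ERROR;

    int rc = getpwnam_r(name, &pw, buf, bufsize, &result);
    int ret;
    if (rc == 0 && result != NULL) {
        if (uid_out != NULL)
            *uid_out = pw.pw_uid;
        ret = PW_FOUND;
    } else if (rc == 0 || rc == ENOENT || rc == ESRCH) {
        ret = PW_NOT_FOUND;   /* glibc/musl: rc 0 and NULL result; others: errno */
    } else if (rc == ERANGE) {
        ret = PW_TOO_SMALL;   /* buffer too small for this passwd entry */
    } else {
        ret = PW_ERROR;
    }
    free(buf);
    return ret;
}

/*
 * Robust lookup: start at 'initial' bytes (0 means "use the libc hint from
 * sysconf(_SC_GETPW_R_SIZE_MAX), or 1024 if there is none") and double the
 * buffer on ERANGE up to a cap, so no account fails just because its entry
 * is long. Returns PW_FOUND / PW_NOT_FOUND / PW_ERROR.
 */
int lookup_uid(const char *name, size_t initial, uid_t *uid_out)
{
    const size_t cap = (size_t)1 << 20;   /* 1 MiB: far beyond any real entry */
    size_t bufsize = initial;
    if (bufsize == 0) {
        long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
        bufsize = (hint > 0) ? (size_t)hint : 1024;
    }
    for (;;) {
        int ret = fits_in_buffer(name, bufsize, uid_out);
        if (ret != PW_TOO_SMALL)
            return ret;
        if (bufsize >= cap)
            return PW_ERROR;          /* refuse to grow without bound */
        bufsize *= 2;
    }
}

static const char *describe(int code)
{
    switch (code) {
    case PW_FOUND:     return "ok";
    case PW_TOO_SMALL: return "ERANGE (buffer too small)";
    case PW_NOT_FOUND: return "no such user";
    default:           return "error";
    }
}

int main(int argc, char **argv)
{
    /* Default names are an assumption: the thread only says "a regular user" and root. */
    const char *defaults[] = { "root", "nobody" };
    const char **names = argc > 1 ? (const char **)argv + 1 : defaults;
    int count = argc > 1 ? argc - 1 : 2;

    for (int i = 0; i < count; i++) {
        uid_t uid = 0;
        int fixed = fits_in_buffer(names[i], 128, NULL);   /* what the unpatched code does */
        int grown = lookup_uid(names[i], 128, &uid);        /* what it should do */
        printf("%-12s fixed 128-byte buffer: %s; growing lookup: %s",
               names[i], describe(fixed), describe(grown));
        if (grown == PW_FOUND)
            printf(" (uid %ld)", (long)uid);
        putchar('\n');
    }
    return 0;
}
```

Run it as root on the NFS server with the account names that fail to map; a line reporting ERANGE for the fixed buffer but ok for the growing lookup is exactly the condition the patch addresses, and the second column is what a daemon that refuses to depend on entry length should implement.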

