[Bug 235582] rpc_svc_gss / nfsd kernel panic
bugzilla-noreply at freebsd.org
Fri Feb 8 23:17:42 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235582
--- Comment #5 from Rick Macklem <rmacklem at FreeBSD.org> ---
Well, if I understood the comments, that would suggest client->cl_cname is
NULL.
That is weird. I'm not a Kerberos guy, but this says that the server
was able to handle the GSSAPI initialization token (basically a Kerberos
session ticket + some GSSAPI gobbledygook), but the GSSAPI library
doesn't return a principal name for the gss_accept_sec_context() even
though it returns GSS_S_COMPLETE.
What does this mean in Kerberos land? I have no idea.
I can see two ways to handle it.
1 - Consider it a failed authentication.
OR
2 - Map it to "nobody".
Basically that principal name in client->cl_cname is looked up in the
password database and, if it is not found, then the credentials of
"nobody" are used instead of the credentials for the user in the
password database.
--> Since no entry in the password database gets "nobody", it seems
that "no principal name" might get the same treatment?
I think I'll generate a patch for #2 above and attach it to this PR#,
although I have no way to test it.
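
Added example, not part of the comment above and not FreeBSD source code: a user-space C model of the two options discussed, with the NULL check done before the password database lookup. The names map_principal, null_name_policy and sample_db, the sample principals, and the uid used for "nobody" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model; none of these names are FreeBSD kernel APIs. */
#define UID_NOBODY 65534u /* assumed uid for "nobody" */

enum null_name_policy { NULL_NAME_REJECT, NULL_NAME_NOBODY };

struct pw_entry { const char *principal; unsigned uid; };

/* Constructed sample password database. */
static const struct pw_entry sample_db[] = {
    { "alice@EXAMPLE.ORG", 1001 },
    { "bob@EXAMPLE.ORG", 1002 },
};

/*
 * Map a principal name to a uid. Returns 0 and sets *uid on success,
 * -1 when the request is treated as a failed authentication.
 * cname may be NULL: context setup completed but no name was returned.
 */
int map_principal(const char *cname, enum null_name_policy policy,
    unsigned *uid)
{
    size_t i;

    if (cname == NULL) {            /* guard before any dereference */
        if (policy == NULL_NAME_REJECT)
            return -1;              /* option 1: failed authentication */
        *uid = UID_NOBODY;          /* option 2: map to "nobody" */
        return 0;
    }
    for (i = 0; i < sizeof(sample_db) / sizeof(sample_db[0]); i++) {
        if (strcmp(cname, sample_db[i].principal) == 0) {
            *uid = sample_db[i].uid;
            return 0;
        }
    }
    *uid = UID_NOBODY;              /* not in the database: "nobody" */
    return 0;
}

int main(void)
{
    unsigned uid = 0;
    int rc = map_principal(NULL, NULL_NAME_NOBODY, &uid);

    printf("NULL name, option 2: rc=%d uid=%u\n", rc, uid);
    return 0;
}
```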