Bug 1005231

Summary: wrong ad machine name principal search in rpc.gssd
Product: Red Hat Enterprise Linux 6
Reporter: E. de Vries <E.deVries>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED DUPLICATE
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: bugzilla, R.Smits
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-04-28 17:16:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (description, flags):
patch for short hostname (flags: none)
patch nfs-utils 1.2.8 version to only use the short host name to create AD style principal (flags: none)

Description E. de Vries 2013-09-06 13:31:05 UTC
Created attachment 794739 [details]
patch for short hostname

Description of problem:

rpc.gssd is searching for an AD machine name principal with the fully qualified domain name instead of the short name.

log with rpc.gssd -vvv (domain and realm name changed)

Sep  6 10:51:03 kova-01 rpc.gssd[1734]: No key table entry found for KOVA-01.EXAMPLE.COM$@REALM while getting keytab entry for 'KOVA-01.EXAMPLE.COM$@REALM'
Sep  6 10:51:03 kova-01 rpc.gssd[1734]: No key table entry found for root/kova-01.example.com@REALM while getting keytab entry for 'root/kova-01.example.com@REALM'
Sep  6 10:51:03 kova-01 rpc.gssd[1734]: No key table entry found for nfs/kova-01.example.com@REALM while getting keytab entry for 'nfs/kova-01.example.com@REALM'
Sep  6 10:51:03 kova-01 rpc.gssd[1734]: Success getting keytab entry for 'host/kova-01.example.com@REALM'

The search for key table entry KOVA-01.EXAMPLE.COM$@REALM should be KOVA-01$@REALM to get a valid AD machine account name.

Version-Release number of selected component (if applicable):

nfs-utils-1.2.3-36

Additional info:

The code for the generation of the AD machine name principal is found in the nfs-utils-1.2.3-krb5-ad-style.patch in the nfs-utils-1.2.3-36.el6.src.rpm. A minor change in the patchfile solves this problem. You will find a patch for the patchfile as an attachment.

The patch works fine in my case and generates the short machine name without domain.

Regards,
Erik de Vries
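
As an added illustration (not part of the original report and not the code from the attached patch), the following C example derives the principal the report expects, KOVA-01$@REALM, from a hostname that may be fully qualified. The function name ad_machine_principal and its signature are assumptions made for this example; the upper-casing follows the principal shown in the log above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Build an AD-style machine account principal "SHORTNAME$@REALM" from a
 * hostname that may be fully qualified. Hypothetical helper for illustration;
 * it is not the function used in nfs-utils.
 * Returns 0 on success, -1 on bad input or if the result does not fit in out.
 */
int ad_machine_principal(const char *hostname, const char *realm,
                         char *out, size_t outlen)
{
    size_t shortlen, need, i;

    if (!hostname || !realm || !out || realm[0] == '\0')
        return -1;

    /* Keep only the label before the first dot: kova-01.example.com -> kova-01 */
    shortlen = strcspn(hostname, ".");
    if (shortlen == 0)
        return -1;                      /* empty name or leading dot */

    /* short name + '$' + '@' + realm + terminating NUL */
    need = shortlen + 2 + strlen(realm) + 1;
    if (need > outlen)
        return -1;                      /* refuse to truncate a principal */

    /* The log above shows the machine name upper-cased in the lookup */
    for (i = 0; i < shortlen; i++)
        out[i] = (char)toupper((unsigned char)hostname[i]);
    snprintf(out + shortlen, outlen - shortlen, "$@%s", realm);
    return 0;
}

int main(void)
{
    /* Constructed sample input using the names from the log above */
    char princ[256];

    if (ad_machine_principal("kova-01.example.com", "REALM",
                             princ, sizeof(princ)) == 0)
        printf("%s\n", princ);
    return 0;
}
```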

Comment 2 RHEL Program Management 2013-10-14 02:20:37 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 David Mansfield 2013-12-06 15:49:17 UTC
This bug also exists in the latest nfs-utils (nfs-utils-1.2.8-6.0.fc19.x86_64) for Fedora 19, in which the patched patch nfs-utils-1.2.3-krb5-ad-style-short-host.patch has already been integrated. However, the same basic change looks like it would work. Should a separate bug be opened for Fedora?

Comment 4 David Mansfield 2013-12-06 16:20:05 UTC
Created attachment 833678 [details]
patch nfs-utils 1.2.8 version to only use the short host name to create AD style principal

This attachment is the exact same change as the patch against the RHEL 6 version, but against the current Fedora 19 nfs-utils version (nfs-utils-1.2.8-6.0).

I have tested that it "works" for retrieving the correct key from the local keytab in a standard winbind environment where HOST$@REALM.COM is present, but the value returned by "gethostname" is "host.domain.com".

I'm happy to open a separate bug against Fedora if desired.

Comment 5 Steve Dickson 2013-12-10 21:44:35 UTC
(In reply to David Mansfield from comment #4)
> Created attachment 833678 [details]
> patch nfs-utils 1.2.8 version to only use the short host name to create AD
> style principal
> 
> This attachment is the exact same change as the patch against the RHEL 6
> version, but against the current fedora 19 nfs-utils version
> (nfs-utils-1.2.8-6.0).
> 
> I have tested that it "works" for retrieving the correct key from the local
> keytab in a standard winbind environment where HOST$@REALM.COM is present,
> but the value returned by "gethostname" is "host.domain.com".
> 
> I'm happy to open a separate bug against Fedora if desired.
Would you be comfortable sending a patch to the NFS upstream community?

The HOWTO is here:
    https://www.kernel.org/doc/Documentation/SubmittingPatches

And the list address is:
 Linux NFS Mailing list <linux-nfs.org>

I'll be more than willing to help you through the process...

Comment 6 Steve Dickson 2014-04-28 17:16:03 UTC

*** This bug has been marked as a duplicate of bug 1067423 ***

Comment 7 David Mansfield 2014-06-09 13:11:43 UTC
I got a NEEDINFO tickler but I think bugzilla is confused. AFAICT this issue is probably fixed upstream (see dup).