| Summary: | [gssproxy] Unspecified GSS failure occurs when mount with krb5 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | ChunYu Wang <chunwang> | |
| Component: | gssproxy | Assignee: | Robbie Harwood <rharwood> | |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.3 | CC: | chunwang, fs-qe, pasik, rharwood, riehecky, rvdwees, sorlov, tscherf, yoyang | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| URL: | https://pagure.io/gssproxy/pull-request/251 | |||
| Whiteboard: | ||||
| Fixed In Version: | gssproxy-0.7.0-29.el7 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1759665 (view as bug list) | Environment: | ||
| Last Closed: | 2020-09-29 20:08:59 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1759665, 1788833 | |||
My apologies, I'm having trouble understanding this bug report. Please correct me if either of these are incorrect: - Nothing is broken (NFS with krb5 security appears to a user to be functioning correctly) - Warnings are generated in the gssproxy logs Assuming those are both correct: NFS (and many other applications) make calls into GSSAPI that can "fail" in the sense that they return an error code, but this failure code is "expected" in the sense that the application alters its behavior accordingly and keeps going. However, there is no mechanism to tell gssproxy that these calls can fail, so it logs warnings about them as it does on any failed call. (In reply to Robbie Harwood from comment #1) Hi, Robbie, - Nothing is broken, the NFS function based on krb5 are as normal - The warnings could be found at many places, and if I run rpc.gssd -vvvvvvf in other terminal. It just prints some information as this printerr of this function gssd_inotify_clnt(struct topdir *tdi, struct clnt_info *clp, const struct inotify_event *ev) { printerr(5, "inotify event for clntdir (%s) - " "ev->wd (%d) ev->name (%s) ev->mask (0x%08x)\n", clp->relpath, ev->wd, ev->len > 0 ? ev->name : "<?>", ev->mask); ... } I found this information here [http://www.spinics.net/lists/linux-nfs/msg48184.html] Fix verified for RHEL 7.9, compose RHEL-7.9-20200407.0 ipa-server-4.6.8-1.el7.x86_64 Using upstream automated test: test_integration/test_nfs.py::TestNFS::test_prepare_users PASSED [ 25%] test_integration/test_nfs.py::TestNFS::test_krb5_nfsd PASSED [ 50%] test_integration/test_nfs.py::TestNFS::test_krb5_nfs_manual_configuration PASSED [ 75%] test_integration/test_nfs.py::TestNFS::test_automount PASSED [100%] Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (gssproxy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3961 |
Description of problem: When trying to mount an NFS export with kerberos-5 security enabled, the gssproxy returns warning every time but not avoiding the normal functions. The warnings are all like: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found With checking further information, the serial number 1 2 840 113554 1 2 2 is pointing to the mechanism of gss on kerberos. If it is functioning right, there may not appear that kind of warnings. Version-Release number of selected component (if applicable): gssproxy-0.4.1-10.el7.x86_64 nfs-utils-1.3.0-0.33.el7.x86_64 kernel-3.10.0-495.el7.x86_64 RHEL 7.3 Beta (Maipo) How reproducible: 100% Steps to Reproduce: 1. Configure a sever and a client with Kerberos 2. Export a dir from the server and mount it on the client(NFS, sec=krb5) 3. When the mounting process is complete check the /var/log/message there appears a group of Warnings. Actual results: [root@ibm-x3550m4-02 ~]# systemctl restart gssproxy [root@ibm-x3550m4-02 ~]# systemctl status gssproxy -l ● gssproxy.service - GSSAPI Proxy Daemon Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2016-09-06 01:46:36 EDT; 2s ago Process: 28913 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS) Main PID: 28914 (gssproxy) CGroup: /system.slice/gssproxy.service └─28914 /usr/sbin/gssproxy -D Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Starting GSSAPI Proxy Daemon... Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Started GSSAPI Proxy Daemon. [root@ibm-x3550m4-02 ~]# mount -o sec=krb5 $HOSTNAME:/export_test/ /mnt/mnt_test/ [root@ibm-x3550m4-02 ~]# umount /mnt/mnt_test/ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ mount/umount with kerberos [root@ibm-x3550m4-02 ~]# systemctl status gssproxy -l ● gssproxy.service - GSSAPI Proxy Daemon Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2016-09-06 01:46:36 EDT; 17s ago Process: 28913 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS) Main PID: 28914 (gssproxy) CGroup: /system.slice/gssproxy.service └─28914 /usr/sbin/gssproxy -D Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Starting GSSAPI Proxy Daemon... Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Started GSSAPI Proxy Daemon. Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28913]: gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28913]: gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28913]: gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found ^^^^^^^^^^^^^^^^^^^^^^^^^^ the warning looks similar with bug 1266564 comment 2 [root@ibm-x3550m4-02 ~]# journalctl -ab -u rpc-gssd -u gssproxy -o cat Starting GSSAPI Proxy Daemon... Started GSSAPI Proxy Daemon. Starting RPC security service for NFS client and server... Started RPC security service for NFS client and server. rpc-gssd.service: main process exited, code=killed, status=11/SEGV Unit rpc-gssd.service entered failed state. rpc-gssd.service failed. Starting RPC security service for NFS client and server... Started RPC security service for NFS client and server. gssproxy[793]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found mmap: Invalid argument (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found gssproxy[793]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Stopping GSSAPI Proxy Daemon... Starting GSSAPI Proxy Daemon... Started GSSAPI Proxy Daemon. (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found [root@ibm-x3550m4-02 ~]# [root@ibm-x3550m4-02 ~]# rpm -q gssproxy gssproxy-0.4.1-10.el7.x86_64 [root@ibm-x3550m4-02 ~]# rpm -q nfs-utils nfs-utils-1.3.0-0.33.el7.x86_64 [root@ibm-x3550m4-02 ~]# rpm -q kernel kernel-3.10.0-500.el7.x86_64 [root@ibm-x3550m4-02 ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.3 Beta (Maipo) [root@ibm-x3550m4-02 ~]# Expected results: If it is functioning right, there may not appear that kind of warnings. Additional info: For learning the meanings of the OID: { 1 2 840 113554 1 2 2 }, I refer to this page: https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.euvfb00/objid.htm