Bug 1560736

Summary: libtirpc newer than 1.0.2-4 breaks nis because it doesn't use reserved ports
Product: [Fedora] Fedora Reporter: Edgar Hoch <edgar.hoch>
Component: libtirpcAssignee: Steve Dickson <steved>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 27CC: chuck.lever, jlayton, rkudyba, steved
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: libtirpc-1.0.3-1.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-05 23:56:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Edgar Hoch 2018-03-26 21:29:12 UTC
Description of problem:
libtirpc newer that 1.0.2-4 breaks nis because it doesn't use reserved ports.

For example, yppush should use a reserved port, or the port specified with the --port option. We use and need the --port option because we want only open as less ports as neccessary in the firewall (firewalld).

I have tested with lsof and --debug option of ypserv and -v option of yppush.

With libtirpc-1.0.2-4.fc27.x86_64 installed yppush uses the port specified with --port (836 in our case).

With newer versions of libtirpc it uses the specified port to, but only for one connection. It uses another random port in the range 49152 - 65535, then ypserv prints (in debug mode) a message like "Ignored (no reserved port!)".



Version-Release number of selected component (if applicable):
Failed: libtirpc-1.0.3-0.fc27.x86_64
Failed: libtirpc-1.0.2-5.rc2.fc27.x86_64
Works: libtirpc-1.0.2-4.fc27.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Have a working nis environment with a nis master server and (at least) a nis slave server, with libtirpc-1.0.2-4 installed.

2. On nis master server:
Make any changes to nis sources files, or touch them, then run make in /var/yp. This will run yppush.
Or you can run yppush manually (replace template names, have udp port open):
/usr/sbin/yppush -vv --port 836 -d NISDOMAIN -h NISSLAVESERVER ypservers

3. Upgrade to libtirpc-1.0.3-0.
Then repeat step 2.

Actual results:
Step 2: yppush works.
Step 3: yppush waits for answer of nfs slave server, then fails with error because of timeout.

Expected results:
yppush works in step 2 and 3.

Additional info:

I have temporary downgraded libtirpc on our hosts, so it works in the moment. I will try to prevent updates for some time.

Please think about a solution. It should be possible to use reserved ports - may be by an option, a config file, or something other. ypserv also need it not only for yppush, but also for preventing password hashes (shadow.byname, or passwd.adjunct.byname) accessable by ordinary users (security option "port" instead of "none" in /etc/ypserv.conf).

Comment 1 Edgar Hoch 2018-03-26 21:58:19 UTC
Correction: ... newer than ...

Comment 2 Steve Dickson 2018-03-28 17:55:28 UTC
The work around for Fedora 27 is to set xfr_check_port: no in /etc/ypserver.conf

Comment 3 Fedora Update System 2018-03-28 21:32:24 UTC
libtirpc-1.0.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4e2a6c0c93

Comment 4 Fedora Update System 2018-03-29 00:44:58 UTC
libtirpc-1.0.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4e2a6c0c93

Comment 5 RobbieTheK 2018-04-04 19:06:11 UTC
The update fixes it for us.

Comment 6 Edgar Hoch 2018-04-04 20:05:41 UTC
Thanks for providing the update. nis works with it.

Comment 7 Fedora Update System 2018-04-05 23:56:40 UTC
libtirpc-1.0.3-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.