Bug 1273165 - rpc.gssd should not assume that the machine account is in uppercase
Summary: rpc.gssd should not assume that the machine account is in uppercase
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nfs-utils
Version: 23
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1273166
Blocks:
Reported: 2015-10-19 19:43 UTC by Scott Mayhew
Modified: 2019-10-10 10:22 UTC (History)

Fixed In Version: nfs-utils-1.3.3-4.rc1.fc23
Clone Of: 1268040
Environment:
Last Closed: 2015-11-30 21:22:29 UTC
Type: Bug
Embargoed:



Description Scott Mayhew 2015-10-19 19:43:56 UTC
+++ This bug was initially created as a clone of Bug #1268040 +++

Description of problem:

rpc.gssd first looks for an entry of the form <HOSTNAME>$@<DOMAIN>, which corresponds to the Active Directory machine account.  It assumes that <HOSTNAME> will be in uppercase because that's how the entry is created if the machine is joined to the domain using Samba.
    
But that's not necessarily the case if another identity management solution (e.g. Centrify) is used...

Upstream commit f7b42b9e (gssd: select non-conventional principal) allows the hostname used in the search for a keytab entry for the machine account to be overridden.  However, in an environment with a lot of clients it may not be feasible to customize the krb5.conf on each of those clients.

rpc.gssd should first look for an entry that matches the unmodified hostname and then convert it to uppercase and try again only if that failed.

Version-Release number of selected component (if applicable):
nfs-utils-1.3.2-11.fc23

How reproducible:
Easy

Steps to Reproduce:
Run rpc.gssd with -vvv and look at the logs

Actual results:

rpc.gssd searches for the machine account in all caps, for example:

Sep 28 16:40:03 smayhew-fedora rpc.gssd[7305]: Success getting keytab entry for 'SMAYHEW-FEDORA$@EXAMPLE.COM'

Expected results:

rpc.gssd should search for the machine account using the unmodified hostname (whether that be in lower case, mixed case, whatever) first.  Note in my example it fails to find a machine account keytab entry with the hostname in lower case because I don't have one in my keytab... the point is that it did the search:

Oct  1 12:03:52 smayhew-fedora rpc.gssd[24163]: No key table entry found for smayhew-fedora$@EXAMPLE.COM while getting keytab entry for 'smayhew-fedora$@EXAMPLE.COM'
Oct  1 12:03:52 smayhew-fedora rpc.gssd[24163]: Success getting keytab entry for 'SMAYHEW-FEDORA$@EXAMPLE.COM'


Additional info:

The following patch posted to the linux-nfs list addresses this:
http://thread.gmane.org/gmane.linux.nfs/73980
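
The lookup order requested in the description above, as an added example that is not part of the original report and is not rpc.gssd source code. It models the keytab as a constructed in-memory list of principal names; find_machine_principal, keytab_has and the sample keytabs are hypothetical names chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample keytabs (principal names only), not real data. */
static const char *samba_keytab[] = { "SMAYHEW-FEDORA$@EXAMPLE.COM", NULL };
static const char *other_keytab[] = { "smayhew-fedora$@EXAMPLE.COM", NULL };

/* Exact, case-sensitive match, like a keytab lookup by principal name. */
static int keytab_has(const char **kt, const char *princ)
{
    for (; *kt; kt++)
        if (strcmp(*kt, princ) == 0)
            return 1;
    return 0;
}

/* Try "<host>$@<realm>" with the hostname as given, then uppercased.
 * Returns 0 with the match in 'out', or -1 if neither entry exists
 * or a name does not fit its buffer. */
int find_machine_principal(const char **kt, const char *host,
                           const char *realm, char *out, size_t outlen)
{
    char upper[256];
    size_t i, n = strlen(host);
    if (n >= sizeof(upper))
        return -1;
    for (i = 0; i <= n; i++)            /* also copies the NUL */
        upper[i] = (char)toupper((unsigned char)host[i]);
    const char *cand[2] = { host, upper };
    for (i = 0; i < 2; i++) {
        int len = snprintf(out, outlen, "%s$@%s", cand[i], realm);
        if (len < 0 || (size_t)len >= outlen)
            return -1;                  /* never match a truncated name */
        if (keytab_has(kt, out))
            return 0;
    }
    return -1;
}

int main(void)
{
    char p[128];
    const char **kts[] = { samba_keytab, other_keytab };
    for (int i = 0; i < 2; i++)
        if (find_machine_principal(kts[i], "smayhew-fedora", "EXAMPLE.COM", p, sizeof(p)) == 0)
            printf("keytab %d: using %s\n", i, p);
    return 0;
}
```
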

Comment 1 Fedora Update System 2015-11-19 18:11:14 UTC
nfs-utils-1.3.3-4.rc1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-66b96dbd3f

Comment 2 Fedora Update System 2015-11-30 21:22:14 UTC
nfs-utils-1.3.3-4.rc1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

