Bug 1273165 - rpc.gssd should not assume that the machine account is in uppercase
Product: Fedora
Classification: Fedora
Component: nfs-utils
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
Depends On: 1273166
Reported: 2015-10-19 15:43 EDT by Scott Mayhew
Modified: 2016-06-15 03:31 EDT
Fixed In Version: nfs-utils-1.3.3-4.rc1.fc23
Doc Type: Bug Fix
Clone Of: 1268040
Last Closed: 2015-11-30 16:22:29 EST
Type: Bug

Description Scott Mayhew 2015-10-19 15:43:56 EDT
+++ This bug was initially created as a clone of Bug #1268040 +++

Description of problem:

rpc.gssd first looks for an entry of the form <HOSTNAME>$@<DOMAIN>, which corresponds to the Active Directory machine account.  It assumes that <HOSTNAME> will be in uppercase because that's how the entry is created if the machine is joined to the domain using Samba.
But that's not necessarily the case if another identity management solution (e.g. Centrify) is used...

Upstream commit f7b42b9e (gssd: select non-conventional principal) allows the hostname used in the search for a keytab entry for the machine account to be overridden.  However, in an environment with a lot of clients it may not be feasible to customize the krb5.conf on each of those clients.

rpc.gssd should first look for an entry that matches the unmodified hostname and then convert it to uppercase and try again only if that failed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Run rpc.gssd with -vvv and look at the logs

Actual results:

rpc.gssd searches for the machine account in all caps, for example:

Sep 28 16:40:03 smayhew-fedora rpc.gssd[7305]: Success getting keytab entry for 'SMAYHEW-FEDORA$@EXAMPLE.COM'

Expected results:

rpc.gssd should search for the machine account using the unmodified hostname (whether that be in lower case, mixed case, whatever) first.  Note in my example it fails to find a machine account keytab entry with the hostname in lower case because I don't have one in my keytab... the point is that it did the search:

Oct  1 12:03:52 smayhew-fedora rpc.gssd[24163]: No key table entry found for smayhew-fedora$@EXAMPLE.COM while getting keytab entry for 'smayhew-fedora$@EXAMPLE.COM'
Oct  1 12:03:52 smayhew-fedora rpc.gssd[24163]: Success getting keytab entry for 'SMAYHEW-FEDORA$@EXAMPLE.COM'

Additional info:

The following patch posted to the linux-nfs list addresses this:
Comment 1 Fedora Update System 2015-11-19 13:11:14 EST
nfs-utils-1.3.3-4.rc1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-66b96dbd3f
Comment 2 Fedora Update System 2015-11-30 16:22:14 EST
nfs-utils-1.3.3-4.rc1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
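
The lookup order requested in the description, as an added C example that is neither the patch posted to linux-nfs nor nfs-utils code: it builds `<hostname>$@<REALM>` from the unmodified hostname first and retries with the hostname uppercased only if that misses. The string array standing in for the keytab and all function names are assumptions made for illustration, and the sample entry is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "<host>$@<realm>", uppercasing only the host part if upper is set. */
static int machine_princ(const char *host, const char *realm, int upper,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s$@%s", host, realm);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                      /* principal would not fit in out */
    for (size_t i = 0; upper && i < strlen(host); i++)
        out[i] = (char)toupper((unsigned char)out[i]);
    return 0;
}

/* Exact, case-sensitive match against an array standing in for the keytab. */
static int keytab_has(const char *const *kt, size_t n, const char *princ)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(kt[i], princ) == 0)
            return 1;
    return 0;
}

/* Try the hostname as given, then uppercased. Returns the attempt that
 * matched (1 or 2) with the principal in out, or 0 with out emptied. */
int find_machine_princ(const char *host, const char *realm,
                       const char *const *kt, size_t n, char *out, size_t outlen)
{
    for (int upper = 0; upper <= 1; upper++) {
        if (machine_princ(host, realm, upper, out, outlen) != 0)
            break;
        if (keytab_has(kt, n, out))
            return upper + 1;
    }
    if (outlen > 0)
        out[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed keytab entry, uppercase as a Samba join creates it. */
    const char *const kt[] = { "SMAYHEW-FEDORA$@EXAMPLE.COM" };
    char p[256];
    int hit = find_machine_princ("smayhew-fedora", "EXAMPLE.COM", kt, 1, p, sizeof p);
    printf("attempt %d matched '%s'\n", hit, p);
    return 0;
}
```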
