Description of problem:
-----------------------
I have an i/o and management encryption enabled volume. I am not able to mount it on my clients using SMB protocol. Details in comments.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
3.7.9-6

How reproducible:
------------------
Every which way I try.

Steps to Reproduce:
------------------
1. Create a volume, enable SSL.
2. Try mounting via SMB on a linux client.

Actual results:
--------------
Mount fails with I/O error

Expected results:
-----------------
Mount should be successful.

Additional info:
---------------
-
*******************
BEFORE ENABLING SSL
*******************

[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
[root@gqac007 ~]#
[root@gqac007 ~]# mount |grep testvol
//gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol on /gluster-mount type cifs (rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=root,domain=GQAS013,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.79.140,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=1048576,wsize=1048576,actimeo=1)
[root@gqac007 ~]#

From brick logs :

[2016-05-28 11:21:33.086008] I [login.c:81:gf_auth] 0-auth/login: allowed user names: 5d99fc86-a351-45f8-930f-563a1d1d2ba7
[2016-05-28 11:21:33.086056] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqas013.sbu.lab.eng.bos.redhat.com-8371-2016/05/28-11:21:32:993828-testvol-client-0-0-0 (version: 3.7.9)
******************
AFTER ENABLING SSL
******************

[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[root@gqac007 ~]#
[root@gqac007 ~]#

There is no update on brick logs. These are the error messages on vol.log :

#tail -f /var/log/glusterfs/etc-glusterfs-glusterd.vol.log
[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed

smb status shows running :

[root@gqas013 ~]# service smb status
smbd (pid 11989 11988 11980) is running...
[root@gqas013 ~]#
[root@gqas013 ~]#
If I try mounting with FUSE, I am able to mount it. So there's nothing wrong with my setup.

[root@gqac007 ~]# mount -t glusterfs gqas013.sbu.lab.eng.bos.redhat.com:testvol /gluster-mount/
[root@gqac007 ~]#
[root@gqac007 ~]# mount |grep test
gqas013.sbu.lab.eng.bos.redhat.com:testvol on /gluster-mount type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
[root@gqac007 ~]#

From brick logs :

[2016-05-28 11:43:26.628574] I [socket.c:459:ssl_setup_connection] 0-tcp.testvol-server: peer CN = gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629471] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629507] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqac007.sbu.lab.eng.bos.redhat.com-9073-2016/05/28-11:43:26:445012-testvol-client-0-0-0 (version: 3.7.9)

From mount log :

[2016-05-28 11:43:26.551049] I [socket.c:4054:socket_init] 0-testvol-client-16: SSL support on the I/O path is ENABLED
[2016-05-28 11:43:26.551070] I [socket.c:4057:socket_init] 0-testvol-client-16: SSL support for glusterd is ENABLED
[2016-05-28 11:43:26.551080] I [socket.c:4074:socket_init] 0-testvol-client-16: using private polling thread
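Added example (not part of the bug report and not GlusterFS code): a small triage script that groups the E-level lines of a failed TLS handshake in a glusterd log, as in the vol.log excerpt above, and extracts the OpenSSL reason string. The names `tls_failures` and `HINTS` are hypothetical, and the hint text is a general reading of the OpenSSL error, not a root cause stated in this report.

```python
import re
from collections import defaultdict

# Log lines quoted in this report, embedded so the example runs offline.
SAMPLE = """\
[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed
[2016-05-28 11:43:26.629471] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gqac007.sbu.lab.eng.bos.redhat.com
"""

# "[timestamp] LEVEL [optional MSGID] [file:line:function] domain: message"
LINE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\] (?P<lvl>[A-Z]) "
    r"(?:\[MSGID: \d+\] )?\[(?P<src>[^\]]+)\] (?P<dom>\S+): (?P<msg>.*)$")
# OpenSSL error-queue entry: error:<hex code>:<library>:<function>:<reason>
OSSL = re.compile(r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>.+)$")

# Triage hints keyed by OpenSSL reason string (general OpenSSL knowledge,
# an assumption of this example, not a finding from the report).
HINTS = {
    "wrong version number":
        "peer's first bytes were not a TLS record of a supported version, "
        "e.g. a plaintext client connecting to a TLS-enabled socket",
}

def tls_failures(text):
    """Return one dict per (second, log domain) error burst that carries an OpenSSL reason."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m["lvl"] == "E":
            groups[(m["ts"], m["dom"])].append(m)
    events = []
    for (ts, dom), hits in sorted(groups.items()):
        reasons = [o["reason"] for h in hits if (o := OSSL.search(h["msg"]))]
        if not reasons:
            continue  # error burst without an OpenSSL error-stack line
        events.append({"time": ts, "domain": dom, "lines": len(hits),
                       "reasons": reasons,
                       "hints": [HINTS.get(r, "unclassified") for r in reasons]})
    return events

if __name__ == "__main__":
    for event in tls_failures(SAMPLE):
        print(event)
```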
I've asked SMB team whether this is supported or not. Based on that we can take a call.
Were there any avc denials in audit.log? It is possible that the smbd process wasn't allowed to look into /etc/ssl for gluster certificates.
(In reply to Raghavendra Talur from comment #7)
> Were there any avc denials in audit.log. It is possible that smbd process
> wasn't allowed to look into /etc/ssl for gluster certificates.

Raghavendra, selinux was disabled at all times.
Verified that the same problem exists on Ganesha mounts as well. Ganesha mounts fail as well on SSL enabled vols. Changing the bug summary to something more appropriate.
Upstream mainline patches posted for review:
http://review.gluster.org/15072
http://review.gluster.org/15073
Update:
http://review.gluster.org/15072 - Merged in upstream
http://review.gluster.org/15073 - Regression failures in NetBSD. Build scripts on netbsd machines are not up to date, due to which the regression is failing.
http://review.gluster.org/15073 is merged into mainline. Both 15072 & 15073 need to be backported to 3.8 branch.
https://bugzilla.redhat.com/show_bug.cgi?id=1371475
Upstream Master:
http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged
Upstream release-3.8:
http://review.gluster.org/15361 - Post
http://review.gluster.org/15359 - Post
Upstream Master:
http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged
Upstream release-3.8:
http://review.gluster.org/15361 - Merged
http://review.gluster.org/15359 - Merged
As the release 3.8 patches mentioned in comment 26 are now available in rhgs-3.2.0 as part of rebase, moving the bug state to modified.
I am able to mount smb on an SSL enabled setup.

Version
samba-client-4.4.6-4
glusterfs-server-3.8.4-13

Marking it as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0486.html
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days