Bug 1340608 - [RFE] : Support SSL enabled volume via SMB v3 [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: core
Version: 3.1
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.2.0
Assigned To: rjoseph
QA Contact: Vivek Das
Keywords: FutureFeature
Depends On:
Blocks: Gluster-HC-2 1311843 1351503 1351530 1362602 1371650
Reported: 2016-05-28 13:15 EDT by Ambarish
Modified: 2017-03-23 01:33 EDT

See Also:
Fixed In Version: glusterfs-3.8.4-1
Doc Type: Enhancement
Doc Text:
Red Hat Gluster Storage now provides support for Samba to enable Transport Layer Security (SSL) on a management connection between the smbd and glusterd services. Libgfapi now checks for the /var/lib/glusterd/secure-access file before making an RPC connection and enables SSL on the management connection if the file is present.
Story Points: ---
Clone Of:
: 1362602 1371475
Environment:
Last Closed: 2017-03-23 01:33:13 EDT
Type: Bug
lbailey: needinfo? (rjoseph)




External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2017:0486
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update
Last Updated: 2017-03-23 05:18:45 EDT

Description Ambarish 2016-05-28 13:15:08 EDT
Description of problem:
-----------------------

I have an I/O and management encryption enabled volume. I am not able to mount it on my clients using SMB protocol.
Details in comments.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------

3.7.9-6

How reproducible:
------------------

Every which way I try.

Steps to Reproduce:
------------------

1. Create a volume, enable SSL.

2. Try mounting via SMB on a linux client.

Actual results:
--------------

Mount fails with I/O error


Expected results:
-----------------

Mount should be successful.

Additional info:
---------------
-
Comment 2 Ambarish 2016-05-28 13:17:12 EDT
*******************
BEFORE ENABLING SSL
*******************

[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
[root@gqac007 ~]# 


[root@gqac007 ~]# mount |grep testvol
//gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol on /gluster-mount type cifs (rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=root,domain=GQAS013,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.79.140,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=1048576,wsize=1048576,actimeo=1)
[root@gqac007 ~]# 

From brick logs :

[2016-05-28 11:21:33.086008] I [login.c:81:gf_auth] 0-auth/login: allowed user names: 5d99fc86-a351-45f8-930f-563a1d1d2ba7
[2016-05-28 11:21:33.086056] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqas013.sbu.lab.eng.bos.redhat.com-8371-2016/05/28-11:21:32:993828-testvol-client-0-0-0 (version: 3.7.9)
Comment 3 Ambarish 2016-05-28 13:19:03 EDT
******************
AFTER ENABLING SSL
******************

[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[root@gqac007 ~]# 
[root@gqac007 ~]# 

There is no update on brick logs.

These are the error messages on vol.log :

#tail -f /var/log/glusterfs/etc-glusterfs-glusterd.vol.log 

[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management:   error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed


smb status shows running :

[root@gqas013 ~]# service smb status
smbd (pid 11989 11988 11980) is running...
[root@gqas013 ~]# 
[root@gqas013 ~]#
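
Added example (not part of the bug report and not Gluster project code): a small parser for the glusterd log format quoted in comment 3 that flags handshakes on 0-socket.management failing with "wrong version number", which OpenSSL typically reports when the peer sent bytes that are not a TLS record. That fits the Doc Text's account of libgfapi not yet enabling SSL on the management connection. The sample lines are copied from comment 3; the function names and the result layout are hypothetical.

```python
import os
import re

# Sample input: the three glusterd.vol.log lines quoted in comment 3.
SAMPLE_LOG = """\
[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management:   error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed
"""

# Layout: [timestamp] LEVEL [optional MSGID] [file:line:function] domain: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z])\s+"
    r"(?:\[MSGID: \d+\]\s+)?"
    r"\[(?P<src>[^:\]]+):(?P<line>\d+):(?P<func>[^\]]+)\]\s+"
    r"(?P<domain>\S+):\s*(?P<msg>.*)$"
)

def parse(text):
    """Yield one dict per well-formed gluster log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()

def plaintext_on_tls_mgmt(text):
    """Timestamps of management-socket handshakes rejected as non-TLS."""
    return [
        rec["ts"] for rec in parse(text)
        if rec["level"] == "E"
        and rec["domain"] == "0-socket.management"
        and rec["func"] == "ssl_dump_error_stack"
        and "wrong version number" in rec["msg"]
    ]

def triage(text, secure_access="/var/lib/glusterd/secure-access"):
    """Combine the log signature with the presence of the secure-access file."""
    hits = plaintext_on_tls_mgmt(text)
    tls_on = os.path.exists(secure_access)
    return {
        "mgmt_tls_enabled": tls_on,
        "plaintext_client_handshakes": hits,
        # Both true: some client still connects to glusterd without TLS.
        "client_ignores_secure_access": tls_on and bool(hits),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
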
Comment 4 Ambarish 2016-05-28 13:20:53 EDT
If I try mounting with FUSE, I am able to mount it. So there's nothing wrong with my setup.

[root@gqac007 ~]# mount -t glusterfs gqas013.sbu.lab.eng.bos.redhat.com:testvol /gluster-mount/ 
[root@gqac007 ~]# 
[root@gqac007 ~]# mount |grep test
gqas013.sbu.lab.eng.bos.redhat.com:testvol on /gluster-mount type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
[root@gqac007 ~]# 

From brick logs :

[2016-05-28 11:43:26.628574] I [socket.c:459:ssl_setup_connection] 0-tcp.testvol-server: peer CN = gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629471] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629507] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqac007.sbu.lab.eng.bos.redhat.com-9073-2016/05/28-11:43:26:445012-testvol-client-0-0-0 (version: 3.7.9)


From mount log :

[2016-05-28 11:43:26.551049] I [socket.c:4054:socket_init] 0-testvol-client-16: SSL support on the I/O path is ENABLED
[2016-05-28 11:43:26.551070] I [socket.c:4057:socket_init] 0-testvol-client-16: SSL support for glusterd is ENABLED
[2016-05-28 11:43:26.551080] I [socket.c:4074:socket_init] 0-testvol-client-16: using private polling thread
Comment 6 Atin Mukherjee 2016-05-30 00:48:23 EDT
I've asked SMB team whether this is supported or not. Based on that we can take a call.
Comment 7 Raghavendra Talur 2016-05-30 02:40:46 EDT
Were there any AVC denials in audit.log? It is possible that the smbd process wasn't allowed to look into /etc/ssl for gluster certificates.
Comment 8 Ambarish 2016-05-30 03:20:32 EDT
(In reply to Raghavendra Talur from comment #7)
> Were there any AVC denials in audit.log? It is possible that smbd process
> wasn't allowed to look into /etc/ssl for gluster certificates.

Raghavendra,

SELinux was disabled at all times.
Comment 15 Ambarish 2016-06-16 12:24:33 EDT
Verified that the same problem occurs on Ganesha mounts as well.
Ganesha mounts fail as well on SSL enabled vols.
Changing the bug summary to something more appropriate.
Comment 17 Atin Mukherjee 2016-08-09 00:21:45 EDT
Upstream mainline patches posted for review:

http://review.gluster.org/15072
http://review.gluster.org/15073
Comment 19 rjoseph 2016-08-23 07:10:46 EDT
Update:

http://review.gluster.org/15072 - Merged in upstream
http://review.gluster.org/15073 - Regression failures in NetBSD. Build scripts on NetBSD machines are not up to date, due to which the regression is failing.
Comment 20 Atin Mukherjee 2016-08-30 01:57:32 EDT
http://review.gluster.org/15073 is merged into mainline.

Both 15072 & 15073 need to be backported to 3.8 branch.
Comment 25 rjoseph 2016-08-30 13:40:56 EDT
Upstream Master: 

http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged

Upstream release-3.8:
http://review.gluster.org/15361 - Post
http://review.gluster.org/15359 - Post
Comment 26 rjoseph 2016-08-31 18:33:58 EDT
Upstream Master: 

http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged

Upstream release-3.8:
http://review.gluster.org/15361 - Merged
http://review.gluster.org/15359 - Merged
Comment 27 Atin Mukherjee 2016-09-17 07:29:50 EDT
As the release 3.8 patches mentioned in comment 26 are now available in rhgs-3.2.0 as part of rebase, moving the bug state to modified.
Comment 31 Vivek Das 2017-02-07 00:37:09 EST
I am able to mount SMB on an SSL enabled setup.

Version
samba-client-4.4.6-4
glusterfs-server-3.8.4-13

Marking it as verified
Comment 34 errata-xmlrpc 2017-03-23 01:33:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html
