Bug 1340608 - [RFE] : Support SSL enabled volume via SMB v3 [NEEDINFO]
Summary: [RFE] : Support SSL enabled volume via SMB v3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: core
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.2.0
Assignee: rjoseph
QA Contact: Vivek Das
URL:
Whiteboard:
Depends On:
Blocks: Gluster-HC-2 1311843 1351503 1351530 1362602 1371650
Reported: 2016-05-28 17:15 UTC by Ambarish
Modified: 2017-03-23 05:33 UTC
11 users

Fixed In Version: glusterfs-3.8.4-1
Doc Type: Enhancement
Doc Text:
Red Hat Gluster Storage now provides support for Samba to enable Transport Layer Security (SSL) on a management connection between the smbd and glusterd services. Libgfapi now checks for the /var/lib/glusterd/secure-access file before making an RPC connection and enables SSL on the management connection if the file is present.
Clone Of:
: 1362602 1371475 (view as bug list)
Environment:
Last Closed: 2017-03-23 05:33:13 UTC
lbailey: needinfo? (rjoseph)




Links
System: Red Hat Product Errata
ID: RHSA-2017:0486
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update
Last Updated: 2017-03-23 09:18:45 UTC

Description Ambarish 2016-05-28 17:15:08 UTC
Description of problem:
-----------------------

I have an I/O and management encryption enabled volume. I am not able to mount it on my clients using the SMB protocol.
Details in comments.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------

3.7.9-6

How reproducible:
------------------

Every which way I try.

Steps to Reproduce:
------------------

1. Create a volume, enable SSL.

2. Try mounting via SMB on a Linux client.

Actual results:
--------------

Mount fails with I/O error.


Expected results:
-----------------

Mount should be successful.

Additional info:
---------------
-

Comment 2 Ambarish 2016-05-28 17:17:12 UTC
*******************
BEFORE ENABLING SSL
*******************

[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
[root@gqac007 ~]# 


[root@gqac007 ~]# mount |grep testvol
//gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol on /gluster-mount type cifs (rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=root,domain=GQAS013,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.79.140,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=1048576,wsize=1048576,actimeo=1)
[root@gqac007 ~]# 

From brick logs :

[2016-05-28 11:21:33.086008] I [login.c:81:gf_auth] 0-auth/login: allowed user names: 5d99fc86-a351-45f8-930f-563a1d1d2ba7
[2016-05-28 11:21:33.086056] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqas013.sbu.lab.eng.bos.redhat.com-8371-2016/05/28-11:21:32:993828-testvol-client-0-0-0 (version: 3.7.9)

Comment 3 Ambarish 2016-05-28 17:19:03 UTC
******************
AFTER ENABLING SSL
******************

[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[root@gqac007 ~]# 
[root@gqac007 ~]# 

There is no update on brick logs.

These are the error messages on vol.log :

#tail -f /var/log/glusterfs/etc-glusterfs-glusterd.vol.log 

[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management:   error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed


smb status shows running :

[root@gqas013 ~]# service smb status
smbd (pid 11989 11988 11980) is running...
[root@gqas013 ~]# 
[root@gqas013 ~]#
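
An added diagnostic helper, not part of this bug report or of glusterfs/Samba: it parses log lines in the glusterfs format shown above and flags the management-socket pattern from comment 3, where "wrong version number" from SSL3_GET_RECORD on a TLS-enabled glusterd means the peer (here libgfapi inside smbd) sent plaintext RPC instead of starting TLS. The sample lines are constructed copies of excerpts in this report; the line regex is an assumption derived from those excerpts.

```python
import re
from typing import Dict, Optional

# glusterfs log line layout as seen in this report's excerpts (assumed):
# [timestamp] LEVEL [MSGID: n]? [file.c:line:function] domain: message
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\] "
    r"(?P<level>[TDIWEC]) "
    r"(?:\[MSGID: (?P<msgid>\d+)\] )?"
    r"\[(?P<src>[^\]]+)\] "
    r"(?P<domain>\S+): (?P<msg>.*)$"
)

# Constructed sample: the glusterd vol.log errors from comment 3 plus one
# client-side socket_init line of the kind shown in comment 4.
SAMPLE_LOG = """\
[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management:   error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed
[2016-05-28 11:43:26.551070] I [socket.c:4057:socket_init] 0-testvol-client-16: SSL support for glusterd is ENABLED
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one glusterfs log line into its fields; None if it is not a log line."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None
    fields = m.groupdict()
    fields["msg"] = fields["msg"].strip()   # error-stack lines carry leading spaces
    return fields

def diagnose(text: str) -> Dict[str, object]:
    """Summarise management-connection TLS state from glusterd/brick log text.

    'wrong version number' on a *.management socket: the peer sent a non-TLS
    record to a glusterd that expects TLS, i.e. the client side never enabled
    SSL for the management connection (the symptom in this bug).
    """
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    mgmt_errors = [e for e in entries
                   if e["level"] == "E" and e["domain"].endswith(".management")]
    plaintext_peer = any("wrong version number" in e["msg"] for e in mgmt_errors)
    return {
        "parsed": len(entries),
        "management_ssl_errors": len(mgmt_errors),
        "peer_without_mgmt_ssl": plaintext_peer,
        "client_reports_mgmt_ssl": any(
            "SSL support for glusterd is ENABLED" in e["msg"] for e in entries),
    }
```

Run `diagnose(SAMPLE_LOG)` against a pasted glusterd.vol.log excerpt; `peer_without_mgmt_ssl` being true while the client never logs "SSL support for glusterd is ENABLED" points at a client that lacks the secure-access handling described in the Doc Text.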

Comment 4 Ambarish 2016-05-28 17:20:53 UTC
If I try mounting with FUSE, I am able to mount it. So there's nothing wrong with my setup.

[root@gqac007 ~]# mount -t glusterfs gqas013.sbu.lab.eng.bos.redhat.com:testvol /gluster-mount/ 
[root@gqac007 ~]# 
[root@gqac007 ~]# mount |grep test
gqas013.sbu.lab.eng.bos.redhat.com:testvol on /gluster-mount type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
[root@gqac007 ~]# 

From brick logs :

[2016-05-28 11:43:26.628574] I [socket.c:459:ssl_setup_connection] 0-tcp.testvol-server: peer CN = gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629471] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629507] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqac007.sbu.lab.eng.bos.redhat.com-9073-2016/05/28-11:43:26:445012-testvol-client-0-0-0 (version: 3.7.9)


From mount log :

[2016-05-28 11:43:26.551049] I [socket.c:4054:socket_init] 0-testvol-client-16: SSL support on the I/O path is ENABLED
[2016-05-28 11:43:26.551070] I [socket.c:4057:socket_init] 0-testvol-client-16: SSL support for glusterd is ENABLED
[2016-05-28 11:43:26.551080] I [socket.c:4074:socket_init] 0-testvol-client-16: using private polling thread

Comment 6 Atin Mukherjee 2016-05-30 04:48:23 UTC
I've asked SMB team whether this is supported or not. Based on that we can take a call.

Comment 7 Raghavendra Talur 2016-05-30 06:40:46 UTC
Were there any AVC denials in audit.log? It is possible that the smbd process wasn't allowed to look into /etc/ssl for gluster certificates.

Comment 8 Ambarish 2016-05-30 07:20:32 UTC
(In reply to Raghavendra Talur from comment #7)
> Were there any avc denials in audit.log. It is possible that smbd process
> wasn't allowed to look into /etc/ssl for gluster certificates.

Raghavendra,

SELinux was disabled at all times.

Comment 15 Ambarish 2016-06-16 16:24:33 UTC
Verified that the same problem occurs on Ganesha mounts as well.
Ganesha mounts fail as well on SSL enabled vols.
Changing the bug summary to something more appropriate.

Comment 17 Atin Mukherjee 2016-08-09 04:21:45 UTC
Upstream mainline patches posted for review:

http://review.gluster.org/15072
http://review.gluster.org/15073

Comment 19 rjoseph 2016-08-23 11:10:46 UTC
Update:

http://review.gluster.org/15072 - Merged in upstream
http://review.gluster.org/15073 - Regression failures in NetBSD. Build scripts on NetBSD machines are not up to date, due to which the regression is failing.

Comment 20 Atin Mukherjee 2016-08-30 05:57:32 UTC
http://review.gluster.org/15073 is merged into mainline.

Both 15072 & 15073 need to be backported to 3.8 branch.

Comment 25 rjoseph 2016-08-30 17:40:56 UTC
Upstream Master: 

http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged

Upstream release-3.8:
http://review.gluster.org/15361 - Post
http://review.gluster.org/15359 - Post

Comment 26 rjoseph 2016-08-31 22:33:58 UTC
Upstream Master: 

http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged

Upstream release-3.8:
http://review.gluster.org/15361 - Merged
http://review.gluster.org/15359 - Merged

Comment 27 Atin Mukherjee 2016-09-17 11:29:50 UTC
As the release 3.8 patches mentioned in comment 26 are now available in rhgs-3.2.0 as part of rebase, moving the bug state to modified.

Comment 31 Vivek Das 2017-02-07 05:37:09 UTC
I am able to mount smb on a SSL enabled setup.

Version
samba-client-4.4.6-4
glusterfs-server-3.8.4-13

Marking it as verified.

Comment 34 errata-xmlrpc 2017-03-23 05:33:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0486.html
