Bug 1386759 - nfs-utils requires a fix to support NFS/RDMA mounts with Kerberos (krb5)
Summary: nfs-utils requires a fix to support NFS/RDMA mounts with Kerberos (krb5)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nfs-utils
Version: 7.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-19 15:10 UTC by Chuck Lever
Modified: 2017-08-01 19:48 UTC (History)
4 users (show)

Fixed In Version: nfs-utils-1.3.0-0.36.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 19:48:51 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2233 0 normal SHIPPED_LIVE nfs-utils bug fix and enhancement update 2017-08-01 18:19:33 UTC

Description Chuck Lever 2016-10-19 15:10:20 UTC 
Description of problem:
When mounting an NFS/RDMA server with a Kerberos security flavor, the mount command fails. gssd emits this warning to /var/log/messages:

Oct 19 10:57:44 oracle-102 rpc.gssd[31880]: WARNING: unrecognized protocol, 'rdma', requested for connection to server oracle-ib-101.nfsv4bat.org for user with uid 0

gssd packaged with RHEL 7 is missing upstream commit 959efe8fe0f5.

Version-Release number of selected component (if applicable):
RHEL 7.2

How reproducible:
100%

Steps to Reproduce:

Configure client and server with krb5.conf and krb5.keytab, enable secure NFS on both sides.

Actual results:

[root@oracle-102 ~]# mount -v -o vers=3,rdma,port=20049,sec=krb5 oracle-ib-101:/export/tmp /mnt/oracle-ib-101
mount.nfs: timeout set for Wed Oct 19 10:59:44 2016
mount.nfs: trying text-based options 'vers=3,rdma,port=20049,sec=krb5,addr=10.0.0.101'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting oracle-ib-101:/export/tmp

Expected results:
The mount should succeed.

Additional info:

This commit is required to support NFS/RDMA mounts with all flavors of Kerberos.
Comment 2 Steve Dickson 2016-10-19 17:06:42 UTC 
Needed commit

commit 1ee2184248251ff44ae1ba557f12151cb8cf93ff
Author: Chuck Lever <chuck.lever>
Date:   Mon Nov 2 08:47:41 2015 -0500

    gssd: Make TCP the default protocol for GSSD connections.
    
    No failure case if gssd doesn't recognize the kernel's requested
    protocol. Caught with "protocol=rdma" upcall.
    
    Signed-off-by: Chuck Lever <chuck.lever>
    Signed-off-by: Steve Dickson <steved>
Comment 4 Sachin Prabhu 2017-02-28 19:13:55 UTC 
Steve, 

We also need the upstream commit 959efe8fe0f5cf8882b6401efddf02cba033cb32

gssd: Convert 'rdma' to 'tcp' protocol

Sachin Prabhu
Comment 9 Yongcheng Yang 2017-03-30 03:09:54 UTC 
Moving to VERIFIED according to the test logs Comment #8, thanks Jianhong for the help.

Will include this case as regression tests in the future.
Comment 10 errata-xmlrpc 2017-08-01 19:48:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2233
Note You need to log in before you can comment on or make changes to this bug.