Bug 1560736 - libtirpc newer than 1.0.2-4 breaks nis because it doesn't use reserved ports
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libtirpc
Version: 27
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-03-26 21:29 UTC by Edgar Hoch
Modified: 2018-04-05 23:56 UTC (History)

Fixed In Version: libtirpc-1.0.3-1.fc27
Last Closed: 2018-04-05 23:56:40 UTC
Type: Bug

Description Edgar Hoch 2018-03-26 21:29:12 UTC
Description of problem:
libtirpc newer that 1.0.2-4 breaks nis because it doesn't use reserved ports.

For example, yppush should use a reserved port, or the port specified with the --port option. We use and need the --port option because we want to open only as few ports as necessary in the firewall (firewalld).

I have tested with lsof and --debug option of ypserv and -v option of yppush.

With libtirpc-1.0.2-4.fc27.x86_64 installed yppush uses the port specified with --port (836 in our case).

With newer versions of libtirpc it uses the specified port too, but only for one connection. It uses another random port in the range 49152 - 65535, then ypserv prints (in debug mode) a message like "Ignored (no reserved port!)".



Version-Release number of selected component (if applicable):
Failed: libtirpc-1.0.3-0.fc27.x86_64
Failed: libtirpc-1.0.2-5.rc2.fc27.x86_64
Works: libtirpc-1.0.2-4.fc27.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Have a working nis environment with a nis master server and (at least) a nis slave server, with libtirpc-1.0.2-4 installed.

2. On nis master server:
Make any changes to nis source files, or touch them, then run make in /var/yp. This will run yppush.
Or you can run yppush manually (replace template names, have udp port open):
/usr/sbin/yppush -vv --port 836 -d NISDOMAIN -h NISSLAVESERVER ypservers

3. Upgrade to libtirpc-1.0.3-0.
Then repeat step 2.

Actual results:
Step 2: yppush works.
Step 3: yppush waits for an answer from the nfs slave server, then fails with an error because of a timeout.

Expected results:
yppush works in step 2 and 3.

Additional info:

I have temporarily downgraded libtirpc on our hosts, so it works at the moment. I will try to prevent updates for some time.

Please think about a solution. It should be possible to use reserved ports - maybe by an option, a config file, or something else. ypserv also needs it, not only for yppush, but also for preventing password hashes (shadow.byname or passwd.adjunct.byname) from being accessible by ordinary users (security option "port" instead of "none" in /etc/ypserv.conf).
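
Added example, not part of the original report and not code from ypserv or libtirpc: a minimal C sketch of the kind of source-port check behind the "Ignored (no reserved port!)" message described above. The function names and the loopback request are constructed for illustration; the only assumption is that "reserved" means a UDP source port below 1024.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>
#define RESERVED_LIMIT 1024 /* ports below this need root to bind */

/* 1 if the request came from a privileged source port, else 0. */
int from_reserved_port(const struct sockaddr_in *peer) {
    return ntohs(peer->sin_port) < RESERVED_LIMIT;
}

/* UDP socket on 127.0.0.1 with a kernel-chosen (ephemeral) port. */
static int udp_loopback(struct sockaddr_in *addr) {
    socklen_t len = sizeof *addr;
    struct timeval tmo = {2, 0}; /* never block forever in recvfrom */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof tmo);
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Verdict for a constructed unprivileged sender: 1 accepted, 0 ignored, -1 socket error. */
int verdict_for_ephemeral_sender(void) {
    struct sockaddr_in srv_addr, cli_addr, peer;
    socklen_t plen = sizeof peer;
    char buf[8];
    int verdict = -1, srv = udp_loopback(&srv_addr), cli = udp_loopback(&cli_addr);
    if (srv >= 0 && cli >= 0 &&
        sendto(cli, "xfr", 3, 0, (struct sockaddr *)&srv_addr, sizeof srv_addr) == 3 &&
        recvfrom(srv, buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen) == 3)
        verdict = from_reserved_port(&peer);
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return verdict;
}
int main(void) {
    puts(verdict_for_ephemeral_sender() == 1 ? "accepted" : "ignored (no reserved port)");
    return 0;
}
```

A sender bound to port 836, as in the report, would pass this check; one that falls back to the 49152 - 65535 range does not.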

Comment 1 Edgar Hoch 2018-03-26 21:58:19 UTC
Correction: ... newer than ...

Comment 2 Steve Dickson 2018-03-28 17:55:28 UTC
The workaround for Fedora 27 is to set xfr_check_port: no in /etc/ypserver.conf

Comment 3 Fedora Update System 2018-03-28 21:32:24 UTC
libtirpc-1.0.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4e2a6c0c93

Comment 4 Fedora Update System 2018-03-29 00:44:58 UTC
libtirpc-1.0.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4e2a6c0c93

Comment 5 RobbieTheK 2018-04-04 19:06:11 UTC
The update fixes it for us.

Comment 6 Edgar Hoch 2018-04-04 20:05:41 UTC
Thanks for providing the update. nis works with it.

Comment 7 Fedora Update System 2018-04-05 23:56:40 UTC
libtirpc-1.0.3-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

