Description of problem:
Telnet/rsh/rlogin SSO failed due to the following problem. The current version of rpc.gssd that is shipped with RHEL 5.1 (as part of the nfs-utils package) is different from nfs-utils-1.0.11, as described by Kevin Coffman:

"The latest versions of rpc.gssd look at file ownership rather than the name. (It does narrow the field by looking for "krb5cc_*", then looking at file ownership.) This change went into nfs-utils-1.0.11. Unfortunately, gssd has no access to the user's environment variables and cannot use that to determine the credentials cache file to use when creating a context. K.C."

Version-Release number of selected component (if applicable):
nfs-utils-1.0.9-24.el5

How reproducible:
Run rpc.gssd with the -vvv option. Then try to perform SSO using telnet/rsh/rlogin and look at the log to see how rpc.gssd is acting.

Steps to Reproduce:
1. telnet/rsh/rlogin from a Linux RHEL 5.1 client to another Linux RHEL 5.1 client machine using the following command, when having a forwardable krb5 ticket:
   /usr/kerberos/bin/telnet/rsh/rlogin -F -l <USERNAME> <HOSTNAME>

Actual results:
rpc.gssd looks at file names

Expected results:
rpc.gssd looks at file ownership

Additional info:

"grep nfs /proc/mounts" output:
  nfs4 ro,sync,vers=4,rsize=65536,wsize=65536,acregmin=0,acregmax=0,acdirmin=0,acdirmax=0,hard,intr,noac,proto=tcp,timeo=600,retrans=3,sec=sys, 0 0

NFS local mount:
  rw,mtime,atime,quota=userquota;groupquota;filesetquota,dev=<DEVICE>

Note: Linux NFS client is mounting via an automounter.

Output of nfsstat:
  calls      retrans    authrefrsh
  600        0          0

  Client nfs v4:
  null        read        write       commit      open        open_conf
  0        0% 4        0% 0        0% 0        0% 10       1% 2        0%
  open_noat   open_dgrd   close       setattr     fsinfo      renew
  0        0% 0        0% 4        0% 0        0% 6        1% 0        0%
  setclntid   confirm     lock        lockt       locku       access
  2        0% 4        0% 0        0% 0        0% 0        0% 159     26%
  getattr     lookup      lookup_root remove      rename      link
  329     55% 52       8% 3        0% 0        0% 0        0% 0        0%
  symlink     create      pathconf    statfs      readlink    readdir
  0        0% 0        0% 3        0% 6        1% 2        0% 3        0%
  server_caps delegreturn
  9        1% 0        0%

Output from "rpcinfo -p" on the server machine and client:
     program vers proto   port
      100000    2   tcp    111  portmapper
      100000    2   udp    111  portmapper
      100011    1   udp    753  rquotad
      100011    2   udp    753  rquotad
      100011    1   tcp    756  rquotad
      100011    2   tcp    756  rquotad
      100003    2   udp   2049  nfs
      100003    3   udp   2049  nfs
      100003    4   udp   2049  nfs
      100021    1   udp  32768  nlockmgr
      100021    3   udp  32768  nlockmgr
      100021    4   udp  32768  nlockmgr
      100003    2   tcp   2049  nfs
      100003    3   tcp   2049  nfs
      100003    4   tcp   2049  nfs
      100021    1   tcp  57623  nlockmgr
      100021    3   tcp  57623  nlockmgr
      100021    4   tcp  57623  nlockmgr
      100005    1   udp    786  mountd
      100005    1   tcp    789  mountd
      100005    2   udp    786  mountd
      100005    2   tcp    789  mountd
      100005    3   udp    786  mountd
      100005    3   tcp    789  mountd
  1073741824    1   tcp  34353

Output from "ps -ef | grep rpc" on the server and client:
  rpc       2143     1  0 Feb07 ?        00:00:00 portmap
  root      2188     1  0 Feb07 ?        00:00:00 rpc.idmapd
  root      2221     1  0 Feb07 ?        00:00:00 rpc.gssd -vvv
  root      2691     1  0 Feb07 ?        00:00:00 rpc.svcgssd
  root      2696     1  0 Feb07 ?        00:00:00 rpc.rquotad
  root      2718    11  0 Feb07 ?        00:00:00 [rpciod/0]
  root      2719    11  0 Feb07 ?        00:00:00 [rpciod/1]
  root      2730     1  0 Feb07 ?        00:00:00 rpc.mountd
  root     11619 11534  0 20:01 pts/1    00:00:00 grep rpc
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Created attachment 317087
Proposed upstream patch

commit d4b2b6b90b927d10dba2967be85379f5b46ff231
Author: Kevin Coffman <kwc.edu>
Date:   Thu Feb 8 17:27:35 2007 -0500

    Use owner rather than filename format in choosing cred cache files

    Signed-off-by: Glenn Machin <gmachin>
    Signed-off-by: Kevin Coffman <kwc.edu>

    Some installations use different name formats for their credentials
    caches. Instead of checking that the uid is part of the name, just
    make sure that uid is the owner of the file.

    This is a modification of the original patch from Glenn.

    Signed-off-by: Neil Brown <neilb>
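The ownership-based selection described in the commit message above, as an added example (not the nfs-utils code and not the attached patch): the hypothetical find_ccache_by_owner() narrows candidates by the "krb5cc_" prefix, then accepts only a regular file owned by the requested uid. Using lstat() and preferring the newest match are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#define CC_PREFIX "krb5cc_"   /* name prefix quoted in the report */

/* Hypothetical helper: find the credentials cache in `dir` owned by `uid`.
 * Returns 0 and fills `out` on success, -1 if no candidate qualifies. */
int find_ccache_by_owner(const char *dir, uid_t uid, char *out, size_t outlen)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    struct stat st;
    char path[PATH_MAX];
    time_t best = 0;
    int found = -1;

    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        /* Narrow the field by prefix only; the uid need not be in the name. */
        if (strncmp(de->d_name, CC_PREFIX, strlen(CC_PREFIX)) != 0)
            continue;
        if (snprintf(path, sizeof(path), "%s/%s", dir, de->d_name)
                >= (int)sizeof(path))
            continue;
        /* lstat, not stat: a symlink in a shared directory must not
         * redirect the lookup to a file owned by someone else. */
        if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (st.st_uid != uid)            /* ownership is the deciding check */
            continue;
        /* Assumption: if one user owns several caches, take the newest. */
        if (found == 0 && st.st_mtime <= best)
            continue;
        if (strlen(path) >= outlen)
            continue;
        strcpy(out, path);
        best = st.st_mtime;
        found = 0;
    }
    closedir(d);
    return found;
}
```

A cache named without the uid, for example krb5cc_alice_Zx81Qp (a constructed name), is found by this lookup, while a name-format match on the numeric uid would skip it.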
Fixed in nfs-utils-1.0.9-36
Partners, this bug should be fixed in the latest RHEL 5.3 Snapshot. We believe that you have some interest in its correct functionality, so we're making a friendly request to send us some testing feedback. If you have a chance to test it, please share with us your findings. If you have successfully VERIFIED the fix, please add PartnerVerified to the Bugzilla keywords, along with a description of the results. Thanks!
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0107.html