Bug 433751 - rpc.gssd looks at file names rather than file ownership
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nfs-utils
Version: 5.1
Hardware: All, OS: Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Steve Dickson
Reported: 2008-02-21 04:09 EST by Ido Levy
Modified: 2009-06-19 22:23 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:01:45 EST

Attachments:
Proposed upstream patch (4.22 KB, patch), 2008-09-18 10:50 EDT, Steve Dickson

Description Ido Levy 2008-02-21 04:09:10 EST
Description of problem:

Telnet/rsh/rlogin SSO failed due to the following problem.

The current version of rpc.gssd that is shipped with RHEL 5.1 (as part of
the nfs-utils package) is different from nfs-utils-1.0.11 as described by
Kevin Coffman:

"The latest versions of rpc.gssd look at file ownership rather than the
name.  (It does narrow the field by looking for "krb5cc_*", then
looking at file ownership.)  This change went into nfs-utils-1.0.11.

Unfortunately, gssd has no access to the user's environment variables
and cannot use that to determine the credentials cache file to use
when creating a context.

K.C."


Version-Release number of selected component (if applicable):
nfs-utils-1.0.9-24.el5

How reproducible:

Run rpc.gssd with the -vvv option.
Then try to perform SSO using telnet/rsh/rlogin and look at the log to see how
rpc.gssd is acting.

Steps to Reproduce:
1. telnet/rsh/rlogin from a Linux RHEL 5.1 client to another Linux RHEL 5.1
client machine using the following command: /usr/kerberos/bin/telnet/rsh/rlogin
-F -l <USERNAME> <HOSTNAME>, when having a forwardable krb5 ticket

Actual results:

rpc.gssd looks at file names

Expected results:

rpc.gssd looks at file ownership


Additional info:

"grep nfs /proc/mounts" output:
  nfs4
ro,sync,vers=4,rsize=65536,wsize=65536,acregmin=0,acregmax=0,acdirmin=0,acdirmax=0,hard,intr,noac,proto=tcp,timeo=600,retrans=3,sec=sys,
0 0

NFS local mount: 
rw,mtime,atime,quota=userquota;groupquota;filesetquota,dev=<DEVICE>

-Note: Linux NFS client is mounting via an automounter.

Output of nfsstat:
calls      retrans    authrefrsh
600        0          0

Client nfs v4:
null         read         write        commit       open         open_conf
0         0% 4         0% 0         0% 0         0% 10        1% 2         0%
open_noat    open_dgrd    close        setattr      fsinfo       renew
0         0% 0         0% 4         0% 0         0% 6         1% 0         0%
setclntid    confirm      lock         lockt        locku        access
2         0% 4         0% 0         0% 0         0% 0         0% 159      26%
getattr      lookup       lookup_root  remove       rename       link
329      55% 52        8% 3         0% 0         0% 0         0% 0         0%
symlink      create       pathconf     statfs       readlink     readdir
0         0% 0         0% 3         0% 6         1% 2         0% 3         0%
server_caps  delegreturn
9         1% 0         0%


Output from "rpcinfo -p" on the server machine and client:

 program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    753  rquotad
    100011    2   udp    753  rquotad
    100011    1   tcp    756  rquotad
    100011    2   tcp    756  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  57623  nlockmgr
    100021    3   tcp  57623  nlockmgr
    100021    4   tcp  57623  nlockmgr
    100005    1   udp    786  mountd
    100005    1   tcp    789  mountd
    100005    2   udp    786  mountd
    100005    2   tcp    789  mountd
    100005    3   udp    786  mountd
    100005    3   tcp    789  mountd
1073741824    1   tcp  34353

Output from "ps -ef | grep rpc" on the server and client:

rpc       2143     1  0 Feb07 ?        00:00:00 portmap
root      2188     1  0 Feb07 ?        00:00:00 rpc.idmapd
root      2221     1  0 Feb07 ?        00:00:00 rpc.gssd -vvv
root      2691     1  0 Feb07 ?        00:00:00 rpc.svcgssd
root      2696     1  0 Feb07 ?        00:00:00 rpc.rquotad
root      2718    11  0 Feb07 ?        00:00:00 [rpciod/0]
root      2719    11  0 Feb07 ?        00:00:00 [rpciod/1]
root      2730     1  0 Feb07 ?        00:00:00 rpc.mountd
root     11619 11534  0 20:01 pts/1    00:00:00 grep rpc
Comment 1 RHEL Product and Program Management 2008-06-02 16:17:41 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Steve Dickson 2008-09-18 10:50:50 EDT
Created attachment 317087
Proposed upstream patch

commit d4b2b6b90b927d10dba2967be85379f5b46ff231
Author: Kevin Coffman <kwc@citi.umich.edu>
Date:   Thu Feb 8 17:27:35 2007 -0500

    Use owner rather than filename format in choosing cred cache files
    
    Signed-off-by: Glenn Machin <gmachin@sandia.gov>
    Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
    
    Some installations use different name formats for their credentials
    caches.  Instead of checking that the uid is part of the name, just
    make sure that uid is the owner of the file.
    This is a modification of the original patch from Glenn.
    Signed-off-by: Neil Brown <neilb@suse.de>
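
The selection change described in the commit message above, as an added C example (not the nfs-utils patch and not code from this bug report): it compares name-based and owner-based matching of credential cache files on a constructed directory. The function names, the exact-match form of the old name check, the lstat()/S_ISREG() test and the sample file names are assumptions of this example.

```c
/* Added illustration, not nfs-utils source; function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define CC_PREFIX "krb5cc_"

/* Name-based selection, simplified to the exact form "krb5cc_<uid>". */
static int match_by_name(const char *name, uid_t uid) {
    char want[64];
    snprintf(want, sizeof(want), CC_PREFIX "%lu", (unsigned long)uid);
    return strcmp(name, want) == 0;
}
/* Owner-based selection: the prefix narrows the field, st_uid decides.
 * lstat() + S_ISREG() (an assumption of this sketch) skip symlinks. */
static int match_by_owner(const char *dir, const char *name, uid_t uid) {
    char path[4096];
    struct stat st;
    if (strncmp(name, CC_PREFIX, strlen(CC_PREFIX)) != 0) return 0;
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == uid;
}
/* Number of cache candidates for uid in dir, or -1 if dir is unreadable. */
int count_ccaches(const char *dir, uid_t uid, int by_owner) {
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        n += by_owner ? match_by_owner(dir, e->d_name, uid)
                      : match_by_name(e->d_name, uid);
    closedir(d);
    return n;
}
/* Constructed sample, both files owned by the caller: a cache with a
 * site-specific name and a file merely named after uid+1. */
int demo(int by_owner, unsigned delta) {
    char dir[] = "/tmp/ccdemoXXXXXX", a[64], b[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof(a), "%s/" CC_PREFIX "p4242", dir);
    snprintf(b, sizeof(b), "%s/" CC_PREFIX "%lu", dir, (unsigned long)getuid() + 1);
    close(open(a, O_CREAT | O_WRONLY, 0600));
    close(open(b, O_CREAT | O_WRONLY, 0600));
    int n = count_ccaches(dir, getuid() + delta, by_owner);
    unlink(a); unlink(b); rmdir(dir);
    return n;
}
```

With name matching, the caller's own cache is missed because its name does not carry the uid, while a file that only carries another uid in its name is accepted for that uid; with owner matching both results are reversed.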
Comment 4 Steve Dickson 2008-09-18 11:07:44 EDT
Fixed in nfs-utils-1.0.9-36
Comment 6 Chris Ward 2008-11-28 02:12:57 EST
Partners, this bug should be fixed in the latest RHEL 5.3 Snapshot. We believe that you have some interest in its correct functionality, so we're making a friendly request to send us some testing feedback. 

If you have a chance to test it, please share with us your findings. If you have successfully VERIFIED the fix, please add PartnerVerified to the Bugzilla keywords, along with a description of the results. Thanks!
Comment 8 errata-xmlrpc 2009-01-20 16:01:45 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0107.html
