Bug 613682 - Unable to get Kerberos tickets from an AD to work with RHEL 6 beta
Unable to get Kerberos tickets from an AD to work with RHEL 6 beta
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libtirpc (Show other bugs)
6.0
All Linux
high Severity high
: rc
: ---
Assigned To: Steve Dickson
Karel Volný
: Regression
: 619792 621238 629304 643528 (view as bug list)
Depends On:
Blocks: 625051 629304
  Show dependency treegraph
 
Reported: 2010-07-12 11:01 EDT by Sachin Prabhu
Modified: 2010-11-28 14:36 EST (History)
15 users (show)

See Also:
Fixed In Version: libtirpc-0.2.1-1.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 629304 (view as bug list)
Environment:
Last Closed: 2010-11-10 16:04:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Wireshark Dump of kernel protocal error between RHEL6 and an AD (3.79 KB, application/octet-stream)
2010-07-29 17:23 EDT, Steve Dickson
no flags Details
Complete wireshark trace between a RHEL6 client and a RHEL6 server using the AD as the KDC (16.39 KB, application/octet-stream)
2010-07-30 13:25 EDT, Steve Dickson
no flags Details
Complete wireshark trace between a RHEL5 and a RHEL6 server using the AD as the KDC (11.46 KB, application/octet-stream)
2010-07-30 13:26 EDT, Steve Dickson
no flags Details

  None (edit)
Description Sachin Prabhu 2010-07-12 11:01:53 EDT
We have a report of a user unable to get kerberos authentication working on RHEL 6 beta. This was working fine on RHEL 5.

The user has the setting allow_weak_crypto enabled in krb5.conf during testing. The NFS server was a Netapp Server which also servers to other RHEL 5 clients on the same network. 

The tcpdump shows that each call to NULL which initialises the authentication mechanism is a malformed packet.
Comment 8 J. Bruce Fields 2010-07-16 11:30:35 EDT
Possibly same problem as that reported here?:

http://marc.info/?l=linux-nfs&m=127791326101175&w=2

(Unfortunately, no solution there.)
Comment 11 J. Bruce Fields 2010-07-29 13:51:52 EDT
"The tcpdump shows that each call to NULL which initialises the authentication
mechanism is a malformed packet."

Yes, the NULL init_sec_context rpc call has a partial argument--the length field is there, but not the following contents.  The length is 0x545 == 1349, which is probably larger than we're used to seeing.  Hm.

Even if the original source of the problem is some misconfiguration, we should be catching the problem rather than sending a corrupt packet.
Comment 12 Steve Dickson 2010-07-29 17:17:45 EDT
But I don't this is cause of this failure.... since I've seen this malformed
packets on system were the mount worked... I could be wrong... but I'm
thinking that malformed packet is a red herring...
Comment 13 Steve Dickson 2010-07-29 17:23:48 EDT
Created attachment 435409 [details]
Wireshark Dump of kernel protocal error between RHEL6 and an AD

This attachment show that the AD is basically failing every
single request the RHEL box sends... its not a pretty sight
Comment 17 Nalin Dahyabhai 2010-07-29 18:18:54 EDT
(In reply to comment #11)
> "The tcpdump shows that each call to NULL which initialises the authentication
> mechanism is a malformed packet."
> 
> Yes, the NULL init_sec_context rpc call has a partial argument--the length
> field is there, but not the following contents.  The length is 0x545 == 1349,
> which is probably larger than we're used to seeing.  Hm.

I think you're onto something here.  Ticket sizes from an AD server tend to be larger than those we get from Unix KDCs because an AD server defaults to including authorization data that Unix KDCs don't.  Steve's traffic log shows an initial response-too-big error reply when the AS-REP was sent over UDP, which has historically been triggered by this (it wasn't worked-around at the krb5 level, by retrying KDC requests over TCP, until krb5 1.3.x).
Comment 18 Steve Dickson 2010-07-30 06:05:13 EDT
Interesting... when gssd is compile without linking in 
libtirpc (--disable-tirpc) the malformed NULL disappears,
as least using a Linux (RHEL5) KDC....
Comment 19 Jeff Layton 2010-07-30 07:25:42 EDT
Looking at the capture. The thing wireshark seems to be complaining about is that there is an extra 4 bytes at the end of the NULL call packet. The earlier NULL calls that aren't malformed don't have any bytes after the verifier.

I also suspect that the malformed packet is a red herring. It's certainly a bug and probably one in libtirpc, but it's hard to imagine that the server would just drop it on the floor due to that. I may be wrong though.
Comment 20 Jeff Layton 2010-07-30 07:35:10 EDT
Ahh sorry, didn't see Bruce's response in comment 11. Yeah, there does seem to be another problem there too.

Does the libtirpc you're testing have this patch?

commit 599511589ca7ddb3b2eac8d3aa5b0b38be7a7691
Author: Jeff Layton <jlayton@redhat.com>
Date:   Fri Mar 5 14:27:13 2010 -0500

    libtirpc: allow larger ticket sizes with RPCSEC_GSS

...that's definitely one you'll want if you're working with AD tickets.
Comment 21 J. Bruce Fields 2010-07-30 09:43:07 EDT
Yep, great Jeff, I'd be almost positive that's the fix.

Note the init_sec_context NULL differs from the earlier NULLs in that it should actually have a payload--the payload contains the important cryptographic content--so the extra 4 bytes without the following opaque data is a real problem.
Comment 22 Steve Dickson 2010-07-30 10:39:35 EDT
Ok its verified.... the 
 
http://people.redhat.com/steved/.tmp/libtirpc-0.2.1-1.bz613682.el6.x86_64.rpm

does in deed take care of the null... that's the good news..
The bad is I have been using that version of libtirpc 
in my test bed when trying to get a ticket from the AD...
Comment 23 Steve Dickson 2010-07-30 13:25:02 EDT
Created attachment 435607 [details]
Complete wireshark trace between a RHEL6 client and a RHEL6 server using the AD as the KDC
Comment 24 Steve Dickson 2010-07-30 13:26:03 EDT
Created attachment 435608 [details]
Complete wireshark trace between a RHEL5 and a RHEL6 server using the AD as the KDC
Comment 26 Steve Dickson 2010-07-30 15:04:51 EDT
*** Bug 619792 has been marked as a duplicate of this bug. ***
Comment 29 Nalin Dahyabhai 2010-08-04 13:02:56 EDT
*** Bug 621238 has been marked as a duplicate of this bug. ***
Comment 38 Karel Volný 2010-09-01 11:05:43 EDT
all I can say is that the libtirpc patch is in place, but I cannot verify due
to bug #629304 ...

however, there are reports that it works for other people, see comment #25 and
the duplicate bugs
Comment 39 releng-rhel@redhat.com 2010-11-10 16:04:47 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
Comment 40 J. Bruce Fields 2010-11-23 16:01:42 EST
*** Bug 643528 has been marked as a duplicate of this bug. ***
Comment 41 Steve Dickson 2010-11-28 14:36:23 EST
*** Bug 629304 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.