613682 – Unable to get Kerberos tickets from an AD to work with RHEL 6 beta

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 613682 - Unable to get Kerberos tickets from an AD to work with RHEL 6 beta

Summary: Unable to get Kerberos tickets from an AD to work with RHEL 6 beta

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	libtirpc
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Dickson
QA Contact:	Karel Volný
Docs Contact:
URL:
Whiteboard:
Duplicates (4):	619792 621238 629304 643528 (view as bug list)
Depends On:
Blocks:	625051 629304
TreeView+	depends on / blocked

Reported:	2010-07-12 15:01 UTC by Sachin Prabhu
Modified:	2018-10-27 12:48 UTC (History)
CC List:	15 users (show)
Fixed In Version:	libtirpc-0.2.1-1.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	629304 (view as bug list)
Environment:
Last Closed:	2010-11-10 21:04:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Wireshark Dump of kernel protocal error between RHEL6 and an AD (3.79 KB, application/octet-stream) 2010-07-29 21:23 UTC, Steve Dickson	no flags	Details
Complete wireshark trace between a RHEL6 client and a RHEL6 server using the AD as the KDC (16.39 KB, application/octet-stream) 2010-07-30 17:25 UTC, Steve Dickson	no flags	Details
Complete wireshark trace between a RHEL5 and a RHEL6 server using the AD as the KDC (11.46 KB, application/octet-stream) 2010-07-30 17:26 UTC, Steve Dickson	no flags	Details
View All

Description Sachin Prabhu 2010-07-12 15:01:53 UTC

We have a report of a user unable to get kerberos authentication working on RHEL 6 beta. This was working fine on RHEL 5.

The user has the setting allow_weak_crypto enabled in krb5.conf during testing. The NFS server was a Netapp Server which also servers to other RHEL 5 clients on the same network. 

The tcpdump shows that each call to NULL which initialises the authentication mechanism is a malformed packet.

Comment 8 J. Bruce Fields 2010-07-16 15:30:35 UTC

Possibly same problem as that reported here?:

http://marc.info/?l=linux-nfs&m=127791326101175&w=2

(Unfortunately, no solution there.)

Comment 11 J. Bruce Fields 2010-07-29 17:51:52 UTC

"The tcpdump shows that each call to NULL which initialises the authentication
mechanism is a malformed packet."

Yes, the NULL init_sec_context rpc call has a partial argument--the length field is there, but not the following contents.  The length is 0x545 == 1349, which is probably larger than we're used to seeing.  Hm.

Even if the original source of the problem is some misconfiguration, we should be catching the problem rather than sending a corrupt packet.

Comment 12 Steve Dickson 2010-07-29 21:17:45 UTC

But I don't this is cause of this failure.... since I've seen this malformed
packets on system were the mount worked... I could be wrong... but I'm
thinking that malformed packet is a red herring...

Comment 13 Steve Dickson 2010-07-29 21:23:48 UTC

Created attachment 435409 [details]
Wireshark Dump of kernel protocal error between RHEL6 and an AD

This attachment show that the AD is basically failing every
single request the RHEL box sends... its not a pretty sight

Comment 17 Nalin Dahyabhai 2010-07-29 22:18:54 UTC

(In reply to comment #11)
> "The tcpdump shows that each call to NULL which initialises the authentication
> mechanism is a malformed packet."
> 
> Yes, the NULL init_sec_context rpc call has a partial argument--the length
> field is there, but not the following contents.  The length is 0x545 == 1349,
> which is probably larger than we're used to seeing.  Hm.

I think you're onto something here.  Ticket sizes from an AD server tend to be larger than those we get from Unix KDCs because an AD server defaults to including authorization data that Unix KDCs don't.  Steve's traffic log shows an initial response-too-big error reply when the AS-REP was sent over UDP, which has historically been triggered by this (it wasn't worked-around at the krb5 level, by retrying KDC requests over TCP, until krb5 1.3.x).

Comment 18 Steve Dickson 2010-07-30 10:05:13 UTC

Interesting... when gssd is compile without linking in 
libtirpc (--disable-tirpc) the malformed NULL disappears,
as least using a Linux (RHEL5) KDC....

Comment 19 Jeff Layton 2010-07-30 11:25:42 UTC

Looking at the capture. The thing wireshark seems to be complaining about is that there is an extra 4 bytes at the end of the NULL call packet. The earlier NULL calls that aren't malformed don't have any bytes after the verifier.

I also suspect that the malformed packet is a red herring. It's certainly a bug and probably one in libtirpc, but it's hard to imagine that the server would just drop it on the floor due to that. I may be wrong though.

Comment 20 Jeff Layton 2010-07-30 11:35:10 UTC

Ahh sorry, didn't see Bruce's response in comment 11. Yeah, there does seem to be another problem there too.

Does the libtirpc you're testing have this patch?

commit 599511589ca7ddb3b2eac8d3aa5b0b38be7a7691
Author: Jeff Layton <jlayton>
Date:   Fri Mar 5 14:27:13 2010 -0500

    libtirpc: allow larger ticket sizes with RPCSEC_GSS

...that's definitely one you'll want if you're working with AD tickets.

Comment 21 J. Bruce Fields 2010-07-30 13:43:07 UTC

Yep, great Jeff, I'd be almost positive that's the fix.

Note the init_sec_context NULL differs from the earlier NULLs in that it should actually have a payload--the payload contains the important cryptographic content--so the extra 4 bytes without the following opaque data is a real problem.

Comment 22 Steve Dickson 2010-07-30 14:39:35 UTC

Ok its verified.... the 
 
http://people.redhat.com/steved/.tmp/libtirpc-0.2.1-1.bz613682.el6.x86_64.rpm

does in deed take care of the null... that's the good news..
The bad is I have been using that version of libtirpc 
in my test bed when trying to get a ticket from the AD...

Comment 23 Steve Dickson 2010-07-30 17:25:02 UTC

Created attachment 435607 [details]
Complete wireshark trace between a RHEL6 client and a RHEL6 server using the AD as the KDC

Comment 24 Steve Dickson 2010-07-30 17:26:03 UTC

Created attachment 435608 [details]
Complete wireshark trace between a RHEL5 and a RHEL6 server using the AD as the KDC

Comment 26 Steve Dickson 2010-07-30 19:04:51 UTC

*** Bug 619792 has been marked as a duplicate of this bug. ***

Comment 29 Nalin Dahyabhai 2010-08-04 17:02:56 UTC

*** Bug 621238 has been marked as a duplicate of this bug. ***

Comment 38 Karel Volný 2010-09-01 15:05:43 UTC

all I can say is that the libtirpc patch is in place, but I cannot verify due
to bug #629304 ...

however, there are reports that it works for other people, see comment #25 and
the duplicate bugs

Comment 39 releng-rhel@redhat.com 2010-11-10 21:04:47 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Comment 40 J. Bruce Fields 2010-11-23 21:01:42 UTC

*** Bug 643528 has been marked as a duplicate of this bug. ***

Comment 41 Steve Dickson 2010-11-28 19:36:23 UTC

*** Bug 629304 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.