https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com AssignedTo|bnc-team-screening@forge.pr |nfbrown@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c2 Hardy Heroin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|hardy.heroin+novell@gmail.c | |om | --- Comment #2 from Hardy Heroin 2013-05-07 07:47:23 UTC --- No this does not fix the problem. The output of rpc.gssd with and without the extra "-k /tmp/krb5cc_0" argument is the same as before with the exception of one line: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /tmp/krb5cc_0 for connection with host w.x.y.z For completeness sake I list the ticket cache below. # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user@EXAMPLE.LOCAL Valid starting Expires Service principal 05/07/13 09:28:04 05/07/13 19:27:26 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL renew until 05/08/13 09:28:04 Regarding your remark Neil. I think there is more information in the thread from which the post came that I linked to, I only linked to the final post from which some intermediate information seems to be missing. The full thread is available here: http://comments.gmane.org/gmane.linux.nfs/55377 It seems that the following function calls were updated: gssd_find_existing_krb5_ccache gssd_setup_krb5_user_gss_ccache Hopefully that does fix this issue. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c4 --- Comment #4 from Neil Brown 2013-05-08 06:33:41 UTC --- Created an attachment (id=538304) --> (http://bugzilla.novell.com/attachment.cgi?id=538304) nfs rpms for testing -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c6 Hardy Heroin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |hardy.heroin+novell@gmail.c | |om InfoProvider|hardy.heroin+novell@gmail.c | |om | --- Comment #6 from Hardy Heroin 2013-05-28 16:32:06 UTC --- (In reply to comment #5)

Hi, did you have a chance to test the RPM from comment #4?

I can confirm that the RPM you provided does not resolve the issue. Unfortunately I can also not tell you why not. Same error again (less obfuscated this time): handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clntf) handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clntf) process_krb5_upcall: service is '*' Full hostname for 'pstor002.domain.local' is 'pstor002.domain.local' Name or service not known while getting full hostname for 'hppc134.DOMAIN.LOCAL' ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host pstor002.domain.local ERROR: No credentials found for connection to server pstor002.domain.local doing error downcall destroying client /var/lib/nfs/rpc_pipefs/nfs/clntf It also fails with the -k flag using either the root or the users keyab: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /tmp/krb5cc_1000 for connection with host pstor002.domain.local ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /tmp/krb5cc_0 for connection with host pstor002.domain.local I have a bit more time this week to do some debugging so any more suggestion I would be happy to try out. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c8 --- Comment #8 from Hardy Heroin 2013-05-29 10:14:31 UTC --- Created an attachment (id=541721) --> (http://bugzilla.novell.com/attachment.cgi?id=541721) debug log following instructions of previous comment I have resolved the error?/warning? message "Name or service not known while getting full hostname for" by Assigning Hostname to loopback IP from Yast. This indeed adds the entry in /etc/hosts: 127.0.0.2 hppc134.DOMAIN.LOCAL hppc134 I have then tested, with and without the patches in attachment 538304, and with and without specifically specying the keytab. (I should stress that with opensuse kernel version <3.7 it "just works"). The results of this is in the attached txt file. I can see the effect of the patch as an additional entry besides root,nfs,host,etc. but it still does not work. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c10 Neil Brown changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #538304|0 |1 is obsolete| | --- Comment #10 from Neil Brown 2013-05-30 06:01:50 UTC --- Created an attachment (id=541877) --> (http://bugzilla.novell.com/attachment.cgi?id=541877) New rpms to test ... or maybe late this week :-) Please install and test these. There is a new flag "-N" for "gssd" to address your particular case. See "man gssd". I've also added a GSSD_OPTIONS setting to /etc/sysconfig/nfs to make it easier to set the -n and -N flags (you will need both). You don't need the extra setting in /etc/hosts any more. Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c12 Neil Brown changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #12 from Neil Brown 2013-06-02 19:51:34 UTC --- I've submitted an update request for 12.3, and have posted the "-N" patch upstream in the hope it will be accepted. So closing this bug now. Thanks for your patience. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |obs:running:1730:moderate -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c15 --- Comment #15 from Hardy Heroin 2013-06-05 04:16:29 UTC --- Yes, I've been following the discussion on http://news.gmane.org/gmane.linux.nfs You are correct to assume that our administrator does not hand out keytabs. I have given the link to this bug report as well as the NFS mailing list to our network architect, perhaps he has time to comment on the matter. I believe the problem is that when keytabs are handed out, there a risk of invalidating all other users' credentials somehow, although I do not pretend to understand exactly how that works. In the meantime I'm happy to test any kernel fixes. I use kernel-desktop. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c17 --- Comment #17 from Hardy Heroin 2013-06-07 06:46:02 UTC --- Created an attachment (id=543267) --> (http://bugzilla.novell.com/attachment.cgi?id=543267) Test results following installation of kernel in comment 16 Yes that kernel works, although I still need the "-n" flag, which means that the nfs client utilities still need a patch which adds the possibility of specifying GSSD_OPTIONS in /etc/sysconfig/nfs I ran a few tests (8 in total) of different combinations of issues the mount statement and rpc.gssd flags while having (or not having) kerberos credentials for user and/or root. One of the things that puzzles me: - given a valid user mountable entry in /etc/fstab/ - why can't I mount that entry as user without a valid kerberos ticket for root? I can browse as a user even when the root credentials are destroyed (and thus root can no longer browse), then why do I need it for mounting as user? For some reason it only considers '/tmp/krb5cc_0' when I mount as user, when it should also be looking at '/tmp/krb5cc_1000' since it was user uid=1000 that issued the mount command. (Test 8) - I can mount as user when root has a ticket (and it will say '/tmp/krb5cc_1000' is valid). (Test 7) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c19 --- Comment #19 from Neil Brown 2013-06-11 22:06:22 UTC --- Thanks for all the tests. Your results agree with my understanding of how it should work. When you run mount as a non-privileged user, it relies on the fact that /sbin/mount.nfs is "setuid" to root, so the actual mount system-call runs as root and consequently uses root's privileged to communicate with the NFS server. To allow the mount to succeed without root having any credentials, we would need to mount systemcall to authenticate to the server using credentials based on the 'real-uid' rather than 'effective-uid'.... I wonder if that is a good idea. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c21 --- Comment #21 from Hardy Heroin 2013-06-12 00:28:25 UTC --- Great! Thank you for this and all the effort you put it. Regarding your Comment #19. I think it would be a great benefit to the user if it were possible to mount without the root user needing to have kerberos credentials. I think it is inconsistent that you may browse a mounted mount without root credentials but you may not mount it, even though it is set 'mountable by user in fstab' - it just doesn't make sense to me. Do you think you can dicusss this with the other NFS maintainers? Also consider the case where automount has been set up. When a user logs in (after a fresh reboot and without a valid kerberos ticket for root) his or her home would need to be automatically mounted - would this work then? The user authenticates with his or her login credentials and would aquire a valid ticket, but can the automount process then use this to do the mount, or would it crash on account of root not having valid credentials. Or would the ticket somehow (by means of the PAM authentication process) be 'issued' to root as well? This is confusing to me and perhaps you can give it some thought. Meanwhile I'm going to try and test this out next week (set up automount). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|obs:running:1730:moderate |obs:running:1730:moderate | |obs:running:2034:moderate -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=817651 https://bugzilla.novell.com/show_bug.cgi?id=817651#c24 --- Comment #24 from Swamp Workflow Management 2013-12-30 20:11:53 UTC --- openSUSE-SU-2013:1971-1: An update that solves 34 vulnerabilities and has 19 fixes is now available. Category: security (moderate) Bug References: 799516,801341,802347,804198,807153,807188,807471,808827,809906,810144,810473,811882,812116,813733,813889,814211,814336,814510,815256,815320,816668,816708,817651,818053,818561,821612,821735,822575,822579,823267,823342,823517,823633,823797,824171,824295,826102,826350,826374,827749,827750,828119,828191,828714,829539,831058,831956,832615,833321,833585,834647,837258,838346 CVE References: CVE-2013-0914,CVE-2013-1059,CVE-2013-1819,CVE-2013-1929,CVE-2013-1979,CVE-2013-2141,CVE-2013-2148,CVE-2013-2164,CVE-2013-2206,CVE-2013-2232,CVE-2013-2234,CVE-2013-2237,CVE-2013-2546,CVE-2013-2547,CVE-2013-2548,CVE-2013-2634,CVE-2013-2635,CVE-2013-2851,CVE-2013-2852,CVE-2013-3222,CVE-2013-3223,CVE-2013-3224,CVE-2013-3226,CVE-2013-3227,CVE-2013-3228,CVE-2013-3229,CVE-2013-3230,CVE-2013-3231,CVE-2013-3232,CVE-2013-3233,CVE-2013-3234,CVE-2013-3235,CVE-2013-3301,CVE-2013-4162 Sources used: openSUSE 12.3 (src): kernel-docs-3.7.10-1.24.1, kernel-source-3.7.10-1.24.1, kernel-syms-3.7.10-1.24.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=817651 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:2034:moderate | -- You are receiving this mail because: You are on the CC list for the bug.