https://bugzilla.novell.com/show_bug.cgi?id=614293
https://bugzilla.novell.com/show_bug.cgi?id=614293#c46
Neil Brown changed:
What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #443572         |0       |1
is obsolete                |        |
--- Comment #46 from Neil Brown 2011-08-09 01:33:31 UTC ---
Created an attachment (id=444812)
--> (http://bugzilla.novell.com/attachment.cgi?id=444812)
New rpc.gssd which attempts to auto-correct
Thanks for the tcpdump traces. They largely show what I would expect.
I've modified rpc.gssd to handle failure by retrying with a reduced set of
allowed encryption types. Hopefully this will work correctly on all servers...
Please:
1/ Remove the "allow_weak_crypto = true" from the server - it seems to be
a problem. I realise you will need to wait for a quiet time to do that.
2/ try to mount a file system with the attached rpc.gssd running. If you could
collect a tcpdump trace while that happens and mail it to me that would be
great. I don't expect to find any surprises in it, but it would be nice to
be certain of that.
If you confirm that it works and there are no surprises, I will submit this
patch to Factory and try to get an update for 11.4 scheduled in due course.
Just for completeness, the change I made is below.
Thanks.
Index: nfs-utils-1.2.3/utils/gssd/gssd_proc.c
===================================================================
--- nfs-utils-1.2.3.orig/utils/gssd/gssd_proc.c 2010-09-28
22:24:16.000000000 +1000
+++ nfs-utils-1.2.3/utils/gssd/gssd_proc.c 2011-08-09 11:23:49.316191138
+1000
@@ -917,6 +917,23 @@ int create_auth_rpc_client(struct clnt_i
printerr(2, "creating context with server %s\n", clp->servicename);
auth = authgss_create_default(rpc_clnt, clp->servicename, &sec);
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ if (!auth && authtype == AUTHTYPE_KRB5 && krb5_enctypes) {
+ u_int min_stat;
+ /* The extended list of enctypes can confuse old servers */
+ gss_release_cred(&min_stat, &sec.cred);
+ free(krb5_enctypes);
+ krb5_enctypes = NULL;
+ num_krb5_enctypes = 0;
+ printerr(2, "retry auth using default encryption types\n");
+ if (limit_krb5_enctypes(&sec) == 0)
+ auth = authgss_create_default(rpc_clnt,
+ clp->servicename, &sec);
+ else
+ printerr(1, "WARNING: Failed while limiting krb5 "
+ "encryption types to default list\n");
+ }
+#endif
if (!auth) {
/* Our caller should print appropriate message */
printerr(2, "WARNING: Failed to create %s context for "
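Review bot: in the retry branch, gss_release_cred(&min_stat, &sec.cred) releases the credential, but the same sec is then passed to limit_krb5_enctypes(&sec) and to the second authgss_create_default(rpc_clnt, clp->servicename, &sec) with nothing in the hunk re-acquiring it; unless limit_krb5_enctypes acquires a fresh credential itself, the retry runs against a released handle and will fail for the wrong reason. Either re-acquire the credential before calling limit_krb5_enctypes or drop the gss_release_cred and let the existing error path release it, and add a comment saying which. Also, free(krb5_enctypes); krb5_enctypes = NULL; num_krb5_enctypes = 0 are not local to this block, so one failed context creation appears to permanently reset the enctype list for every later mount handled by this daemon; if that is intended, the comment "The extended list of enctypes can confuse old servers" should say so, otherwise the fallback should be scoped to this client.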