[Bug 853362] New: rpc.gssd segfault during the NFS mount with kerberos ticket NFS client
https://bugzilla.novell.com/show_bug.cgi?id=853362
https://bugzilla.novell.com/show_bug.cgi?id=853362#c0

           Summary: rpc.gssd segfault during the NFS mount with kerberos ticket NFS client
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 13.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: mcaj@suse.com
         QAContact: qa-bugs@suse.de
          Found By: Field Engineer
           Blocker: ---

Hi,

We are using NFS with Kerberos authentication. The system has been working for many years. The server is running SLES 11 SP3 and the clients are SLES, SLED or OpenSUSE machines. When I updated from OpenSUSE 12.3 to 13.1 I found this bug. I also tested it on a fresh install of OpenSUSE 13.1 with the same results.

Steps to reproduce:

1. Install OpenSUSE 13.1 and set up LDAP/Kerberos authentication there via SSSD - that is working fine there.

2. Ask for a keytab ticket from the server and save it into /etc/krb5.keytab

3. Set up the NFS client with GSS support. It might look like this:

    grep -v ^# /etc/sysconfig/nfs

    USE_KERNEL_NFSD_NUMBER="4"
    MOUNTD_PORT=""
    NFS_SECURITY_GSS="yes"
    NFS3_SERVER_SUPPORT="yes"
    NFS4_SUPPORT="yes"
    NFS4_SERVER_MINOR_VERSION="0"
    SM_NOTIFY_OPTIONS=""
    NFS_START_SERVICES="yes"
    STATD_OPTIONS=""
    NFSV4LEASETIME=""
    RPC_PIPEFS_DIR=""
    SVCGSSD_OPTIONS=""
    NFSD_OPTIONS=""
    GSSD_OPTIONS=""
    MOUNTD_OPTIONS=""

4. Check /etc/krb5.conf and add the mount into /etc/fstab

    default_realm = SUSE.CZ
    allow_weak_crypto = true
    clockskew = 300
    ticket_lifetime = 7d
    renew_lifetime = 27d

    [realms]
    SUSE.CZ = {
        kdc = [$ourkerberosserver.suse.cz]
        default_domain = suse.cz
        admin_server = [$ourkerberosserver.suse.cz]
    }

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

    [domain_realm]
    .site = SUSE.CZ

    [appdefaults]
    pam = {
        ticket_lifetime = 7d
        renew_lifetime = 28d
        forwardable = true
        proxiable = true
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
        validate = false
        clockskew = 300
        debug = true
        keytab = /etc/krb5.keytab
    }

NFS mount from fstab:

    nfs.suse.cz:/home /home nfs4 sec=krb5i,intr,rw 0 0

The example of /etc/sssd/sssd.conf:

    config_file_version = 2
    services = nss,pam
    domains = default

    [nss]
    filter_groups = root
    filter_users = root

    [pam]

    # Section created by YaST
    [domain/default]
    ldap_uri = ldap://[$ourldap-server.suse.cz]
    ldap_search_base = dc=suse,dc=cz
    ldap_schema = rfc2307bis
    id_provider = ldap
    ldap_user_uuid = entryuuid
    ldap_group_uuid = entryuuid
    ldap_id_use_start_tls = True
    enumerate = False
    cache_credentials = False
    chpass_provider = krb5
    auth_provider = krb5
    ldap_tls_cacertdir = /etc/ssl/certs
    ldap_tls_cacert = /etc/ssl/certs/[$SUSE-R&D-certsfile]
    krb5_realm = SUSE.CZ
    krb5_kdcip = [$ourkerberosserver.suse.cz]
    krb5_validate = False
    krb5_renewable_lifetime = 27d
    krb5_lifetime = 7d
    krb5_keytab = /etc/krb5.keytab
    krb5_ccachedir = /tmp
    krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX

5. Status of the NFS client: systemctl start nfs and check what happens there:

    systemctl status nfs

    nfs.service - LSB: NFS client services
       Loaded: loaded (/etc/init.d/nfs)
      Drop-In: /run/systemd/generator/nfs.service.d
               └─50-insserv.conf-$remote_fs.conf
       Active: active (running) since Tue 2013-12-03 12:02:45 CET; 2min 17s ago
      Process: 2061 ExecStart=/etc/init.d/nfs start (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/nfs.service
               └─2096 /usr/sbin/rpc.idmapd

    Dec 03 12:02:30 v-opensusef-nibbler systemd[1]: Starting LSB: NFS client services...
    Dec 03 12:02:30 v-opensusef-nibbler sm-notify[2085]: Version 1.2.8 starting
    Dec 03 12:02:30 v-opensusef-nibbler nfs[2061]: Starting NFS client services: sm-notify gssd idmapd..done
    Dec 03 12:02:30 v-opensusef-nibbler nfs[2061]: Mounting network file systems ..mount.nfs4: mount system call failed
    Dec 03 12:02:45 v-opensusef-nibbler nfs[2061]: ..done
    Dec 03 12:02:45 v-opensusef-nibbler systemd[1]: Started LSB: NFS client services.

6. When you try to restart NFS the status is even more chatty:

    systemctl restart nfs;systemctl -l status nfs

    nfs.service - LSB: NFS client services
       Loaded: loaded (/etc/init.d/nfs)
      Drop-In: /run/systemd/generator/nfs.service.d
               └─50-insserv.conf-$remote_fs.conf
       Active: active (running) since Tue 2013-12-03 12:05:24 CET; 31s ago
      Process: 2321 ExecStop=/etc/init.d/nfs stop (code=exited, status=0/SUCCESS)
      Process: 2346 ExecStart=/etc/init.d/nfs start (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/nfs.service
               ├─2365 /usr/sbin/rpc.gssd -D
               └─2370 /usr/sbin/rpc.idmapd

    Dec 03 12:05:24 v-opensusef-nibbler sm-notify[2359]: Already notifying clients; Exiting!
    Dec 03 12:05:24 v-opensusef-nibbler nfs[2346]: Starting NFS client services: sm-notify gssd idmapd..done
    Dec 03 12:05:24 v-opensusef-nibbler rpc.gssd[2365]: ERROR: GSS-API: error in gss_export_lucid_sec_context(): GSS_S_BAD_MECH (An unsupported mechanism was requested) - Unknown error
    Dec 03 12:05:24 v-opensusef-nibbler rpc.gssd[2365]: ERROR: failed serializing krb5 context for kernel
    Dec 03 12:05:24 v-opensusef-nibbler rpc.gssd[2365]: WARNING: Failed to serialize krb5 context for user with uid 0 for server lizard.suse.cz
    Dec 03 12:05:24 v-opensusef-nibbler rpc.gssd[2365]: ERROR: GSS-API: error in gss_export_lucid_sec_context(): GSS_S_BAD_MECH (An unsupported mechanism was requested) - Unknown error
    Dec 03 12:05:24 v-opensusef-nibbler rpc.gssd[2365]: ERROR: failed serializing krb5 context for kernel
    Dec 03 12:05:24 v-opensusef-nibbler rpc.gssd[2365]: WARNING: Failed to serialize krb5 context for user with uid 0 for server lizard.suse.cz
    Dec 03 12:05:24 v-opensusef-nibbler nfs[2346]: Mounting network file systems ..mount.nfs4: access denied by server while mounting nfs.suse.cz:/home
    Dec 03 12:05:24 v-opensusef-nibbler nfs[2346]: ..done
    Dec 03 12:05:24 v-opensusef-nibbler systemd[1]: Started LSB: NFS client services.

7. And see dmesg:

    [ 20.188572] RPC: Registered named UNIX socket transport module.
    [ 20.188575] RPC: Registered udp transport module.
    [ 20.188576] RPC: Registered tcp transport module.
    [ 20.188576] RPC: Registered tcp NFSv4.1 backchannel transport module.
    [ 20.190626] FS-Cache: Loaded
    [ 20.192473] FS-Cache: Netfs 'nfs' registered for caching
    [ 20.260984] NFS: Registering the id_resolver key type
    [ 20.260992] Key type id_resolver registered
    [ 20.260993] Key type id_legacy registered
    [ 20.268579] rpc.gssd[2091]: segfault at 1 ip 00007f9a4e3cabe5 sp 00007fffad1316e0 error 4 in libgssglue.so.1.0.0[7f9a4e3c7000+9000]
    [ 20.268713] NFS: nfs4_discover_server_trunking unhandled error -32. Exiting with error EIO
    [ 35.273089] RPC: AUTH_GSS upcall timed out. Please check user daemon is running.
    [ 50.318045] RPC: AUTH_GSS upcall timed out. Please check user daemon is running.
    [ 50.583714] systemd-journald[207]: Received request to flush runtime journal from PID 1

8. I have also tried the manual mount with verbose mode:

    mount nfs.suse.cz:/home /home -t nfs -o sec=krb5,intr,rw -vv

    mount.nfs: timeout set for Tue Dec 3 12:51:12 2013
    mount.nfs: trying text-based options 'sec=krb5,intr,vers=4,addr=xx.xx.xx.xx,clientaddr=xx.xx.xx.xx'
    mount.nfs: mount(2): Permission denied
    mount.nfs: access denied by server while mounting nfs.suse.cz:/home

reproducible: on 13.1 All the time.

I think the reason why the NFS client with GSS is not working is the segfault of rpc.gssd. The same setting is working on the previous version, OpenSUSE 12.3. Also, SLED and SLES machines with the 11SP3 version are working fine. The mount without sec=krb5 GSS is working fine.

If you need access into our suse.cz network or any other help with debugging, please let me know.

Have a nice day.
Martin Caj.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
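The following is an added triage example, not part of the original report or of nfs-utils: it decodes the kernel segfault line from the dmesg output in step 7 and counts the AUTH_GSS upcall timeouts that follow it. The function names `parse_segfault` and `triage` are hypothetical; the log lines are copied from the report.

```python
import re

# Layout of the x86 kernel's user-space segfault report as it appears in dmesg.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def parse_segfault(line):
    """Return the decoded fields of a segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    crash = {
        "comm": m["comm"], "pid": int(m["pid"]), "object": m["obj"],
        "fault_addr": addr,
        "near_null": addr < 0x1000,        # fault inside the unmapped first page
        "page_present": bool(err & 0x1),   # x86 page-fault error code bits
        "write": bool(err & 0x2),
        "user_mode": bool(err & 0x4),
        "offset": None,                    # ip relative to the reported mapping
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:       # ip really lies inside the mapping
            crash["offset"] = ip - base
    return crash

def triage(dmesg_text):
    """Find the first segfault and count AUTH_GSS upcall timeouts after it."""
    crash, timeouts = None, 0
    for line in dmesg_text.splitlines():
        if crash is None:
            crash = parse_segfault(line)
        elif "AUTH_GSS upcall timed out" in line:
            timeouts += 1
    return crash, timeouts

# Lines copied from the dmesg output in the report above.
SAMPLE = """\
[ 20.260993] Key type id_legacy registered
[ 20.268579] rpc.gssd[2091]: segfault at 1 ip 00007f9a4e3cabe5 sp 00007fffad1316e0 error 4 in libgssglue.so.1.0.0[7f9a4e3c7000+9000]
[ 35.273089] RPC: AUTH_GSS upcall timed out.
[ 50.318045] RPC: AUTH_GSS upcall timed out.
"""

if __name__ == "__main__":
    crash, timeouts = triage(SAMPLE)
    print(crash["comm"], crash["object"], hex(crash["offset"]), timeouts)
```

For the line in this report the result is a user-mode read of address 1 (a near-NULL dereference) at offset 0x3be5 of the libgssglue mapping, followed by two upcall timeouts. If that mapping starts at file offset 0, the offset can be resolved to a source line with addr2line against a libgssglue build with debug symbols.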

https://bugzilla.novell.com/show_bug.cgi?id=853362
https://bugzilla.novell.com/show_bug.cgi?id=853362#c

Xiyuan Liu <xyliu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xyliu@suse.com
         AssignedTo|bnc-team-screening@forge.pr |nfbrown@suse.com
                   |ovo.novell.com              |

https://bugzilla.novell.com/show_bug.cgi?id=853362
https://bugzilla.novell.com/show_bug.cgi?id=853362#c1

Neil Brown <nfbrown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from Neil Brown <nfbrown@suse.com> 2013-12-05 02:37:33 UTC ---
This is known and requires a new libtirpc to fix.

*** This bug has been marked as a duplicate of bug 841788 ***
http://bugzilla.novell.com/show_bug.cgi?id=841788