Hi,
When handling Kerberos requests, ganesha fetches the cached svc_rpc_gss_data
from authgss_hash. If the Kerberos service (authentication, integrity or
privacy) does not match the one parsed from the request, ganesha changes
the service value in the cache, and continues to use the cached object for
all the further verification and when sending the response to the client. Note
that there is no local copy of the gss data in the request; it uses the
cached object.
Code snippet which does the above mentioned lookup
(file: src/libntirpc/src/svc_auth_gss.c, function: _svcauth_gss):

```c
	/* Context lookup. */
	if ((gc->gc_proc == RPCSEC_GSS_DATA)
	    || (gc->gc_proc == RPCSEC_GSS_DESTROY)) {
		/* XXX fix prototype, toss junk args */
		gd = authgss_ctx_hash_get(gc);	/* shared cache entry, not a per-request copy */
		if (!gd)
			svcauth_gss_return(AUTH_REJECTEDCRED);
		gd_hashed = true;
		/* service from this request overwrites the one in the shared cache entry */
		if (gc->gc_svc != gd->sec.svc)
			gd->sec.svc = gc->gc_svc;
	}
```
Now let's assume that the cached gss service is set to privacy (3). Before
the ongoing request can proceed, a new request comes in with OP_RENEW and
gss service set to integrity (2). As shown in the above snippet, this
will change the gss service value in the cache to integrity. This will
affect all the requests which are still being processed and may respond to
the client with an incorrect gss service. Because of this the NFS client is
unable to interpret the response and fails with EIO. I am using the Linux NFS
client, so it fails in the method gss_unwrap_resp.
I am continuously hitting this issue in case of server restarts when
mounted on the client with Kerberos privacy. Is there any reason why we use
the gss service from the cache, though we have a local copy parsed from the
actual request stored in rq_clntcred?
I have tried a fix to always use the gss service from the request
(rq_clntcred). This is working as expected, with no errors on the client side.
Thanks,
Sriram
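Added example (not code from the mail or from ntirpc/ganesha): a deterministic model of the interleaving described above, with the shared cache entry, the per-request credential and the service values 2 (integrity) and 3 (privacy) as hypothetical stand-ins. Request A holds a privacy context, request B (an OP_RENEW at integrity) does its lookup before A replies, and the model returns the service A's reply would be wrapped with when it reads the shared cache versus its own request copy.

```c
#include <stdbool.h>
#include <stddef.h>

/* Service levels as used in the mail (constructed enum; values 2 and 3 match the mail). */
enum gss_svc { SVC_NONE = 1, SVC_INTEGRITY = 2, SVC_PRIVACY = 3 };

/* Stand-in for the cached svc_rpc_gss_data entry: only the service field is modelled (assumption). */
struct gss_ctx_cache {
	enum gss_svc svc;
};

/* Stand-in for one in-flight request: its own parsed credential (as in rq_clntcred)
 * plus the pointer to the shared cache entry found by the context lookup. */
struct gss_request {
	enum gss_svc svc;			/* service parsed from this request's credential */
	struct gss_ctx_cache *ctx;	/* shared, mutable cache entry */
};

/* The pattern from the snippet: the incoming request's service overwrites the shared entry. */
static void context_lookup(struct gss_request *req)
{
	if (req->svc != req->ctx->svc)
		req->ctx->svc = req->svc;
}

/* Reply path that reads the shared cache entry: sees whatever the last lookup wrote. */
static enum gss_svc reply_svc_from_cache(const struct gss_request *req)
{
	return req->ctx->svc;
}

/* Reply path using the request's own copy, as in the fix the mail describes. */
static enum gss_svc reply_svc_from_request(const struct gss_request *req)
{
	return req->svc;
}

/* Replay the interleaving from the mail and return the service request A's reply is wrapped with. */
enum gss_svc simulate_interleaving(bool use_request_copy)
{
	struct gss_ctx_cache ctx = { .svc = SVC_PRIVACY };		/* cached context already at privacy */
	struct gss_request a = { .svc = SVC_PRIVACY, .ctx = &ctx };	/* in-flight privacy request */
	struct gss_request b = { .svc = SVC_INTEGRITY, .ctx = &ctx };	/* OP_RENEW at integrity */

	context_lookup(&a);	/* A: lookup, cache unchanged (3 == 3) */
	context_lookup(&b);	/* B: lookup before A replies, flips the shared entry to 2 */

	return use_request_copy ? reply_svc_from_request(&a)
				: reply_svc_from_cache(&a);
}

/* Client-side check in the spirit of gss_unwrap_resp: a reply wrapped at a service other
 * than the one the client sent is unusable. Returns true when the reply is acceptable. */
bool client_accepts_reply(enum gss_svc requested, enum gss_svc reply)
{
	return requested == reply;
}
```

With the cache read, A's reply comes back at integrity (2) even though A was sent at privacy (3), which is the mismatch the client rejects with EIO; with the per-request copy, the concurrent OP_RENEW has no effect on A's reply.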
_______________________________________________
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel