Hi Sriram,

Please send your change as a pull request against https://github.com/nfs-ganesha/ntirpc. We need to take some care to ensure that we properly enforce service and QOP guarantees. My understanding would have been that any request "still being processed" has been validated and unwrapped. If that's the case, then I do suspect that any further use of the request version of the service value is valid.
Matt

----- Original Message -----
> From: "sriram patil" <spsrirampa...@gmail.com>
> To: nfs-ganesha-devel@lists.sourceforge.net
> Sent: Monday, December 19, 2016 2:23:36 AM
> Subject: [Nfs-ganesha-devel] Kerberos: Not working because response uses cached krb service from authgss_hash
>
> Hi,
>
> When handling Kerberos requests ganesha fetches the cached svc_rpc_gss_data from authgss_hash. If the Kerberos service (authentication, integrity or privacy) does not match the one parsed from the request, ganesha changes the service value in the cache, and continues to use the cached object for all further verification and when sending the response to the client. Note that there is no local copy of the gss data in the request; it uses the cached object.
>
> Code snippet which does the above mentioned lookup:
>
> file: src/libntirpc/src/svc_auth_gss.c, function: _svcauth_gss
>
>     /* Context lookup. */
>     if ((gc->gc_proc == RPCSEC_GSS_DATA)
>         || (gc->gc_proc == RPCSEC_GSS_DESTROY)) {
>         /* XXX fix prototype, toss junk args */
>         gd = authgss_ctx_hash_get(gc);
>         if (!gd)
>             svcauth_gss_return(AUTH_REJECTEDCRED);
>         gd_hashed = true;
>         /* Overwrites the shared cache entry's service level with this request's. */
>         if (gc->gc_svc != gd->sec.svc)
>             gd->sec.svc = gc->gc_svc;
>     }
>
> Now let's assume that the cached gss service is set to privacy (3). Before the ongoing request can proceed, a new request comes in with OP_RENEW and gss service set to integrity (2). As shown in the above snippet, this will change the gss service value in the cache to integrity. This will affect all the requests which are still being processed and may respond to the client with an incorrect gss service. Because of this the nfs client is unable to interpret the response and fails with EIO. I am using the Linux nfs client, so it fails in method gss_unwrap_resp.
>
> I am continuously hitting this issue in case of server restarts when mounted on the client with Kerberos privacy.
> Is there any reason why we use the gss service from the cache, though we have a local copy parsed from the actual request stored in rq_clntcred?
>
> I have tried a fix to always use the gss service from the request (rq_clntcred). This is working as expected and there are no errors on the client side.
>
> Thanks,
> Sriram
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Nfs-ganesha-devel mailing list
> Nfs-ganesha-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel

-- 
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309
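A constructed C model of the interleaving Sriram describes, added here as an illustration and not ntirpc code: the structs are stand-ins for the cached svc_rpc_gss_data and the per-request rq_clntcred, the service numbering follows the thread, and the "fixed" path reads the service level from the request as his patch does.

```c
/* Constructed model of the context lookup described in the thread; not ntirpc code. */
#include <stdbool.h>
#include <stdio.h>

/* RPCSEC_GSS service levels, numbered as in the thread. */
enum { RPCSEC_GSS_SVC_NONE = 1, RPCSEC_GSS_SVC_INTEGRITY = 2, RPCSEC_GSS_SVC_PRIVACY = 3 };

/* Stand-in for the cached svc_rpc_gss_data (shared by every request on the context). */
struct gss_ctx_cache { int svc; };

/* Stand-in for the per-request credentials (rq_clntcred): parsed from the wire, never shared. */
struct gss_request { int gc_svc; struct gss_ctx_cache *gd; };

/* Old behaviour: the lookup overwrites the shared cache entry with the service
 * level of whatever request happens to arrive next. */
static void lookup_ctx_old(struct gss_request *rq, struct gss_ctx_cache *gd)
{
    rq->gd = gd;
    if (rq->gc_svc != gd->svc)
        gd->svc = rq->gc_svc;   /* mutates state that in-flight requests still read */
}

/* Service used to wrap the reply under the old scheme: read back from the cache. */
static int reply_svc_old(const struct gss_request *rq) { return rq->gd->svc; }

/* Fixed behaviour: wrap the reply with the service level this request carried. */
static int reply_svc_fixed(const struct gss_request *rq) { return rq->gc_svc; }

/* Interleave request A (privacy) with request B (integrity) on the same context
 * and return the service level A's reply would be wrapped with. */
static int interleaved_reply_svc(bool fixed)
{
    struct gss_ctx_cache gd = { .svc = RPCSEC_GSS_SVC_PRIVACY };
    struct gss_request a = { .gc_svc = RPCSEC_GSS_SVC_PRIVACY };
    struct gss_request b = { .gc_svc = RPCSEC_GSS_SVC_INTEGRITY };

    lookup_ctx_old(&a, &gd);   /* A validated and unwrapped, still being processed */
    lookup_ctx_old(&b, &gd);   /* B arrives meanwhile and flips gd.svc to 2 */
    return fixed ? reply_svc_fixed(&a) : reply_svc_old(&a);
}

int main(void)
{
    printf("old:   A wrapped with svc %d (client expects 3)\n", interleaved_reply_svc(false));
    printf("fixed: A wrapped with svc %d\n", interleaved_reply_svc(true));
    return 0;
}
```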