Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Paul, letting us know that it works against a lenny server but not a sid server is very interesting. That probably means that the etype negotiation support introduced in 1.7 is not quite doing the right thing. Things to check: [I'm not saying you should check these; this is mostly for Kerberos people including myself to look at. In particular I may not be giving enough detail here for someone not familiar with Kerberos and NFS internals. It will be a few days before I can go through this myself] * Confirm that both the lenny and sid kernels only support DES. * If sid kernel supports more than DES, it may be a config issue on the server side. * Confirm that the client is setting the allowed gss enctypes * walk through that code path and see what breaks. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Sam Hartman hartm...@debian.org writes: Paul, letting us know that it works against a lenny server but not a sid server is very interesting. That probably means that the etype negotiation support introduced in 1.7 is not quite doing the right thing. Things to check: [I'm not saying you should check these; this is mostly for Kerberos people including myself to look at. In particular I may not be giving enough detail here for someone not familiar with Kerberos and NFS internals. It will be a few days before I can go through this myself] * Confirm that both the lenny and sid kernels only support DES. * If sid kernel supports more than DES, it may be a config issue on the server side. I should point my sid box is not running a kernel from sid but rather my own builds. I've observed the problem with 2.6.29.2 and 2.6.30-rc5+. I gave the current sid 2.6.29 a shot but alas it doesn't support my goofy Apple keyboard, so I can't type in my LUKS passphrase, and I don't have any normal keyboards to hand. I think I've seen 2.6.30-pre builds from the Debian kernel team linked somewhere, so I'll track those down and try one in case the problem has something to do with how my kernel is configured. * Confirm that the client is setting the allowed gss enctypes * walk through that code path and see what breaks. -- Paul Collins Wellington, New Zealand Dag vijandelijk luchtschip de huismeester is dood -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Rebuilding my main NFSv4 client sadly coincided with this bug cropping up, so it's hard for me to be 100% certain I didn't mess something up. However, my NFSv4 client can mount an NFSv4 krb5 mount from a lenny server, but it cannot mount NFSv4 krb5 from the sid server, even with version 1.7dfsg~beta2-2 of the krb5 packages installed. Instead, the same error Mr. Litzenberger reports is logged: May 15 21:37:28 burly kernel: gss_kerberos_mech: unsupported algorithm 1 -- Paul Collins Wellington, New Zealand Dag vijandelijk luchtschip de huismeester is dood -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Package: krb5 Severity: normal I tried Sam Hartman's patch, which stopped the segfaulting, but now I get this when trying to perform an NFS mount: $ sudo mount /mnt/rivest mount.nfs4: access denied by server while mounting rivest.dlitz.net:/ xconsole shows: May 14 17:56:23 gando kernel: [ 3631.616139] gss_kerberos_mech: unsupported algorithm 1 Here's the line from my /etc/fstab: rivest.dlitz.net:/ /mnt/rivest nfs4 defaults,rw,sec=krb5,hard,intr,proto=tcp,bg,nosuid,nodev 0 0 -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.29-2-686 (SMP w/1 CPU core) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Package: krb5 Version: 1.7dfsg~beta1-4 Severity: grave Since the last upgrade, rpc.gssd segfaults: | [64599.319607] rpc.gssd[23174]: segfault at 1 ip 0804a795 sp bfe4eb10 error 4 in rpc.gssd[8048000+a000] This makes it impossible to use kerberos auth on nfs mounts. A downgrade of libgssapi-krb5-2 fixes the segfault, but produces errors now. | rpc.gssd[25105]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) No error | rpc.gssd[25105]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server wavehammer.waldi.eu.org After a downgrade of libkrb5-3 and libkrb5support0 it works fine again. Bastian -- We have the right to survive! Not by killing others. -- Deela and Kirk, Wink of An Eye, stardate 5710.5 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
severity 527468 serious reassign 527468 libgssapi-krb5-2 tags 527468 moreinfo thanks Any chance you could see where it's segfaulting with a backtrace or something? As is, the bug's not much to go on. I don't have a test environment handy and will admit that I've not had much luck getting NFS and Kerberos to work in the past when I've tried. Thanks for pointing out the failure when you downgrade libgssapi-krb5-2 but not libkrb5-3. There is an unexpressed hard dependency between the versions of libkrb5-3 and libgssapi-krb5-2. I'll add that dependency in the next upload. I don't think this meets the definition of grave: I don't think most users of the libgssapi-krb5-2 package use NFS. I do agree it's RC at least for now, although I'll have to downgrade if I can't get enough information to reproduce. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
severity 527468 serious reassign 527468 libgssapi-krb5-2 tags 527468 moreinfo thanks Any chance you could see where it's segfaulting with a backtrace or something? As is, the bug's not much to go on. I don't have a test environment handy and will admit that I've not had much luck getting NFS and Kerberos to work in the past when I've tried. Thanks for pointing out the failure when you downgrade libgssapi-krb5-2 but not libkrb5-3. There is an unexpressed hard dependency between the versions of libkrb5-3 and libgssapi-krb5-2. I'll add that dependency in the next upload. I don't think this meets the definition of grave: I don't think most users of the libgssapi-krb5-2 package use NFS. I do agree it's RC at least for now, although I'll have to downgrade if I can't get enough information to reproduce. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
On Wed, May 13, 2009 at 10:20:46AM -0400, Sam Hartman wrote: Any chance you could see where it's segfaulting with a backtrace or something? As is, the bug's not much to go on. The backtrace is not of much use without any debugging informations. Will try to get one with. I don't have a test environment handy and will admit that I've not had much luck getting NFS and Kerberos to work in the past when I've tried. With lenny its rather easy IMHO. I don't think this meets the definition of grave: I don't think most users of the libgssapi-krb5-2 package use NFS. I do agree it's RC at least for now, although I'll have to downgrade if I can't get enough information to reproduce. It would even fullfill critical. A segfaulting rpc.gssd breaks all nfs mounts, especially /home. Bastian -- Conquest is easy. Control is not. -- Kirk, Mirror, Mirror, stardate unknown -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
On Wed, May 13, 2009 at 10:20:46AM -0400, Sam Hartman wrote: Any chance you could see where it's segfaulting with a backtrace or something? As is, the bug's not much to go on. A normal backtrace, just for the documentation: | Starting program: /usr/sbin/rpc.gssd -f | (no debugging symbols found) | (no debugging symbols found) | (no debugging symbols found) | (no debugging symbols found) | (no debugging symbols found) | [Thread debugging using libthread_db enabled] | [New Thread 0xb7d826e0 (LWP 1987)] | | Program received signal SIGSEGV, Segmentation fault. | [Switching to Thread 0xb7d826e0 (LWP 1987)] | 0x0804a3b5 in ?? () | (gdb) bt | #0 0x0804a3b5 in ?? () | #1 0xbff6a518 in ?? () | #2 0xbff6a530 in ?? () | #3 0x0001 in ?? () | #4 0xbff6a514 in ?? () | #5 0x in ?? () | #6 0xb806bff4 in ?? () from /lib/ld-linux.so.2 | #7 0x080488a8 in ?? () | #8 0xb806c670 in ?? () | #9 0xbff6a510 in ?? () | #10 0xb805ce2b in ?? () from /lib/ld-linux.so.2 | #11 0x0804c812 in ?? () | #12 0x0996d1c8 in ?? () | #13 0xbff6a564 in ?? () | #14 0x08051868 in ?? () | #15 0x03e8 in ?? () | #16 0x in ?? () A backtrace with a debugging build: | Program received signal SIGSEGV, Segmentation fault. | [Switching to Thread 0xb7e146e0 (LWP 10061)] | 0x0804a795 in serialize_krb5_ctx (ctx=0x8b8db70, buf=0xbfdfc324, endtime=0x0) at context_lucid.c:189 | 189 vers = ((gss_krb5_lucid_context_version_t *)return_ctx)-version; | (gdb) bt | #0 0x0804a795 in serialize_krb5_ctx (ctx=0x8b8db70, buf=0xbfdfc324, endtime=0x0) at context_lucid.c:189 | #1 0x0804cbda in handle_krb5_upcall (clp=0x8b8c800) at gssd_proc.c:894 | #2 0x0804b59b in gssd_run () at gssd_main_loop.c:81 | #3 0x0804b283 in main (argc=2, argv=0x0) at gssd.c:191 It does: | maj_stat = gss_export_lucid_sec_context(min_stat, ctx, 1, return_ctx); Which results in: | (gdb) p maj_stat | $4 = 0 | (gdb) p min_stat | $5 = 2249944323 | (gdb) p return_ctx | $6 = (void *) 0x1 And the extended backtrace: | #0 gss_krb5_export_lucid_sec_context (minor_status=0xbfdeb214, context_handle=0x8cde06c, version=1, kctx=0xbfdeb210) | at ../../../../src/lib/gssapi/krb5/krb5_gss_glue.c:133 | #1 0xb7fa6a67 in gss_export_lucid_sec_context (minor_status=0xbfdeb214, context_handle=0xbfdeb230, version=1, | internal_buffer=0xbfdeb210) at g_lucid_context.c:65 | #2 0x0804ad09 in serialize_krb5_ctx (ctx=0x8cde068, buf=0xbfdeb274, endtime=0x0) at context_lucid.c:180 | #3 0x0804a717 in serialize_context_for_kernel (ctx=0x8cde068, buf=0xbfdeb274, mech=0x8053368, endtime=0x0) at context.c:53 | #4 0x0804d58c in handle_krb5_upcall (clp=0x8cda800) at gssd_proc.c:894 | #5 0x0804b750 in scan_poll_results (ret=1) at gssd_main_loop.c:81 | #6 0x0804b9f9 in gssd_run () at gssd_main_loop.c:151 | #7 0x0804b69c in main (argc=4, argv=0xbfdeb4f4) at gssd.c:191 gss_export_lucid_sec_context is a simple wrapper around gss_krb5_export_lucid_sec_context. Some data from within the gss_krb5_export_lucid_sec_context function: | (gdb) n | 163 in ../../../../src/lib/gssapi/krb5/krb5_gss_glue.c | (gdb) p *kctx | $8 = (void *) 0x0 line 163: *kctx = *((void **)data_set-elements[0].value); | (gdb) n | 168 in ../../../../src/lib/gssapi/krb5/krb5_gss_glue.c | (gdb) p *kctx | $9 = (void *) 0x1 | (gdb) p data_set | $10 = (gss_buffer_set_t) 0x8cdbe40 | (gdb) p *data_set | $11 = {count = 1, elements = 0x8cddf98} | (gdb) p *data_set.elements | $12 = {length = 4, value = 0x8ce01b0} | (gdb) p data_set.elements.value | $13 = (void *) 0x8ce01b0 | (gdb) p {void **}data_set.elements.value | $15 = (void **) 0x1 Bastian -- Warp 7 -- It's a law we can live with. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Bastian == Bastian Blank wa...@debian.org writes: Bastian On Wed, May 13, 2009 at 10:20:46AM -0400, Sam Hartman wrote: Any chance you could see where it's segfaulting with a backtrace or something? As is, the bug's not much to go on. Bastian The backtrace is not of much use without any debugging Bastian informations. Will try to get one with. If it is segfaulting insiderpc.gssd then libkrb5-dbg should give you debugging symbols. I don't think this meets the definition of grave: I don't think most users of the libgssapi-krb5-2 package use NFS. I do agree it's RC at least for now, although I'll have to downgrade if I can't get enough information to reproduce. Bastian It would even fullfill critical. A segfaulting rpc.gssd Bastian breaks all nfs mounts, especially /home. Bastian Bastian No, definitely not critical: NFS is not an unrelated package. Fully breaking a package for some users simply doesn't make a bug grave. Nor does breaking a system in uncommon non-default configs. But let's fix the bug rather than arguing about severities. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#528514: krb5 - rpc.gssd from nfs-common segfaults after upgrade
Thanks much. I think I roughly understand the problem area. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org