Re: [Nfs-ganesha-devel] Kerberos: Not working because response uses cached krb service from authgss_hash

2016-12-19 Thread sriram patil
Hi Matt,

Following is the link for pull request.

Pull request.


Will add a separate pull request for ganesha changes as well.

Thanks,
Sriram


On Mon, Dec 19, 2016 at 8:46 PM, Matt Benjamin wrote:

> Hi Sriram,
>
> Please send your change as a pull request against
> https://github.com/nfs-ganesha/ntirpc.  We need to take some care to ensure
> that we properly enforce service and QOP guarantees.  My understanding would
> have been that any request "still being processed" has been validated and
> unwrapped.  If that's the case, then I do suspect that any further use of the
> request version of the service value is valid.
>
> Matt
>
> - Original Message -
> > From: "sriram patil" 
> > To: nfs-ganesha-devel@lists.sourceforge.net
> > Sent: Monday, December 19, 2016 2:23:36 AM
> > Subject: [Nfs-ganesha-devel] Kerberos: Not working because response uses
> > cached krb service from authgss_hash
> >
> >
> >
> > Hi,
> >
> > When handling Kerberos requests, ganesha fetches the cached svc_rpc_gss_data
> > from authgss_hash. If the Kerberos service (authentication, integrity or
> > privacy) does not match the one parsed from the request, ganesha changes
> > the service value in the cache, and continues to use the cached object for
> > all further verification and when sending the response to the client. Note
> > that there is no local copy of the gss data in the request; it uses the
> > cached object.
> >
> >
> >
> >
> > Code snippet which does the above mentioned lookup:
> >
> >
> > file: src/libntirpc/src/svc_auth_gss.c function: _svcauth_gss
> >
> > ` /* Context lookup. */
> > if ((gc->gc_proc == RPCSEC_GSS_DATA)
> >     || (gc->gc_proc == RPCSEC_GSS_DESTROY)) {
> >         /* XXX fix prototype, toss junk args */
> >         gd = authgss_ctx_hash_get(gc);
> >         if (!gd)
> >                 svcauth_gss_return(AUTH_REJECTEDCRED);
> >         gd_hashed = true;
> >         if (gc->gc_svc != gd->sec.svc)
> >                 gd->sec.svc = gc->gc_svc;
> > }`
> >
> >
> >
> >
> > Now let’s assume that the cached gss service is set to privacy (3). Before
> > the ongoing request can proceed, a new request comes in with OP_RENEW and
> > gss service set to integrity (2). As specified in the above snippet, this
> > will change the gss service value in the cache to integrity. This will
> > affect all the requests which are still being processed and may respond to
> > the client with an incorrect gss service. Because of this the NFS client is
> > unable to interpret the response and fails with EIO. I am using the Linux NFS
> > client, so it fails in the method gss_unwrap_resp.
> >
> > I am continuously hitting this issue in case of server restarts when mounted
> > on the client with Kerberos privacy. Is there any reason why we use the gss
> > service from the cache, though we have a local copy parsed from the actual
> > request stored in (rq_clntcred)?
> >
> >
> > I have tried a fix to always use the gss service from the request
> > (rq_clntcred). This is working as expected and no errors on the client side.
> >
> >
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Sriram
> >
> > --
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > ___
> > Nfs-ganesha-devel mailing list
> > Nfs-ganesha-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
> >
>
> --
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-821-5101
> fax.  734-769-8938
> cel.  734-216-5309
>
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/intel
___
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
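
The interleaving described in the quoted report, as an added example (not code from this thread or from ntirpc): two requests share one cached context, and the service used for the reply is taken either from the cache or from the request. The struct and function names are simplified, hypothetical stand-ins; only the service values 2 and 3 come from the post.

```c
/* Added illustration; simplified stand-ins, not ntirpc's real structures. */
#include <stdio.h>

enum svc { SVC_INTEGRITY = 2, SVC_PRIVACY = 3 };  /* values as given in the post */

struct gss_ctx { enum svc svc; };   /* stands in for the cached svc_rpc_gss_data */
struct request {
    enum svc cred_svc;              /* service parsed from this request's credential */
    struct gss_ctx *gd;             /* pointer to the shared cached context */
};

/* Mirrors the lookup quoted in the post: the shared entry is rewritten
 * whenever the incoming request carries a different service. */
static void lookup_ctx(struct request *rq, struct gss_ctx *cached)
{
    rq->gd = cached;
    if (rq->cred_svc != cached->svc)
        cached->svc = rq->cred_svc;
}

/* Behaviour described in the post: reply service read from the shared cache. */
static enum svc reply_svc_cached(const struct request *rq) { return rq->gd->svc; }

/* Fix described in the post: reply service read from the request itself. */
static enum svc reply_svc_request(const struct request *rq) { return rq->cred_svc; }

/* Interleaving: A (privacy) is looked up, B (integrity) is looked up,
 * then A replies. Returns the service A's reply would be wrapped with. */
static enum svc run_interleaving(enum svc (*pick)(const struct request *))
{
    struct gss_ctx cached = { SVC_PRIVACY };
    struct request a = { SVC_PRIVACY, NULL };
    struct request b = { SVC_INTEGRITY, NULL };

    lookup_ctx(&a, &cached);    /* A is validated and still being processed */
    lookup_ctx(&b, &cached);    /* B arrives and rewrites the shared value */
    return pick(&a);            /* A's reply is built only now */
}

int main(void)
{
    printf("cached value:  A replies with svc %d, client expects %d\n",
           (int)run_interleaving(reply_svc_cached), (int)SVC_PRIVACY);
    printf("request value: A replies with svc %d\n",
           (int)run_interleaving(reply_svc_request));
    return 0;
}
```
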


Re: [Nfs-ganesha-devel] Kerberos: Not working because response uses cached krb service from authgss_hash

2016-12-19 Thread Matt Benjamin
Hi Sriram,

Please send your change as a pull request against 
https://github.com/nfs-ganesha/ntirpc.  We need to take some care to ensure 
that we properly enforce service and QOP guarantees.  My understanding would 
have been that any request "still being processed" has been validated and 
unwrapped.  If that's the case, then I do suspect that any further use of the 
request version of the service value is valid.

Matt

- Original Message -
> From: "sriram patil" 
> To: nfs-ganesha-devel@lists.sourceforge.net
> Sent: Monday, December 19, 2016 2:23:36 AM
> Subject: [Nfs-ganesha-devel] Kerberos: Not working because response uses  
> cached krb service from authgss_hash
> 
> 
> 
> Hi,
> 
> When handling Kerberos requests, ganesha fetches the cached svc_rpc_gss_data
> from authgss_hash. If the Kerberos service (authentication, integrity or
> privacy) does not match the one parsed from the request, ganesha changes
> the service value in the cache, and continues to use the cached object for
> all further verification and when sending the response to the client. Note
> that there is no local copy of the gss data in the request; it uses the
> cached object.
> 
> 
> 
> 
> Code snippet which does the above mentioned lookup:
> 
> 
> file: src/libntirpc/src/svc_auth_gss.c function: _svcauth_gss
> 
> ` /* Context lookup. */
> if ((gc->gc_proc == RPCSEC_GSS_DATA)
>     || (gc->gc_proc == RPCSEC_GSS_DESTROY)) {
>         /* XXX fix prototype, toss junk args */
>         gd = authgss_ctx_hash_get(gc);
>         if (!gd)
>                 svcauth_gss_return(AUTH_REJECTEDCRED);
>         gd_hashed = true;
>         if (gc->gc_svc != gd->sec.svc)
>                 gd->sec.svc = gc->gc_svc;
> }`
> 
> 
> 
> 
> Now let’s assume that the cached gss service is set to privacy (3). Before
> the ongoing request can proceed, a new request comes in with OP_RENEW and
> gss service set to integrity (2). As specified in the above snippet, this
> will change the gss service value in the cache to integrity. This will
> affect all the requests which are still being processed and may respond to
> the client with an incorrect gss service. Because of this the NFS client is
> unable to interpret the response and fails with EIO. I am using the Linux NFS
> client, so it fails in the method gss_unwrap_resp.
>
> I am continuously hitting this issue in case of server restarts when mounted
> on the client with Kerberos privacy. Is there any reason why we use the gss
> service from the cache, though we have a local copy parsed from the actual
> request stored in (rq_clntcred)?
>
>
> I have tried a fix to always use the gss service from the request
> (rq_clntcred). This is working as expected and no errors on the client side.
> 
> 
> 
> 
> 
> Thanks,
> 
> 
> 
> Sriram
> 
> 

-- 
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309



[Nfs-ganesha-devel] Change in ffilz/nfs-ganesha[next]: Fix revert of ntirpc pullup

2016-12-19 Thread GerritHub
From Daniel Gryniewicz:

Daniel Gryniewicz has uploaded a new change for review.
(https://review.gerrithub.io/306694)


Change subject: Fix revert of ntirpc pullup
..

Fix revert of ntirpc pullup

Change-Id: I027ae565e8914f1efe2f8e8a3bf25db5b5dc35a0
Signed-off-by: Daniel Gryniewicz 
---
M src/libntirpc
1 file changed, 1 insertion(+), 1 deletion(-)



  git pull ssh://review.gerrithub.io:29419/ffilz/nfs-ganesha refs/changes/94/306694/1
-- 
To view, visit https://review.gerrithub.io/306694
To unsubscribe, visit https://review.gerrithub.io/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I027ae565e8914f1efe2f8e8a3bf25db5b5dc35a0
Gerrit-Change-Number: 306694
Gerrit-PatchSet: 1
Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Owner: Daniel Gryniewicz 


[Nfs-ganesha-devel] Change in ffilz/nfs-ganesha[next]: FSAL_GLUSTER : Correct the log message in glusterfs_create_e...

2016-12-19 Thread GerritHub
From Jiffin Tony Thottan:

Jiffin Tony Thottan has uploaded a new change for review.
(https://review.gerrithub.io/306658)


Change subject: FSAL_GLUSTER : Correct the log message in glusterfs_create_export()
..

FSAL_GLUSTER : Correct the log message in glusterfs_create_export()

Change-Id: Ib1048b14a3fc72cc1f32bf33edae10c8e1a4d557
Signed-off-by: Jiffin Tony Thottan 
---
M src/FSAL/FSAL_GLUSTER/export.c
1 file changed, 4 insertions(+), 4 deletions(-)



  git pull ssh://review.gerrithub.io:29419/ffilz/nfs-ganesha refs/changes/58/306658/1
-- 
To view, visit https://review.gerrithub.io/306658
To unsubscribe, visit https://review.gerrithub.io/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib1048b14a3fc72cc1f32bf33edae10c8e1a4d557
Gerrit-Change-Number: 306658
Gerrit-PatchSet: 1
Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Owner: Jiffin Tony Thottan 


[Nfs-ganesha-devel] Change in ffilz/nfs-ganesha[next]: Add psmisc dependency for killall

2016-12-19 Thread GerritHub
From Malahal:

Malahal has uploaded a new change for review.
(https://review.gerrithub.io/306671)


Change subject: Add psmisc dependency for killall
..

Add psmisc dependency for killall

We use killall in rpm post install script.

Change-Id: I8306eb98ebeded9a5b883b13f95c6151b2aa17dc
Signed-off-by: Malahal Naineni 
---
M src/libntirpc
M src/nfs-ganesha.spec-in.cmake
2 files changed, 2 insertions(+), 1 deletion(-)



  git pull ssh://review.gerrithub.io:29419/ffilz/nfs-ganesha refs/changes/71/306671/1
-- 
To view, visit https://review.gerrithub.io/306671
To unsubscribe, visit https://review.gerrithub.io/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8306eb98ebeded9a5b883b13f95c6151b2aa17dc
Gerrit-Change-Number: 306671
Gerrit-PatchSet: 1
Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Owner: Malahal 