[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
Just tested the proposed gssproxy fix, and can confirm that it solved the issue Tested on Ubuntu Focal (20.04) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libselinux in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: In Progress Status in libselinux package in Ubuntu: Invalid Status in gssproxy source package in Focal: Fix Committed Status in libselinux source package in Focal: Invalid Status in gssproxy source package in Hirsute: Fix Committed Status in libselinux source package in Hirsute: Invalid Bug description: [ Impact ] gssproxy users on Focal and Hiruste who configure the package to handle NFS mountpoints using Kerberos authentication will experience a segmentation fault when invoking the service either through systemd or by hand. [ Test Case] Inside a Focal LXD container: $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal $ lxc shell gssproxy-bug1788459-focal # apt update # apt install -y gssproxy nfs-kernel-server # cat > /etc/gssproxy/gssproxy.conf << __EOF__ [gssproxy] debug = true debug_level = 3 __EOF__ # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__ [service/nfs-server] mechs = krb5 socket = /run/gssproxy.sock cred_store = keytab:/etc/krb5.keytab trusted = yes kernel_nfsd = yes euid = 0 __EOF__ # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock [2021/06/30 14:34:14]: Debug Enabled (level: 3) [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203) [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18 [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau lt (core dumped) [ Where problems could occur ] * The backported patch is simple and it is very unlikely that it will introduce a regression. * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex. [ Original Description ] I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 7f2f5bb1951a sp 7ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
I can confirm that manual build and install of gssproxy 0.8.4 works on my ubuntu 20.04 server. (that version has the patch mentioned above) gssproxy solves my original issue of rpc-svcgssd hanging on large kerberos tickets https://bugs.launchpad.net/ubuntu/+source/nfs- utils/+bug/1466654 Hopefully this patch find its way fast through the official ubuntu release channel -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libselinux in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: In Progress Status in libselinux package in Ubuntu: Invalid Status in gssproxy source package in Focal: In Progress Status in libselinux source package in Focal: Invalid Status in gssproxy source package in Hirsute: In Progress Status in libselinux source package in Hirsute: Invalid Bug description: [ Impact ] gssproxy users on Focal and Hiruste who configure the package to handle NFS mountpoints using Kerberos authentication will experience a segmentation fault when invoking the service either through systemd or by hand. [ Test Case] Inside a Focal LXD container: $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal $ lxc shell gssproxy-bug1788459-focal # apt update # apt install -y gssproxy nfs-kernel-server # cat > /etc/gssproxy/gssproxy.conf << __EOF__ [gssproxy] debug = true debug_level = 3 __EOF__ # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__ [service/nfs-server] mechs = krb5 socket = /run/gssproxy.sock cred_store = keytab:/etc/krb5.keytab trusted = yes kernel_nfsd = yes euid = 0 __EOF__ # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock [2021/06/30 14:34:14]: Debug Enabled (level: 3) [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203) [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18 [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau lt (core dumped) [ Where problems could occur ] * The backported patch is simple and it is very unlikely that it will introduce a regression. * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex. [ Original Description ] I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 7f2f5bb1951a sp 7ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
gssproxy/focal,now 0.8.2-2 amd64 [installed] libselinux1/focal,now 3.0-1build2 amd64 [installed,automatic] -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: Confirmed Status in krb5 package in Ubuntu: Confirmed Status in libselinux package in Ubuntu: Confirmed Bug description: I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 7f2f5bb1951a sp 7ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
I couldn't get it to generate a coredump. But I ran it with valgrind Hope this helps valgrind -v /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock ==29249== Memcheck, a memory error detector ==29249== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==29249== Using Valgrind-3.15.0-608cb11914-20190413 and LibVEX; rerun with -h for copyright info ==29249== Command: /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock ==29249== --29249-- Valgrind options: --29249---v --29249-- Contents of /proc/version: --29249-- Linux version 5.4.0-74-generic (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 --29249-- --29249-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-rdrand --29249-- Page sizes: currently 4096, max supported 4096 --29249-- Valgrind library directory: /usr/lib/x86_64-linux-gnu/valgrind --29249-- Reading syms from /usr/sbin/gssproxy --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.31.so --29249-- Considering /usr/lib/x86_64-linux-gnu/ld-2.31.so .. --29249-- .. CRC mismatch (computed 975d0390 wanted 30bd717f) --29249-- Considering /lib/x86_64-linux-gnu/ld-2.31.so .. --29249-- .. CRC mismatch (computed 975d0390 wanted 30bd717f) --29249-- Considering /usr/lib/debug/lib/x86_64-linux-gnu/ld-2.31.so .. --29249-- .. CRC is valid --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux --29249--object doesn't have a symbol table --29249--object doesn't have a dynamic symbol table --29249-- Scheduler: using generic scheduler lock implementation. --29249-- Reading suppressions file: /usr/lib/x86_64-linux-gnu/valgrind/default.supp ==29249== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-29249-by-root-on-??? ==29249== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-29249-by-root-on-??? ==29249== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-29249-by-root-on-??? ==29249== ==29249== TO CONTROL THIS PROCESS USING vgdb (which you probably ==29249== don't want to do, unless you know exactly what you're doing, ==29249== or are doing some strange experiment): ==29249== /usr/lib/x86_64-linux-gnu/valgrind/../../bin/vgdb --pid=29249 ...command... ==29249== ==29249== TO DEBUG THIS PROCESS USING GDB: start GDB like this ==29249== /path/to/gdb /usr/sbin/gssproxy ==29249== and then give GDB the following command ==29249== target remote | /usr/lib/x86_64-linux-gnu/valgrind/../../bin/vgdb --pid=29249 ==29249== --pid is optional if only one valgrind process is running ==29249== --29249-- REDIR: 0x4022e10 (ld-linux-x86-64.so.2:strlen) redirected to 0x580c9ce2 (???) --29249-- REDIR: 0x4022be0 (ld-linux-x86-64.so.2:index) redirected to 0x580c9cfc (???) --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_core-amd64-linux.so --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so --29249--object doesn't have a symbol table ==29249== WARNING: new redirection conflicts with existing -- ignoring it --29249-- old: 0x04022e10 (strlen ) R-> (.0) 0x580c9ce2 ??? --29249-- new: 0x04022e10 (strlen ) R-> (2007.0) 0x0483f060 strlen --29249-- REDIR: 0x401f5f0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x483ffd0 (strcmp) --29249-- REDIR: 0x4023370 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x4843a20 (mempcpy) --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libpopt.so.0.0.0 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libverto.so.1.0.0 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libini_config.so.5.2.1 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libref_array.so.1.2.1 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libselinux.so.1 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libgssrpc.so.4.2 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2 --29249--object doesn't have a symbol table --29249-- Reading syms from /usr/lib/x86_64-linux-gnu/libpthread-2.31.so --29249-- Considering /usr/lib/debug/.build-id/e5/4761f7b554d0fcc1562959665d93dffbebdaf0.debug .. --29249-- .. build-id is valid --29249-- Reading syms from
[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
** Attachment added: "/var/crash/_usr_sbin_gssproxy.0.crash" https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+attachment/5507903/+files/_usr_sbin_gssproxy.0.crash -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: Confirmed Status in krb5 package in Ubuntu: Confirmed Status in libselinux package in Ubuntu: Confirmed Bug description: I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 7f2f5bb1951a sp 7ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
The reason we want gssproxy, and not the default rpc-gssd and rpc- svcgssd services is that we are using active directory, and most of our accounts are members of many groups, causing gssd to fail. This is a known issue and is one of the things that gssproxy solves. >>The reason we did this was to allow the kernel NFS server to handle big tickets like those containing a MS-PAC payload that may be received by a Microsoft client. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: Confirmed Status in krb5 package in Ubuntu: Confirmed Status in libselinux package in Ubuntu: Confirmed Bug description: I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 7f2f5bb1951a sp 7ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
Trying to get gssproxy working with NFS (rpc-gssd and rpc-svcgssd) on Ubuntu 20.04 Following https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md /etc/gssproxy/gssproxy.conf [gssproxy] debug = true debug_level = 3 /etc/gssproxy/25-nfs-server.conf [service/nfs-server] mechs = krb5 socket = /run/gssproxy.sock cred_store = keytab:/etc/krb5.keytab trusted = yes kernel_nfsd = yes euid = 0 When I start the gssproxy service, either through systemd or manually with: /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock I get this result: [2021/06/28 14:49:19]: Debug Enabled (level: 3) [2021/06/28 14:49:19]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 23 [2021/06/28 14:49:19]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 23 [2021/06/28 14:49:19]: Client [2021/06/28 14:49:19]: (/usr/sbin/gssproxy) [2021/06/28 14:49:19]: connected (fd = 13)[2021/06/28 14:49:19]: (pid = 7821) (uid = 0) (gid = 0)Segmentation fault (core dumped) It is the kernel_nfsd = yes config part that causes the segfault What it does (from the docs linked above) ... The gssproxy client registers to the kernel by performing 2 actions in the following order: * creates a unix socket for kernel communication in /var/run/gssproxy.sock (this path is hardcoded in the kernel and cannot be changed at this time) * writes 1 byte in the proc file /proc/net/rpc/use-gss-proxy (the client must be ready to accept a connection from the kernel when this is done, as the kernel we check that the socket is available) ... It enables the kernel extensions to the protocol (the context is exported as a lucid context for example, and a list of resolved credentials is returned if authentication succeeds) The proc files seems ok (it was -1 before) cat /proc/net/rpc/use-gss-proxy 1 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: Confirmed Status in krb5 package in Ubuntu: Confirmed Status in libselinux package in Ubuntu: Confirmed Bug description: I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 7f2f5bb1951a sp 7ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp