Package: nfs-kernel-server Version: 1:1.2.2-4squeeze2 Severity: important After upgrading an HA cluster from Lenny to Squeeze, the NFS service stopped working.
The problem is that specifying the '-n' option in RPCSVCGSSDOPTS no longer works. This option allows the server to accept requests for any key in its keytab. Without '-n', a node will only accept mounts from clients that use the node's own name (i.e. nodeX.example.com) instead of the cluster's name (as in nfsserver.example.com). I applied the attached patch in order to be able to pass '-p nfsserver.example.com' to svcgssd. This solves the problem only partially, since it no longer allows clients to mount an exported directory using the node's own name, which was possible previously. The patch was posted by Eberhard Kuemmerle on the linux-nfs list and applied upstream in 1.2.3. The error from rpc.svcgssd in 1.2.2 when using '-n' is: May 30 12:23:51 rasca rpc.svcgssd[1991]: leaving poll May 30 12:23:51 rasca rpc.svcgssd[1991]: handling null request May 30 12:23:51 rasca rpc.svcgssd[1991]: WARNING: gss_set_allowable_enctypes failed May 30 12:23:51 rasca rpc.svcgssd[1991]: ERROR: GSS-API: error in svcgssd_limit_krb5_enctypes: gss_set_allowable_enctypes(): No credentials were supplied, or the credentials were unavailable or inaccessible - (0x08142008) May 30 12:23:51 rasca rpc.svcgssd[1991]: sending null reply May 30 12:23:51 rasca rpc.svcgssd[1991]: writing message: \x [snip] May 30 12:23:51 rasca rpc.svcgssd[1991]: finished handling null request May 30 12:23:51 rasca rpc.svcgssd[1991]: entering poll This bug is still present (and worse) in 1:1.2.5-4~bpo60, which will probably also affect Wheezy :-( Trying to use this option on 1:1.2.5-4~bpo60 makes rpc.svcgssd fail to start with the following error: May 30 13:06:12 rasca rpc.svcgssd[2761]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_BAD_NAME (An invalid name was supplied) - Unknown error May 30 13:06:12 rasca rpc.svcgssd[2761]: unable to obtain nameless credentials Thanks, Alberto -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred | http://inittab.com Key 
fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Index: nfs-utils-1.2.2/utils/gssd/gss_util.c
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.c 2012-05-29 16:27:59.100011446 +0200
+++ nfs-utils-1.2.2/utils/gssd/gss_util.c 2012-05-29 16:28:27.312001093 +0200
@@ -191,7 +191,7 @@
 }
 int
-gssd_acquire_cred(char *server_name)
+gssd_acquire_cred(char *server_name, const gss_OID oid)
 {
 gss_buffer_desc name;
 gss_name_t target_name;
@@ -207,7 +207,7 @@
 name.length = strlen(server_name);
 maj_stat = gss_import_name(&min_stat, &name,
- (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
+ oid,
 &target_name);
 if (maj_stat != GSS_S_COMPLETE) {
Index: nfs-utils-1.2.2/utils/gssd/gss_util.h
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.h 2012-05-29 16:28:02.879999946 +0200
+++ nfs-utils-1.2.2/utils/gssd/gss_util.h 2012-05-29 16:28:27.312001093 +0200
@@ -37,7 +37,7 @@
 extern gss_cred_id_t gssd_creds;
-int gssd_acquire_cred(char *server_name);
+int gssd_acquire_cred(char *server_name, const gss_OID oid);
 void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat, const gss_OID mech);
 int gssd_check_mechs(void);
Index: nfs-utils-1.2.2/utils/gssd/gssd.h
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/gssd.h 2012-05-29 16:28:06.220000902 +0200
+++ nfs-utils-1.2.2/utils/gssd/gssd.h 2012-05-29 16:28:27.312001093 +0200
@@ -100,7 +100,6 @@
 void handle_krb5_upcall(struct clnt_info *clp);
 void handle_spkm3_upcall(struct clnt_info *clp);
 void handle_gssd_upcall(struct clnt_info *clp);
-int gssd_acquire_cred(char *server_name);
 void gssd_run(void);
Index: nfs-utils-1.2.2/utils/gssd/svcgssd.c
===================================================================
--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd.c 2012-05-29 16:28:09.660002070 +0200
+++ nfs-utils-1.2.2/utils/gssd/svcgssd.c 2012-05-29 16:29:04.516001466 +0200
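Review bot: The new `oid` parameter of gssd_acquire_cred carries no documentation, and the only hint to its meaning is that the following hunk hands it straight to gss_import_name as the name type while svcgssd.c in this same patch passes either GSS_C_NT_HOSTBASED_SERVICE or GSS_C_NT_USER_NAME. A comment above the definition would spare the next reader that cross-reference, e.g. `/* oid: GSS name type used to import server_name (GSS_C_NT_HOSTBASED_SERVICE for a "service@host" name, GSS_C_NT_USER_NAME for a full Kerberos principal). */`. The patch also drops the stale one-argument prototype from gssd.h, so if gssd.c has a caller of gssd_acquire_cred (none is visible in this patch) it now needs the second argument as well. The body of gssd_acquire_cred continues past this hunk.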
@@ -173,7 +173,7 @@
 static void
 usage(char *progname)
 {
- fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-p principal]\n",
 progname);
 exit(1);
 }
@@ -186,9 +186,10 @@
 int verbosity = 0;
 int rpc_verbosity = 0;
 int idmap_verbosity = 0;
- int opt;
+ int opt, status;
 extern char *optarg;
 char *progname;
+ char *principal = NULL;
 while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
 switch (opt) {
@@ -207,6 +208,9 @@
 case 'r':
 rpc_verbosity++;
 break;
+ case 'p':
+ principal = optarg;
+ break;
 default:
 usage(argv[0]);
 break;
@@ -250,12 +254,20 @@
 signal(SIGTERM, sig_die);
 signal(SIGHUP, sig_hup);
- if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
- printerr(0, "unable to obtain root (machine) credentials\n");
- printerr(0, "do you have a keytab entry for "
- "nfs/<your.host>@<YOUR.REALM> in "
- "/etc/krb5.keytab?\n");
- exit(1);
+ if (get_creds) {
+ if (principal)
+ status = gssd_acquire_cred(principal,
+ ((const gss_OID)GSS_C_NT_USER_NAME));
+ else
+ status = gssd_acquire_cred(GSSD_SERVICE_NAME,
+ (const gss_OID)GSS_C_NT_HOSTBASED_SERVICE);
+ if (status == FALSE) {
+ printerr(0, "unable to obtain root (machine) credentials\n");
+ printerr(0, "do you have a keytab entry for "
+ "nfs/<your.host>@<YOUR.REALM> in "
+ "/etc/krb5.keytab?\n");
+ exit(1);
+ }
 }
 if (!fg)
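Review bot: The usage text added here says only `[-p principal]`, which does not tell the operator what form the name must take, and the `-p` handling later in this file imports it with GSS_C_NT_USER_NAME rather than the GSS_C_NT_HOSTBASED_SERVICE used for the default `nfs@host` style name, so a bare host name like the `-p nfsserver.example.com` in the bug report is presumably parsed as a plain principal and not expanded to `nfs/nfsserver.example.com`. I would spell the expected form out in the usage line, e.g. `"usage: %s [-n] [-f] [-v] [-r] [-i] [-p nfs/host@REALM]\n"`, and say the same in the man page and RPCSVCGSSDOPTS documentation. usage() is complete within this hunk.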
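Review bot: On the new side, when `-p` was given and gssd_acquire_cred fails, the hint still tells the operator to check for `nfs/<your.host>@<YOUR.REALM>`, which is not the principal that was just requested and sends them to the wrong keytab entry; the second printerr should name the requested principal, e.g. `printerr(0, "do you have a keytab entry for %s in /etc/krb5.keytab?\n", principal ? principal : "nfs/<your.host>@<YOUR.REALM>");`. A `-p` given together with `-n` is silently ignored because the whole block is skipped when get_creds is 0 (I am inferring the `-n` behaviour from the original condition; its case label is outside the hunk), so a one-line warning there would keep a misconfiguration from going unnoticed. `if (status == FALSE)` would read more naturally as `if (!status)`, matching the original's `!gssd_acquire_cred(...)`. main() continues on both sides of this hunk.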