On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
packet just before closing the connection. The client's first operation
to the server using the context is rejected because the server's mic
verification fails.
Has anyone else seen this?
I'll keep investigating.
--b.
On Thu, Jul 14, 2011 at 09:13:41AM +0200, Tigran Mkrtchyan wrote:
> On 07/14/2011 12:59 AM, J. Bruce Fields wrote:
> >On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
> >appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
> >packet just before closing the connection. The client's first operation
> >to the server using the context is rejected because the server's mic
> >verification fails.
> >
> >Has anyone else seen this?
>
> I have reported the same issue couple of weeks ago
>
> http://www.spinics.net/lists/linux-nfs/msg22142.html
I thought it looked familiar....
> I use suse 11.4 x86_64 and can reproduce it with native kernel
> 2.6.37.xxx and 3.0.0-rc5.
>
> To me it looks like that in rpc packet missing verifier.
Yes.
> Nevertheless
> the message length is up to verifier. What I failed to find out it
> the message length did not take verifier in the account or verifier
> is missing in the first place. I was looking the the kernel code,
> but may be problem is in gssd. I don't know which part of gss
> handling in user space and which part is in the kernel.
It's gssd that handles the init_sec_context, and (what I didn't notice
before) you can see that the destroy rpc goes over the same tcp
connection as the init_sec_context exchange.
--b.
On 07/14/2011 12:59 AM, J. Bruce Fields wrote:
> On Fedora 15 I'm seeing odd krb5 behavior: the context initialization
> appears to work fine, but then gssd sends a malformed RPCSEC_GSS_DESTROY
> packet just before closing the connection. The client's first operation
> to the server using the context is rejected because the server's mic
> verification fails.
>
> Has anyone else seen this?
I have reported the same issue couple of weeks ago
http://www.spinics.net/lists/linux-nfs/msg22142.html
I use suse 11.4 x86_64 and can reproduce it with native kernel
2.6.37.xxx and 3.0.0-rc5.
To me it looks like that in rpc packet missing verifier. Nevertheless
the message length is up to verifier. What I failed to find out it the
message length did not take verifier in the account or verifier is
missing in the first place. I was looking the the kernel code, but may
be problem is in gssd. I don't know which part of gss handling in user
space and which part is in the kernel.
Tigran.
>
> I'll keep investigating.
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
I still face this issue in SuSe 11.3 x86_64.
Don't see any updates in the bug. Any help, tx