Trying to get gssproxy working with NFS (rpc-gssd and rpc-svcgssd) on Ubuntu 20.04.

Following https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md

/etc/gssproxy/gssproxy.conf

    [gssproxy]
    debug = true
    debug_level = 3

/etc/gssproxy/25-nfs-server.conf

    [service/nfs-server]
    mechs = krb5
    socket = /run/gssproxy.sock
    cred_store = keytab:/etc/krb5.keytab
    trusted = yes
    kernel_nfsd = yes
    euid = 0

When I start the gssproxy service, either through systemd or manually with:

    /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock

I get this result:

    [2021/06/28 14:49:19]: Debug Enabled (level: 3)
    [2021/06/28 14:49:19]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 23
    [2021/06/28 14:49:19]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 23
    [2021/06/28 14:49:19]: Client [2021/06/28 14:49:19]: (/usr/sbin/gssproxy) [2021/06/28 14:49:19]: connected (fd = 13)[2021/06/28 14:49:19]: (pid = 7821) (uid = 0) (gid = 0)Segmentation fault (core dumped)

It is the kernel_nfsd = yes config part that causes the segfault.

What it does (from the docs linked above):

    ...
    The gssproxy client registers to the kernel by performing 2 actions in the following order:

    * creates a unix socket for kernel communication in /var/run/gssproxy.sock (this path is hardcoded in the kernel and cannot be changed at this time)
    * writes 1 byte in the proc file /proc/net/rpc/use-gss-proxy (the client must be ready to accept a connection from the kernel when this is done, as the kernel we check that the socket is available)
    ...
    It enables the kernel extensions to the protocol (the context is exported as a lucid context for example, and a list of resolved credentials is returned if authentication succeeds)

The proc file seems ok (it was -1 before):

    cat /proc/net/rpc/use-gss-proxy
    1
https://bugs.launchpad.net/bugs/1788459

Title:
  gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd

Status in gssproxy package in Ubuntu: Confirmed
Status in krb5 package in Ubuntu: Confirmed
Status in libselinux package in Ubuntu: Confirmed

Bug description:

I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error.

    gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000]

If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd:

    # gssproxy -d --debug-level=3 -i -C /etc/gssproxy
    [2018/08/22 17:51:40]: Debug Enabled (level: 3)
    [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)

Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies.

This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04.

    Ubuntu 18.04.1 LTS
    gssproxy 0.8.0-1
    libselinux1:amd64 2.7-2build2
    libgssrpc4:amd64 1.16-2build1