nfs-utils/nfs-kernel-server (rpc.svcgssd) ignored /etc/nfs.conf settings
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nfs-utils (Ubuntu) | Fix Released | Low | Andreas Hasenack |
Jammy | Fix Released | Low | Andreas Hasenack |
Kinetic | Fix Released | Low | Andreas Hasenack |
Bug Description
[Impact]
The "principal" option for svcgssd in /etc/nfs.conf is being ignored by the service. This breaks NFS setups that use kerberos and need a specific principal name.
Another issue is that some svcgssd options are missing from the nfs.conf(5) manpage, notably verbosity, rpc-verbosity and idmap-verbosity. On its own that probably wouldn't warrant an SRU, but it can go together with this one. I don't think a new bug is needed, since they are about svcgssd too.
Finally, when using the "principal" option, it would be helpful if the error message actually used the given principal name, instead of a generic "nfs/<your.
The test case will cover all three issues.
[Test Plan]
Create a jammy vm. For example, with lxd:
$ lxc launch ubuntu:jammy j-nfs-1977745 --vm
Then log in on the system:
$ lxc shell j-nfs-1977745
Install a kerberos kdc, utilities, and nfs server packages:
# apt update && apt install -y krb5-kdc krb5-admin-server nfs-kernel-server
Above, when prompted for the realm and KDC/ADMIN servers, use SRU for the realm, and "localhost" for the kdc and admin servers.
Now create the realm. Choose whatever password you like, it won't be needed again:
# krb5_newrealm
Create a service principal for the nfs server. To test this bug, we will create a principal with a non-standard name:
# kadmin.local -q "addprinc -randkey someservice/
Extract it to the system keytab:
# kadmin.local -q "ktadd someservice/
Stop nfs services, just to be sure they are not running for the subsequent tests:
# systemctl stop nfs-utils.service nfs-server.service
Now the tests begin.
a) In the released version, the nfs.conf(5) manpage only lists the "principal" option under "svcgssd":
"""
svcgssd
Recognized values: principal.
See rpc.svcgssd(8) for details.
"""
The fixed version will add to that list verbosity, rpc-verbosity, and idmap-verbosity:
"""
svcgssd
Recognized values: principal, verbosity, rpc-verbosity, idmap-verbosity.
"""
b) Set the specific principal we created for svcgssd in /etc/nfs.conf:
# nfsconf --set svcgssd principal someservice/
Confirm it's there:
# grep principal /etc/nfs.conf -B 1
[svcgssd]
principal = someservice/
Run the svcgssd binary, and confirm it fails and complains about missing credentials:
# /usr/sbin/
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_NO_CRED (No credentials were supplied, or the credentials were unavailable or inaccessible) - No key table entry found for @SRU
unable to obtain root (machine) credentials
do you have a keytab entry for nfs/<your.
In the fixed version, it will start normally:
# /usr/sbin/
(no further output)
c) In the error case from (b), note that it suggests to check for a generic principal name in the keytab, without mentioning the specific principal we set in nfs.conf.
For the fixed version, let's change the principal name to one we really don't have a keytab for, and see what the error message suggests this time:
# nfsconf --set svcgssd principal anotherservice/
This time the error specifically mentions anotherservice/
# /usr/sbin/
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_NO_CRED (No credentials were supplied, or the credentials were unavailable or inaccessible) - No key table entry found for anotherservice/
unable to obtain root (machine) credentials
do you have a keytab entry for anotherservice/
[Where problems could occur]
An NFS server is actually comprised of multiple services, especially when kerberos is involved. Restarting them in the correct order is the goal of the packaging, but there are some cases where this doesn't yet work correctly, as bug #1971935 shows.
[Other Info]
Not at this time.
[Original Description]
Tested on:
Ubuntu 22.04 (x86_64)
Package: nfs-kernel-server 1:2.6.1-1ubuntu1
Set config options in /etc/nfs.conf are ignored by rpc.svcgssd (required for krb5 NFSv4).
I was trying to set the principal name like:
[svcgssd]
<email address hidden>
but rpc.svcgssd refused to start. When specified on command line (using the -p option) things started working.
After having a look at the code (nfs-utils-
/* We don't need the config anymore */
which is called too early. So at the point where gssd_acquire_cred() is called the variable "principal" does no longer contain the data read from the config file.
Moving conf_cleanup() to the end of the code helps.
I also tried to get into contact with the nfs-utils developer themselves - but I hope someone at Ubuntu has a better way to contact them.
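The reporter's analysis above (conf_cleanup() running before gssd_acquire_cred() uses the principal read from the config) and the symptom in test step (b) are the same defect: a pointer into config storage that is released before the value is used. The following C program is an added illustration, not nfs-utils code. It models a tiny nfs.conf-style parser whose conf_get_str() hands back pointers into its own storage, then runs the credential step in the buggy order and in a fixed order. The parser, the names cred_principal/buggy_flow/fixed_flow, and the sample principal someservice/nfs-host.example@SRU are all constructed for this example; the real parser frees heap memory, which this model replaces with wiping a static arena so the stale read is deterministic rather than undefined behaviour.

```c
/* Added example, not nfs-utils code: a daemon reads "principal" from an
 * nfs.conf-style file, and releasing the config storage before the value
 * is used silently loses the setting. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_LEN 128

struct entry { char section[MAX_LEN]; char key[MAX_LEN]; char value[MAX_LEN]; };

/* Config storage.  The real parser heap-allocates and frees entries; this
 * model wipes a static arena in conf_cleanup() so the stale-pointer bug
 * is observable instead of being undefined behaviour (a real use-after-free). */
static struct entry conf[MAX_ENTRIES];
static int conf_count;

/* Constructed sample config; host and realm are placeholders. */
const char *SAMPLE_CONF =
    "# constructed sample nfs.conf\n"
    "[svcgssd]\n"
    "principal = someservice/nfs-host.example@SRU\n"
    "verbosity = 1\n";

static char *trim(char *s) {
    while (*s == ' ' || *s == '\t') s++;
    char *end = s + strlen(s);
    while (end > s && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r'))
        *--end = '\0';
    return s;
}

/* Parse "[section]" headers and "key = value" lines.
 * Returns the entry count, or -1 on malformed input. */
int conf_load(const char *text) {
    char buf[1024], section[MAX_LEN] = "";
    char *save = NULL;
    conf_count = 0;
    snprintf(buf, sizeof buf, "%s", text);
    for (char *line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        char *s = trim(line);
        if (*s == '\0' || *s == '#') continue;          /* blank or comment */
        if (*s == '[') {                                /* section header */
            char *end = strchr(s, ']');
            if (!end) return -1;
            *end = '\0';
            snprintf(section, sizeof section, "%s", s + 1);
            continue;
        }
        char *eq = strchr(s, '=');
        if (!eq || conf_count >= MAX_ENTRIES) return -1;
        *eq = '\0';
        struct entry *e = &conf[conf_count++];
        snprintf(e->section, MAX_LEN, "%s", section);
        snprintf(e->key, MAX_LEN, "%s", trim(s));
        snprintf(e->value, MAX_LEN, "%s", trim(eq + 1));
    }
    return conf_count;
}

/* Like the real conf_get_str(): a pointer INTO config storage, or NULL. */
const char *conf_get_str(const char *section, const char *key) {
    for (int i = 0; i < conf_count; i++)
        if (strcmp(conf[i].section, section) == 0 && strcmp(conf[i].key, key) == 0)
            return conf[i].value;
    return NULL;
}

/* Releases config storage: every pointer from conf_get_str() is now stale. */
void conf_cleanup(void) {
    memset(conf, 0, sizeof conf);
    conf_count = 0;
}

/* Stands in for the credential step: an unset or empty principal falls
 * back to the generic nfs/<host> name, which is the symptom seen in (b). */
static const char *cred_principal(const char *principal) {
    return (principal && *principal) ? principal : "nfs/<host>";
}

/* Buggy order: config released before the principal is used. */
const char *buggy_flow(const char *text) {
    static char out[MAX_LEN];
    conf_load(text);
    const char *principal = conf_get_str("svcgssd", "principal");
    conf_cleanup();                        /* too early: principal is stale */
    snprintf(out, sizeof out, "%s", cred_principal(principal));
    return out;
}

/* Fixed order: own a copy before releasing the config.  Moving
 * conf_cleanup() after the last use, as the reporter did, works as well. */
const char *fixed_flow(const char *text) {
    static char out[MAX_LEN];
    conf_load(text);
    const char *p = conf_get_str("svcgssd", "principal");
    char *principal = p ? strdup(p) : NULL;
    conf_cleanup();
    snprintf(out, sizeof out, "%s", cred_principal(principal));
    free(principal);
    return out;
}
```

Calling fixed_flow(SAMPLE_CONF) yields the configured principal, while buggy_flow(SAMPLE_CONF) falls back to the generic name: the daemon never sees the value set with nfsconf, which is why the error message in (b) asks about a keytab entry for nfs/<...> instead of the configured one. Compiled with sanitizers against the real heap-freeing parser, the same read would be reported as a heap-use-after-free.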
Related branches
- git-ubuntu import: Pending requested
Diff: 7868 lines (+3596/-520) (has conflicts), 128 files modified
.gitignore (+3/-0)
Makefile.in (+2/-1)
NEWS (+11/-11)
README (+8/-8)
configure (+277/-54)
configure.ac (+15/-16)
debian/changelog (+102/-0)
debian/control (+3/-2)
debian/copyright (+0/-1)
debian/nfs-common.bug-script (+6/-6)
debian/nfs-common.default (+0/-7)
debian/nfs-common.init (+4/-5)
debian/nfs-common.install (+0/-1)
debian/nfs-common.lintian-overrides (+3/-3)
debian/nfs-common.postinst (+0/-23)
debian/nfs-kernel-server.bug-script (+4/-4)
debian/nfs-kernel-server.default (+0/-13)
debian/nfs-kernel-server.init (+6/-8)
debian/nfs-kernel-server.install (+2/-0)
debian/nfs-kernel-server.lintian-overrides (+2/-2)
debian/nfs-kernel-server.postinst (+7/-6)
debian/patches/always-run-generator.patch (+5/-0)
debian/patches/fsidd-provide-better-default-socket-name.patch (+96/-0)
debian/patches/libnfsidmap-try-to-get-the-domain-directly-from-host.patch (+54/-0)
debian/patches/nfs-idmapd.service-add-network-online.target-to-Want.patch (+33/-0)
debian/patches/series (+10/-0)
debian/patches/start-statd-fix-shellcheck-warnings.patch (+41/-0)
debian/rules (+7/-1)
debian/salsa-ci.yml (+14/-0)
dev/null (+0/-16)
linux-nfs/Makefile.in (+2/-1)
support/Makefile.am (+1/-1)
support/Makefile.in (+4/-3)
support/export/Makefile.am (+2/-0)
support/export/Makefile.in (+209/-46)
support/export/auth.c (+1/-1)
support/export/cache.c (+95/-14)
support/export/client.c (+3/-0)
support/export/export.c (+20/-0)
support/export/v4clients.c (+1/-1)
support/export/v4root.c (+3/-1)
support/export/xtab.c (+1/-1)
support/include/Makefile.in (+2/-1)
support/include/nfs/Makefile.in (+2/-1)
support/include/nfs/export.h (+14/-0)
support/include/nfsd_path.h (+3/-3)
support/include/nfslib.h (+15/-0)
support/include/pseudoflavors.h (+1/-0)
support/include/rpcsvc/Makefile.in (+2/-1)
support/include/sys/Makefile.in (+2/-1)
support/include/sys/fs/Makefile.in (+2/-1)
support/junction/Makefile.in (+2/-1)
support/junction/junction.c (+5/-5)
support/misc/Makefile.in (+2/-1)
support/misc/nfsd_path.c (+12/-12)
support/nfs/Makefile.am (+1/-0)
support/nfs/Makefile.in (+213/-71)
support/nfs/exports.c (+161/-15)
support/nfs/xlog.c (+5/-2)
support/nfsidmap/Makefile.in (+2/-1)
support/nfsidmap/regex.c (+1/-1)
support/nsm/Makefile.in (+2/-1)
support/reexport/Makefile.am (+18/-0)
support/reexport/Makefile.in (+797/-0)
support/reexport/backend_sqlite.c (+267/-0)
support/reexport/fsidd.c (+198/-0)
support/reexport/reexport.c (+326/-0)
support/reexport/reexport.h (+18/-0)
support/reexport/reexport_backend.h (+47/-0)
systemd/60-nfs.rules (+21/-0)
systemd/Makefile.am (+10/-10)
systemd/Makefile.in (+14/-11)
systemd/auth-rpcgss-module.service (+2/-1)
systemd/fsidd.service (+10/-0)
systemd/nfs-server.service (+1/-1)
systemd/nfs.conf.man (+7/-0)
tests/Makefile.in (+2/-1)
tests/nsm_client/Makefile.in (+2/-1)
tools/Makefile.am (+5/-1)
tools/Makefile.in (+6/-4)
tools/locktest/Makefile.in (+2/-1)
tools/mountstats/Makefile.in (+2/-1)
tools/nfs-iostat/Makefile.in (+2/-1)
tools/nfs-iostat/nfs-iostat.py (+9/-6)
tools/nfsconf/Makefile.in (+2/-1)
tools/nfsdclddb/Makefile.in (+2/-1)
tools/nfsdclnts/Makefile.in (+2/-1)
tools/nfsrahead/Makefile.am (+1/-1)
tools/nfsrahead/Makefile.in (+3/-2)
tools/nfsrahead/main.c (+1/-1)
tools/nlmtest/Makefile.in (+2/-1)
tools/rpcctl/Makefile.in (+2/-1)
tools/rpcdebug/Makefile.in (+2/-1)
tools/rpcdebug/rpcdebug.c (+1/-1)
tools/rpcgen/Makefile.in (+2/-1)
utils/Makefile.in (+2/-1)
utils/blkmapd/Makefile.in (+2/-1)
utils/blkmapd/device-discovery.c (+36/-29)
utils/blkmapd/device-discovery.h (+2/-0)
utils/blkmapd/device-inq.c (+2/-2)
utils/exportd/Makefile.am (+3/-1)
utils/exportd/Makefile.in (+7/-4)
utils/exportfs/Makefile.am (+3/-0)
utils/exportfs/Makefile.in (+25/-8)
utils/exportfs/exportfs.c (+16/-4)
utils/exportfs/exports.man (+81/-1)
utils/gssd/Makefile.in (+2/-1)
utils/idmapd/Makefile.in (+2/-1)
utils/idmapd/idmapd.c (+1/-1)
utils/mount/Makefile.am (+2/-1)
utils/mount/Makefile.in (+9/-4)
utils/mount/error.c (+16/-15)
utils/mount/network.c (+1/-1)
utils/mount/nfs.man (+33/-1)
utils/mount/nfsmount.conf (+3/-3)
utils/mount/parse_dev.c (+2/-1)
utils/mountd/Makefile.am (+2/-0)
utils/mountd/Makefile.in (+5/-3)
utils/nfsd/Makefile.in (+2/-1)
utils/nfsd/nfsd.c (+16/-1)
utils/nfsd/nfsd.man (+15/-2)
utils/nfsdcld/Makefile.in (+2/-1)
utils/nfsdcltrack/Makefile.in (+2/-1)
utils/nfsidmap/Makefile.in (+2/-1)
utils/nfsref/Makefile.in (+2/-1)
utils/nfsstat/Makefile.in (+2/-1)
utils/showmount/Makefile.in (+2/-1)
utils/statd/Makefile.in (+2/-1)
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 203 lines (+163/-0), 6 files modified
debian/changelog (+14/-0)
debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch (+19/-0)
debian/patches/series (+4/-0)
debian/patches/svcgssd-display-principal-if-set.patch (+37/-0)
debian/patches/svcgssd-document-missing-options.patch (+44/-0)
debian/patches/svcgssd-fix-use-after-free.patch (+45/-0)
- git-ubuntu bot: Approve
- Christian Ehrhardt (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 2013 lines (+1660/-8), 22 files modified
debian/README.Ubuntu (+30/-0)
debian/changelog (+1229/-0)
debian/control (+17/-6)
debian/libnfsidmap-regex.install (+1/-0)
debian/libnfsidmap1.docs (+1/-0)
debian/libnfsidmap1.install (+3/-1)
debian/nfs-common.dirs (+1/-0)
debian/nfs-common.docs (+1/-0)
debian/nfs-common.postrm (+1/-0)
debian/not-installed (+3/-0)
debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch (+19/-0)
debian/patches/series (+5/-0)
debian/patches/svcgssd-display-principal-if-set.patch (+37/-0)
debian/patches/svcgssd-document-missing-options.patch (+44/-0)
debian/patches/svcgssd-fix-use-after-free.patch (+45/-0)
debian/patches/ubuntu-idmapd-manpage-update-regex-other-package.patch (+12/-0)
debian/rules (+7/-1)
debian/source.apport (+32/-0)
debian/tests/control (+11/-0)
debian/tests/kerberos-mount (+38/-0)
debian/tests/util (+89/-0)
debian/tests/v3-mount (+34/-0)
Changed in nfs-utils (Ubuntu):
- status: New → Incomplete
- status: Incomplete → In Progress
- assignee: nobody → Andreas Hasenack (ahasenack)
- tags: added: server-todo
Changed in nfs-utils (Ubuntu Jammy):
- status: Triaged → In Progress
- description: updated
- description: updated
- description: updated
- description: updated
- description: updated
- description: updated
- tags: removed: server-todo
Was your upstream contact attempt via the mailing list? Do you happen to have a link, or the subject of the message?