Ubuntu
nfs-utils package

rpc.gssd truncates 32-bit UIDs/GIDs to 16 bits, leading to "Key has expired" errors when using kerberos

  1. Bionic (18.04)
  2. Bug #1779962
Bug #1779962 reported by Sree
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
nfs-utils (Ubuntu)
Fix Released
Undecided
Adam Conrad
Bionic
Confirmed
Undecided
Unassigned

Bug Description

utils/gssd_proc.c uses SYS_setresuid and SYS_setresgid in change_identity when it should use SYS_setresuid32 and SYS_setresgid32 instead. This causes it to truncate UIDs/GIDs > 65536.

Symptoms: rpc.gssd is unable to read kerberos credentials files after changing identity, failing with a cryptic error message:

CC 'FILE:/tmp/krb5cc_100001_J5kIrv' is expired or corrupt

(note the UID 100001 here, rpc.gssd was actually using UID 34465 to access this file, and failing in krb5_util.c when calling krb5_cc_get_principal)

The attached patch fixes the bug.

I'm using Ubuntu 18.04 LTS on an Odroid XU4 (armhf). This bug does not exist in Ubuntu 16.04 LTS.

Revision history for this message
Sree (sree314) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Changes the syscalls to use the 32-bit variants." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
James (drmhv) wrote :

Thanks for tracking this down Sree - I've been hitting this for quite some time but only on ARM for some reason. Your patch also works for me on nfs-utils 2.3.2.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nfs-utils (Ubuntu):
status: New → Confirmed
Revision history for this message
Sree (sree314) wrote :

Glad to know that helped. I was using the Odroid kernel (not the Ubuntu one), so I was not sure the problem manifests elsewhere. It doesn't on Debian (on the aarch64 kernel), for example.

I think it surfaces only on architectures that have the 16-bit UID syscalls enabled (or on multiarch).

Revision history for this message
Steve Dickson (steved-redhat) wrote :

Here is the patch I'm about to propose to upstream.

Sree, if possible, could please test this patch?

Also I would like to give you the "Author" credit
but I don't see a public email address.

Revision history for this message
Sree (sree314) wrote :

Steve, I tested that patch on 1.3.4 and it works for me. Thanks!

I'm <launchpad-username>@gmail.com, thank you!

Revision history for this message
Steve Dickson (steved-redhat) wrote :

Sree, Thank you!

Revision history for this message
Steve Dickson (steved-redhat) wrote :

The upstream patch

commit 2a6b8307fa4243a7921270aedf8ce6506e31569a (HEAD -> master, origin/master, origin/HEAD)
Author: Steve Dickson <email address hidden>
Date: Tue Jul 17 15:09:37 2018 -0400

    rpc.gssd: truncates 32-bit UIDs/GIDs to 16 bits architectures.

    utils/gssd_proc.c uses SYS_setresuid and SYS_setresgid in
    change_identity when it should use SYS_setresuid32 and
    SYS_setresgid32 instead. This causes it to truncate
    UIDs/GIDs > 65536.

    Fixes: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1779962
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1595927

    Tested-by: James Ettle <email address hidden>
    Tested-by: Sree <email address hidden>
    Signed-off-by: Steve Dickson <email address hidden>

Francis Ginther (fginther)
tags: added: id-5bbd0cbaade2f22d9608ca95
Adam Conrad (adconrad)
Changed in nfs-utils (Ubuntu):
status: Confirmed → Fix Committed
assignee: nobody → Adam Conrad (adconrad)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nfs-utils - 1:1.3.4-2.2ubuntu3

---------------
nfs-utils (1:1.3.4-2.2ubuntu3) cosmic; urgency=medium

  * truncate_gid*.patch: Backports from upstream to prevent truncating
    UIDs and GIDs over 65536 on certain architectures (LP: #1779962)

 -- Adam Conrad <email address hidden> Tue, 16 Oct 2018 06:06:43 -0600

Changed in nfs-utils (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nfs-utils (Ubuntu Bionic):
status: New → Confirmed
Revision history for this message
Johannes Midgren (m-johannes-6) wrote :

I assume I spotted the exact same error as the reporter using Ubuntu 18.04 on Odroid XU4. For me it fails when using FreeIPA (with high UIDs/GIDs) and Kerberized NFS4. When applying the patch the problem goes away, but so far I have not give it more testing than that. Considering the nature of the patch the risk of side effects seem small though :-)

Does anyone know if there is a chance for this fix to be released in Bionic as well?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.