Your message dated Wed, 17 Jul 2019 14:40:54 +0000
with message-id <e1hnl70-0004hx...@fasolo.debian.org>
and subject line Bug#932000: fixed in krb5 1.17-5
has caused the Debian Bug report #932000,
regarding libgssapi-krb5-2: gss_krb5int_set_allowable_enctypes breaks NFSv4
after removal of deprecated DES enctypes in 1.17-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
932000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgssapi-krb5-2
Version: 1.17-3
Severity: important
Dear Maintainer,
With the recent update of the krb5 Debian packages (1.17-4),
support for deprecated DES types was removed. However, the Linux
kernel uses a hard-coded list of encryption types which still
contains DES. Because of this, the current krb5/gss/nfs implementation
causes NFSv4 mounts to fail.
This is the sequence of failing calls according to my understanding:
Short version:
* Linux Kernel nfs/gss/krb5 functions use hard-coded list with
some (now) invalid enctypes: "18,17,16,23,3,1,2"
* krb5 machine context creation fails in
gss_krb5int_set_allowable_enctypes since it fails as soon as
a single enctype (namely types 1, 2, 3 received from the
kernel) is not valid instead of filtering out deprecated
ones.
Long version:
* Linux Kernel creates the gss rpc message with hard-coded list
of encryption types. Types 3,1,2 are not supported by krb5
debian packages any more.
./include/linux/sunrpc/gss_krb5_enctypes.h:
#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"
./net/sunrpc/auth_gss/gss_krb5_mech.c:
.gm_upcall_enctypes = KRB5_SUPPORTED_ENCTYPES
./net/sunrpc/auth_gss/auth_gss.c:
gss_encode_v1_msg(...) {
[...]
scnprintf(p, buflen, "enctypes=%s ", mech->gm_upcall_enctypes)
* gss rpc receiver: (/usr/sbin/rpc.gssd , package nfs-common)
receives the enctype list and later fails when calling krb5 library
functions
Creation of machine context fails:
./utils/gssd/gssd_proc.c:
handle_gssd_upcall receives enctypes string from kernel:
Jan 01 00:00:00 hostname rpc.gssd[1234]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt45)
==> global list "krb5_enctypes" is initialized with
list received from kernel
./utils/gssd/gssd_proc.c:
Jan 01 00:00:00 hostname rpc.gssd[1234]: WARNING: Failed to create machine krb5 context with ...
handle_krb5_upcall
--> process_krb5_upcall
--> krb5_use_machine_creds
--> create_auth_rpc_client
--> create_auth_rpc_client
--> limit_krb5_enctypes (fails)
./util/gssd/krb5_util.c:
limit_krb5_enctypes uses global list in krb5_enctypes received
from kernel (see above)
--> gss_set_allowable_enctypes
--> gss_krb5_set_allowable_enctypes (fails) in package krb5 (see
below)
Jan 01 00:00:00 hostname rpc.gssd[1234]: INFO: limit_krb5_enctypes sees krb5_enctypes = 0x12345678, size 7, limit_to_legacy_enctypes = 0
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[0] = 18
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[1] = 17
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[2] = 16
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[3] = 23
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[4] = 3
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[5] = 1
Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[6] = 2
krb5 package finally causes the actual fail:
gss_krb5_set_allowable_enctypes
--> ...
--> gss_krb5int_set_allowable_enctypes (fails,
./src/lib/gssapi/krb5/set_allowable_enctypes.c)
* checks if every enctype is valid
* fully fails if any enctype is invalid
* does NOT filter for valid types and silently
discards invalid ones
Though I'm not an expert in krb5/gss/nfs and in how each of the
three involved packages should act, I'd guess that rather than
changing the Linux kernel, one of the two following options might
be reasonable:
* The nfs packages could filter out invalid enctypes before
calling gss_krb5_set_allowable_enctypes
* The krb5 package could modify
gss_krb5int_set_allowable_enctypes in order to ignore / filter
out deprecated enctypes.
Would any further option be possible? I could not find a
related change in the upstream git of krb5.
For now, I'm forced to downgrade all krb5-related packages from
1.17-4 to 1.17-3 to make NFSv4 work again.
With best regards and many thx for your support!
Martin
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/6 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libgssapi-krb5-2 depends on:
ii libc6 2.28-10
ii libcom-err2 1.45.2-1
ii libk5crypto3 1.17-3
ii libkeyutils1 1.6-6
ii libkrb5-3 1.17-3
ii libkrb5support0 1.17-3
libgssapi-krb5-2 recommends no packages.
Versions of packages libgssapi-krb5-2 suggests:
pn krb5-doc <none>
ii krb5-user 1.17-3
-- no debconf information
--- End Message ---
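The report above contrasts two ways a library can treat an enctype list that contains entries it no longer supports: reject the whole call, or drop the unsupported entries and continue. The following C program is an added illustration of that difference and is not code from nfs-utils, the kernel or krb5. It parses the same "enctypes=" string the kernel upcall carries, uses the standard RFC 3961/4120 enctype numbers, and substitutes a constructed `enctype_supported()` table for the real library check (the assumption being that single-DES types 1, 2, 3 are the only ones that became invalid); the rule that the filtering variant fails only when nothing usable remains is likewise this example's own choice, not a statement about the upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard Kerberos enctype numbers (RFC 3961 / RFC 4120) that appear
 * in the kernel's hard-coded list "18,17,16,23,3,1,2". */
#define ENCTYPE_DES_CBC_CRC              1
#define ENCTYPE_DES_CBC_MD4              2
#define ENCTYPE_DES_CBC_MD5              3
#define ENCTYPE_DES3_CBC_SHA1            16
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96  17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96  18
#define ENCTYPE_ARCFOUR_HMAC             23

#define MAX_ENCTYPES 16

/* Constructed stand-in for "what this krb5 build still accepts":
 * single-DES (1, 2, 3) is gone, the rest of the kernel list is valid.
 * Real code would ask the library instead of consulting a table. */
static int enctype_supported(int etype)
{
    switch (etype) {
    case ENCTYPE_DES3_CBC_SHA1:
    case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
    case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
    case ENCTYPE_ARCFOUR_HMAC:
        return 1;
    default:
        return 0;
    }
}

/* Parse the comma-separated list from the upcall ("18,17,16,...").
 * Returns the number of entries, or -1 on a malformed field or overflow. */
int parse_enctypes(const char *list, int *out, int max)
{
    char buf[256];
    char *tok;
    int n = 0;

    if (strlen(list) >= sizeof(buf))
        return -1;
    strcpy(buf, list);
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        char *end;
        long v = strtol(tok, &end, 10);
        if (*end != '\0' || n >= max)
            return -1;
        out[n++] = (int)v;
    }
    return n;
}

/* Strict policy, mirroring the failure the report describes: a single
 * unsupported enctype makes the whole call fail, so no context is built. */
int set_allowable_strict(const int *in, int n, int *out)
{
    for (int i = 0; i < n; i++) {
        if (!enctype_supported(in[i]))
            return -1;
        out[i] = in[i];
    }
    return n;
}

/* Filtering policy: keep the supported enctypes in their original order,
 * drop the rest, and fail only if nothing usable is left (this example's
 * own rule, not necessarily the upstream patch's). */
int set_allowable_filtered(const int *in, int n, int *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (enctype_supported(in[i]))
            out[kept++] = in[i];
    }
    return kept > 0 ? kept : -1;
}

/* Convenience wrapper: parse a list and apply one policy.
 * Returns the resulting count, or -1 when parsing or the policy fails. */
int allowable_count(const char *list, int strict)
{
    int in[MAX_ENCTYPES], out[MAX_ENCTYPES];
    int n = parse_enctypes(list, in, MAX_ENCTYPES);
    if (n < 0)
        return -1;
    return strict ? set_allowable_strict(in, n, out)
                  : set_allowable_filtered(in, n, out);
}

int main(void)
{
    /* Constructed input: the list from the kernel's upcall in the report. */
    const char *upcall = "18,17,16,23,3,1,2";
    int in[MAX_ENCTYPES], out[MAX_ENCTYPES];
    int n = parse_enctypes(upcall, in, MAX_ENCTYPES);

    printf("strict policy:   %d\n", set_allowable_strict(in, n, out));
    int k = set_allowable_filtered(in, n, out);
    printf("filtered policy: %d kept:", k);
    for (int i = 0; i < k; i++)
        printf(" %d", out[i]);
    printf("\n");
    return 0;
}
```

With the kernel's list the strict variant returns -1 (the "Failed to create machine krb5 context" path in the log), while the filtered variant keeps 18, 17, 16 and 23 and lets the mount proceed without single-DES. Filtering rather than rejecting also means that a future removal of another legacy enctype does not break clients whose peer still advertises it.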
--- Begin Message ---
Source: krb5
Source-Version: 1.17-5
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <hartm...@debian.org> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 17 Jul 2019 09:20:27 -0400
Source: krb5
Architecture: source
Version: 1.17-5
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartm...@debian.org>
Changed-By: Sam Hartman <hartm...@debian.org>
Closes: 932000 932132
Changes:
krb5 (1.17-5) unstable; urgency=high
.
* Upstream patch to filter invalid enctypes when nfs calls to indicate
which enctypes it supports, Closes: #932000
* Do not error out if a keytab includes a single-des enctype, Closes:
#932132
Checksums-Sha1:
620593d37800656b4bec5b8b4cca6ea4a05ccb21 3196 krb5_1.17-5.dsc
23ece1986655088fe6ee77be80a097981ea42668 143256 krb5_1.17-5.debian.tar.xz
83db3110543b10b1712378de93b36ac1865a6f4b 5418 krb5_1.17-5_source.buildinfo
Checksums-Sha256:
c4f38247797bf3f0f876c097c66bd365708e21ab598a6a07d78945bb3627438b 3196 krb5_1.17-5.dsc
06b6e4d89b5e6c5dd06c9192ad96bf460f17063c27d09313db4c4a9c011c0f05 143256 krb5_1.17-5.debian.tar.xz
432a202702f68c0426955ec9d0226952c21015cd6d809fb41eaad7e649bded23 5418 krb5_1.17-5_source.buildinfo
Files:
69c38d5796a688d3706708cfbc3a62d8 3196 net optional krb5_1.17-5.dsc
07e688927533d3a556d9b47690e86ce9 143256 net optional krb5_1.17-5.debian.tar.xz
7ef6c9f9018fa10db3ff27ecadc83591 5418 net optional krb5_1.17-5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE9Li3nMNy++OFgPTCQe7SUh/WssoFAl0vJjYACgkQQe7SUh/W
ssquAAf7BvMMdixyWsC3atuUy+ykExyACTKMnbSkCItBN4cdBjUVLr+l2M58BvBH
ByUOMS54lcKoIvsrMLiT0qAeiIBW/SGz1ZYoqEJ4TWjcjM934te7qaF753vHdteD
Y/9T27k9fQ6drcyuz6Nj4HbT4DnvgPEIb1/QwvXPGbydZbHiix5kHaGQ8DDthLgh
twj1d4a3TBpFp4VE/HtiVcAAhBoRR5r4qjtDY46ZrLCKa8AUkoACikJ6+BBauC2Q
YirShL4fRdx/k+EqFinP8T/TZv+BhMIPpuCDVWs4YWVSjr/rdHDt6jArxS/MgfJZ
3DwcSvNKyCZBm/EH+M/23tJo9XdDEQ==
=+o1G
-----END PGP SIGNATURE-----
--- End Message ---