Bug #15022

open

rpcsec_gss always calls global-zone GSSD for gss_accept_sec_context

Added by Matt Barden 2 months ago. Updated 2 months ago.

Status: In Progress
Priority: Normal
Assignee:
Category: nfs - NFS server and client
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
External Bug:

Description

In order to support GSSAPI authentication for RPC services, rpcsec_gss uses KGSSAPI to establish and use security contexts. That interface contacts GSSD in the zone in which the current thread is operating.

When first establishing a security context, rpcsec_gss dispatches gss_accept_sec_context operations to a separate taskq, as they may take a while, and we don't want to prevent progress on other work while we're waiting. However, that taskq is attached to the global zone; this means that only the global zone's GSSD is contacted for this operation, even for services (such as NFSv4) that are only operating in a non-global-zone. That can result in an inaccurate configuration being used, and means that GSSD and its dependent services (e.g. Kerberos) must be enabled and configured in the global zone in a similar manner as the non-global zone.

This is part of the issue in #13329, but it's not clear if it's a complete fix for that. This particular bug only attempts to address rpcsec_gss's use of a global taskq for gss_accept_sec_context, as it's necessary for another fix.

Tested by the following:

  1. Create an NFSv4 non-global-zone that's configured to use Kerberos authentication.
  2. Disable gssd in the global zone (svcadm disable network/rpc/gss).
  3. Try to mount an NFS4 share in the non-global-zone with krb5 authentication.

The included utility at cmd/fs.d/nfs/tests/rpcsec_gss_conn can be used to establish an RPCSEC_GSS connection and call NFS4_SETCLIENTID.
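
The following is an added example, not code from illumos or from the change under review: a single-threaded user-space C model of the behaviour described above, where deferred work that picks its GSSD from the executing thread's zone ends up in the global zone. All names (`cur_zone`, `pool_dispatch`, `gssd_zone_for`, and so on) are hypothetical, and the zone-aware variant shows one possible approach, not necessarily the fix adopted for this bug.

```c
/* User-space model only; every identifier here is hypothetical. */
#define GLOBAL_ZONE 0

/* Ambient identity of the running thread: stands in for "the zone in
 * which the current thread is operating". */
static int cur_zone = GLOBAL_ZONE;

struct accept_req {
    int origin_zone;  /* zone of the RPC service that received the token */
    int gssd_zone;    /* out: zone whose GSSD ended up being contacted */
};

typedef void (*task_fn)(struct accept_req *);

/* A worker pool bound to one zone, like a taskq attached to the global zone. */
struct pool { int zone; };

/* Run fn in the pool's context: the dispatcher's ambient zone is NOT inherited. */
static void pool_dispatch(const struct pool *p, task_fn fn, struct accept_req *r)
{
    int saved = cur_zone;
    cur_zone = p->zone;
    fn(r);
    cur_zone = saved;
}

/* Pattern from the report: the upcall target is chosen from ambient context. */
static void accept_ambient(struct accept_req *r) { r->gssd_zone = cur_zone; }

/* Zone-aware variant: use the identity recorded when the request was queued. */
static void accept_explicit(struct accept_req *r) { r->gssd_zone = r->origin_zone; }

/* A service running in `zone` hands an accept request to a global-zone pool
 * and reports which zone's GSSD the deferred task would contact. */
int gssd_zone_for(int zone, int zone_aware)
{
    static const struct pool global_pool = { GLOBAL_ZONE };
    struct accept_req r = { 0, -1 };

    cur_zone = zone;            /* service thread runs in its own zone */
    r.origin_zone = cur_zone;   /* identity captured at dispatch time */
    pool_dispatch(&global_pool, zone_aware ? accept_explicit : accept_ambient, &r);
    cur_zone = GLOBAL_ZONE;     /* reset the model's ambient state */
    return r.gssd_zone;
}
```
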


Related issues

Related to illumos gate - Bug #13329: rpcsec & friends need to be zone-aware (New)

Related to illumos gate - Bug #15023: __rpc_gss_seccreate() doesn't set options_ret->major/minor_status on failure (In Progress, Matt Barden)

#1

Updated by Electric Monk 2 months ago

  • Gerrit CR set to 2400

#2

Updated by Marcel Telka 2 months ago

  • Related to Bug #13329: rpcsec & friends need to be zone-aware added

#3

Updated by Marcel Telka 2 months ago

  • Related to Bug #15023: __rpc_gss_seccreate() doesn't set options_ret->major/minor_status on failure added