FS#39217 - [nfs-util] 0.2.4-1 causes segfault in rpc.gssd/libgssapi_krb5.so when mounting kerberized NFS4 share

Attached to Project: Arch Linux
Opened by Mike Sager (g4c) - Friday, 07 March 2014, 18:38 GMT
Last edited by Tobias Powalowski (tpowa) - Tuesday, 09 September 2014, 13:17 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 7
Private No

Details

Description:

After upgrading from libtirpc-0.2.3-2 package to 0.2.4-1, rpc.gssd segfaults in libgssapi_krb5.so.2.2 when trying to mount a kerberized NFS4 share. Mount hangs & fails as a result. Downgrading to 0.2.3-2 fixes the problem.

Additional info:
* libtirpc-0.2.4-1
* krb-1.12.1-1 (libgssapi_krb5.so.2.2)
* nfs-utils 1.2.9-5 (rpc.gssd)


Steps to reproduce:

Upgrade to libtirpc-0.2.4-1
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Tuesday, 09 September 2014, 13:17 GMT
Reason for closing:  Fixed
Additional comments about closing:  nfs-utils-1.3.0-4
Comment by Daniel Albers (al) - Saturday, 08 March 2014, 16:31 GMT
Happens here, too. Stack trace attached.
   rpc.gssd.bt.txt (5.3 KiB)
Comment by Marcel Naziri (zwobbl) - Sunday, 09 March 2014, 04:33 GMT
Same here. Downgrading to 0.2.3-2 helps.
Comment by Iacopo Isimbaldi (isiachi) - Monday, 10 March 2014, 23:13 GMT
Same. Downgrade works.
libtirpc (0.2.4-1 -> 0.2.3-2) on x86_64
Comment by Tarqi Kazan (Tarqi) - Tuesday, 11 March 2014, 02:58 GMT
Can confirm for 0.2.4-1, success on 0.2.3-2 (tested with client on i686).

However, rpc.gssd & rpc.svgssd, regardless which version, throw more errors:

rpc.svcgssd[22905]: ERROR: GSS-API: error in gss_free_lucid_sec_context(): GSS_S_NO_CONTEXT (No context has been established) - Unknown error
rpc.svcgssd[22905]: WARN: failed to free lucid sec context

Own Bug?
Comment by Tarqi Kazan (Tarqi) - Thursday, 03 April 2014, 21:46 GMT
After updating the system and staying on libtirpc 0.2.3-2, I can't reproduce that it is still working.

rpc.gssd[1273]: WARNING: forked child was killed with signal 97

happens every time now when trying to mount a krb share.
Comment by Daniel Albers (al) - Friday, 04 April 2014, 16:27 GMT
0.2.3 still works for me. In fact, I quickly uploaded the old PKGBUILD to aur as libtirpc-023: https://aur.archlinux.org/packages/libtirpc-023/
Comment by Tarqi Kazan (Tarqi) - Friday, 04 April 2014, 17:13 GMT
More info:

1) start rpc-gssd on the client
2) try to mount a *none kerberized* share: rpc.gssd[1109]: segfault at b71a4148 ip b7507c20 sp bfba84b4 error 4 in libc-2.19.so[b748b000+1a7000]
3) try again without restarting rpc-gssd: rpc.gssd[1156]: segfault at 3e ip b741205f sp bf9a1110 error 4 in libgssapi_krb5.so.2.2[b7401000+46000]
4) stopping rpc-gssd will allow to mount the *none kerberized* share

Versions (client (i686) & server (x64)):
core/nfs-utils 1.2.9-5
core/krb5 1.12.1-1
core/libtirpc 0.2.4-1
core/librpcsecgss 0.19-8
core/libgssglue 0.4-2
core/rpcbind 0.2.1-2
core/glibc 2.19-3
core/linux 3.13.8-1

So it looks like nfsv4 is broken if rpc-gssd is running, regardless of kerberized shares.
Comment by Daniel Albers (al) - Friday, 04 April 2014, 18:13 GMT
Probably just needs a rebuild of e2fsprogs, krb5.
Comment by Marcel Naziri (zwobbl) - Friday, 04 April 2014, 18:24 GMT
0.2.3 also still works for me. Server-side is Debian with nfs/krb5 from wheezy.
Comment by Tarqi Kazan (Tarqi) - Thursday, 17 April 2014, 13:48 GMT
After poking around, I got it to work again with 0.2.3. However, it's very fragile, a bad entry in exports or the mount command or out-of-sync knos/wrong principial etc. make it crash. And the errors mentioned in one of my previous posts are still annoying. Since the underlying libs of rpc.gssd are build without debug mode (rpc.gssd -vvvrrr) I can't track it down further.
Comment by Bill Gardner (Cassino) - Friday, 04 July 2014, 22:14 GMT
As of June 26 when nfs-utils 1.3.0-2 and rpcbind 0.2.1-5 were released, those upgrades now break the workaround of relying on old libtirpc 0.2.3-2.

To keep mounting Kerberized NFS I need:
- libtirpc 0.2.3-2
- nfs-utils 1.2.9-5
- rpcbind 0.2.1-2

With those 3 downgrades, I'm back in business (for now).
Comment by Jed Liu (jed) - Friday, 04 July 2014, 22:34 GMT
Odd, I am running nfs-utils 1.3.0-2, rpcbind 0.2.1-5, and libtirpc 0.2.3-2 on my NFS client, and I can mount kerberized NFS just fine. The server is still running nfs-utils 1.2.9-5, rpcbind 0.2.1-2, and libtirpc 0.2.4-1, however, because I haven't updated it yet.

Edit: I can confirm that updating the server to nfs-utils 1.3.0-2 and rpcbind 0.2.1-5 causes issues for kerberized NFS clients with nfs-utils 1.3.0-2, rpcbind 0.2.1-5, and libtirpc 0.2.3-2.
Comment by Jed Liu (jed) - Monday, 18 August 2014, 05:02 GMT
This Debian bug seems related: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755703
They fixed their segfault by building nfs-utils and libtirpc without --with-gssglue.

Hopefully, this will spurn some progress on this dusty old bug. :)
Comment by Iacopo Isimbaldi (isiachi) - Monday, 18 August 2014, 11:56 GMT
I confirm, it works.

Thanks
Comment by Daniel Albers (al) - Monday, 18 August 2014, 20:55 GMT
Rebuilding nfs-utils without --with-gssglue seems to be sufficient indeed.

--- a/PKGBUILD
+++ b/PKGBUILD
@@ -16 +16 @@ backup=(etc/{exports,idmapd.conf,nfsmount.conf} etc/conf.d/{nfs-common.conf,nfs-
-depends=('glibc' 'e2fsprogs' 'rpcbind' 'libtirpc>=0.2.1' 'librpcsecgss>=0.19-2' 'nfsidmap' 'libevent>=2.0.10' 'libgssglue' 'device-mapper')
+depends=('glibc' 'e2fsprogs' 'rpcbind' 'libtirpc>=0.2.1' 'librpcsecgss>=0.19-2' 'nfsidmap' 'libevent>=2.0.10' 'device-mapper')
@@ -54 +53,0 @@ build() {
- --with-gssglue \
Comment by Jed Liu (jed) - Friday, 22 August 2014, 07:34 GMT
This bug doesn't appear to have gotten any attention from the libtirpc maintainer since it was submitted in March, and its fix involves modifying a different package with a different maintainer, so I have submitted a separate bug (#41654) that asks for the appropriate changes to nfs-utils. With any luck, this will soon be fixed in the official repos.
Comment by Daniel Noland (daniel.noland) - Monday, 01 September 2014, 22:04 GMT
I can confirm that building nfs-utils without the --with-gssglue flag and upgrading libtirpc to 0.2.5-1 will allow connections to kerberized nfs shares. Hopefully this issue is fixed soon, as I hate to go too far off the beaten track for my server install.
Comment by Daniel Noland (daniel.noland) - Tuesday, 02 September 2014, 06:02 GMT
I can confirm that building nfs-utils without the --with-gssglue flag and upgrading libtirpc to 0.2.5-1 will allow connections to kerberized nfs shares. Hopefully this issue is fixed soon, as I hate to go too far off the beaten track for my server install.

Loading...