[LU-3490] GSSAPI support not tested by Gerritt - Whamcloud Community JIRA

Details

Type: Technical task
Resolution: Fixed
Priority: Blocker
Fix Version/s: Lustre 2.5.0
Affects Version/s: Lustre 2.4.1
Labels:
- SSK
- patch
Environment:
All

Rank (Obsolete):
8774

Attachments

Issue Links

is related to

LU-3288 Enabling GSSAPI support requires Kerberos libraries to be installed

Resolved

Activity

[LU-3490] GSSAPI support not tested by Gerritt

Andreas Dilger made changes - 01/Jun/16 10:40 PM

Labels

Original: patch

New: SSK patch

Peter Jones made changes - 24/Sep/13 5:24 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Reopened [ 4 ]	New: Resolved [ 5 ]

Peter Jones added a comment - 24/Sep/13 5:24 AM

Landed for 2.5.0

Peter Jones added a comment - 24/Sep/13 5:24 AM Landed for 2.5.0

Peter Jones made changes - 24/Sep/13 5:23 AM

Fix Version/s

Original: Lustre 2.6.0 [ 10595 ]

Peter Jones made changes - 22/Sep/13 1:26 PM

Assignee

Original: Andreas Dilger [ adilger ]

New: Minh Diep [ mdiep ]

Andreas Dilger added a comment - 19/Sep/13 4:42 PM

Making this a blocker for 2.5.0 until the configure/build problem is fixed for systems that do not have the gss libraries installed.

Andreas Dilger added a comment - 19/Sep/13 4:42 PM Making this a blocker for 2.5.0 until the configure/build problem is fixed for systems that do not have the gss libraries installed.

Andreas Dilger made changes - 19/Sep/13 4:42 PM

Fix Version/s

New: Lustre 2.5.0 [ 10295 ]

Patrick Farrell (Inactive) added a comment - 19/Sep/13 2:55 PM

Thomas,

Definitely, that patch would give that error. If you look in Gerrit, that commit is patch set 4, and we're on to patch set 6.

It actually appears that function is no longer being used, because we removed rc entirely and patch set 6 built successfully on all platforms. ('rc' was put there in patch set 4 to avoid a warning about ignoring a return value on write, but then hits the error you noted.)

Patrick Farrell (Inactive) added a comment - 19/Sep/13 2:55 PM Thomas, Definitely, that patch would give that error. If you look in Gerrit, that commit is patch set 4, and we're on to patch set 6. It actually appears that function is no longer being used, because we removed rc entirely and patch set 6 built successfully on all platforms. ('rc' was put there in patch set 4 to avoid a warning about ignoring a return value on write, but then hits the error you noted.)

Thomas Stibor added a comment - 19/Sep/13 8:31 AM

Hello,

I just discovered a problem with the commit 67b73336d5b3d631e6d9eb3809914b8b80825a24:

diff --git a/lustre/utils/gss/svcgssd.c b/lustre/utils/gss/svcgssd.c
index cebd852..bd6a4de 100644
--- a/lustre/utils/gss/svcgssd.c
+++ b/lustre/utils/gss/svcgssd.c
@@ -148,10 +148,10 @@ mydaemon(int nochdir, int noclose)
 static void
 release_parent()
 {
-       int status;
+       int status, rc;
 
        if (pipefds[1] > 0) {
-               write(pipefds[1], &status, 1);
+               rc = write(pipefds[1], &status, 1);
                close(pipefds[1]);
                pipefds[1] = -1;
        }

Since the code is compiled with gcc -Werror ... it results in:

svcgssd.c: In function ‘release_parent’:
svcgssd.c:151:14: error: variable ‘rc’ set but not used [-Werror=unused-but-set-variable]
cc1: all warnings being treated as errors
make[1]: *** [lsvcgssd-svcgssd.o] Error 1

Thomas Stibor added a comment - 19/Sep/13 8:31 AM Hello, I just discovered a problem with the commit 67b73336d5b3d631e6d9eb3809914b8b80825a24: diff --git a/lustre/utils/gss/svcgssd.c b/lustre/utils/gss/svcgssd.c index cebd852..bd6a4de 100644 --- a/lustre/utils/gss/svcgssd.c +++ b/lustre/utils/gss/svcgssd.c @@ -148,10 +148,10 @@ mydaemon(int nochdir, int noclose) static void release_parent() { - int status; + int status, rc; if (pipefds[1] > 0) { - write(pipefds[1], &status, 1); + rc = write(pipefds[1], &status, 1); close(pipefds[1]); pipefds[1] = -1; } Since the code is compiled with gcc -Werror ... it results in: svcgssd.c: In function ‘release_parent’: svcgssd.c:151:14: error: variable ‘rc’ set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors make[1]: *** [lsvcgssd-svcgssd.o] Error 1

Thomas Stibor added a comment - 19/Sep/13 7:10 AM

The function name krb5_derive_key was renamed in MIT-Kerberos >= 1.8.X.

Before it was (<= 1.7.X):

thomas@lxdv65:~/tmp/krb/krb5-1.7.2>grep -r "krb5int_derive_key"
thomas@lxdv65:~/tmp/krb/krb5-1.7.2>grep -r "krb5_derive_key"   
src/lib/crypto/vectors.c:    r = krb5_derive_key (enc, in, out, usage);
src/lib/crypto/combine_keys.c: * DK is defined as the key derivation function (krb5_derive_key())
src/lib/crypto/combine_keys.c:    if ((ret = krb5_derive_key(enc, &tkey, outkey, &input))) {
src/lib/crypto/aes/aes_s2k.c:    err = krb5_derive_key (enc, key, key, &usage);
src/lib/crypto/libk5crypto.exports:krb5_derive_key
src/lib/crypto/dk/dk_encrypt.c:    if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
...

With version >= 1.8.X it changed to:

thomas@lxdv65:~/tmp/krb/krb5-1.8.6>grep -r "krb5_derive_key"
doc/CHANGES:Rename some lingering krb5_derive_key references.
thomas@lxdv65:~/tmp/krb/krb5-1.8.6>grep -r "krb5int_derive_key"
README:6629    krb5int_derive_key results in cache with uninitialized values
doc/CHANGES: subject: krb5int_derive_key results in cache with uninitialized values
doc/CHANGES: krb5int_derive_key creates a temporary keyblock to add to the derived cache.
src/lib/crypto/crypto_tests/vectors.c:    r = krb5int_derive_key (enc, in, out, usage);
src/lib/crypto/krb/combine_keys.c: * DK is defined as the key derivation function (krb5int_derive_key())
src/lib/crypto/krb/combine_keys.c:    ret = krb5int_derive_keyblock(enc, tkey, outkey, &input);
...

The newer distributions usually ship MIT-Kerberos => 1.8.X, however I haven't looked into Heimdal. There it is probably different.

Thomas Stibor added a comment - 19/Sep/13 7:10 AM The function name krb5_derive_key was renamed in MIT-Kerberos >= 1.8.X. Before it was (<= 1.7.X): thomas@lxdv65:~/tmp/krb/krb5-1.7.2>grep -r "krb5int_derive_key" thomas@lxdv65:~/tmp/krb/krb5-1.7.2>grep -r "krb5_derive_key" src/lib/crypto/vectors.c: r = krb5_derive_key (enc, in, out, usage); src/lib/crypto/combine_keys.c: * DK is defined as the key derivation function (krb5_derive_key()) src/lib/crypto/combine_keys.c: if ((ret = krb5_derive_key(enc, &tkey, outkey, &input))) { src/lib/crypto/aes/aes_s2k.c: err = krb5_derive_key (enc, key, key, &usage); src/lib/crypto/libk5crypto.exports:krb5_derive_key src/lib/crypto/dk/dk_encrypt.c: if ((ret = krb5_derive_key(enc, key, &ke, &d1))) ... With version >= 1.8.X it changed to: thomas@lxdv65:~/tmp/krb/krb5-1.8.6>grep -r "krb5_derive_key" doc/CHANGES:Rename some lingering krb5_derive_key references. thomas@lxdv65:~/tmp/krb/krb5-1.8.6>grep -r "krb5int_derive_key" README:6629 krb5int_derive_key results in cache with uninitialized values doc/CHANGES: subject: krb5int_derive_key results in cache with uninitialized values doc/CHANGES: krb5int_derive_key creates a temporary keyblock to add to the derived cache. src/lib/crypto/crypto_tests/vectors.c: r = krb5int_derive_key (enc, in, out, usage); src/lib/crypto/krb/combine_keys.c: * DK is defined as the key derivation function (krb5int_derive_key()) src/lib/crypto/krb/combine_keys.c: ret = krb5int_derive_keyblock(enc, tkey, outkey, &input); ... The newer distributions usually ship MIT-Kerberos => 1.8.X, however I haven't looked into Heimdal. There it is probably different.

People

Assignee:: Minh Diep

Reporter:: Andrew Korty (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 20/Jun/13 11:55 PM

Updated:: 01/Jun/16 10:40 PM

Resolved:: 24/Sep/13 5:24 AM