  1. Lustre
  2. LU-3855

GSS code cannot handle large Kerberos tickets


Details

    • Bug
    • Resolution: Won't Fix
    • Minor
    • None
    • Lustre 2.4.0, Lustre 2.4.1, Lustre 2.5.0
    • None
    • 3
    • 10005

    Description

      Some Kerberos implementations like Active Directory by default include a PAC with authorization data in each ticket. This extra field inflates ticket sizes from a few hundred bytes to several kB. The current code in gss_cli_upcall.c::gss_do_ctx_init_rpc() limits GSSAPI tokens to 976 bytes. It triggers an LASSERT(size >= (sizeof(__u32) + token_size)) if larger tokens are passed down, i.e. kerberized Lustre clients usually crash when used in an Active Directory (or similar) environment.

      There is a workaround to reconfigure the Lustre service accounts in Active Directory not to include a PAC in tickets. (The PAC is not evaluated by Lustre.) If Lustre should be able to work in Active Directory environments without requiring special settings, it needs to be able to handle larger ticket sizes. At least, it should handle this error gracefully without triggering an LASSERT/LBUG.
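
      The graceful handling the description asks for, as an added example (not Lustre code and not from the reporter): a bounds check that returns an error for an oversized token instead of asserting. The helper names, the buffer layout (a u32 length prefix followed by the token) and the sample token sizes are assumptions; only the 976-byte limit comes from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: 976 is the token limit quoted in the report; the
 * buffer layout (u32 length prefix + token) is an assumption. */
#define DEMO_MAX_TOKEN 976u
#define DEMO_BUF_SIZE  (sizeof(uint32_t) + DEMO_MAX_TOKEN)

/* Hypothetical helper: write a length-prefixed token into buf.
 * Returns bytes written, or a negative errno instead of asserting. */
static long demo_pack_token(uint8_t *buf, size_t size,
                            const uint8_t *token, size_t token_size)
{
    uint32_t len;

    if (buf == NULL || (token == NULL && token_size != 0))
        return -EINVAL;
    /* Subtract rather than add so a huge token_size cannot wrap the sum. */
    if (size < sizeof(len) || token_size > size - sizeof(len))
        return -EMSGSIZE;
    if (token_size > UINT32_MAX)
        return -EMSGSIZE;

    len = (uint32_t)token_size;   /* host byte order; wire format not modelled */
    memcpy(buf, &len, sizeof(len));
    if (token_size != 0)
        memcpy(buf + sizeof(len), token, token_size);
    return (long)(sizeof(len) + token_size);
}

/* Pack a constructed all-zero token of the given size into a fixed buffer. */
static long demo_try(size_t token_size)
{
    static uint8_t buf[DEMO_BUF_SIZE];
    static const uint8_t token[8192];   /* stand-in for ticket bytes */

    return demo_pack_token(buf, sizeof(buf), token, token_size);
}

int main(void)
{
    printf("300-byte token:  %ld\n", demo_try(300));   /* fits */
    printf("4096-byte token: %ld\n", demo_try(4096));  /* PAC-sized, rejected */
    return 0;
}
```

      A caller that receives the negative return value can fail the context setup and log the token size, so a ticket carrying a PAC produces an authentication error rather than a client crash.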


            People

              jhammond John Hammond
              kobras Daniel Kobras (Inactive)