[LU-3855] GSS code cannot handle large Kerberos tickets
Created: 29/Aug/13 | Updated: 18/Sep/23 | Resolved: 11/Mar/22

| Status: | Closed |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.4.0, Lustre 2.4.1, Lustre 2.5.0 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Minor |
| Reporter: | Daniel Kobras (Inactive) |
| Assignee: | John Hammond |
| Resolution: | Won't Fix |
| Votes: | 0 |
| Labels: | None |
| Issue Links: | None |
| Severity: | 3 |
| Rank (Obsolete): | 10005 |

| Description |
Some Kerberos implementations like Active Directory by default include a PAC with authorization data in each ticket. This extra field inflates ticket sizes from a few hundred bytes to several kB. The current code in gss_cli_upcall.c::gss_do_ctx_init_rpc() limits GSSAPI tokens to 976 bytes. It triggers an LASSERT(size >= (sizeof(__u32) + token_size)) if larger tokens are passed down, i.e. kerberized Lustre clients usually crash when used in an Active Directory (or similar) environment. There is a workaround to reconfigure the Lustre service accounts in Active Directory not to include a PAC in tickets. (The PAC is not evaluated by Lustre.) If Lustre should be able to work in Active Directory environments without requiring special settings, it needs to be able to handle larger ticket sizes. At least, it should handle this error gracefully without triggering an LASSERT/LBUG. |
| Comments |
| Comment by Andreas Dilger [ 30/Aug/13 ] |
Daniel, are you planning to submit a patch for this? |
| Comment by Daniel Kobras (Inactive) [ 09/Sep/13 ] |
I'm trying to. The cleanest solution would try to allocate a sufficiently large buffer, but none of the various enlarge functions seem to work in this case. I hope I can come up with a sane patch. |
| Comment by Peter Jones [ 16/Sep/15 ] |
John, do you have any comment here? Peter |
| Comment by Jeremy Filizetti [ 17/Sep/15 ] |
Outside of the limits discussed in the bug there are some other issues with token size which I didn't see a quick fix for as part of the shared key work. Lustre makes use of the sunrpc_cache_* for all of the caching. In sunrpc_cache_pipe_upcall, which calls rsi_request (cache_request function pointer), several of the values are converted from binary to a hex ASCII representation for the upcall. sunrpc_cache_pipe_upcall has a limit of PAGE_SIZE for all of this to fit into, and with the hex ASCII conversion that means it's less than PAGE_SIZE / 2 of space allowed without sunrpc_cache_pipe_upcall generating an error. I had previously seen some documentation that said using pipefs had a PAGE_SIZE limit per request but can't remember what the specifics were. In order to support much larger tokens that could handle a PAC, Lustre would have to avoid sunrpc_cache_pipe_upcall. |
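The two limits this ticket describes, the 976-byte token slot that gss_do_ctx_init_rpc() asserts on and the PAGE_SIZE upcall budget that hex encoding halves, shown side by side with the failing case returned as an error instead of an LASSERT. This is an added example, not Lustre code; the 4096-byte page, the `<u32 length><bytes>` packing layout and every function name here are assumptions for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define GSS_TOKEN_MAX 976   /* token limit cited in the description */

/* Pack a token as <u32 length><bytes> (assumed layout). The original code
 * LASSERTs when the token does not fit; an oversized ticket (e.g. one
 * carrying a PAC) is rejected with -E2BIG here so the client does not LBUG. */
int gss_pack_token(uint8_t *dst, size_t dst_size,
                   const uint8_t *token, size_t token_len)
{
    uint32_t len = (uint32_t)token_len;
    if (token_len > GSS_TOKEN_MAX || dst_size < sizeof(len) + token_len)
        return -E2BIG;
    memcpy(dst, &len, sizeof(len));
    memcpy(dst + sizeof(len), token, token_len);
    return (int)(sizeof(len) + token_len);
}

/* Constructed ticket of `token_len` filler bytes packed into a 976-byte slot. */
int pack_sample_ticket(size_t token_len)
{
    static uint8_t token[8192], slot[sizeof(uint32_t) + GSS_TOKEN_MAX];
    if (token_len > sizeof(token))
        return -EINVAL;
    memset(token, 'A', token_len);
    return gss_pack_token(slot, sizeof(slot), token, token_len);
}

/* Largest binary token that still fits a page-sized upcall once hex-encoded
 * (2 chars per byte) after `overhead` bytes of the other upcall fields. */
size_t upcall_hex_capacity(size_t page_size, size_t overhead)
{
    return overhead >= page_size ? 0 : (page_size - overhead) / 2;
}

/* Hex-encode a token into an upcall buffer (no NUL terminator); fails with
 * -ENOSPC instead of overrunning, the error path the comment above describes. */
int upcall_hex_encode(char *out, size_t out_size,
                      const uint8_t *token, size_t token_len)
{
    static const char hex[] = "0123456789abcdef";
    if (token_len > out_size / 2)
        return -ENOSPC;
    for (size_t i = 0; i < token_len; i++) {
        out[2 * i] = hex[token[i] >> 4];
        out[2 * i + 1] = hex[token[i] & 0x0f];
    }
    return (int)(2 * token_len);
}
```

With a 4096-byte page and 256 bytes of other fields the upcall can carry at most a 1920-byte token, well short of a multi-kB PAC ticket.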
| Comment by John Hammond [ 11/Mar/22 ] |
Please reopen and reassign if needed. |