https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-3288 Lustre <p>Lustre's autoconf scripts require Kerberos to be installed when --enable-gss is specified. Currently, only the Kerberos GSSAPI mechanism supported by Lustre, but others are planned in the future, such as those being developed for shared key authentication (project SFS-DEV-001.2). GSSAPI is meant to allow calling code to be mechanism-agnostic, so requiring Kerberos defeats that purpose.</p> <p>The definition of the LC_CONFIG_GSS macro in lustre/autoconf/lustre-core.m4 unconditionally calls AC_KERBEROS_V5 from lustre/autoconf/kerberos.m4, which fails when Kerberos isn't found:</p> <p> dnl We didn't find a usable Kerberos environment<br/> if test "x$KRBDIR" = "x"; then<br/> if test "x$krb5_with" = "x"; then<br/> AC_MSG_ERROR(Kerberos v5 with GSS support not found: consider --disable-gss or --with-krb5=)<br/> else<br/> AC_MSG_ERROR(Kerberos v5 with GSS support not found at $krb5_with)<br/> fi<br/> fi<br/> AC_MSG_RESULT($KRBDIR)</p> <p>This macro ought to instead note the location of the Kerberos headers and libraries but not result in a fatal error if they don't exist. I don't know if this approach will result in link-time or runtime errors that would also need to be corrected.</p> <p>Ubuntu also needs GSS libraries:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>configure: error: libkeyutils is not found, which is required by gss keyring backend </pre> </div></div> any LU-3288

Enabling GSSAPI support requires Kerberos libraries to be installed

Technical task LU-3289 Major Resolved Fixed Minh Diep Andrew Korty SSK gssapi kerberos Tue, 7 May 2013 16:21:30 +0000 Thu, 14 Jun 2018 21:41:20 +0000 Wed, 2 Oct 2013 17:47:31 +0000 Lustre 2.3.0 Lustre 2.4.0 Lustre 2.5.0 Lustre 2.5.0 0 12 <p>Assigning to Chris for initial assessment of changes required.</p> <p>Also making this a major for now so it doesn't get lost in Chris's queue.</p> <p>So it sounds like first of all there should be two separate options:</p> <ul> <li>--enable-gss</li> <li>--enable-krb5<br/> where the latter also implies the former.</li> </ul> <p>Secondly Andreas suggested that these both should be enabled automatically, if the required packages are found in the build environment.</p> <p>Is there a specific list of GSS/Kerberos -devel RPMs that are needed for RHEL6 and SLES11SP2?</p> <p>Some more from Alex K:<br/> 1) "Configure" for kerberos flavor does not contain "kerberos" (or krb5) keyword explicitly, it is as follows (with/without --disable server) :</p> <p>./configure -<del>with-linux=/usr/src/kernels/`uname -r`</del>`arch` --disable-server --enable-dependency-tracking --enable-posix-osd \<br/> --enable-panic_dumplog --enable-health_write --enable-lru-resize \<br/> --enable-gss \<br/> --enable-quota --enable-ext4 --enable-mindf</p> <p>It is required in checklist to have gss libraries installed (libgssapi* / libgssglue* ) and krb* rpms .</p> <p>2) Here at FNAL the following was used to build lustre servers with kerberised flavor on Scientific Linux ( which is RHEL rebuild which includes kerberos) :</p> <p>./configure \<br/> --with-linux=/lib/modules/2.6.18-274.12.1.el5_FNAL.Lustre.2.1.1/build <br/> --with-krb5 \<br/> --enable-gss \<br/> --enable-ext4 --enable-quota</p> <p>Alex.</p> <blockquote><p>So it sounds like first of all there should be two separate options:<br/> --enable-gss<br/> --enable-krb5</p></blockquote> <p>Note the separation of the build options also implies a separation of #ifdef macros inside of Lustre.</p> <p>Also, the existing Lustre security tests eventually need to be separated &#8211; what follows is a wishlist: </p> <ul> <li>sanity-gss should become sanity-krb5 <ul> <li>sanity-krg5 should add tests for krb5 "plain" mechanism</li> </ul> </li> <li>sanity-gss should eventually use the gss-null mechanism that IU is developing</li> <li>sanity-sptlrpc should be written to test sptlrpc "null" in the absence of GSS.</li> </ul> <p>These are the packages that are needed to configure Lustre with --enable-gss on a basic RHEL6.4 x86_64 install:</p> <p>keyutils-libs-devel-1.4-4.el6.x86_64<br/> libgssglue-0.1-11.el6.x86_64.rpm<br/> libgssglue-devel-0.1-11.el6.x86_64.rpm<br/> krb5-devel-1.10.3-10.el6_4.3.x86_64.rpm<br/> these are requirements for krb5-devel:<br/> libcom_err-devel-1.41.12-14.el6.x86_64.rpm<br/> libselinux-2.0.94-5.3.el6_4.1.x86_64.rpm<br/> libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm<br/> libselinux-utils-2.0.94-5.3.el6_4.1.x86_64.rpm<br/> libsepol-devel-2.0.41-4.el6.x86_64.rpm</p> <p>Joshua, could you please check that the above list of RPM packages (or their SLES equivalent) is available on our build nodes.</p> <p>Ubuntu<br/> libkeyutils-dev <br/> libgssglue-dev<br/> libkrb5-dev</p> <p>SUSE<br/> keyutils-devel<br/> libgssglue-devel<br/> krb5-devel</p> <p>The other packages will get pulled since they are dependencies.</p> <p>Looks like EL5 needs:</p> <p>keyutils-libs-devel<br/> libgssapi-devel<br/> krb5-devel</p> <p>I have installed the packages referenced. I have retriggered <a href="http://review.whamcloud.com/#/c/6740/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/6740/</a></p> <p><a href="http://review.whamcloud.com/#/c/6740/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/6740/</a> passed its build. Can someone verify that it contains the proper build products, and make sure it has linked against the proper libraries? <a href="https://jira.whamcloud.com/secure/ViewProfile.jspa?name=ajk" class="user-hover" rel="ajk">ajk</a> ? <img class="emoticon" src="https://jira.whamcloud.com/images/icons/emoticons/smile.png" height="16" width="16" align="absmiddle" alt="" border="0"/></p> <p>I'm presuming that Andrew doesn't have privileges to view the build node. Is that presumption correct or is there a way he could do what you've asked?</p> <p><a href="https://jira.whamcloud.com/secure/ViewProfile.jspa?name=ssimms" class="user-hover" rel="ssimms">ssimms</a>: The above link gives a link to the build products which can be found here:</p> <p><a href="http://build.whamcloud.com/job/lustre-reviews/17615/" class="external-link" target="_blank" rel="nofollow noopener">http://build.whamcloud.com/job/lustre-reviews/17615/</a></p> <p>That is a public link, no special permissions required.</p> <p>Thanks, I'll look through these.</p> <p>From the meeting today, it at least looks like the packages are running configure and completing the build.</p> <p>At this point, we aren't yet sure if the gssd is actually being built, or if it is missing from the lustre.spec file, but it looks like that needs to be tested locally by Andrew (using "<tt>make rpms</tt>" on a system with <a href="http://review.whamcloud.com/6740/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/6740/</a> applied is probably the easiest). Any issues with what gets built will probably be addressed by a patch to the Lustre code.</p> <p>FYI, we caught a problem with GSSAPI prerequisites checking from change #6740 and updated <a href="https://jira.whamcloud.com/browse/LU-3490" title="GSSAPI support not tested by Gerritt" class="issue-link" data-issue-key="LU-3490"><del>LU-3490</del></a>.</p> <p>seems like we need krb5-libs for suse. </p> <p>build on suse failed due to<br/> checking for Kerberos v5... /usr<br/> The current KRBDIR is /usr<br/> checking for gss_krb5_export_lucid_sec_context in -lgssapi_krb5... yes<br/> checking for gss_krb5_set_allowable_enctypes in -lgssapi_krb5... yes<br/> checking for gss_krb5_ccache_name in -lgssapi_krb5... yes<br/> checking for krb5_get_error_message in -lgssapi_krb5... yes<br/> checking for krb5_get_init_creds_opt_set_addressless in -lgssapi_krb5... no<br/> checking for krb5int_derive_key in -lgssapi_krb5... no</p> <p><a href="http://build.whamcloud.com/job/lustre-reviews/18238/arch=x86_64,build_type=client,distro=sles11,ib_stack=inkernel/consoleFull" class="external-link" target="_blank" rel="nofollow noopener">http://build.whamcloud.com/job/lustre-reviews/18238/arch=x86_64,build_type=client,distro=sles11,ib_stack=inkernel/consoleFull</a></p> <p>we also need gssapi for ubuntu</p> <p><a href="http://build.whamcloud.com/job/lustre-reviews/18264/arch=x86_64,build_type=client,distro=ubuntu1004,ib_stack=inkernel/consoleFull" class="external-link" target="_blank" rel="nofollow noopener">http://build.whamcloud.com/job/lustre-reviews/18264/arch=x86_64,build_type=client,distro=ubuntu1004,ib_stack=inkernel/consoleFull</a></p> <p>Assign-ing to Minh, as I believe he is working on the Ubuntu libs issue.</p> <p>afaik, <a href="https://jira.whamcloud.com/browse/LU-3490" title="GSSAPI support not tested by Gerritt" class="issue-link" data-issue-key="LU-3490"><del>LU-3490</del></a> has landed and all issues have been resolved. I am not sure what else needs to be done for this ticket. As for the Ubuntu, similar to sles11, it needs more works to include the proper functions</p> <p>Sounds good. Probably a good idea, then, to close this ticket and open one specifically for Ubuntu.</p> <p>Andrew,</p> <p>Let me know if there's anything else or I can close this ticket. I will close if I don't hear from you by the end of this week.</p> <p>Yes, I believe this ticket has been resolved. Thanks!</p> Duplicate LU-3681 Related LU-3490 Development Rank 1|hzvqbz: Rank (Obsolete) 8142 Severity