https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-3855 Lustre <p>Some Kerberos implementations like Active Directory ny default include a PAC with authorization data in each ticket. This extra field inflates ticket sizes from a few hundred bytes to several kB. The current code in gss_cli_upcall.c::gss_do_ctx_init_rpc() limits GSSAPI tokens to 976 bytes. It triggers an LASSERT(size &gt;= (sizeof(__u32) + token_size)) if larger tokens are passed down, ie. kerberized Lustre clients usually crash when used in an Active Directory (or similar) environment.</p> <p>There is a workaround to reconfigure the Lustre service accounts in Active Directory not to include a PAC in tickets. (The PAC is not evaluated by Lustre.) If Lustre should be able to work in Active Directory environments without requiring special settings, it needs to be able to handle larger ticket sizes. At least, it should handle this error gracefully without triggering an LASSERT/LBUG.</p> LU-3855

GSS code cannot handle large Kerberos tickets

Bug Minor Closed Won't Fix John Hammond Daniel Kobras Thu, 29 Aug 2013 09:14:32 +0000 Mon, 18 Sep 2023 13:16:27 +0000 Fri, 11 Mar 2022 15:28:57 +0000 Lustre 2.4.0 Lustre 2.4.1 Lustre 2.5.0 0 6 <p>Daniel, are you planning to submit a patch for this?</p> <p>I'm trying to. The cleanest solution would try to allocate a sufficiently large buffer, but none of the various <em>enlarge</em> functions seem to work in this case. I hope I can come up with a sane patch.<br/> Otherwise, there's also the easy way, of course: Just spit out an error message hinting to disable the PAC.</p> <p>John</p> <p>Do you have any comment here?</p> <p>Peter</p> <p>Outside of the limits discussed in the bug there are some other issues with token size which I didn't see a quick fix for as part of the shared key work. Lustre makes use of the sunrpc_cache_* for all of the caching. In sunrpc_cache_pipe_upcall which calls rsi_request (cache_request function pointer), several of the values are converted from binary to a hex ascii representation for the upcall. sunrpc_cache_pipe_upcall has a limit of PAGE_SIZE for all of this to fit into and with the hex ascii conversion that means its less than PAGE_SIZE / 2 of space allowed without sunrpc_cache_pipe_upcall generating an error. I had previously saw some documentation that said using pipefs had a PAGE_SIZE limit per request but can't remember what the specifics were. In order to support much larger tokens that could handle a PAC Lustre would have to avoid sunrpc_cache_pipe_upcall.</p> <p>Please reopen and reassign if needed.</p> Related LU-17015 Development End date Thu, 17 Sep 2015 09:14:32 +0000 Rank 1|hzvzmn: Rank (Obsolete) 10005 Severity Start date Thu, 29 Aug 2013 09:14:32 +0000