Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-44842

Gssproxy is unable to handle KRB5_AP_ERR_BAD_INTEGRITY on the nfs mount

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • CentOS Stream 9
    • gssproxy
    • None
    • None
    • None
    • rhel-sst-idm-ipa
    • ssg_idm
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      What were you trying to do that didn't work?

      This affects all existing releases.

      In a Kerbersized mount, the client's mount fails after the server's credentials have been updated at the KDC and it signals that via sending KRB5_AP_ERR_BAD_INTEGRITY error during GSS context establishment.

       

      This problem has been fixed in nfsutils's gssd but when running with use-gss-proxy=1 it leads to failure.

      Please provide the package NVR for which bug is seen:

      How reproducible:

      Steps to reproduce

      1. mount -o sec=krb5 <server>:/<volume> <mount point>
      2. umount 
      3. update server's key tab at KDC. Upload new key tab to the server
      4. mount -o sec=krb5 <server>:/<volume> <mount point> this step leads to failure because gssproxy uses existing nfs ticket and the is unable to handle receiving BAD_INTEGRITY error to use the tgt again to get the new service ticket.

      Expected results

      mount shouldn't fail.

      Actual results

              jrische@redhat.com Julien Rische
              netappnfs Olga Kornievskaia (Inactive)
              NetApp Confidential Group
              Julien Rische Julien Rische
              Anuja More Anuja More
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: