On Wed, Dec 18, 2019 at 2:34 PM Chuck Lever <chuck.lever@xxxxxxxxxx> wrote: > > > > > On Dec 18, 2019, at 2:31 PM, Olga Kornievskaia <aglo@xxxxxxxxx> wrote: > > > > On Wed, Dec 18, 2019 at 2:05 PM Trond Myklebust <trondmy@xxxxxxxxxxxxxxx> wrote: > >> > >> On Wed, 2019-12-18 at 12:47 -0500, Olga Kornievskaia wrote: > >>> Hi folks, > >>> > >>> Is this a well know but undocumented fact that you can't set large > >>> amount of acls (over 4096bytes, ~90acls) while mounted using > >>> krb5i/krb5p? That if you want to get/set large acls, it must be done > >>> over auth_sys/krb5? > >>> > >> > >> It's certainly not something that I was aware of. Do you see where that > >> limitation is coming from? > > > > I haven't figure it exactly but gss_unwrap_resp_integ() is failing in > > if (mic_offset > rcv_buf->len). I'm just not sure who sets up the > > buffer (or why rvc_buf->len is (4280) larger than a page can a > > page-limit might make sense to for me but it's not). So you think it > > should have been working. > > The buffer is set up in the XDR encoder. But pages can be added > by the transport... I guess rcv_buf->len isn't updated when that > happens. > Here's why the acl+krbi/krb5p is failing. acl tool first calls into the kernel to find out how large of a buffer it needs to supply and gets acl size then calls down again then code in __nfs4_get_acl_uncached() allocates a number of pages (this what set's the available buffer length later used by the sunrpc code). That works for non-integrity because in call_decode() the call rpc_unwrap_resp() doesn't try to calculate the checksum on the buffer that was just read. However, when its krb5i/krb5p we have truncated buffer and mic offset that's larger than the existing buffer. I think something needs to be marked to skip doing gss for the initial acl query? I first try providing more space in __nfs4_get_acl_uncached() for when authflavor=krb5i/krb5p and buflen=0 but no matter what the number is the received acl can be larger than that thus I don't think that's a good approach. > -- > Chuck Lever > > >
