Hello,
I completely missed this so please excuse the delay.
> On 11/23/20 1:17 PM, Jacob Shivers wrote:
> > Commit 2f682f25c642fcfe7c511d04bc9d67e732282348 changed existing
> > behavior to avoid a deadlock for users using Kerberized NFS home dirs.
> >
> > However, this also prevents users leveraging their own k5identity
> > files under their home directory and instead rpc.gssd uses a
> > system-wide /.k5identity file. For users expecting to use their own
> > k5identity file this is certainly unexpected.
> So how is the deadlock not happening when ~/.k5identity is on a NFS
> home directory? What am I missing?
They are not using NFS for home directories. They are accessing
systems with a local fs backing the /home
> > Below is some pseudo code that was proposed and would just add a flag
> > allowing for the behavior prior to
> > 2f682f25c642fcfe7c511d04bc9d67e732282348:
> >
> > /* psudo code snippet starts here */
> > /*
> > * Some krb5 routines try to scrape info out of files in the user's
> > * home directory. This can easily deadlock when that homedir is on a
> > - * kerberized NFS mount. By setting $HOME unconditionally to "/", we
> > + * kerberized NFS mount. Some users may not have $HOME on NFS.
> > + * By default setting $HOME unconditionally to "/", we
> > * prevent this behavior in routines that use $HOME in preference to
> > * the results of getpw*.
> > + * Users who have $HOME on krb5-NFS should set
> > `--home-not-kerberized` in argv
> > + * Users who have $HOME on krb5-NFS but want to use their
> > $HOME anyway should set NFS_HOME_ACCESSIBLE=TRUE
> > */
> > + if (argv == '--home-not-kerberized') ||
> > (getenv("NFS_HOME_ACCESSIBLE") == 'TRUE') {
> > + log.debug('Not masking $HOME, this breaks on Kerberized $HOME');
> > + }
> > + else {
> > + log.debug('Assuming $HOME requires Kerberos, use
> > `--home-not-kerberized` to change this behavior');
> > if (setenv("HOME", "/", 1)) {
> > printerr(1, "Unable to set $HOME: %s\n", strerror(errn));
> > exit(1);
> > }
> > + }
> > /* psudo code snippet ends here */
> In general I'm pretty reluctant to add flags but what is needed
> to do so is a company single letter flag '-H' and a man page
> entry describing the flag.
Ok.
> >
> > While acknowledging the use of this flag for Kerberized NFS home dirs
> > is undesirable and would cause a deadlock, there should be no issue
> > for users not using Kerberized NFS home dirs.
> What apps are you using that is seeing this problem?
It is just when accessing the Kerberized NFS share. Other Kerberos
aware services/applications check for the existence of ~/.k5identify
before reading /var/kerberos/krb5/user/${EUID}/client.keytab. rpc.gssd
no longer does this and the intent of the patch would be to add
granularity to choose the behavior or rpc.gssd with respect to
scanning for a k5identity file.
If any additional information is required, please inform me.
Thanks,
Jacob Shivers
