rpc.gssd: ERROR: GSS-API: error in gss_free_lucid_sec_context(): GSS_S_NO_CONTEXT

The attachment "90-gss-free-lucid-sec-context.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Uploaded to both utopic and trusty.

Sergio - could you provide a test case which is part of the Stable Release Update process so that we can get this fixed in 14.04? Thanks for the patch!

https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

* Brian Murray [2014-06-25 18:54:46 -0000]:
> Sergio - could you provide a test case which is part of the Stable
> Release Update process so that we can get this fixed in 14.04?

Let me try. The problem manifested itself spontaneously in my production
environment so I'm not sure exactly which ingredients are required
and which are optional. The following is probably overspecified.

Prerequisites:
-- a Kerberos realm (EXAMPLE.ORG); my KDC runs Heimdal (slightly modified
from Debian wheezy) but I see no reason why this should matter here.
-- an NFS server host (server.example.org) with /etc/krb5.keytab containing
valid keys for <email address hidden>, package nfs-kernel-server
installed, a filesystem at /export/nfs and an entry for it in /etc/exports:
/export/nfs client.example.org(sec=krb5p,rw,root_squash,sync,no_subtree_check)
This server can but need not be running Ubuntu 14.04 (in my tests it was
running Debian wheezy).
-- an NFS client host (client.example.org) with autofs configured to automount
server.example.org:/export/nfs somewhere (say, on /srv/nfs), running
the version of rpc.gssd that is to be tested. Remember to include sec=krb5p
in the mount options. It is recommended to run rpc.gssd with a short timeout
(e.g., rpc.gssd -t 60) at least for the purposes of this test: the bug
manifests itself when rpc.gssd prepares a new GSS context for the kernel,
so it helps to force this to happen often. In my environment the client
has machine credentials in /etc/krb5.keytab
(<email address hidden>, <email address hidden>
and <email address hidden>) though this is probably overkill
for the purposes of this test. The problem should be reproducible with a
static mount (no autofs) as well but I haven't actually tried that.

Testing procedure:
1. Log in to client.example.org as a non-root user with a corresponding
principal in EXAMPLE.ORG.
2. Obtain a Kerberos TGT for this user, either as part of the login process
(pam_krb5) or interactively by running kinit.
3. Try to access the mountpoint of the NFS share (/srv/nfs). A simple
 ls /srv/nfs
should be enough. This is expected to succeed even when the bug is present;
if it doesn't, the setup must be incorrect.
4. Look for warning messages from rpc.gssd (as in the subject of this bug
report) in the client's syslog (or, if running rpc.gssd -f, on standard
error) triggered by the NFS activity at step 3. These messages should no
longer appear once the patch is applied.

I've glossed over the configuration of /etc/idmapd.conf since I expect it
should all work with default settings there.

This bug was fixed in the package nfs-utils - 1:1.2.8-6ubuntu4

---------------
nfs-utils (1:1.2.8-6ubuntu4) utopic; urgency=medium

  * Add patch from Sergio Gelato to adjust for changes to the ctx
    argument of the serialize_krb5_ctx() function (LP: #1331201)
 -- Adam Conrad <email address hidden> Wed, 25 Jun 2014 12:23:09 -0600

Status changed to 'Confirmed' because the bug affects multiple users.

Hello Sergio, or anyone else affected,

Accepted nfs-utils into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nfs-utils/1:1.2.8-6ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Version: 1:1.2.8-6ubuntu1.1 verified on trusty amd64.

This bug was fixed in the package nfs-utils - 1:1.2.8-6ubuntu1.1

---------------
nfs-utils (1:1.2.8-6ubuntu1.1) trusty; urgency=medium

  * Add patch from Sergio Gelato to adjust for changes to the ctx
    argument of the serialize_krb5_ctx() function (LP: #1331201)
 -- Adam Conrad <email address hidden> Wed, 25 Jun 2014 12:23:09 -0600

The verification of the Stable Release Update for nfs-utils has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.