gssproxy crashes in on Ubuntu 18.04 when called by rpc.gssd

Bug #1788459 reported by Robert Taylor on 2018-08-22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gssproxy (Ubuntu)
krb5 (Ubuntu)
libselinux (Ubuntu)

Bug Description

I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy.

If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in and the web request generates a 403 error.

gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in[7f2f5bb0d000+25000]

If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd:

# gssproxy -d --debug-level=3 -i -C /etc/gssproxy

[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)

Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04

Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1

Robert Taylor (rgtaylor) on 2018-08-22
summary: - gssproxy in on Ubuntu 18.04 when called by rpc.gssd
+ gssproxy crashes in on Ubuntu 18.04 when called by
+ rpc.gssd
Andreas Hasenack (ahasenack) wrote :

Can you simplify the configuration needed to reproduce this bug? For example, does it happen when using gssapi authentication with apache, without the NFSv4 bit?

Andreas Hasenack (ahasenack) wrote :

Or can you elaborate a bit more how you have this setup?

And, before I forget, do you have a crash file somewhere in /var/crash?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers