lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 4 Jan 2017 14:48:44 -0500
From:   "J. Bruce Fields" <bfields@...hat.com>
To:     Dave Jones <davej@...emonkey.org.uk>,
        Steve Dickson <SteveD@...hat.com>, jlayton@...chiereds.net,
        Linux Kernel <linux-kernel@...r.kernel.org>,
        linux-nfs@...r.kernel.org, chuck.lever@...cle.com
Subject: Re: NFS: SECINFO: security flavor 390003 is not supported

On Wed, Jan 04, 2017 at 02:29:01PM -0500, Dave Jones wrote:
> On Wed, Jan 04, 2017 at 02:23:58PM -0500, Steve Dickson wrote:
>  > 
>  > 
>  > On 01/04/2017 02:03 PM, Dave Jones wrote:
>  > > Since upgrading to 4.10-rc2, my nfs server has started printing these..
>  > > 
>  > > [  161.668635] NFS: SECINFO: security flavor 390003 is not supported
>  > > [  161.668655] NFS: SECINFO: security flavor 390004 is not supported
>  > > [  161.668670] NFS: SECINFO: security flavor 390005 is not supported
>  > > 
>  > > Client is debian's 4.8 kernel with default mount options, so sec=sys
>  > > 
>  > > What should I be doing to suppress these ? What causes them ?
>  > The auth_rpcgss or rpcsec_gss_krb5 kernel modules not being loaded??
> 
> I don't use kerberos, and CONFIG_SUNRPC_GSS=y

Hm, looks like that warning's from 676e4ebd5f2c "NFSD: SECINFO doesn't
handle unsupported pseudoflavors correctly", which went into 3.10-rc1.

So mountd is probably telling us that krb5/krb5i/krb5p are permitted on
some exports, though your kernel doesn't think it supports those for
some reason.

The exports are probably the v4 pseudoroot exports (I don't think normal
exports get the krb5 flavors unless you explicitly ask for them).  So
this is partly also the fault of nfs-utils 4a1ad4aa3028 "mountd: Enable
all auth flavors on pseudofs exports".

I don't know why your kernel doesn't think it supports those....  Is it
possible to have have CONFIG_SUNRPC_GSS set and not
CONFIG_RPCSEC_GSS_KRB5?

Maybe simplest is just demote that printk to a debugging thing.  It was
intended to help debug the case when somebody tries to, say, add
sec=krb5 exports but doesn't get the kernel configuration right, but
with mountd passing everything down in some cases it's not so helpful.

--b.

> 
> 	Dave
>

Powered by blists - more mailing lists