action #159531

open

[security] test fails in krb5_crypt_nfs_client

Added by amanzini 12 days ago. Updated 4 days ago.

Status: Blocked
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2024-04-24
Due date:
% Done: 0%
Estimated time:
Difficulty:

Description

Observation

openQA test in scenario sle-15-SP5-Server-DVD-Updates-x86_64-fips_tests_crypt_krb5_client@64bit fails in krb5_crypt_nfs_client

Test suite description

Testsuite maintained at https://gitlab.suse.de/qe-security/osd-sle15-security.

Reproducible

Fails since (at least) Build 20240419-1

Expected result

Last good: 20240418-1 (or more recent)

Further details

Always latest result in this scenario: latest

Observation

NFS client is trying to connect to a server.example.com, but it's not ready?



Actions #1

Updated by amanzini 12 days ago

  • Subject changed from test fails in krb5_crypt_nfs_client to [security] test fails in krb5_crypt_nfs_client

Actions #2

Updated by amanzini 12 days ago

  • Description updated (diff)

Actions #3

Updated by amanzini 12 days ago

  • Assignee set to amanzini

Actions #4

Updated by amanzini 7 days ago · Edited

NFS mount with sec=sys is fine, with sec=krb5 gives access denied from server.

Actions #5

Updated by amanzini 7 days ago

The system clock is not NTP synchronized among client, server and KDC; this can be a cause of issues when using Kerberos. Is the 15SP5 image lacking a proper NTP setup?

Actions #6

Updated by amanzini 6 days ago

upon access denied, on the server:

Actions #7

Updated by amanzini 6 days ago · Edited

some random considerations:

  • in the server configuration, /etc/sysconfig/nfs, the option NFS_SECURITY_GSS is not present
  • in /etc/krb5.conf, the option fipslevel is not documented (see man krb5.conf)

Actions #8

Updated by amanzini 5 days ago

on a successful mount, on 15SP4 we can observe a log entry from rpc.mountd, which is missing in 15SP5:

Actions #9

Updated by amanzini 4 days ago · Edited

PASS with

  • kernel-5.14.21-150400.24.116-default
  • krb5-1.19.2-150400.3.9.1
  • krb5-server-1.19.2-150400.3.9.1
  • krb5-client-1.19.2-150400.3.9.1
  • nfs-client-2.1.1-150100.10.37.1

FAIL with

  • kernel-5.14.21-150500-55.59-default
  • krb5-1.20.1-150500.3.6.1
  • krb5-server-1.20.1-150500.3.6.1
  • krb5-client-1.20.1-150500.3.6.1
  • nfs-client-2.1.1-150500.22.3.1

Actions #10

Updated by amanzini 4 days ago

  • Status changed from In Progress to Blocked