From 5d8fcfdd69a96e8e964d1867346dc6ab20e031c3 Mon Sep 17 00:00:00 2001
From: Scott Mayhew
Date: Fri, 9 Jan 2026 10:44:53 -0500
Subject: [PATCH] gssd: protect kerberos ticket cache access

Resolves: RHEL-138462
Signed-off-by: Scott Mayhew
---
 ...protect-kerberos-ticket-cache-access.patch | 52 +++++++++++++++++++
 nfs-utils.spec | 6 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 nfs-utils-2.5.4-gssd-protect-kerberos-ticket-cache-access.patch

diff --git a/nfs-utils-2.5.4-gssd-protect-kerberos-ticket-cache-access.patch b/nfs-utils-2.5.4-gssd-protect-kerberos-ticket-cache-access.patch
new file mode 100644
index 0000000..af805fe
--- /dev/null
+++ b/nfs-utils-2.5.4-gssd-protect-kerberos-ticket-cache-access.patch
@@ -0,0 +1,52 @@
+From 8600bbb7727df779ba1104c9f0c574b06be116a3 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Tue, 18 Nov 2025 10:23:27 -0500
+Subject: [nfs-utils PATCH] gssd: protect kerberos ticket cache access
+
+gssd_get_single_krb5_cred() is a function that's will (for when needed)
+send a TGT request to the KDC and then store it in a credential cache.
+If multiple threads (eg., parallel mounts) are making an upcall at the
+same time then getting creds and storing creds need to be serialized due
+to do kerberos API not being concurrency safe.
+
+Fixes: https://issues.redhat.com/browse/RHEL-103627
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Steve Dickson
+---
+ utils/gssd/krb5_util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index 09625fb9..137cffda 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -456,12 +456,14 @@ gssd_get_single_krb5_cred(krb5_context context,
+ krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
+ #endif
+
++ pthread_mutex_lock(&ple_lock);
+ if ((code = krb5_get_init_creds_opt_set_out_ccache(context, opts,
+ ccache))) {
+ k5err = gssd_k5_err_msg(context, code);
+ printerr(1, "WARNING: %s while initializing ccache for "
+ "principal '%s' using keytab '%s'\n", k5err,
+ pname ? pname : "", kt_name);
++ pthread_mutex_unlock(&ple_lock);
+ goto out;
+ }
+ if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
+@@ -470,10 +472,10 @@ gssd_get_single_krb5_cred(krb5_context context,
+ printerr(1, "WARNING: %s while getting initial ticket for "
+ "principal '%s' using keytab '%s'\n", k5err,
+ pname ? pname : "", kt_name);
++ pthread_mutex_unlock(&ple_lock);
+ goto out;
+ }
+
+- pthread_mutex_lock(&ple_lock);
+ ple->endtime = my_creds.times.endtime;
+ pthread_mutex_unlock(&ple_lock);
+
+--
+2.52.0
+
diff --git a/nfs-utils.spec b/nfs-utils.spec
index 8c934e5..1f0d72f 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
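Review bot: In the embedded krb5_util.c change, `ple_lock` is now taken before `krb5_get_init_creds_opt_set_out_ccache()` and stays held across `krb5_get_init_creds_keytab()`, which per the commit message sends the TGT request to the KDC, so every other thread that needs `ple_lock` waits for that round-trip. If `ple_lock` also guards principal-list state elsewhere in gssd (the `ple->endtime` store suggests it does), a slow or unreachable KDC would stall all concurrent upcalls; a dedicated mutex for ccache access would keep the two concerns apart. At minimum, document the widened scope at the lock site, e.g. `/* ple_lock also serializes ccache init and the TGT request; every exit path below must unlock */`. The two error branches each unlock by hand before `goto out`, and the function body starts and ends outside both hunks, so it should be confirmed that no other path reaches `out` with the lock held.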
@@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser Name: nfs-utils URL: http://linux-nfs.org/ Version: 2.5.4 -Release: 40%{?dist} +Release: 41%{?dist} Epoch: 1 # group all 32bit related archs @@ -88,6 +88,7 @@ Patch037: nfs-utils-2.5.4-gssd-dup-cachecreds.patch # Patch038: nfs-utils-2.5.4-rpc-statd-service-dependency.patch Patch039: nfs-utils-2.5.4-nfsrahead-Modify-get_device_info-logic.patch +Patch040: nfs-utils-2.5.4-gssd-protect-kerberos-ticket-cache-access.patch Patch100: nfs-utils-1.2.1-statdpath-man.patch Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch @@ -534,6 +535,9 @@ fi %{_mandir}/*/nfsiostat.8.gz %changelog +* Fri Jan 9 2026 Scott Mayhew 2.5.4-41 +- gssd: protect kerberos ticket cache access (RHEL-138462) + * Mon Dec 8 2025 Steve Dickson 2.5.4-40 - nfsrahead: modify get_device_info logic (RHEL-134397)