Bug #51821
Closed
client is using insecure global_id reclaim
Description
Hi everyone.
We are running an Octopus cluster at work with more than 30 clients, and I'm currently reviewing Pacific if we want to upgrade in the future at work. I have a small cluster with 4 hosts at home with one OSD, MON, MGR, MDS each. All hosts are running Debian with the latest Ceph packages 16.2.4.
I have two clients I'm reviewing. One client is an Ubuntu client 16.2.5 built from the source as there are no Raspberry Pi 3 packages.
The other client is a Windows 10 running ceph-dokan. I get these warnings in the monitor console:
AUTH_INSECURE_GLOBAL_ID_RECLAIM: client is using insecure global_id reclaim
AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED: mons are allowing insecure global_id reclaim
If I switch the configuration, so I don't allow insecure global id reclaim on the monitors, the clients can't connect. So how do I configure ceph-dokan and a Linux environment mounting a resource using the kernel module?
I guess there is a configuration option I need to add to the ceph.conf file, but I can't find any documentation around this topic.
Thank you for your response.
Best regards
Daniel
Updated by Daniel Persson over 2 years ago
Have updated to 16.2.5, the issue still remains.
Updated by Neha Ojha over 2 years ago
There are recommendations for dealing with this warning in https://docs.ceph.com/en/latest/security/CVE-2021-20288/. Have you looked at this already? You can also reach out on the ceph-users mailing list for more recommendations.
Updated by Daniel Persson over 2 years ago
Hi Neha
Thanks for the response.
Sadly it doesn't really give you any information about the clients and how to handle the issue. Currently when I turn it on I get the following error:
monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2]
Could be that the client is not new enough. But I use the kernel module installed together with the installation of 16.2.5. I've also tried to run the command
ceph status
with the same error on the machine.
Independent of whether I use the built-from-source ARM module, the Windows ceph-dokan module or the installed Debian module, I get the same result.
Best regards
Daniel
Updated by Christian Rohmann over 2 years ago
Daniel Persson wrote:
> Sadly it doesn't really give you any information about the clients and how to handle the issue.
Actually it does in https://docs.ceph.com/en/latest/security/CVE-2021-20288/#recommendations and quite certainly your client is not current enough.
Which version of Ubuntu are you using? Did you add https://download.ceph.com/ as apt repo to have Ceph 15 or 16 packages?
Please check which version of i.e. librados2 or, since you are building the client yourself, librados-dev you are using. Maybe doing ldd $PATH_TO_CLIENT or apt policy librados2 might help you on your Ubuntu box.
Updated by Daniel Persson over 2 years ago
Hi Christian
Thank you for your response. The extra information to look for librados2 library helped me figure out my versions. And with the help of the command:
ceph health detail
I could get the IP of the failing clients. With that, I figured out that one of the clients had not gotten the correct packages from Debian's package store. I ran 12, which is a distro standard, but when updating to 16.2.5, it worked just fine.
Now the only client that won't connect is the Windows client, which is ceph-dokan version 15.0.0, and I could understand that it would not work. A bit sad but not fatal. We are not running any Windows clients in production yet because it's still in beta.
I think this issue could be changed to resolved and closed.
Best regards
Daniel
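The step described in the comment above, finding which hosts still trigger the warning from `ceph health detail`, can be scripted. This is an added example, not part of the original thread or of Ceph itself; the sample output is constructed, and the detail-line layout it parses (`<entity> at <addr> is using insecure global_id reclaim`) is an assumption to check against your own cluster's output.

```python
import re
from collections import defaultdict

# Constructed sample. The detail-line layout
# "<entity> at <addr> is using insecure global_id reclaim" is an assumption.
SAMPLE = """\
HEALTH_WARN client is using insecure global_id reclaim; mons are allowing insecure global_id reclaim
[WRN] AUTH_INSECURE_GLOBAL_ID_RECLAIM: client is using insecure global_id reclaim
    client.admin at 192.0.2.21:0/1234567890 is using insecure global_id reclaim
    client.rpi at v1:192.0.2.34:0/2222222222 is using insecure global_id reclaim
    client.admin at 192.0.2.21:0/987654321 is using insecure global_id reclaim
[WRN] AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED: mons are allowing insecure global_id reclaim
    mon.a has auth_allow_insecure_global_id_reclaim set to true
"""

# "[WRN] CHECK_CODE: summary" opens the detail section for one health check.
HEADER = re.compile(r"^\[\w+\] (\w+):")
# Indented detail line: entity name, optional v1:/v2: prefix, IPv4 or [IPv6].
DETAIL = re.compile(
    r"^\s+(?P<entity>\S+) at (?:v[12]:)?"
    r"(?P<ip>\[[0-9A-Fa-f:.]+\]|[0-9.]+):\d+/\d+"
    r" is using insecure global_id reclaim\s*$"
)


def insecure_clients(health_detail):
    """Map client IP -> sorted entity names still using insecure reclaim."""
    hosts = defaultdict(set)
    section = None
    for line in health_detail.splitlines():
        head = HEADER.match(line)
        if head:
            section = head.group(1)
            continue
        # Ignore detail lines of other checks (e.g. the *_ALLOWED mon list).
        if section != "AUTH_INSECURE_GLOBAL_ID_RECLAIM":
            continue
        m = DETAIL.match(line)
        if m:
            hosts[m.group("ip").strip("[]")].add(m.group("entity"))
    return {ip: sorted(names) for ip, names in sorted(hosts.items())}


if __name__ == "__main__":
    for ip, names in insecure_clients(SAMPLE).items():
        print(ip, ", ".join(names))
```

Each IP in the result is a host whose Ceph client packages should be checked, for example with the `apt policy librados2` command suggested earlier in the thread.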
Updated by Christian Rohmann over 2 years ago
Daniel Persson wrote:
> Now the only client that won't connect is the Windows client, which is ceph-dokan version 15.0.0, and I could understand that it would not work. A bit sad but not fatal. We are not running any Windows clients in production yet because it's still in beta.
I don't have any experience with ceph-dokan. Which build or installation source are you using? https://github.com/ceph/ceph-dokan seems archived, and then there is https://github.com/dokan-dev/dokany as a fork and future project?
Updated by Daniel Persson over 2 years ago
Hi again.
I've now solved my problem and also got the Windows client to work. The process was a bit complicated so I created a short video to hopefully help anyone else that has the same problem.
I hope this helps, and again thank you for helping me.
Best regards
Daniel