| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
This makes sure openlog() is called before any syslog() call.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
| |
This makes it more likely configuration parsing failures are detected.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
| |
This make it easier to identify issues when run interactively.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
| |
Instead of recompiling, one can set the "GSSI_DEBUG" environment variable at
runtime.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The Kernel expect the knfsd socket in a specific plce that is not where
our standard socket is created.
Add a knfsd specific socket in the default configuration.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Resolves: https://fedorahosted.org/gss-proxy/ticket/93
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we would allow to be installed with an outdated and non-working
libiniconfig version.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Resolves: https://fedorahosted.org/gss-proxy/ticket/92
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This assures the right startup and checking order for gssproxy and kernel nfs
gssproxy client interface.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
They might want to use gssproxy so we need to run in advance.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This fixes a segfault when no client_keytab is passed in via cred_store api.
See https://fedorahosted.org/gss-proxy/ticket/85 for details.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This is required to make sure we never recurse into ourselves.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Grab the socket lock for the whole conversation.
We need to keep the lock until the whole conversation is over.
Otherwise we may have concurrency issues where communication gets intermixed
and errors in one thread can cause a thread to hang.
Here is what we observed:
thread 1: grabs lock and send a request.
thread 2: grabs lock and sends a request
server: thread 2 request causes a fatal error and the server close the
connection
thread 2: grabs the lock and waits for a reply.
thread 2: gets the error and returns to caller with it (connection is closed).
thread 1: grabs the lock (which reopens the closed channel) and reads ...
... forever as the server has already killed all the previous state.
2. Fail immediately on short reads for the initial 4 byte length header.
If the first 4 bytes do not come at once don't bother retrying. In 99.9% of the
cases what we are witnessing here is a fatal error from the proxy that closed
the socket. Reopening the scket cannot accomplish anything as the request sent
down the channel is tied to the specific socket, so once the socket is closed
there is no hope to ever get back a reply.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
| |
We were failing to find the right service as the test was reversed.
It works with the default socket as it is not stored per service.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
We first need to fix our tests and implementation.
Temporary workaround for:
https://fedorahosted.org/gss-proxy/ticket/81
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
We do not want to generate an exported name buffer.
Let's the mechglue code in MIT generate it for use from the display name.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
| |
Vendors can call "make test_proxymech" from their specfile to make sure
proxymech.so can be properly loaded by the GSSAPI.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
At the same time, rename gp_common.c to gp_util.c to make it more visible
there is no relation to gp_common.h.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
Only LOCAL_ONLY,LOCAL_FIRST and REMOTE_FIRST allowed.
REMOTE_ONLY is recognized but configure aborts as long as it is not supported.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Actually one feature requires the upstream master branch to be fully
functional. In fedora this patch [1] has been backported to 1.11.2
to have the full functionality available. Once upstream will release
1.12 that will become the minimum reuirement.
[1] https://github.com/krb5/krb5/commit/38cc076579888695a5820ceb44fe43020f5b61e1
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Document options, sections, substitutions and default values.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
| |
ENOENT is returned if no value is available.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This way different processes running as the same user can be configured as
different servervices
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
| |
Install by default working nfs configuration.
For RPM also install by default file to configure interposer plugin.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The credential store design goal is to allow administrators to set arbitrary
strings without additional applications knowledge. This allows extending the
number of crdential types GSSAPI can be made to support without having to
recompile applications to add explicit support.
Only explicitly check for cred store values that ned special treatment and let
admins decide what to put in cred_store.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The krb5_{ccache,keytab,client_keytab} parameters are replaced with a
multivalued "cred_store" parameter instead.
krb5_keytab = /etc/krb5.keytab
becomes:
cred_store = keytab:/etc/krb5.keytab
Likewise for the "krb5_ccache" and "krb5_client_keytab" parameters.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
|