gss-proxy.git/proxy/examples, branch ntlmssp Work on gss-proxy before it lands upstream Add option to specify allowed usage. 2013-10-18T13:46:24+00:00 Simo Sorce simo@redhat.com 2013-10-14T20:41:13+00:00 3f587569f2fdd9ec4db05748c5ed5ebbfc1ab5c9 Credentials can often be used both to accept and to initiate contexts. With this option admins can allow a specific usage only. This is to avoid allowing an unprivileged process to fool a remote client by allowing it to impersonate a server, when we only want to allow this service to use credentials to initiate contexts. Reviewed-by: Günther Deschner <gdeschner@redhat.com 
Credentials can often be used both to accept and to initiate contexts.
With this option admins can allow a specific usage only.
This is to avoid allowing an unprivileged process to fool a remote
client by allowing it to impersonate a server, when we only want to
allow this service to use credentials to initiate contexts.

Reviewed-by: Günther Deschner <gdeschner@redhat.com
Allow arbitrary users to connect to a service 2013-10-18T13:46:24+00:00 Simo Sorce simo@redhat.com 2013-10-14T20:20:11+00:00 a324853818fd75d7ec11c68de9d499f37228b26a The rpc.gssd daemon is changing to fork and change uid to the unprivileged user it wants to authenticate, this means gssproxy needs to allow connection from any euid. When this is done though, the trusted flag needs to be dropped, if the connecting euid does not match the default trusted uid to prevent improper impersonation. Resolves: https://fedorahosted.org/gss-proxy/ticket/103 Reviewed-by: Günther Deschner <gdeschner@redhat.com 
The rpc.gssd daemon is changing to fork and change uid to the unprivileged
user it wants to authenticate, this means gssproxy needs to allow connection
from any euid. When this is done though, the trusted flag needs to be dropped,
if the connecting euid does not match the default trusted uid to prevent
improper impersonation.

Resolves: https://fedorahosted.org/gss-proxy/ticket/103
Reviewed-by: Günther Deschner <gdeschner@redhat.com
Split nfs server and client services 2013-06-21T14:26:38+00:00 Simo Sorce simo@redhat.com 2013-06-19T15:41:29+00:00 7201cabaf0c59b2f50c1a86a47465daaafff6cb4 The NFS server uses a special socket for the kernel communication. Split configuration in 2 distinct services so we can use specific options that may be different between server and client. The 3 main differences so far are: 1. socket: default for client, custom for server 2. kernel_nfd option only for server 3. ccache and client keytab options only for client Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
The NFS server uses a special socket for the kernel communication.
Split configuration in 2 distinct services so we can use specific options that
may be different between server and client.

The 3 main differences so far are:
1. socket: default for client, custom for server
2. kernel_nfd option only for server
3. ccache and client keytab options only for client

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Fix nfsd socket 2013-06-06T14:51:16+00:00 Simo Sorce simo@redhat.com 2013-06-05T15:58:13+00:00 b52f868b7fce0828409b55790c21bbf8ed228641 The Kernel expect the knfsd socket in a specific plce that is not where our standard socket is created. Add a knfsd specific socket in the default configuration. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> Resolves: https://fedorahosted.org/gss-proxy/ticket/93 
The Kernel expect the knfsd socket in a specific plce that is not where
our standard socket is created.
Add a knfsd specific socket in the default configuration.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Resolves: https://fedorahosted.org/gss-proxy/ticket/93
Add --with-gpstate-path=PATH configure switch. 2013-05-06T13:00:10+00:00 Günther Deschner gdeschner@redhat.com 2013-04-29T15:42:21+00:00 918fb6db56b7ac9683f557cfdca553af730f2cca Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Improve default configuration. 2013-04-23T19:02:45+00:00 Simo Sorce simo@redhat.com 2013-04-12T16:03:26+00:00 7f8078e906b138dcd34f84e0260cba87b63ca62f Install by default working nfs configuration. For RPM also install by default file to configure interposer plugin. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
Install by default working nfs configuration.
For RPM also install by default file to configure interposer plugin.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Make socket path a configure option 2013-03-22T15:34:37+00:00 Simo Sorce simo@redhat.com 2013-03-21T16:28:02+00:00 e9623f5f05053f215c71dbf37d034ae98f1f1c36 The kernel uses the fixed path named /var/run/gssproxy.sock Make this default a configure time option and default to it. Also remove the option to change the socket at configure time, neither the kernel nor proxymech.so can cope with a change anyway. 
The kernel uses the fixed path named /var/run/gssproxy.sock
Make this default a configure time option and default to it.
Also remove the option to change the socket at configure time,
neither the kernel nor proxymech.so can cope with a change anyway.
Enable kernel support. 2013-03-22T15:34:32+00:00 Simo Sorce simo@redhat.com 2013-03-19T22:53:20+00:00 97102f1e7e19f3ea869335afbdbeba619042d694 The Linux kernel now requires the gss-proxy to signal when it is available. This is done by writing 1 to the file /proc/net/rpc/use-gss-proxy Once this happens the kernel will try to attach to the gss-proxy socket and use it instead of the classic rpc.svcgssd daemon. 
The Linux kernel now requires the gss-proxy to signal when it is available.
This is done by writing 1 to the file /proc/net/rpc/use-gss-proxy

Once this happens the kernel will try to attach to the gss-proxy socket
and use it instead of the classic rpc.svcgssd daemon.
Add example GSS-API mechanism plugins config file. 2013-01-15T15:02:34+00:00 Günther Deschner gdeschner@redhat.com 2013-01-11T14:42:02+00:00 d13fdf433c5f3c6c350e09cb4ea1009c720f2a10 The file is not installed automatically yet. 
The file is not installed automatically yet.
config: Rework configuration syntax 2012-04-05T15:20:33+00:00 Simo Sorce simo@redhat.com 2012-02-26T21:40:47+00:00 cfbd12afad3fb232cbc214e1c47c2bf202ec5003 Keeping 2 separate sections for credentials and services seem to just make things really confusing. The off chance of reusing a 'credential' section is dwarfed by the confusion cause by keeping them separate. Having to copy a full service section is not a big deal so KISS wins here. 
Keeping 2 separate sections for credentials and services seem to just make
things really confusing. The off chance of reusing a 'credential' section is
dwarfed by the confusion cause by keeping them separate. Having to copy a full
service section is not a big deal so KISS wins here.