nfs-utils.git/utils/gssd, branch gss-proxy-mods NFS utils related patches Allow GSSAPI to try to acquire credentials first. 2013-04-05T22:39:10+00:00 Simo Sorce simo@redhat.com 2013-03-29T03:48:52+00:00 91932e239e8759f921897f1ff536742290b79586 GSSAPI can be given a uid number as a special name, and then gss_acquire_cred() can use the name to try to find credentials for the user. Give GSSAPI a chance to do it on its own, then fallback to the classic method of trolling through the file system to find a credential cache. 
GSSAPI can be given a uid number as a special name, and then
gss_acquire_cred() can use the name to try to find credentials for
the user.

Give GSSAPI a chance to do it on its own, then fallback to the classic
method of trolling through the file system to find a credential cache.
Document new -z/-Z options 2013-04-05T22:39:10+00:00 Simo Sorce simo@redhat.com 2013-04-02T17:15:22+00:00 4a918dcd6715d2aefa33daa451e5ecd0c1923846 Options are not in alphabetical order but -z/-Z clearly always come last. Signed-off-by: Simo Sorce <simo@redhat.com> 
Options are not in alphabetical order but -z/-Z clearly always come last.

Signed-off-by: Simo Sorce <simo@redhat.com>
Avoid reverse resolution for server name 2013-04-05T22:39:10+00:00 Simo Sorce simo@redhat.com 2013-04-02T17:18:09+00:00 f18a1dadd4508e74c0aed37d8ac92046c30fbfe7 A NFS client should be able to work properly even if the DNS Reverse record for the server is not set. There is no excuse to forcefully prevent that from working when it can. This patch adds a new pair of options (-z/-Z) that allow to turn on/off DNS reverse resolution for determining the server name to use with GSSAPI. To avoid breaking current behavior the option defaults to off by default, ideally we will turn this on by default after a transition period. Signed-off-by: Simo Sorce <simo@redhat.com> 
A NFS client should be able to work properly even if the DNS Reverse record
for the server is not set. There is no excuse to forcefully prevent that
from working when it can.

This patch adds a new pair of options (-z/-Z) that allow to turn on/off
DNS reverse resolution for determining the server name to use with GSSAPI.

To avoid breaking current behavior the option defaults to off by default,
ideally we will turn this on by default after a transition period.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix double free when exporting lucid context 2013-04-05T22:39:10+00:00 Simo Sorce simo@redhat.com 2013-04-05T22:04:35+00:00 4dc4718becc20224b9da5657b8216af7d4da8ac5 When using GSSAPI's gss_krb5_export_lucid_context the context passed into the function is actually deleted during the export (to avoid reuse as the context contains state that depends on its usage). Change the code to pass in a pointer to the context so that it can be properly NULLed if we are using the GSSAPI context and following calls to gss_delete_sec_context will not cause double free errors and segfaults. Signed-off-by: Simo Sorce <simo@redhat.com> 
When using GSSAPI's gss_krb5_export_lucid_context the context passed into the
function is actually deleted during the export (to avoid reuse as the context
contains state that depends on its usage).
Change the code to pass in a pointer to the context so that it can be properly
NULLed if we are using the GSSAPI context and following calls to
gss_delete_sec_context will not cause double free errors and segfaults.

Signed-off-by: Simo Sorce <simo@redhat.com>
gssd: Fix segfault when using -R option 2013-04-02T19:08:17+00:00 Simo Sorce simo@redhat.com 2013-04-02T19:06:13+00:00 0ce973a59ab3393481ba7c434a7353b5007cba71 The getopt string did not add : after the R option resulting in a sefgault whenever -R was used as optarg is NULL and it is dereferenced. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com> 
The getopt string did not add : after the R option resulting in a
sefgault whenever -R was used as optarg is NULL and it is dereferenced.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Switch to use standard GSSAPI by default 2013-04-02T19:08:17+00:00 Simo Sorce simo@redhat.com 2013-04-02T19:04:37+00:00 0ac50211fefb0d398ecc958ebe725dc6b6285103 Make libgssglue configurable still but disabled by default. There is no reason to use libgssglue anymore, and modern gssapi supports all needed features for nfs-utils. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com> 
Make libgssglue configurable still but disabled by default.
There is no reason to use libgssglue anymore, and modern gssapi
supports all needed features for nfs-utils.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: gethostname(3) returns zero or -1, not an errno 2013-03-25T14:09:11+00:00 Chuck Lever chuck.lever@oracle.com 2013-03-23T12:13:22+00:00 128bca853fc6df20a87d4d3dfe12c1b77204d673 According to "man gethostname," gssd is handling the return value of gethostname(3) incorrectly. It looks like other gethostname(3) call sites in nfs-utils are already correct. Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com> 
According to "man gethostname," gssd is handling the return value of
gethostname(3) incorrectly.  It looks like other gethostname(3) call
sites in nfs-utils are already correct.

Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Fix whitespace nits 2013-03-25T14:09:11+00:00 Chuck Lever chuck.lever@oracle.com 2013-03-23T12:12:16+00:00 8239ec6587ce103d7bcb4b37c680c0c10ef5b37c Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com> 
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Clean up gssd_setup_krb5_user_gss_ccache() 2013-03-25T14:09:10+00:00 Chuck Lever chuck.lever@oracle.com 2013-03-23T12:11:28+00:00 f1e171dcbe6fa182ff6d8ccf0ab9aff620106889 Remove a contradictory portion of the block comment documenting gssd_find_existing_krb5_ccache(). This should have been removed by commit 289ad31e, which reversed the meaning of the function's return values. Note that, in user space, typically errno's are positive. But here we follow the kernel convention of using negative values to return error codes. Make the documenting comments explicit about the sign of an error return -- it will never be positive in the case of an error. And a nit: At the last return statement in gssd_setup_krb5_user_gss_ccache(), "err" always contains zero, as far as I can tell. Make it explicit (to human readers) that when execution reaches this point, gssd_setup_krb5_user_gss_ccache() is going to return "success." Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com> 
Remove a contradictory portion of the block comment documenting
gssd_find_existing_krb5_ccache().  This should have been removed by
commit 289ad31e, which reversed the meaning of the function's return
values.

Note that, in user space, typically errno's are positive.  But here
we follow the kernel convention of using negative values to return
error codes.  Make the documenting comments explicit about the sign
of an error return -- it will never be positive in the case of an
error.

And a nit: At the last return statement in
gssd_setup_krb5_user_gss_ccache(), "err" always contains zero, as
far as I can tell.  Make it explicit (to human readers) that when
execution reaches this point, gssd_setup_krb5_user_gss_ccache() is
going to return "success."

Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Update description of "-l" option 2013-03-25T14:09:10+00:00 Chuck Lever chuck.lever@oracle.com 2013-03-23T12:09:42+00:00 020fc9855c69f74361a416be357fb882e80dcdd8 Move most of the text in the description of the "-l" option up to the DESCRIPTION section, to match what was done for "-n" and "-k". The discussion is then less restricted by formatting, and we can take the space to introduce a few concepts before describing the behavior of rpc.gssd. Fix a few misspellings and grammar issues while here. Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com> 
Move most of the text in the description of the "-l" option up to
the DESCRIPTION section, to match what was done for "-n" and "-k".

The discussion is then less restricted by formatting, and we can
take the space to introduce a few concepts before describing the
behavior of rpc.gssd.

Fix a few misspellings and grammar issues while here.

Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>