| author | Olga Kornievskaia <kolga@netapp.com> | 2016-04-28 16:51:54 -0400 |
|---|---|---|
| committer | Steve Dickson <steved@redhat.com> | 2016-04-29 10:38:02 -0400 |
| commit | 85c5c16d29d50c1f798d60e57641cd21cec2e905 (patch) | |
| tree | de395b3960f083be45235a4db86e0adb4bc687b9 | |
| parent | 792c2a597c770738cf5c4433724504a5fc4ff7f5 (diff) | |
gssd: always call gss_krb5_ccache_name
Previously the location of the credential cache was passed in either
using environment variable KRB5CCNAME or gss_krb5_ccache_name() if
supported. For threaded-gssd, we can't use an environment variable
as it's shared among all threads. Thus always use the API call.
Reviewed-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| -rw-r--r-- | aclocal/kerberos5.m4 | 11 | ||||
| -rw-r--r-- | utils/gssd/gssd_proc.c | 10 | ||||
| -rw-r--r-- | utils/gssd/krb5_util.c | 56 | ||||
| -rw-r--r-- | utils/gssd/krb5_util.h | 3 |
4 files changed, 19 insertions, 61 deletions
diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4 index 0bf35d3..8a0f3e4 100644 --- a/aclocal/kerberos5.m4 +++ b/aclocal/kerberos5.m4 @@ -43,15 +43,6 @@ AC_DEFUN([AC_KERBEROS_V5],[ -f $dir/lib/libgssapi_krb5.so \) ; then AC_DEFINE(HAVE_KRB5, 1, [Define this if you have MIT Kerberos libraries]) KRBDIR="$dir" - dnl If we are using MIT K5 1.3.1 and before, we *MUST* use the - dnl private function (gss_krb5_ccache_name) to get correct - dnl behavior of changing the ccache used by gssapi. - dnl Starting in 1.3.2, we *DO NOT* want to use - dnl gss_krb5_ccache_name, instead we want to set KRB5CCNAME - dnl to get gssapi to use a different ccache - if test $K5VERS -le 131; then - AC_DEFINE(USE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the private function, gss_krb5_cache_name, must be used to tell the Kerberos library which credentials cache to use. Otherwise, this is done by setting the KRB5CCNAME environment variable]) - fi gssapi_lib=gssapi_krb5 break dnl The following ugly hack brought on by the split installation @@ -92,8 +83,6 @@ AC_DEFUN([AC_KERBEROS_V5],[ AC_DEFINE(HAVE_LUCID_CONTEXT_SUPPORT, 1, [Define this if the Kerberos GSS library supports gss_krb5_export_lucid_sec_context]), ,$KRBLIBS) AC_CHECK_LIB($gssapi_lib, gss_krb5_set_allowable_enctypes, AC_DEFINE(HAVE_SET_ALLOWABLE_ENCTYPES, 1, [Define this if the Kerberos GSS library supports gss_krb5_set_allowable_enctypes]), ,$KRBLIBS) - AC_CHECK_LIB($gssapi_lib, gss_krb5_ccache_name, - AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the Kerberos GSS library supports gss_krb5_ccache_name]), ,$KRBLIBS) AC_CHECK_LIB($gssapi_lib, gss_krb5_free_lucid_sec_context, AC_DEFINE(HAVE_GSS_KRB5_FREE_LUCID_SEC_CONTEXT, 1, [Define this if the Kerberos GSS library supports gss_krb5_free_lucid_sec_context]), ,$KRBLIBS) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 66a9d11..b19c595 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c 
@@ -547,7 +547,15 @@ krb5_use_machine_creds(struct clnt_info *clp, uid_t uid, char *tgtname, goto out; } for (ccname = credlist; ccname && *ccname; ccname++) { - gssd_setup_krb5_machine_gss_ccache(*ccname); + u_int min_stat; + + if (gss_krb5_ccache_name(&min_stat, *ccname, NULL) != + GSS_S_COMPLETE) { + printerr(1, "WARNING: gss_krb5_ccache_name " + "with name '%s' failed (%s)\n", + *ccname, error_message(min_stat)); + continue; + } if ((create_auth_rpc_client(clp, tgtname, rpc_clnt, &auth, uid, AUTHTYPE_KRB5, diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index a690043..c1e4d2b 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -468,37 +468,6 @@ gssd_get_single_krb5_cred(krb5_context context, } /* - * Depending on the version of Kerberos, we either need to use - * a private function, or simply set the environment variable. - */ -static void -gssd_set_krb5_ccache_name(char *ccname) -{ -#ifdef USE_GSS_KRB5_CCACHE_NAME - u_int maj_stat, min_stat; - - printerr(3, "using gss_krb5_ccache_name to select krb5 ccache %s\n", - ccname); - maj_stat = gss_krb5_ccache_name(&min_stat, ccname, NULL); - if (maj_stat != GSS_S_COMPLETE) { - printerr(0, "WARNING: gss_krb5_ccache_name with " - "name '%s' failed (%s)\n", - ccname, error_message(min_stat)); - } -#else - /* - * Set the KRB5CCNAME environment variable to tell the krb5 code - * which credentials cache to use. (Instead of using the private - * function above for which there is no generic gssapi - * equivalent.) - */ - printerr(3, "using environment variable to select krb5 ccache %s\n", - ccname); - setenv("KRB5CCNAME", ccname, 1); -#endif -} - -/* * Given a principal, find a matching ple structure */ static struct gssd_k5_kt_princ * 
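Review bot: In the gssd_proc.c hunk, the loop in krb5_use_machine_creds now relies on gss_krb5_ccache_name() selecting the cache for the calling thread only, and nothing in the code records that assumption. MIT krb5 keeps this setting in thread-specific storage as far as I know, but if a supported GSS library stored it process-wide, concurrent upcalls could authenticate with each other's credential cache, which is the problem the commit message sets out to avoid. I would add a comment above the call, e.g. `/* ccache selection must be per-thread here; a process-wide setting would race between upcalls */`. Separately, `u_int min_stat;` should be `OM_uint32 min_stat;` to match the GSS-API prototype, and the same applies to the `u_int maj_stat, min_stat;` declaration added in gssd_setup_krb5_user_gss_ccache in krb5_util.c. The function body starts and ends outside this hunk.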
@@ -1094,6 +1063,7 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirpattern) const char *cctype; struct dirent *d; int err, i, j; + u_int maj_stat, min_stat; printerr(3, "looking for client creds with uid %u for " "server %s in %s\n", uid, servername, dirpattern); @@ -1129,22 +1099,16 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirpattern) printerr(2, "using %s as credentials cache for client with " "uid %u for server %s\n", buf, uid, servername); - gssd_set_krb5_ccache_name(buf); - return 0; -} -/* - * Let the gss code know where to find the machine credentials ccache. - * - * Returns: - * void - */ -void -gssd_setup_krb5_machine_gss_ccache(char *ccname) -{ - printerr(2, "using %s as credentials cache for machine creds\n", - ccname); - gssd_set_krb5_ccache_name(ccname); + printerr(3, "using gss_krb5_ccache_name to select krb5 ccache %s\n", + buf); + maj_stat = gss_krb5_ccache_name(&min_stat, buf, NULL); + if (maj_stat != GSS_S_COMPLETE) { + printerr(0, "ERROR: unable to get user cred cache '%s' " + "failed (%s)\n", buf, error_message(min_stat)); + return maj_stat; + } + return 0; } /* diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index a319588..e3bbb07 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -27,7 +27,6 @@ int gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirname); int gssd_get_krb5_machine_cred_list(char ***list); void gssd_free_krb5_machine_cred_list(char **list); -void gssd_setup_krb5_machine_gss_ccache(char *servername); void gssd_destroy_krb5_machine_creds(void); int gssd_refresh_krb5_machine_credential(char *hostname, struct gssd_k5_kt_princ *ple, 
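Review bot: In gssd_setup_krb5_user_gss_ccache (krb5_util.c), the new failure path does `return maj_stat;`, which pushes a GSS major status through an `int` return whose visible success value is 0; the earlier return paths are outside the hunk, but if they use errno-style codes the caller now sees two error domains. Mapping the failure to the function's existing convention, or stating in the function's header comment that a GSS status can be returned, would keep callers from misreading it. The message `"ERROR: unable to get user cred cache '%s' failed (%s)\n"` also reads as two merged sentences; `"ERROR: gss_krb5_ccache_name failed for user cred cache '%s' (%s)\n"` names the failing call, which helps when triaging credential selection failures from logs. error_message(min_stat) may not decode a GSS minor status on libraries that remap minor codes, so gss_display_status() is likely the more reliable source for the text; this also applies to the gssd_proc.c hunk.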
@@ -55,8 +54,6 @@ int limit_krb5_enctypes(struct rpc_gss_sec *sec); #define k5_free_unparsed_name(ctx, name) free(name) #define k5_free_default_realm(ctx, realm) free(realm) #define k5_free_kt_entry(ctx, kte) krb5_kt_free_entry((ctx),(kte)) -#undef USE_GSS_KRB5_CCACHE_NAME -#define USE_GSS_KRB5_CCACHE_NAME 1 #endif #endif /* KRB5_UTIL_H */ |
