diff options
| author | Jeff Layton <jlayton@redhat.com> | 2010-01-12 07:32:51 -0500 |
|---|---|---|
| committer | Steve Dickson <steved@redhat.com> | 2010-01-12 07:32:51 -0500 |
| commit | 289ad31e013029c924c2777b4d3c0875b87db042 (patch) | |
| tree | f8ab667337ba10ff2165f2fa1e24407348dfb26f /utils/gssd/gssd_proc.c | |
| parent | fb8077ebc31698893ad09620a4e5d32c1d71287d (diff) | |
| download | nfs-utils-289ad31e013029c924c2777b4d3c0875b87db042.tar.gz nfs-utils-289ad31e013029c924c2777b4d3c0875b87db042.tar.xz nfs-utils-289ad31e013029c924c2777b4d3c0875b87db042.zip | |
gssd: on krb5 upcall, have gssd send a more granular error code
Currently if a krb5 context expires, GSSAPI authenticated RPC calls
start returning error (-EACCES in particular). This is bad when someone
has a long running job that's doing filesystem ops on a krb5 authenticated
NFS mount and just happens to forget to redo a 'kinit' in time.
The existing gssd always does a downcall with a '-1' error code if there
are problems, and the kernel always ignores this error code. Begin to
fix this by having gssd distinguish between someone that has no
credcache at all, and someone who has an expired one. In the case where
there is an existing credcache, have gssd downcall with an error code of
-EKEYEXPIRED. If there's not a credcache, then downcall with an error of
-EACCES.
We can then have the kernel use this error code to handle these
situations differently.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'utils/gssd/gssd_proc.c')
| -rw-r--r-- | utils/gssd/gssd_proc.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 795e06c..be4fb11 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -904,6 +904,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, char **ccname; char **dirname; int create_resp = -1; + int err, downcall_err = -EACCES; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); @@ -944,7 +945,10 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, service == NULL)) { /* Tell krb5 gss which credentials cache to use */ for (dirname = ccachesearch; *dirname != NULL; dirname++) { - if (gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname) == 0) + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); + if (err == -EKEYEXPIRED) + downcall_err = -EKEYEXPIRED; + else if (!err) create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, AUTHTYPE_KRB5); if (create_resp == 0) @@ -1034,7 +1038,7 @@ out: return; out_return_error: - do_error_downcall(fd, uid, -1); + do_error_downcall(fd, uid, downcall_err); goto out; } |