Use newly added keytab functions

Use the new functions added in the previous patch.

Obtain machine credentials in a pre-determined order

Look for appropriate machine credentials in the following order:
     root/<fqdn>@REALM
     nfs/<fqdn>@REALM
     host/<fqdn>@REALM
     root/<any-name>@REALM
     nfs/<any-name>@REALM
     host/<any-name>@REALM

The first matching credential will be used.

Also, the machine credentials to be used are now determined
"on-demand" rather than at gssd startup.  This allows keytab
additions to be noticed and used without requiring a restart of gssd.

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>

1 files changed, 5 insertions, 3 deletions

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index eff740c..48880b6 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -700,14 +700,16 @@ handle_krb5_upcall(struct clnt_info *clp)
 		if (uid == 0 && root_uses_machine_creds == 1) {
 			int success = 0;
 
+			gssd_refresh_krb5_machine_credential(clp->servername,
+							     NULL);
 			/*
 			 * Get a list of credential cache names and try each
 			 * of them until one works or we've tried them all
 			 */
 			if (gssd_get_krb5_machine_cred_list(&credlist)) {
-				printerr(0, "WARNING: Failed to obtain machine "
-					 "credentials for connection to "
-					 "server %s\n", clp->servername);
+				printerr(0, "ERROR: No credentials found "
+					 "for connection to server %s\n",
+					 clp->servername);
 					goto out_return_error;
 			}
 			for (ccname = credlist; ccname && *ccname; ccname++) {