author | neilbrown <neilbrown> | 2005-08-26 01:27:17 +0000 |
committer | neilbrown <neilbrown> | 2005-08-26 01:27:17 +0000 |
commit | a980156c122e975cc185a6c41ef705f166a5765f (patch) | |
tree | 8b30d51307c9abc8fa3b307f66423054d0f0d289 /utils/gssd/krb5_util.c | |
parent | c5ea2fbc9ab9d142aa867da594a66f4097df03d1 (diff) | |
2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
* utils/exportfs/exports.man: Document the "crossmnt" export option
* utils/gssd/krb5_util.c:
Add better debugging and partially revert the function
check for gss_krb5_ccache_name.
For MIT Kerberos releases up to and including 1.3.1, we *must*
use the routine gss_krb5_ccache_name to get the K5 gssapi code
to use a different credentials cache.
For releases 1.3.2 and on, we want to use the KRB5CCNAME
environment variable to tell it what to use.
(A problem was reported where 1.3.5 was being used, our
code was using gss_krb5_ccache_name, but the underlying
code continued to use the first (or default?) credentials
cache. Switching to using the env variable fixed the problem.
I cannot recreate this problem.
*utils/gssd/krb5_util.c:
Andrew Mahone <andrew.mahone@gmail.com> reported that reiser4
always has DT_UNKNOWN. He supplied patch to move the check
for regular files after the stat() call to correctly find
ccache files in reiser4 filesystem.
Also change the name comparison so that the wrong file is
not selected when the substring comparison is done.
*utils/gssd/krb5_util.c:
Limit the set of encryption types that can be negotiated by
the Kerberos library to those that the kernel code currently
supports.
This should eventually query the kernel for the list of
supported enctypes.
*utils/gssd/gss_util.c, utils/svcgssd/svcgssd_main_loop.c:
Print more information in error messages to help debugging failures.
*utils/svcgssd/svcgssd_proc.c: Increase token buffer size and
update error handling so that a response is always sent.
*utils/svcgssd/svcgssd_proc.c: Add support to retrieve
supplementary groups.
Diffstat (limited to 'utils/gssd/krb5_util.c')
-rw-r--r-- | utils/gssd/krb5_util.c | 88 |
1 files changed, 49 insertions, 39 deletions
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 2dcc2ee..d29b839 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -146,10 +146,11 @@ static int gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt,
 static int
 select_krb5_ccache(const struct dirent *d)
 {
- /* Don't consider anything but regular files. (No symlinks, etc.) */
- if (d->d_type != DT_REG)
- return 0;
-
+ /*
+ * Note: We used to check d->d_type for DT_REG here,
+ * but apparenlty reiser4 always has DT_UNKNOWN.
+ * Check for IS_REG after stat() call instead.
+ */
  if (strstr(d->d_name, GSSD_DEFAULT_CRED_PREFIX))
  return 1;
  else
@@ -184,12 +185,15 @@ gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
  }
  else if (n > 0) {
  char substring[128];
+ char fullstring[128];
  char statname[1024];
- snprintf(substring, sizeof(substring), "_%d", uid);
+ snprintf(substring, sizeof(substring), "_%d_", uid);
+ snprintf(fullstring, sizeof(fullstring), "_%d", uid);
  for (i = 0; i < n; i++) {
  printerr(3, "CC file '%s' being considered\n",
  namelist[i]->d_name);
- if (strstr(namelist[i]->d_name, substring)) {
+ if (strstr(namelist[i]->d_name, substring) ||
+ !strcmp(namelist[i]->d_name, fullstring)) {
  snprintf(statname, sizeof(statname),
  "%s/%s", GSSD_DEFAULT_CRED_DIR,
  namelist[i]->d_name);
@@ -199,6 +203,12 @@ gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
  statname);
  continue;
  }
+ if (!S_ISREG(tmp_stat.st_mode)) {
+ printerr(3, "File '%s' is not "
+ "a regular file\n",
+ statname);
+ continue;
+ }
  printerr(3, "CC file '%s' matches "
  "name check and has "
  "mtime of %u\n",
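Review bot: The new comment in select_krb5_ccache misspells "apparently" (`apparenlty`) and names the check `IS_REG` while the code added later in this commit uses `S_ISREG()`; suggest `* but apparently reiser4 always has DT_UNKNOWN.` and `* Check with S_ISREG() after the stat() call instead.`. Since this filter now admits every directory entry whose name merely contains GSSD_DEFAULT_CRED_PREFIX, the comment should also say that the regular-file test in gssd_find_existing_krb5_ccache is now the only thing excluding directories and special files, so nobody removes it as redundant.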
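Review bot: The exact-name check `!strcmp(namelist[i]->d_name, fullstring)` compares the whole entry name with `_<uid>`, but select_krb5_ccache only passes names that contain GSSD_DEFAULT_CRED_PREFIX, so unless that prefix can be empty the comparison can never succeed and an unsuffixed cache such as `<prefix>_<uid>` is only found if its name also happens to contain `_<uid>_`. If the default name is formed as prefix, underscore, uid (as the argument order `GSSD_DEFAULT_CRED_PREFIX, uid` in a later hunk suggests), build the full name with the prefix: `snprintf(fullstring, sizeof(fullstring), "%s_%d", GSSD_DEFAULT_CRED_PREFIX, uid);`. Both snprintf calls also format a uid_t with `%d`; `%u`, as the surrounding printerr calls use for uid, avoids a negative rendering for large uids. The enclosing function starts and ends outside this hunk.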
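Review bot: The added S_ISREG() test stands in for the removed DT_REG test, but the old test also rejected symlinks, whereas S_ISREG on a stat() result describes the link target; if tmp_stat is filled by stat() (the hunk-1 comment and the commit message both say so; the call itself is outside this hunk), a symlink in GSSD_DEFAULT_CRED_DIR pointing at any regular file now passes where it previously did not. Filling tmp_stat with `lstat(statname, &tmp_stat)` instead, so that a link fails the S_ISREG() check, restores the previous exclusion; if the stat() result is needed elsewhere, an extra `lstat()` plus `S_ISLNK()` rejection before this check does the same.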
@@ -270,11 +280,7 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
 {
  u_int maj_stat, min_stat;
  gss_cred_id_t credh;
-/* krb5_enctype enctypes[] = {ENCTYPE_DES3_CBC_SHA1};
- ENCTYPE_ARCFOUR_HMAC, */
- krb5_enctype enctypes[] = {ENCTYPE_DES3_CBC_SHA1,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC};
+ krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC };
  int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
 
  maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
@@ -528,6 +534,36 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
  return retval;
 }
 
+/*
+ * Depending on the version of Kerberos, we either need to use
+ * a private function, or simply set the environment variable.
+ */
+static void
+gssd_set_krb5_ccache_name(char *ccname)
+{
+#ifdef USE_GSS_KRB5_CCACHE_NAME
+ u_int maj_stat, min_stat;
+
+ printerr(2, "using gss_krb5_ccache_name to select krb5 ccache %s\n",
+ ccname);
+ maj_stat = gss_krb5_ccache_name(&min_stat, ccname, NULL);
+ if (maj_stat != GSS_S_COMPLETE) {
+ printerr(0, "WARNING: gss_krb5_ccache_name with "
+ "name '%s' failed (%s)\n",
+ ccname, error_message(min_stat));
+ }
+#else
+ /*
+ * Set the KRB5CCNAME environment variable to tell the krb5 code
+ * which credentials cache to use. (Instead of using the private
+ * function above for which there is no generic gssapi
+ * equivalent.)
+ */
+ printerr(2, "using environment variable to select krb5 ccache %s\n",
+ ccname);
+ setenv("KRB5CCNAME", ccname, 1);
+#endif
+}
 
 /*==========================*/
 /*=== External routines ===*/
@@ -545,9 +581,6 @@ void
 gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
 {
  char buf[MAX_NETOBJ_SZ];
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
- u_int min_stat;
-#endif
  struct dirent *d;
 
  printerr(2, "getting credentials for client with uid %u for "
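Review bot: The enctype array in limit_krb5_enctypes now holds only ENCTYPE_DES_CBC_CRC with no comment saying why, and the removed commented-out alternatives were the only hint, so a later reader will reasonably "fix" it back to the DES3 list; the reason given in the commit message belongs in the code. Suggest, above the array, `/* Restricted to what the kernel code currently supports (single DES only); this should eventually be queried from the kernel rather than hard-coded. */`. Since single DES is a weak cipher, noting the restriction as temporary in the source makes it easier to widen the list when the kernel side catches up. limit_krb5_enctypes continues past this hunk.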
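Review bot: In gssd_set_krb5_ccache_name the gss_krb5_ccache_name branch reports failure, but the setenv() branch discards its return value, so an allocation failure in setenv silently leaves the process using whatever cache KRB5CCNAME already named; mirror the other branch with `if (setenv("KRB5CCNAME", ccname, 1) != 0)` followed by `printerr(0, "WARNING: setenv(KRB5CCNAME) to '%s' failed (%s)\n", ccname, strerror(errno));`. The function only reads ccname, so `const char *ccname` would be the more accurate parameter type. The new guard is USE_GSS_KRB5_CCACHE_NAME while the code this replaces tested HAVE_GSS_KRB5_CCACHE_NAME; if the build does not define the new name every build silently takes the setenv path, which the commit message suggests is intended for newer MIT releases but is worth confirming against configure.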
@@ -564,17 +597,7 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
  GSSD_DEFAULT_CRED_PREFIX, uid);
  printerr(2, "using %s as credentials cache for client with "
  "uid %u for server %s\n", buf, uid, servername);
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
- gss_krb5_ccache_name(&min_stat, buf, NULL);
-#else
- /*
- * Set the KRB5CCNAME environment variable to tell the krb5 code
- * which credentials cache to use. (Instead of using the private
- * function above for which there is no generic gssapi
- * equivalent.)
- */
- setenv("KRB5CCNAME", buf, 1);
-#endif
+ gssd_set_krb5_ccache_name(buf);
 }
 
 /*
@@ -586,22 +609,9 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
 void
 gssd_setup_krb5_machine_gss_ccache(char *ccname)
 {
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
- u_int min_stat;
-#endif
  printerr(2, "using %s as credentials cache for machine creds\n",
  ccname);
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
- gss_krb5_ccache_name(&min_stat, ccname, NULL);
-#else
- /*
- * Set the KRB5CCNAME environment variable to tell the krb5 code
- * which credentials cache to use. (Instead of using the private
- * function above for which there is no generic gssapi
- * equivalent.)
- */
- setenv("KRB5CCNAME", ccname, 1);
-#endif
+ gssd_set_krb5_ccache_name(ccname);
 }
 
 /*