authorneilbrown <neilbrown>2005-08-26 02:04:40 +0000
committerneilbrown <neilbrown>2005-08-26 02:04:40 +0000
commit651b5d3cf5428cbf1d2cd3ae572453af249bef1e (patch)
tree8c6c088b0d010db7aa5b8a4e4e5a96287e933f93 /utils/gssd
parenta1b7c0da9e73a607f4bc70ffe3b44b00f5d39938 (diff)
Add option to set rpcsec_gss debugging level (if available)
Changes to allow gssd/svcgssd to build when using Heimdal Kerberos libraries. Note that there are still run-time issues preventing this from working when shared libraries for libgssapi and librpcsecgss are used.
Diffstat (limited to 'utils/gssd')
-rw-r--r--utils/gssd/context_heimdal.c25
-rw-r--r--utils/gssd/gss_oids.h1
-rw-r--r--utils/gssd/gssd.c17
-rw-r--r--utils/gssd/gssd.man6
-rw-r--r--utils/gssd/krb5_util.c48
5 files changed, 82 insertions, 15 deletions
diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c
index 27c44a3..edd4dfc 100644
--- a/utils/gssd/context_heimdal.c
+++ b/utils/gssd/context_heimdal.c
@@ -37,9 +37,11 @@
#include <syslog.h>
#include <string.h>
#include <errno.h>
-#include <gssapi.h>
#include <krb5.h>
+#include <gssapi.h> /* Must use the heimdal copy! */
+#ifdef HAVE_COM_ERR_H
#include <com_err.h>
+#endif
#include "err_util.h"
#include "gss_oids.h"
#include "write_bytes.h"
@@ -83,9 +85,14 @@ int write_heimdal_enc_key(char **p, char *end, gss_ctx_id_t ctx)
}
memset(&enc_key, 0, sizeof(enc_key));
- printerr(1, "WARN: write_heimdal_enc_key: "
- "overriding heimdal keytype\n");
- enc_key.keytype = 4 /* XXX XXX XXX XXX key->keytype */;
+ enc_key.keytype = key->keytype;
+ /* XXX current kernel code only handles des-cbc-raw (4) */
+ if (enc_key.keytype != 4) {
+ printerr(1, "WARN: write_heimdal_enc_key: "
+ "overriding heimdal keytype (%d => %d)\n",
+ enc_key.keytype, 4);
+ enc_key.keytype = 4;
+ }
enc_key.keyvalue.length = key->keyvalue.length;
if ((enc_key.keyvalue.data =
calloc(1, enc_key.keyvalue.length)) == NULL) {
@@ -135,9 +142,13 @@ int write_heimdal_seq_key(char **p, char *end, gss_ctx_id_t ctx)
goto out_err_free_context;
}
- printerr(1, "WARN: write_heimdal_seq_key: "
- "overriding heimdal keytype\n");
- key->keytype = 4; /* XXX XXX XXX XXX XXX */
+ /* XXX current kernel code only handles des-cbc-raw (4) */
+ if (key->keytype != 4) {
+ printerr(1, "WARN: write_heimdal_seq_key: "
+ "overriding heimdal keytype (%d => %d)\n",
+ key->keytype, 4);
+ key->keytype = 4;
+ }
if (write_heimdal_keyblock(p, end, key)) {
goto out_err_free_key;
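Review bot: The new `if (enc_key.keytype != 4)` block in the write_heimdal_enc_key hunk relabels whatever enctype the context negotiated as des-cbc-raw while the key bytes and `enc_key.keyvalue.length = key->keyvalue.length` on the following lines are copied unchanged, so a non-DES key is passed down with a type that no longer matches its length or derivation. Given the comment that the kernel only handles keytype 4, failing closed would be safer than relabelling: log at level 0 and take the function's existing error path instead of assigning `enc_key.keytype = 4`, and likewise for `key->keytype` in the write_heimdal_seq_key hunk below. As written the warning is emitted at verbosity 1, so with default verbosity the override is silent. Both enclosing functions start and end outside their hunks.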
diff --git a/utils/gssd/gss_oids.h b/utils/gssd/gss_oids.h
index 850c013..8b0a352 100644
--- a/utils/gssd/gss_oids.h
+++ b/utils/gssd/gss_oids.h
@@ -32,7 +32,6 @@
#define _GSS_OIDS_H_
#include <sys/types.h>
-#include <gssapi/gssapi.h>
extern gss_OID_desc krb5oid;
extern gss_OID_desc spkm3oid;
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index 7f28320..8031d48 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -36,6 +36,8 @@
*/
+#include "config.h"
+
#include <sys/param.h>
#include <sys/socket.h>
#include <rpc/rpc.h>
@@ -74,7 +76,7 @@ sig_hup(int signal)
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-f] [-v] [-p pipefsdir] [-k keytab]\n",
+ fprintf(stderr, "usage: %s [-f] [-v] [-r] [-p pipefsdir] [-k keytab]\n",
progname);
exit(1);
}
@@ -84,11 +86,12 @@ main(int argc, char *argv[])
{
int fg = 0;
int verbosity = 0;
+ int rpc_verbosity = 0;
int opt;
extern char *optarg;
char *progname;
- while ((opt = getopt(argc, argv, "fvmp:k:")) != -1) {
+ while ((opt = getopt(argc, argv, "fvrmp:k:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
@@ -99,6 +102,9 @@ main(int argc, char *argv[])
case 'v':
verbosity++;
break;
+ case 'r':
+ rpc_verbosity++;
+ break;
case 'p':
strncpy(pipefsdir, optarg, sizeof(pipefsdir));
if (pipefsdir[sizeof(pipefsdir)-1] != '\0')
@@ -125,6 +131,13 @@ main(int argc, char *argv[])
progname = argv[0];
initerr(progname, verbosity, fg);
+#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL
+ authgss_set_debug_level(rpc_verbosity);
+#else
+ if (rpc_verbosity > 0)
+ printerr(0, "Warning: rpcsec_gss library does not "
+ "support setting debug level\n");
+#endif
if (!fg && daemon(0, 0) < 0)
errx(1, "fork");
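Review bot: The rewritten usage string in the usage() hunk still omits `-m`, which the getopt string `"fvrmp:k:"` in the following hunk accepts, so the help text and the parser disagree after this edit; `fprintf(stderr, "usage: %s [-f] [-v] [-r] [-m] [-p pipefsdir] [-k keytab]\n",` would keep them aligned, and the SYNOPSIS line in gssd.man has the same gap. In the last hunk, a one-line comment above `#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL` noting that the macro comes from the newly included config.h, e.g. `/* HAVE_AUTHGSS_SET_DEBUG_LEVEL is probed by configure (config.h) */`, would make the dependency between the first and last hunks explicit. main() starts and ends outside its hunks.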
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index d8f9a0f..01404d1 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -6,7 +6,7 @@
.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v]"
+.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
@@ -50,6 +50,10 @@ where to look for the rpc_pipefs filesystem. The default value is
.TP
.B -v
Increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -r
+If the rpcsec_gss library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).
.SH SEE ALSO
.BR rpc.svcgssd(8)
.SH AUTHORS
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index d29b839..353a93e 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -131,7 +131,7 @@ static int select_krb5_ccache(const struct dirent *d);
static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
static int gssd_get_single_krb5_cred(krb5_context context,
krb5_keytab kt, struct gssd_k5_kt_princ *ple);
-static int gssd_have_realm_ple(krb5_data *realm);
+static int gssd_have_realm_ple(void *realm);
static int gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt,
char *kt_name);
@@ -355,7 +355,7 @@ gssd_get_single_krb5_cred(krb5_context context,
krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
#endif
if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
- kt, 0, 0, &options))) {
+ kt, 0, NULL, &options))) {
char *pname;
if ((krb5_unparse_name(context, ple->princ, &pname))) {
pname = NULL;
@@ -364,7 +364,11 @@ gssd_get_single_krb5_cred(krb5_context context,
"principal '%s' from keytab '%s'\n",
error_message(code),
pname ? pname : "<unparsable>", kt_name);
+#ifdef HAVE_KRB5
if (pname) krb5_free_unparsed_name(context, pname);
+#else
+ if (pname) free(pname);
+#endif
goto out;
}
@@ -416,13 +420,22 @@ gssd_get_single_krb5_cred(krb5_context context,
* 1 => found ple for given realm
*/
static int
-gssd_have_realm_ple(krb5_data *realm)
+gssd_have_realm_ple(void *r)
{
struct gssd_k5_kt_princ *ple;
+#ifdef HAVE_KRB5
+ krb5_data *realm = (krb5_data *)r;
+#else
+ char *realm = (char *)r;
+#endif
for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) {
+#ifdef HAVE_KRB5
if ((realm->length == strlen(ple->realm)) &&
(strncmp(realm->data, ple->realm, realm->length) == 0)) {
+#else
+ if (strcmp(realm, ple->realm) == 0) {
+#endif
return 1;
}
}
@@ -472,16 +485,27 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
}
printerr(2, "Processing keytab entry for principal '%s'\n",
pname);
+#ifdef HAVE_KRB5
if ( (kte.principal->data[0].length == GSSD_SERVICE_NAME_LEN) &&
(strncmp(kte.principal->data[0].data, GSSD_SERVICE_NAME,
GSSD_SERVICE_NAME_LEN) == 0) &&
- (!gssd_have_realm_ple(&kte.principal->realm)) ) {
+#else
+ if ( (strlen(kte.principal->name.name_string.val[0]) == GSSD_SERVICE_NAME_LEN) &&
+ (strncmp(kte.principal->name.name_string.val[0], GSSD_SERVICE_NAME,
+ GSSD_SERVICE_NAME_LEN) == 0) &&
+
+#endif
+ (!gssd_have_realm_ple((void *)&kte.principal->realm)) ) {
printerr(2, "We will use this entry (%s)\n", pname);
ple = malloc(sizeof(struct gssd_k5_kt_princ));
if (ple == NULL) {
printerr(0, "ERROR: could not allocate storage "
"for principal list entry\n");
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
retval = ENOMEM;
goto out;
}
@@ -490,13 +514,21 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
ple->ccname = NULL;
ple->endtime = 0;
if ((ple->realm =
+#ifdef HAVE_KRB5
strndup(kte.principal->realm.data,
kte.principal->realm.length))
+#else
+ strdup(kte.principal->realm))
+#endif
== NULL) {
printerr(0, "ERROR: %s while copying realm to "
"principal list entry\n",
"not enough memory");
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
retval = ENOMEM;
goto out;
}
@@ -505,7 +537,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
printerr(0, "ERROR: %s while copying principal "
"to principal list entry\n",
error_message(code));
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
retval = code;
goto out;
}
@@ -520,7 +556,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
printerr(2, "We will NOT use this entry (%s)\n",
pname);
}
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
}
if ((code = krb5_kt_end_seq_get(context, kt, &cursor))) {
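Review bot: In the non-HAVE_KRB5 branch of gssd_have_realm_ple the argument looks mis-typed: the shared call at the end of the first gssd_process_krb5_keytab hunk passes `(void *)&kte.principal->realm` for both builds, but the later hunk's `strdup(kte.principal->realm)` shows that field is already a string pointer in that build (Heimdal's `Realm` is a `char *`), so `char *realm = (char *)r;` followed by `strcmp(realm, ple->realm)` compares against the bytes of a pointer rather than the realm text. Either pass `kte.principal->realm` itself from the caller under `#else`, or dereference in the callee: `char *realm = *(char **)r;`. The switch of the prototype to `void *` is what stops the compiler from catching this; keeping a typed parameter per build (`krb5_data *` vs `char *`) under the same `#ifdef` would restore the check, and a comment at the first `#ifdef HAVE_KRB5` saying it selects MIT versus Heimdal would help, since the name reads as "any Kerberos 5". The enclosing functions start and end outside their hunks.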