diff options
| author | Kevin Coffman <kwc@citi.umich.edu> | 2007-03-30 18:32:14 -0400 |
|---|---|---|
| committer | Neil Brown <neilb@suse.de> | 2007-03-31 09:08:02 +1000 |
| commit | ffe1a9badb6f247b3314ef570573739d3f91f429 (patch) | |
| tree | 9d4730d2c17d91f40820892d6d9cd0d68a3bee05 /utils/gssd | |
| parent | 6904f7b7f4f91d52c4bd783e5588e870d32ff021 (diff) | |
| download | nfs-utils-ffe1a9badb6f247b3314ef570573739d3f91f429.tar.gz nfs-utils-ffe1a9badb6f247b3314ef570573739d3f91f429.tar.xz nfs-utils-ffe1a9badb6f247b3314ef570573739d3f91f429.zip | |
Use newly added keytab functions
Use the new functions added in the previous patch.
Obtain machine credentials in a pre-determined order
Look for appropriate machine credentials in the following order:
root/<fqdn>@REALM
nfs/<fqdn>@REALM
host/<fqdn>@REALM
root/<any-name>@REALM
nfs/<any-name>@REALM
host/<any-name>@REALM
The first matching credential will be used.
Also, the machine credentials to be used are now determined
"on-demand" rather than at gssd startup. This allows keytab
additions to be noticed and used without requiring a restart of gssd.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
Diffstat (limited to 'utils/gssd')
| -rw-r--r-- | utils/gssd/gssd.c | 4 | ||||
| -rw-r--r-- | utils/gssd/gssd.man | 21 | ||||
| -rw-r--r-- | utils/gssd/gssd_proc.c | 8 | ||||
| -rw-r--r-- | utils/gssd/krb5_util.c | 15 | ||||
| -rw-r--r-- | utils/gssd/krb5_util.h | 3 |
5 files changed, 31 insertions, 20 deletions
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c index 747637c..b6c4ee4 100644 --- a/utils/gssd/gssd.c +++ b/utils/gssd/gssd.c @@ -165,10 +165,6 @@ main(int argc, char *argv[]) signal(SIGTERM, sig_die); signal(SIGHUP, sig_hup); - /* Process keytab file and get machine credentials */ - if (root_uses_machine_creds) - gssd_refresh_krb5_machine_creds(); - gssd_run(); printerr(0, "gssd_run returned!\n"); abort(); diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index f2ecd69..8da10b2 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -45,14 +45,25 @@ to use the keys found in .I keytab to obtain "machine credentials". The default value is "/etc/krb5.keytab". +.IP Previous versions of .B rpc.gssd used only "nfs/*" keys found within the keytab. -Now, the first keytab entry for each distinct Kerberos realm -within the keytab is used. This means that an NFS client -no longer needs an "nfs/hostname" principal and keytab entry, -but can instead use a "host/hostname" (or any other) keytab -entry that is available. +To be more consistent with other implementations, we now look for +specific keytab entries. The search order for keytabs to be used +for "machine credentials" is now: +.br + root/<hostname>@<REALM> +.br + nfs/<hostname>@<REALM> +.br + host/<hostname>@<REALM> +.br + root/<anyname>@<REALM> +.br + nfs/<anyname>@<REALM> +.br + host/<anyname>@<REALM> .TP .B -p path Tells diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index eff740c..48880b6 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -700,14 +700,16 @@ handle_krb5_upcall(struct clnt_info *clp) if (uid == 0 && root_uses_machine_creds == 1) { int success = 0; + gssd_refresh_krb5_machine_credential(clp->servername, + NULL); /* * Get a list of credential cache names and try each * of them until one works or we've tried them all */ if (gssd_get_krb5_machine_cred_list(&credlist)) { - printerr(0, "WARNING: Failed to obtain machine " - "credentials for connection to " - "server %s\n", clp->servername); + printerr(0, "ERROR: No credentials found " + "for connection to server %s\n", + clp->servername); goto out_return_error; } for (ccname = credlist; ccname && *ccname; ccname++) { diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 20396e0..dee2639 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -358,8 +358,8 @@ gssd_get_single_krb5_cred(krb5_context context, printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n"); krb5_get_init_creds_opt_set_tkt_life(&options, 5*60); #endif - if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ, - kt, 0, NULL, &options))) { + if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ, + kt, 0, NULL, &options))) { char *pname; if ((krb5_unparse_name(context, ple->princ, &pname))) { pname = NULL; @@ -1146,18 +1146,19 @@ gssd_get_krb5_machine_cred_list(char ***list) retval = -1; *list = (char **) NULL; - /* Refresh machine credentials */ - if ((retval = gssd_refresh_krb5_machine_creds())) { - goto out; - } - if ((l = (char **) malloc(listsize * sizeof(char *))) == NULL) { retval = ENOMEM; goto out; } + /* Need to serialize list if we ever become multi-threaded! */ + for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) { if (ple->ccname) { + /* Make sure cred is up-to-date before returning it */ + retval = gssd_refresh_krb5_machine_credential(NULL, ple); + if (retval) + continue; if (i + 1 > listsize) { listsize += listinc; l = (char **) diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 625d53c..ce7cb57 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -5,7 +5,8 @@ /* * List of principals from our keytab that we - * may try to get credentials for + * will try to use to obtain credentials + * (known as a principal list entry (ple)) */ struct gssd_k5_kt_princ { struct gssd_k5_kt_princ *next; |