Commit message | Author | Age | Files | Lines
* Remove the now unused functions | Kevin Coffman | 2007-03-31 | 2 | -235/+0
  Remove functions that are no longer used when obtaining machine credentials.
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Clean up gssd_get_single_krb5_cred and its debugging messages | Kevin Coffman | 2007-03-31 | 1 | -8/+12
  Clean up gssd_get_single_krb5_cred and its debugging messages
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Use newly added keytab functions | Kevin Coffman | 2007-03-31 | 5 | -20/+31
  Use the new functions added in the previous patch.
  Obtain machine credentials in a pre-determined order
  Look for appropriate machine credentials in the following order:
    root/<fqdn>@REALM
    nfs/<fqdn>@REALM
    host/<fqdn>@REALM
    root/<any-name>@REALM
    nfs/<any-name>@REALM
    host/<any-name>@REALM
  The first matching credential will be used.
  Also, the machine credentials to be used are now determined "on-demand"
  rather than at gssd startup. This allows keytab additions to be noticed
  and used without requiring a restart of gssd.
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Add new keytab handling functions for dealing with machine credentials | Kevin Coffman | 2007-03-31 | 2 | -0/+468
  Add new functions that will be used in the next patch.
  The new behavior is to search for particular keytab entries in a specified order:
    root/<fqdn>@<REALM>
    nfs/<fqdn>@<REALM>
    host/<fqdn>@<REALM>
    root/<any-name>@<REALM>
    nfs/<any-name>@<REALM>
    host/<any-name>@<REALM>
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Hide differences between MIT and Heimdal in macros | Kevin Coffman | 2007-03-31 | 2 | -25/+20
  Clean up a lot of #ifdef'd code using macros, masking the differences
  between MIT and Heimdal implementations. The currently unused macros
  will be used in later patches.
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Fix memory leak on error path of limit_krb5_enctypes() | Kevin Coffman | 2007-03-31 | 1 | -0/+1
  Return credential on error path of limit_krb5_enctypes()
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Add missing newlines | Kevin Coffman | 2007-03-31 | 1 | -6/+6
  Add missing newlines to error messages.
  Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Update version to 1.1.0-rc1 | Neil Brown | 2007-03-29 | 1 | -1/+1
* New 'NEWS' file with release-notes for 1.1.0 | Neil Brown | 2007-03-29 | 1 | -1/+43
* Add start-statd script. | Neil Brown | 2007-03-29 | 2 | -0/+10
  This script is used by mount.nfs to run statd if needed.
  It can be locally modified to change arguments if required.
* Rename configure.in to configure.ac | Neil Brown | 2007-03-29 | 1 | -0/+0
  It is a more standard name...
* Change default to use system rpcgen. | Neil Brown | 2007-03-29 | 1 | -5/+8
  If system-installed rpcgen if such exists.
  If none is found, build our own.
  Override with
    ./configure --with-rpcgen=internal
  for internal rpcgen or
    ./configure --with-rpcgen=/local/rpcgen
  for a non-standard location.
* sm-notify: Try all addresses of a multihomed host. | Neil Brown | 2007-03-29 | 1 | -17/+28
  When sending an SM_NOTIFY to multi-homed host, try all the addresses
  in rotation. After 4 failures on one address, try the next.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - use dnsname to ensure correct matching of NOTIFY requests. | Neil Brown | 2007-03-29 | 3 | -17/+36
  When lockd asks to monitor a host, we find the FQDN from the DNS
  and remember that, both internally and in the /var/lib/nfs/sm/* file.
  When we receive an SM_NOTIFY request, we compare both the mon_name
  and the source IP address against that DNS name to find a match.
  If a DNS name is not available, we fall back to the name provided by
  lockd, which at least is known to map to an IP address via gethostbyname.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - check for 'priv' when looking for duplicate registrations. | Neil Brown | 2007-03-29 | 1 | -1/+2
  From the point of view of the client (lockd), the 'priv' blob is
  probably the most important key, so make sure to not throw away
  requests with new 'priv' information.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - remove a pointless if | Neil Brown | 2007-03-29 | 1 | -19/+17
  The if contains a while with essentially the same condition.
  Signed-off-by: Neil Brown <neilb@suse.de>
* mount.nfs - nordirplus option | Steve Dickson | 2007-03-29 | 3 | -0/+11
  From: Steve Dickson <steved@redhat.com>
  Adds the -o nordirplus mount option that will disable NFS clients
  from using the READDIRPLUS RPC.
  Signed-off-by: Steve Dickson <steved@redhat.com>
  Signed-off-by: Neil Brown <neilb@suse.de>
* mount.nfs.man - Use nolocks for /, /usr, /var | Neil Brown | 2007-03-29 | 1 | -5/+12
  Make it clear in manpage for mount.nfs that using nolock is
  appropriate for /, /usr and /var.
  Signed-off-by: Neil Brown <neilb@suse.de>
* mount.nfs - require statd to be running to mount without nolocks | Neil Brown | 2007-03-29 | 2 | -9/+48
  If we are mounting nfsv2 or nfsv3 and statd isn't running and we
  cannot start statd, then fail the mount request.
  Also use an RPC ping to check on statd.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - only unregister/register once. | Neil Brown | 2007-03-29 | 1 | -16/+13
  The for loop that restarts on SIGUSR or simu_reboot currently
  includes several once-only things, that are probably best taken
  out of the loop.
  We also take the unregister/register out of the loop as if statd
  does drop privileges, then the second register won't use a
  privileged port properly.
  On the whole, cleaner code.
  Signed-off-by: Neil Brown <neilb@suse.de>
* mountd - better response to failed attempts to export filesystems | Neil Brown | 2007-03-29 | 1 | -3/+6
  If the kernel rejects an attempt to export a filesystem - e.g. because
  it is not exportable, we shouldn't just ignore the error, but rather
  should tell the kernel that the relevant filehandle or path cannot be
  supported.
  We should really print out some error messages too.
  Signed-off-by: Neil Brown <neilb@suse.de>
* sm-notify - fix bugs related to run-only-once. | Neil Brown | 2007-03-29 | 1 | -2/+2
  Make sure that sm-notify really runs only once per reboot.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - keep persistent state in sm/* files. | Neil Brown | 2007-03-29 | 3 | -1/+83
  If statd dies and is restarted, it forgets what peers the kernel is
  interested in monitoring, and so will not forward NOTIFY requests properly.
  With this patch the required information is recorded in the files in
  /var/lib/nfs/sm/* so that a kill/restart does what you might hope.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - fix bug so statd can talk to kernel again. | Neil Brown | 2007-03-23 | 1 | -0/+2
  We need to call statd_get_socket before dropping privileges so that
  we have a privileged port. We used to do that when initialising
  notification as the same socket was used for reboot notification as
  for callbacks to the kernel. Now it is a different socket.
* sm-notify - Fix typos in Usage message. | Neil Brown | 2007-03-22 | 1 | -1/+1
* mount.nfs: Fix issue with -o user,exec | Neil Brown | 2007-03-22 | 1 | -4/+2
  It would seem to make sense for mount.nfs to impose the
    "-o user" => "-o noexec,nodev,nosuid"
  rule. However if you give "user,exec" to /sbin/mount, it will pass down
    nodev,nosuid,user
  with the 'exec' flag :-(
  So we have to leave that handling of that particular rule to /sbin/mount.
* Fix errors in statd calling sm-notify. | Neil Brown | 2007-03-22 | 1 | -4/+5
  The option for set-source-address is '-v', not '-N'.
  And only warn about -N if -N was actually used.
* Never set SO_REUSEADDR on a UDP socket. | Neil Brown | 2007-03-22 | 2 | -3/+6
  The effect is quite different from TCP sockets.
  For TCP, it allows you to listen for new connections even if there
  are outstanding old connections with the same local address.
  For UDP, it allows other people to steal your packets by binding
  to the same address.
* Fix a couple of problems that crept into mount | Kevin Coffman | 2007-03-21 | 1 | -2/+2
  Commit 6facb22402a0bd8cd49be2ed1a0856b24fef42f4 changed the allocation
  of len to no longer get 20 extra bytes. It needs to get at least one
  extra byte for a null character, otherwise a single extra option such
  as "sec=krb5" is never copied in parse_opt() and is dropped.
  Commit 44a3727a3243e674a1f1fdad5cbbc639aa25d01c added a typo when
  checking the program name.
  Signed-off-by: Neil Brown <neilb@suse.de>
* statd - remove try_to_resolve | Neil Brown | 2007-03-20 | 1 | -60/+2
  try_to_resolve is used to resolve a hostname when sending a notification.
  But we now only send notifications to localhost, so name resolution
  is not needed.
* umount should succeed even if we cannot contact the server. | Neil Brown | 2007-03-20 | 1 | -4/+3
  Failure to tell mountd about the unmount should not be classed as
  an error and DEFINITELY should not stop the filesystem from being
  unmounted.
* Add support for quoted mount options | Karel Zak | 2007-03-20 | 2 | -15/+53
  The patch avoids the collision between commas in security contexts
  and the delimiter between mount options.
  Try:
    mount.nfs foo://mnt/bar /mnt/bar -o context=\"aaa,bbb,ccc\",ro
  Signed-off-by: Cory Olmo <colmo@TrustedCS.com>
  Signed-off-by: Karel Zak <kzak@redhat.com>
  Signed-off-by: Neil Brown <neilb@suse.de>
* Build mount.nfs by default, and install setuid | Neil Brown | 2007-03-20 | 4 | -6/+19
  Also fix a few bugs that came up in initial testing.
* mount.nfs - make sure program name in error message is correct. | Neil Brown | 2007-03-20 | 2 | -1/+3
  getopt_long uses argv[0] in error messages.
  So if it is given argv+2 for example, we need to make sure
  that argv[2] has the correct program name.
* umount.nfs - more strict checks on command line args. | Neil Brown | 2007-03-20 | 1 | -0/+11
  Reject if there are non-flag args,
  Reject if the filesystem is not an NFS filesystem.
* mount.nfs - Tidy up option parsing. | Neil Brown | 2007-03-20 | 1 | -14/+38
  Make sure all possible invalid arguments are discovered and reported.
  Make sure nothing gets by for uid!=0 that doesn't perfectly match fstab.
* sm-notify - use state directory provided via ./configure | Neil Brown | 2007-03-20 | 1 | -1/+5
* Allow disabling of libblkid usage. | Neil Brown | 2007-03-20 | 2 | -2/+19
  Some versions of libblkid have a terrible memory leak which
  makes mountd grow toooo big.
  So support --disable-uuid to remove the uuid functionality
  and libblkid with it.
* Add --with-rpcgen= for configure so that the system rpcgen can be used. | Neil Brown | 2007-03-20 | 5 | -7/+32
  Ultimately it makes sense to remove rpcgen from the nfs-utils
  release as it is already in the glibc release.
  With this patch you can use the system rpcgen to make sure it works.
  It is not default yet, but it might be in a future release.
* Handle -o remount better | Neil Brown | 2007-03-20 | 2 | -2/+16
  On -o remount, we need to update the entry in mtab rather than
  add a new one. update_mtab does this so use that.
  However it might free some strings that shouldn't be freed,
  so stop it from calling free - the program will exit soon anyway
  so no exit is needed.
* statd - delay drop-privs until sockets have been setup. | Neil Brown | 2007-03-20 | 1 | -1/+5
  Registering sockets with portmap might require root privs,
  so don't drop privs until that has been done.
* Allow rpc.statd to *not* run sm-notify. | Neil Brown | 2007-03-20 | 3 | -22/+47
  With -L (for Listen-only) or --no-notify,
  statd will not run sm-notify.
* Remove notify functionality from statd in favour of sm-notify | Neil Brown | 2007-03-20 | 9 | -392/+84
  statd now execs sm-notify to notify peers and only listens
  to monitor requests and remote notifications itself.
* sm-notify - compile and install | Neil Brown | 2007-03-20 | 3 | -4/+8
  Add sm-notify to the compile/install scripts,
  (and fix a compile warning).
* sm-notify - drop privileges before receiving packets from network. | Neil Brown | 2007-03-20 | 2 | -0/+47
  If /var/lib/nfs/sm is owned by non-root, setuid to that uid
  after opening sockets but before receiving answers.
* Prevent sm-notify from being run multiple times per reboot. | Neil Brown | 2007-03-20 | 2 | -4/+62
  As "mount.nfs" can start statd, and as statd can start sm-notify,
  the risk of sm-notify being run multiple times increases.
  As this is not normally appropriate, sm-notify now creates a file
  in /var/run which will stop future instances from being run
  (though of course this behaviour can be controlled by a new command
  line option).
* sm-notify - make the manpage a little more up-to-date | Neil Brown | 2007-03-20 | 1 | -18/+29
* sm-notify: remove addr_parse | Neil Brown | 2007-03-20 | 1 | -22/+2
  This functionality is already present in getaddrinfo
  so it isn't needed explicitly.
* sm-notify: Allow base path to be set by command line option. | Neil Brown | 2007-03-20 | 1 | -4/+26
  for compat with statd.
* Add sm-notify from SuSE | Neil Brown | 2007-03-20 | 2 | -0/+792
  Not included in build yet.