| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SNAFU. This came to my attention minutes after 1.2.4 was
released...
Changes in commit d6c1b35c require that gss_acquire_cred()
is now called when the "-n" option is used. This requires an
updated libgssglue which properly handles name GSS_C_NO_NAME
as input to gss_import_name()/gss_acquire_cred().
Add a requirement for the newer version.
Without the newer libgssglue, when svcgssd is started with "-n"
you will see the error message, "ERROR: GSS-API: error in
gss_acquire_cred(): GSS_S_BAD_NAME (An invalid name was supplied)
- Unknown error"
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
| |
Only enable the compilation of nfsidmap when libnfsidmap support it.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the nfsidmap program to nfs-utils. This program is
called by the nfs idmapper through request-keys to map between
uid / user name and gid / group name.
Signed-off-by: Bryan Schumaker <bjschuma@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The new code using libcap is quite minor, so rather than always reqiure
libcap support, make it a normal --enable type flag. Current default
behavior is retained -- if libcap is found, it is enabled, else it is
disabled like every nfs-utils version in the past.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After glibc 2.3.3, getifaddrs(3) can return AF_INET6 addresses for
local network interfaces. Using the library call is easier than
trying to update the open code in from_local(), and means we have
less to maintain in nfs-utils going forward.
And, since from_local() can now support IPv6, change its synopsis to
take a "struct sockaddr *" .
Note that the original code discovers local addresses once. These
days, with wifi, DHCP, and NetworkManager, the local network
configuration can change dynamically over time. So, call getifaddrs()
more often to ensure from_local() has up-to-date network configuration
information.
This implementation refreshes the list if from_local() has not been
called in the last second. This is actually not terribly honerous.
check_default() invokes from_local() only when the remote host is not
in its access cache, or the access/deny files have changed.
So new hosts will cause a refresh, but previously seen hosts
(including localhost) should not.
On the other hand, it still may not be often enough. After the first
call, if only previously seen hosts attempt to access our daemons,
from_local() would never be called, and the local list would never be
updated. This might be possible during steady-state operation with
a small number of servers and clients.
It would also be nice if we could free the local interface address
list at shutdown time, but that would be a lot of trouble for little
gain.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I'm about to switch the order of listener creation and dropping root
privileges. rpc.statd will drop privileges first, then create its
listeners. The reason for the new ordering is explained in a
subsequent patch.
However, for non-TI-RPC builds, rpc_init() needs to use a privileged
port to do pmap registrations. For both TI-RPC and non-TI-RPC builds,
CAP_NET_BIND is required in case the admin requests a privileged
listener port on the statd command line.
So that these requirements are met, nsm_drop_privileges() will now
retain CAP_NET_BIND while dropping root.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
|
|
|
|
|
|
|
|
|
| |
specified, but TIRPC libs or headers aren't present then just throw a
warning and disable it. If it was explicitly specified, then throw an
error and exit if they aren't present.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The check that validates the version of librpcsecgss also needs to
have libgssglue installed. Without libgssglue, ./configure complains
that it can't find rpcsecgss, even though it's installed.
It also turns out that the error message generated by pkg-config is
more complete than the one we have in aclocal/rpcsec_vers.m4, so just
let those PKG_CHECK_MODULES m4 macros use the default error message.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
AC_CHECK_FUNC and AC_CHECK_FUNCS take 3 args. Any ones beyond that are
ignored. In several places, we're passing the "action-if-not-found" in
as the 4th arg so it's being ignored.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: Jeff Layton <jlayton@redhat.com>
Make the pkgconfig check for libgssglue conditional on tirpc being
enabled. When it's disabled, the pkgconfig check for librpcsecgss will
pull in the gssglue lib and include dir automatically.
Also, make sure we include GSSGLUE_CFLAGS and the GSSGLUE_LIBS to the
appropriate places in utils/gssd/Makefile.am so that we pick up
the gssglue libs when tirpc is enabled.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Data type incompatibilities between the legacy RPC headers and the
TI-RPC headers mean we can't use libtirpc with code that was compiled
against the legacy RPC headers. The definition of rpcprog_t for
example is "unsigned long" in the legacy library, but it's "uint32_t"
for TI-RPC. On 32-bit systems, these types happen to have the same
width, but on 64-bit systems they don't, making more complex data
structures that use these types in fields ABI incompatible.
Adopt a new strategy to deal with this issue. When --enable-tirpc is
set, append "-I/usr/include/tirpc" to the compilation steps. This
should cause the compiler to grab the tirpc/ headers instead of the
legacy headers. Now, for TI-RPC builds, the TI-RPC legacy functions
and the TI-RPC headers will be used. On legacy systems, the legacy
headers and legacy glibc RPC implementation will be used.
A new ./configure option is introduced to allow system integrators to
use TI-RPC headers in some other location than /usr/include/tirpc.
/usr/include/tirpc remains the default setting for this new option.
The gssd implementation presents a few challenges, but it turns out
the gssglue library is similar to the auth_gss pieces of TI-RPC. To
avoid similar header incompatibility issues, gssd now uses libtirpc
instead of libgssglue if --enable-tirpc is specified. There may be
other issues to tackle with gssd, but for now, we just make sure it
builds with --enable-tirpc.
Note also: svc_getcaller() is a macro in both cases that points to
a sockaddr field in the svc_req structure. The legacy version points
to a sockaddr_in type field, but the TI-RPC version points to a
sockaddr_in6 type field.
rpc.mountd unconditionally casts the result of svc_getcaller() to a
sockaddr_in *. This should be OK for TI-RPC as well, since rpc.mountd
still uses legacy RPC calls (provided by glibc, or emulated by TI-RPC)
to set up its listeners, and therefore rpc.mountd callers will always
be from AF_INET addresses for now.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
Clean up: for consistency with other local feature checks, move IPv6
feature checks into aclocal/
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
From: Jeff Layton <jlayton@redhat.com>
The conftest should work without these extra libs being included.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
Clean up: Introduce two more aclocal scripts for handling rpcsecgss
dependency checking.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Clean up: Create an aclocal script for the nfsidmap library and
headers checks used for both --enable-gss and --enable-nfsv4.
Move libevent checks out too.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of switching in TI-RPC-specific logic with a function-specific
switch like HAVE_CLNT_VG_CREATE, let's use the more generic
HAVE_LIBTIRPC macro everywhere.
This simplifies ./configure (always a good thing), and makes it more
clear in the source code exactly what the extra conditionally compiled
code is for.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define an aclocal test for TI-RPC headers and library, and move the
TI-RPC checks earlier in our configure script so other feature checks
can use the availability of TI-RPC to decide what to do.
Since bindresvport_sa is required just for IPv6 support, move that
check to the IPv6 feature tests.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Autoconf 2.63 (and maybe earlier releases) complains about the cache
variable name used in aclocal/libblkid.m4:
configure.ac:217: warning: AC_CACHE_VAL(libblkid_is_recent, ...):
suspicious cache-id, must contain _cv_ to be cached
../../lib/autoconf/general.m4:1974: AC_CACHE_VAL is expanded from...
aclocal/libblkid.m4:2: AC_BLKID_VERS is expanded from...
configure.ac:217: the top level
This addresses
https://bugzilla.redhat.com/attachment.cgi?bugid=481386 .
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
libblkid earlier than 1.40 has a memory leak bug that make it unsuitable
for use in mountd.
So detect the version and default to not using it if too old. Give appropriate
warnings in various cases.
|
|
|
|
|
|
|
|
| |
Make sure we get addressless tickets so we can function behind a NAT.
(Must use a different function to accomplish this with Heimdal.)
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
| |
Use a common function that factors out differences between MIT
and Heimdal in getting the right error message printed.
Add an autoconf check to see if the newer error message function
is available.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
|
|
|
|
|
|
| |
On distros that support 32 and 64bit userspace, we need to look
a bit more broadly for libraries
(taken from Redhat sources for RHEL5 - thanks).
|
|
|
|
|
|
| |
A stray '$'.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
this patch touches up the autotool code a bit in nfs-utils:
- run autogen.sh with -e so if something fails, it'll abort properly
- set ACLOCAL_AMFLAGS so that when running autoreconf or when
autotools re-runs itself, the m4 files are found properly
- make sure we include bsdsignals.m4 in the final tarball
- add some cross-compiling fallback logic to bsdsignals.m4 so that
when cross-compiling nfs-utils, the configure is a bit more nice
than simply:
checking for BSD signal semantics... configure: error: cannot run test program while cross compiling
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
| |
This used to be the default but we lost it at about 1.0.8
|
|
|
|
| |
Avoid usage of -rpath is generally safer, and is required by Debian policy.
|
|
|
|
|
| |
Update aclocal/tcp-wrappers.m4 to define HAVE_LIBWRAP and
HAVE_TCP_WRAPPERS as appropriate.
|
|
|
|
|
| |
SuSE 10.0 puts krb5-config in yet another obscure location.
Look for it there and use it if found.
|
|
|