| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Implement a new option -l to force gssd to ignore its kernel's crypto
capabilities and use just the Single DES legacy encryption types to be
compatible with old servers. This is only relevant if those servers have
strong keys in their keytab.
Signed-off-by: Steve Dickson <steved@redhat.com>
Tested-by: Michael Weiser <weiser@science-computing.de>
|
|
|
|
|
|
|
|
|
| |
The user credential cache currently is kept in /tmp.
In upcoming Kerberos release that will be moved to
/run/user/<username>/. This patch enables gssd to
look in both the old and new caches
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
gssd.c: In function 'sig_hup':
gssd.c:78: warning: unused parameter 'signal'
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the processing so that all subdirectories within the rpc_pipefs
directory are treated equally. Any "clnt" directories that show up
within any of them are processed. (As suggested by Bruce Fields.)
Note that the callback authentication will create a new "nfs4d_cb"
subdirectory. Only new kernels (2.6.29) will create this new directory.
(The need for this directory will go away with NFSv4.1 where the
callback can be done on the same connection as the fore-channel.)
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
libnfsidmapd libraries when verbosity level is set
by the '-v' flag it on either daemon.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
Clean up.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
environment this may not be the desired behaviour. Therefore a new
option, -R preferred realm, is presented so that the rpc.gssd prefers tickets
from this realm. By default, the default realm is preferred.
Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
of the Kerberos ticket used in its creation. (For contexts
created using the Kerberos mechanism.) Thus kdestroy has
no effect in nullifying the kernel context.
This patch adds -t <timeout> option to rpc.gssd so that the client's
administrator may specify a timeout for expiration of contexts in kernel.
After this timeout, rpc.gssd is consulted to create a new context.
By default, timeout is 0 (i.e., no timeout at all) which follows the
previous behavior.
Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
possible to search several directories for valid credentials when
making NFS requests.
Original patch from Vince Busam <vbusam@google.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
Fix the usage message for gssd to reflect new -M option added in 1.1.0
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the new functions added in the previous patch.
Obtain machine credentials in a pre-determined order
Look for appropriate machine credentials in the following order:
root/<fqdn>@REALM
nfs/<fqdn>@REALM
host/<fqdn>@REALM
root/<any-name>@REALM
nfs/<any-name>@REALM
host/<any-name>@REALM
The first matching credential will be used.
Also, the machine credentials to be used are now determined
"on-demand" rather than at gssd startup. This allows keytab
additions to be noticed and used without requiring a restart of gssd.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
| |
Future work needs access to the base pipefs directory rather than
the nfs subdirectory. Create two separate paths called
pipefs_dir and pipefs_nfsdir with the name of each.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new option ("-n") to rpc.gssd to indicate that accesses as root
(uid 0) should not use machine credentials, but should instead use
"normal" Kerberos credentials obtained by root.
This change was prompted by a suggestion and patch from Daniel
Muntz <Dan.Muntz@netapp.com>. That patch suggested trying "normal"
credentials first and falling back to using machine creds for
uid 0 if normal creds failed.
This opens up the case where root may have credentials as "foo@REALM"
and begins accessing files. Then the context using those credentials
expires and must be renewed. If the credentials are now expired, then
root's new context would fall back and be created with the machine
credentials.
Instead, this patch insists that the administrator choose to use either
machine credentials for accesses by uid 0 (the default behavior, as
it was before) or "normal" credentials. In the latter case, arrangements
must be made to obtain credentials before attempting a mount. There
should be no doubts which credentials are used for uid 0.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
| |
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/76409
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Add option to store gssd ccaches in a MEMORY: cache rather
than the default FILE: cache. In response to suggestion
from Steve Dickson <steved@redhat.com> and
Nalin Dahyabhai <nalin@redhat.com>.
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Do a call to determine mechanisms supported by the gssapi library early.
This allows us to discover early in case the gssapi library is somehow
misconfigured. We can bail out early and give a meaningful message
rather than getting errors on each attempt at a context negotiation.
|
|
|
|
|
|
|
|
|
| |
From: Vince Busam <vbusam@google.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Add command line option to specify which directory should be searched
to find credentials caches.
(really this time)
|
|
|
|
|
|
|
| |
Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
libraries. Note that there are still run-time issues preventing
this from working when shared libraries for libgssapi and librpcsecgss
are used.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
*utils/mountd/mountd.c:
mountd currently always returns AUTH_NULL and AUTH_SYS as the
allowable flavors in mount replies. We want it to also return gss
flavors when appropriate. For now as a hack we just have it always
return the KRB5 flavors as well.
*utils/mountd/cache.c:
When attempting to mount an NFSv4 pseudofilesystem (fsid=0) and the
actual exported directory does not exist on the server, rpc.mountd
doesn't check the directory exists (when fsidtype=1, i.e. using fsid,
but does check for fsidtype=0, i.e. using dev/ino). The non-existent
exported directory path with fsid=0 is written to the kernel via
/proc/net/rpc/nfsd.export/channel, which leads to path_lookup() to
return ENOENT (seems appropriate). Unfortunately, the new_cache
approach ignores errors returned when writing via the channel file so
that particular error is lost and the mount request is silently ignored.
Assuming it doesn't make sense to revamp the new_cache/up-call method to
not ignore returned errors, it seems appropriate to fix the case where
rpc.mountd doesn't check for the existence of an exported directory with
fsid= semantics. The following patch does this by moving the stat() up
so it is done for both fsidtype's. I'm not certain whether the other
tests need to be executed for fsidtype=1, but it doesn't appear to hurt
[Not exactly true: the comparison of inode numbers caused problems so
now it's kept for fsidtype=0 only].
Would it be also desirable to log a warning for every error, if any,
returned by a write to any of the /proc/net/rpc/*/channel files which
would otherwise be ignored (maybe under a debug flag)?
* gssd/mountd/svcgssd: Changes gssd, svcgssd, and mountd to ignore a
SIGHUP rather than dying.
* many: Remove the gssapi code and rely on an external library instead.
|
|
|