| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using rpc.gssd to secure NFSv3 FS using krb5, the following errors
can happen as a result of network congestion.
"rpc.gssd WARNING: can't create tcp rpc_clnt to server ... : RPC: Remote
system error - Connection timed out"
we had a successful reproducer of the problem which we tested using this
patch by starting rpc.gssd with "-T 60" as the option which solved the
problem. reproducer steps were to throttle the network using tc command
and then in a never ending loop mount the share, then write some data in
the file on the share and unmount it. keep a delay of 5 sec between the
iteration of each loop.
CC: Christian Horn <chorn@redhat.com>
Signed-off-by: Rinku Kothiya <rkothiya@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The final version for this fix that was committed inverted the test
so makes no change in the important cases.
The documentation didn't really help a naive user know when the new -D
flag should be used.
And the code (once fixed) avoided DNS resolution on non-qualified names too,
which probably isn't a good idea.
This patch fixes all three issues.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A NFS client should be able to work properly even if the DNS Reverse
record for the server is not set. This means a DNS lookup should not be
done on server names at are passed to GSSAPI. This patch changes the default
behavior to no longer do those types of lookups
This change default behavior could negatively impact some current
environments, so the -D option is also being added that will re-enable
the DNS reverse looks on server names, which are passed to GSSAPI.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move most of the text in the description of the "-l" option up to
the DESCRIPTION section, to match what was done for "-n" and "-k".
The discussion is then less restricted by formatting, and we can
take the space to introduce a few concepts before describing the
behavior of rpc.gssd.
Fix a few misspellings and grammar issues while here.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our NFSv4 implementation uses machine credentials for operations
that manage state on behalf of the whole client (for example,
SETCLIENTID or RENEW). The rpc.gssd man page is missing a
description of this usage, especially in the discussion of the "-n"
option.
The issue is that rpc.gssd's "-n" option requires root to acquire a
user credential. In the absense of a system keytab (for instance,
if the system is diskless) root's credential is not to be used as
the machine credential that manages NFSv4 state.
Group the discussion of machine credentials and UID 0 in one place
to help clarify the discussion and simplify the description of
several of these options.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's good practice in user documentation to define terms before they
are used. Add an INTRODUCTION section that defines important terms
that are used in the DESCRIPTION and OPTIONS sections. The key
concepts are GSS context, user credential, machine credential, and
keytab.
The RFCs I looked at capitalize both "gss" and "rpcsec_gss". For
consistency I changed this throughout the man page.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
| |
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Clean up: The usual convention for the values of command line
options and for pathnames is for them to appear italicized,
rather than emboldened or in double quotes.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Newer versions of systemd create a /run/user/${UID} directory
instead of the /run/user/${USER} directory, so switch to
scanning for that. To make the per-user directory bit a little
less magical, change the default to incorporate a "%U", which
gets dynamically expanded to the user's UID when needed.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Implement a new option -l to force gssd to ignore its kernel's crypto
capabilities and use just the Single DES legacy encryption types to be
compatible with old servers. This is only relevant if those servers have
strong keys in their keytab.
Signed-off-by: Steve Dickson <steved@redhat.com>
Tested-by: Michael Weiser <weiser@science-computing.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An Active Directory KDC will only grant a TGT for UPNs, getting
a TGT for SPNs is not possible:
$ kinit -k host/ib5@ADS.ORCORP.CA
kinit: Client not found in Kerberos database while getting initial
credentials
The correct thing to do for machine credentials is to get a TGT
for the computer UPN <HOSTNAME>$@REALM:
$ kinit -k IB5\$
$ klist
12/22/10 11:43:47 12/22/10 21:43:47 krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
Samba automatically creates /etc/krb5.keytab entry for the computer UPN,
this patch makes gssd_refresh_krb5_machine_credential prefer it above
the SPNs if it is present.
The net result is that nfs client works automatically out of the box
if samba has been used to setup kerberos via 'net ads join' 'net ads
keytab create'
Tested using Windows Server 2003 R2 as the AD server.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
environment this may not be the desired behaviour. Therefore a new
option, -R preferred realm, is presented so that the rpc.gssd prefers tickets
from this realm. By default, the default realm is preferred.
Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
of the Kerberos ticket used in its creation. (For contexts
created using the Kerberos mechanism.) Thus kdestroy has
no effect in nullifying the kernel context.
This patch adds -t <timeout> option to rpc.gssd so that the client's
administrator may specify a timeout for expiration of contexts in kernel.
After this timeout, rpc.gssd is consulted to create a new context.
By default, timeout is 0 (i.e., no timeout at all) which follows the
previous behavior.
Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
possible to search several directories for valid credentials when
making NFS requests.
Original patch from Vince Busam <vbusam@google.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Steinar H. Gunderson <sgunderson@bigfoot.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the new functions added in the previous patch.
Obtain machine credentials in a pre-determined order
Look for appropriate machine credentials in the following order:
root/<fqdn>@REALM
nfs/<fqdn>@REALM
host/<fqdn>@REALM
root/<any-name>@REALM
nfs/<any-name>@REALM
host/<any-name>@REALM
The first matching credential will be used.
Also, the machine credentials to be used are now determined
"on-demand" rather than at gssd startup. This allows keytab
additions to be noticed and used without requiring a restart of gssd.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
| |
|
|
|
|
|
|
|
|
| |
Don't restrict machine credentials to be "nfs/<machine.name>".
Use any usable credentials contained in the keytab file.
[We actually attempt to use the first entry found for each
realm, not every entry, in the keytab.]
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new option ("-n") to rpc.gssd to indicate that accesses as root
(uid 0) should not use machine credentials, but should instead use
"normal" Kerberos credentials obtained by root.
This change was prompted by a suggestion and patch from Daniel
Muntz <Dan.Muntz@netapp.com>. That patch suggested trying "normal"
credentials first and falling back to using machine creds for
uid 0 if normal creds failed.
This opens up the case where root may have credentials as "foo@REALM"
and begins accessing files. Then the context using those credentials
expires and must be renewed. If the credentials are now expired, then
root's new context would fall back and be created with the machine
credentials.
Instead, this patch insists that the administrator choose to use either
machine credentials for accesses by uid 0 (the default behavior, as
it was before) or "normal" credentials. In the latter case, arrangements
must be made to obtain credentials before attempting a mount. There
should be no doubts which credentials are used for uid 0.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
| |
|
|
|
|
|
|
|
| |
From: Vince Busam <vbusam@google.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Add command line option to specify which directory should be searched
to find credentials caches.
(really this time)
|
| |
|
|
|
|
|
| |
Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
libraries. Note that there are still run-time issues preventing
this from working when shared libraries for libgssapi and librpcsecgss
are used.
|
| |
|
