| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Don't restrict machine credentials to be "nfs/<machine.name>".
Use any usable credentials contained in the keytab file.
[We actually attempt to use the first entry found for each
realm, not every entry, in the keytab.]
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
| |
|
|
|
|
|
| |
Free keytab entries while processing keytab file.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
| |
|
|
|
| |
As this is a file in /tmp, a symlink could take us anywhere...
If it was a NFS filesystem with a dead server, we could block for a long time..
|
| |
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Glenn Machin <gmachin@sandia.gov>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Some installations use different name formats for their credentials
caches. Instead of checking that the uid is part of the name, just
make sure that uid is the owner of the file.
This is a modification of the original patch from Glenn.
Signed-off-by: Neil Brown <neilb@suse.de>
|
| |
|
|
|
|
|
|
|
| |
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Add option to store gssd ccaches in a MEMORY: cache rather
than the default FILE: cache. In response to suggestion
from Steve Dickson <steved@redhat.com> and
Nalin Dahyabhai <nalin@redhat.com>.
|
| |
|
|
|
|
| |
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Clean up a few warning messages.
|
| |
|
|
|
|
|
| |
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Specify that the acquire_cred call should only be concerned with returning
Kerberos credentials since this is Kerberos-only functionality.
|
| |
|
|
|
|
|
|
|
| |
From: Vince Busam <vbusam@google.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Add command line option to specify which directory should be searched
to find credentials caches.
(really this time)
|
| | |
|
| |
|
|
|
|
|
| |
Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
libraries. Note that there are still run-time issues preventing
this from working when shared libraries for libgssapi and librpcsecgss
are used.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* utils/exportfs/exports.man: Document the "crossmnt" export export option
* utils/gssd/krb5_util.c:
Add better debugging and partially revert the function
check for gss_krb5_ccache_name.
For MIT Kerberos releases up to and including 1.3.1, we *must*
use the routine gss_krb5_ccache_name to get the K5 gssapi code
to use a different credentials cache.
For releases 1.3.2 and on, we want to use the KRB5CCNAME
environment variable to tell it what to use.
(A problem was reported where 1.3.5 was being used, our
code was using gss_krb5_ccache_name, but the underlying
code continued to use the first (or default?) credentials
cache. Switching to using the env variable fixed the problem.
I cannot recreate this problem.
*utils/gssd/krb5_util.c:
Andrew Mahone <andrew.mahone@gmail.com> reported that reiser4
always has DT_UNKNOWN. He supplied patch to move the check
for regular files after the stat() call to correctly find
ccache files in reiser4 filesystem.
Also change the name comparison so that the wrong file is
not selected when the substring comparison is done.
*utils/gssd/krb5_util.c:
Limit the set of encryption types that can be negotiated by
the Kerberos library to those that the kernel code currently
supports.
This should eventually query the kernel for the list of
supported enctypes.
*utils/gssd/gss_util.c, utils/svcgssd/svcgssd_main_loop.c:
Print more information in error messages to help debugging failures.
*utils/svcgssd/svcgssd_proc.c: Increase token buffer size and
update error handling so that a response is always sent.
*utils/svcgssd/svcgssd_proc.c: Add support to retrieve
supplementary groups.
|
| |
|
