summaryrefslogtreecommitdiffstats
path: root/utils/gssd/svcgssd_proc.c
Commit message (Collapse)AuthorAgeFilesLines
* This patch adds the krb5 hostbased principal, name which theOlga Kornievskaia2009-11-161-7/+87
| | | | | | | | | | | | | | nfs client used to authenticate, to the svcgssd downcall information. This information is needed for the callback authentication. When estabishing the callback, nfsd will pass the principal name in the upcall to the gssd. gssd will acquire a service ticket for the specified principal name. Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
* svcgssd: check the return code from qword_eol() and log failuresKevin Coffman2009-04-031-0/+4
| | | | | | | | | | | | | | | | | | If qword_eol() fails while writing the context information, log an indication of the failure. This addresses at least one cause of the intermittent, and previously undiagnosed, problem of the server returning GSS_S_NO_CONTEXT when a context was seemingly successfully created and sent down to the kernel. In my case there was a mis-match between kernel and user-land configuration resulting in the proper kernel module not being loaded. Therefore the write of the context failed, but was not logged by svcgssd. When the kernel goes to find the resulting context, it was really not there and correctly returned GSS_S_NO_CONTEXT to the client. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
* gssd: Use same style for including config.h that rest of nfs-utils usesChuck Lever2009-03-051-0/+4
| | | | | | | Clean up. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
* gssd: By default, don't spam syslog when users' credentials expireKevin Coffman2009-01-051-3/+3
| | | | | | | | | | | | | | | | | | Change the priority of "common" log messages so that syslog doesn't get slammed/spammed when users' credentials expire, or there is another common problem which would cause error messages for all context creation requests. Note that this will now require that gssd or svcgssd option "-v" is used to debug these common cases. Original patch from Andrew Pollock <apollock@google.com>. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com> CC: Andrew Pollock <apollock@google.com>
* svcgssd: use the actual context expiration for cacheKevin Coffman2008-12-111-7/+13
| | | | | | | | | | | | | | | Instead of sending down an infinite expiration value for the rsi(init) and rsc(context) cache entries, use a reasonable value for the rsi cache, and the actual context expiration value for the rsc cache. Prompted by a proposal from Neil Brown as a result of a complaint of a server running out of kernel memory when under heavy load of rpcsec_gss traffic. Neil's original patch used one minute for the init cache and one hour for the context cache. Using the actual expiration time prevents unnecessary context re-negotiation. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
* gssd/svcgssd: add support to retrieve actual context expirationKevin Coffman2008-12-111-1/+1
| | | | | | | | | Add some plumbing so that the context expiration can be returned while serializing the information. Later patch(es) will actually get the expiration and pass it down to the kernel. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
* Use nfslib versions of cacheio functionsKevin Coffman2007-10-151-1/+1
| | | | | | | | | | Now that the nfslib library has all the necessary functions and they all operate as needed, use them instead of the private versions in utils/gssd/cacheio.c. The obsolete private versions are removed in the next patch. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
* Use printerr to print svcgssd downcall debugging infoKevin Coffman2007-10-151-1/+7
| | | | | | | | | | | Rather than depending on modified qword_* functions to print svcgssd debugging information, use printerr in the downcall function. And while we're at it, label things so we know what we're looking at! Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
* Make print_hexl function write to stdout rather than using printerrKevin Coffman2007-10-151-15/+18
| | | | | | | | | | print_hexl() currently uses printerr, but is really only necessary for local debugging and should simply write to stdout. Also change it to print the description internally. Wrap it and its use in #ifdef DEBUG. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
* Treat GSSAPI error codes as unsigned.Kevin Coffman2007-02-091-2/+2
| | | | | | | | | | Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> GSSAPI error codes (major and minor) are defined as unsigned values. However, we treat them as signed while passing them down to the kernel where conversion fails if they include the minus sign. Convert them as unsigned. Signed-off-by: Neil Brown <neilb@suse.de>
* Error check messages sent to the kernel.Neil Brown2007-01-111-2/+3
| | | | | | And make sure that if we fail to export a filesystem in mountd, then we don't try to get a filehandle on it, or a deadlock might occur.
* Use uid/gid of -1 to indicate the export's anonuid/anongid should be usedKevin Coffman2006-07-081-2/+5
| | | | | | | | | | | Kernel routine nfsd_setuser() in fs/nfsd/auth.c checks for the value -1 and defaults the credential's fsuid/fsgid to the correct anonuid/anongid values for the given export. We should be passing this value (-1) down when a name mapping cannot be found. Thanks to J. Bruce Fields <bfields@fieldses.org> for the reference. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Acked-by: J. Bruce Fields <bfields@fieldses.org>
* Use 65534 instead of -2 in svcgssd_proc.cNeil Brown2006-07-061-4/+3
| | | | as this is more consistant across achitectures.
* Handle mapping failure from get_ids.kwc@citi.umich.edu2006-07-041-2/+15
| | | | | | | | | Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Temporary patch to do default mapping if we get an error while trying to map a gss principal to the appropriate uid/gid. This currently returns hardcoded values. This may be correct, or we may need to try and figure out the correct values to match the anonuid/anongid for the export.
* Properly report errors in readline() functionkwc@citi.umich.edu2006-07-041-1/+1
| | | | | | Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Change message priorities for errors and debug messages.
* 2006-04-10 NeilBrown <neilb@suse.de>neilbrown2006-04-101-1/+2
| | | | | | | | | | | | | Various paranoia checks: gssd_proc.c: pass max_field sizes to sscanf to avoid buffer overflow svcgssd_proc.c: range_check name.length, to ensure name.length+1 doesn't wrap idmapd.c(nfsdcb): make sure at least one byte is read before zeroing the last byte that was read, otherwise memory corruption is possible. Found by SuSE security audit.
* 2006-04-10 kwc@citi.umich.eduneilbrown2006-04-091-0/+13
| | | | | | Plug memory leaks in svcgssd Various memory leaks in the svcgssd context processing are eliminated.
* Remove unused groups variable from get_ids() which was causing a compiler ↵neilbrown2006-03-281-1/+0
| | | | | | warning. (really this time)
* Update krb5 code to use glue routine lucid context functionsneilbrown2006-03-281-1/+1
| | | | | | | | | | | The gssd code should not know about the glue layer's context structure. A previous patch added gss_export_lucid_sec_context() and gss_free_lucid_sec_context() functions to the gssapi glue layer. Use these functions rather than calling directly to the Kerberos gssapi code (which requires the Kerberos context handle rather than the glue's context handle). (really this time)
* Fix up the svcgss mess I made, and run autoconf/automakeneilbrown2006-03-271-0/+388
generated by cgit (git 2.34.1) at 2025-09-25 12:34:56 +0000