| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
librpcsecgss provides authgss_free_private_data() as a pair to
authgss_get_private_data(). libtirpc does not - until recently.
This ommision results in authgss_destroy_context() sending an
incorrect RPCSEC_GSS_DESTROY request when gssd calls AUTH_DESTROY().
The call has been added to libtirpc, so this patch updates nfs-utils
to check for the presense of the function in libtirpc and to set
HAVE_AUTHGSS_FREE_PRIVATE_DATA if it is present.
This is also set unconditionally if librpcsecgss is used.
gssd is changed to test this value rather than HAVE_LIBTIRPC when
chosing whether to call authgss_free_private_data().
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We have previously raised the size of the 'pollarray' once (32 -> 256)
and I have had another request to make it bigger.
Rather than changing the hard-coded value, make it depend on
RLIMIT_NOFILE. This is an upper limit on the size of the array
that can be passed to poll() anyway.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
I can see no possible point for this test against FD_ALLOC_BLOCK,
so just remove the test.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
get_poll_index wants to walk the entire "pollarray", but uses
the constant FD_ALLOC_BLOCK, rather than the variable
pollsize (which has the same value). If we want to make the
size of the array variable, it is best not to use the constant.
As pollsize is 'unsigned long', 'i' should be too.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The target name contains a hostname in the realm that we are
authenticating
to. Since we may be authenticating to a different realm than the default
realm for the server, we should not assume that the target name and host
name point to the same string.
In fact, the kernel NFS client will always use its own hostname as the
target name, since it is always authenticating to its own default realm.
On the other hand, the NFS server's callback channel will pass the
hostname
of the NFS client that it is authenticating too (Section 3.4, RFC3530).
This patch fixes the handling of the target name in process_krb5_upcall,
and ensures that it gets passed to find_keytab_entry().
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Either we trust the info file, or we don't. The current
'checks' only work for the combination 'nfs', '100003' and
a version number between 2 and 4.
The problem is that the callback channel also wants to use
'nfs' in combination with a different program number and
version number.
This patch throws the bogus checks out altogether and lets the
kernel use whatever combination it wants....
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
When svcgssd reads the supported encrytion types from the
kernel, they are prefixed with a 'enctypes='. That prefix
has to be ignored to correctly parse the rest of the types.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
gssd_proc.c: In function handle_krb5_upcall:
gssd_proc.c:1117:2: warning: ISO C forbids return with expression, in
function returning void [-pedantic]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
gssd_proc.c: At top level:
gssd_proc.c:782:5: warning: no previous prototype for create_auth_rpc_client [-Wmissing-prototypes]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
gss_util.c: At top level:
gss_util.c:98:36: warning: ISO C does not allow extra ; outside of a
function [-pedantic]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: Andy Adamson <andros@netapp.com>
The kernel gss_cl_ctx stores the context lifetime in gc_expiry, set
by gssd in do_downcall() called by process_krb5_upcall(). The lifetime
value is currently not related at all to the Kerberos TGS lifetime.
It is either set to the value of gssd -t <timeout>, or to a kernel
default of 3600 seconds.
Most of the time the gssd -t command line is not set, and a timeout
value of zero was sent to the kernel triggering the use of the 3600
second kernel default timeout.
In order for the kernel to properly know when to renew a context, or to
stop buffering writes for a context about to expire, the gc_expiry value
needs to reflect the credential lifetime used to create the context.
Note that gss_inquire_cred returns the number of seconds for which the
context remains valid in the lifetime_rec parameter.
Send the actual TGS remaining lifetime to the kernel. It can still be
overwritten by the gssd -t command line option, or set to the kernel
default if the gss_inquire_cred call fails (which sets the lifetime_rec
to zero).
Signed-off-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
| |
Some init systems actually expect daemons to return 0 on success.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of systemd create a /run/user/${UID} directory
instead of the /run/user/${USER} directory, so switch to
scanning for that. To make the per-user directory bit a little
less magical, change the default to incorporate a "%U", which
gets dynamically expanded to the user's UID when needed.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
In addition to matching "FILE:krb5cc_*" in the specified directory or
directories, also match "DIR:krb5cc*", if we find subdirectories with
names that match the search pattern.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use ppoll() instead.
[ cel Wed Aug 1 11:44:46 EDT 2012 - autoconfiscated Bruce's version ]
Related clean-up: Since we're pulling the poll/ppoll call out into a
separate function, note that the second argument of poll(2) and
ppoll(2) is not an int, it's an unsigned long. The nfds_t typedef
is a recent invention, so use the raw type for compatibility with
older glibc headers.
Acked-by: J. Bruce Fields" <bfields@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
Reverse the sense of the test here, and also add debugging and cleanup
in the error case.
(Though the lack of cleanup isn't currently a problem in practice since
we'll eventually exit in this case.)
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
printerr() isn't actually safe to call from a signal handler. It might
be possible to make it so, but I think this is the only case in
nfs-utils where we try to, and I'm not convince it's worth it.
This fixes a bug that would eventually cause mounts to hang when gssd
is run with -vv.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
We're not actually using the extra sa_sigaction parameters.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a POLLHUP event is received on a pipe file descriptor, that
means the other side has closed its end of the pipe. If the
receiver does not close its end of the pipe, the pipe is left in an
open-but-unlinked state.
For a "gssd" upcall pipe, the kernel may close its end, removing the
directory entry for it, and then later create a fresh pipe named
"gssd" in the same directory. In this case, rpc.gssd continues to
listen on the open-but-unlinked previous "gssd" pipe. Thus upcalls
on the new "gssd" pipe are left unanswered.
In addition, poll(2) continues to return POLLHUP on the old pipe.
Since there is no logic to close the pipe in rpc.gssd, poll(2) always
returns immediately, and rpc.gssd goes into a tight loop.
Typically, the kernel closes upcall pipes and destroys their
parent directory at the same time. When an RPC client's directory
vanishes, rpc.gssd sees the change via dnotify and eventually
invokes destroy_client() which closes the user-space end of the
pipes.
However, if the kernel wants to switch authentication flavors (say
from AUTH_KRB5 to AUTH_UNIX) on an RPC client without destroying it,
the upcall pipes go away, but the RPC client's directory remains.
rpc.gssd invokes update_client_list(), but that logic never closes
upcall pipes if the client directory is still in place.
After a POLLHUP on a pipe, close it when rpc.gssd reconstructs its
list of upcall clients.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Implement a new option -l to force gssd to ignore its kernel's crypto
capabilities and use just the Single DES legacy encryption types to be
compatible with old servers. This is only relevant if those servers have
strong keys in their keytab.
Signed-off-by: Steve Dickson <steved@redhat.com>
Tested-by: Michael Weiser <weiser@science-computing.de>
|
|
|
|
|
|
|
|
|
| |
The user credential cache currently is kept in /tmp.
In upcoming Kerberos release that will be moved to
/run/user/<username>/. This patch enables gssd to
look in both the old and new caches
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is essentially the same as the previous version, but has
been respun to fix up some merge conflicts with some of Chuck's
recent changes.
When we first added tirpc support, we took a "big hammer" approach, and
had it add libtirpc to $LIBS. That had the effect of making it so that
that library was linked into every binary. That's unnecessary, and
wasteful with memory.
Don't let AC_CHECK_LIB add -ltirpc to $LIBS. Instead, have the autoconf
tests set $(LIBTIRPC) in the makefiles, and have the programs that
need it explicitly include that library. In the event that we're not
using libtirpc, then set $LIBTIRPC to a blank string.
This necessitates a change to the bindresvport_sa check too. Since that
library is no longer included in $LIBS, we need to convert that check
to use AC_CHECK_LIB instead of AC_CHECK_FUNCS.
This patch also fixes a subtle bug. If the library was usable, but the
includes were not, the test would set $enable_tirpc to "no", but
HAVE_LIBTIRPC would still be true. That configuration would likely
fail to build.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
...as that makes that library get linked into every binary. Also,
replace "hardcoded" -lnfsidmap linker flag in Makefiles with
a AC_SUBST variable.
This fixes a regression introduced in commit d7c64dd.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Free just calloc'd enc_key.data from one place, unconditionally,
after calling write_lucid_keyblock, rather than from three places.
Coverity spotted the possible double free.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the window of kernels between 2.6.35 (when the support
for newer encryption was added) and 2.6.39 (when the ability
to read the supported enctypes from the kernel was added),
use a default of all enctypes when the kernel supported
enctypes file cannot be read.
For kernels before 2.6.35, continue to use a default of
only DES enctypes.
Note that the version of Kerberos must also support the use of
gss_set_allowable_enctypes for service-side negotiations.
See also: http://bugzilla.redhat.com/show_bug.cgi?id=719776
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
The svcgssd man page doesn't mention the "-n" flag.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
Commit 544ed73d introduced a regression that caused
rpc.svcgssd to seg fault on "Wrong principal in request"
errors in gss_accept_sec_context()
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, when writing to /proc/net/rpc/*/channel, if a cache line
were larger than the default buffer size (likely 1024 bytes), mountd
and svcgssd would split writes into a number of buffer-sized writes.
Each of these writes would get an EINVAL error back from the kernel
procfs handle (it expects line-oriented input and does not account for
multiple/split writes), and no cache update would occur.
When such behavior occurs, NFS clients depending on mountd to finish
the cache operation would block/hang, or receive EPERM, depending on
the context of the operation. This is likely to happen if a user is a
member of a large (~100-200) number of groups.
Instead, every fopen() on the procfs files in question is followed by
a call to setvbuf(), using a per-file dedicated buffer of
RPC_CHAN_BUF_SIZE length.
Really, mountd should not be using stdio-style buffered file operations
on files in /proc to begin with. A better solution would be to use
internally managed buffers and calls to write() instead of these stdio
calls, but that would be a more extensive change; so this is proposed
as a quick and not-so-dirty fix in the meantime.
Signed-off-by: Sean Finney <sean.finney@sonyericsson.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent versions of Kerberos libraries negotiate and use
an "acceptor subkey". This negotiation does not consider
that a service may have limited the encryption keys in its
keytab. A patch (http://src.mit.edu/fisheye/changelog/krb5/?cs=24603)
has been added to the MIT Kerberos code to allow an application
to indicate that it wants to limit the encryption types negotiated.
(This functionality has been available on the client/initiator
side for a while. The new patch adds this support to the
server/acceptor side.)
This patch adds support to read a recently added nfsd
proc file to determine the encryption types supported by
the kernel and calls the function to limit encryption
types negotiated for the acceptor subkey.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
Modify wrong err message at handle_gssd_upcall when
sscanf encryption types fail.
Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An Active Directory KDC will only grant a TGT for UPNs, getting
a TGT for SPNs is not possible:
$ kinit -k host/ib5@ADS.ORCORP.CA
kinit: Client not found in Kerberos database while getting initial
credentials
The correct thing to do for machine credentials is to get a TGT
for the computer UPN <HOSTNAME>$@REALM:
$ kinit -k IB5\$
$ klist
12/22/10 11:43:47 12/22/10 21:43:47 krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
Samba automatically creates /etc/krb5.keytab entry for the computer UPN,
this patch makes gssd_refresh_krb5_machine_credential prefer it above
the SPNs if it is present.
The net result is that nfs client works automatically out of the box
if samba has been used to setup kerberos via 'net ads join' 'net ads
keytab create'
Tested using Windows Server 2003 R2 as the AD server.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added in gss_display_error() which translates the GSS error into the
actual GSS macro name. Currently only the translation of these errors
are logged. Since those translations are buried deep in the kerberos
library code, having the actual GSS macro name makes it easier to
follow the code.
Moved the nfs4_init_name_mapping() call into main() so if debug is
enabled the DNS name and realms will be logged during start up.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle@fz-juelich.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Allow the principal that is used to get the machines creds definable
on the command like with the new '-p <principal>'. This is useful
in cluster environments.
Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle@fz-juelich.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
svcgssd_proc.c: In function 'send_response':
svcgssd_proc.c:135: warning: unused parameter 'f'
svcgssd_proc.c: In function 'handle_nullreq':
svcgssd_proc.c:434: warning: comparison of unsigned expression < 0 is always false
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
svcgssd.c: In function 'sig_hup':
svcgssd.c:160: warning: unused parameter 'signal'
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
gssd_proc.c: In function 'create_auth_rpc_client':
gssd_proc.c:939: warning: comparison between signed and unsigned integer expressions
gssd_proc.c:939: warning: comparison between signed and unsigned integer expressions
gssd_proc.c: In function 'handle_krb5_upcall':
gssd_proc.c:1164: warning: comparison between signed and unsigned integer expressions
gssd_proc.c: In function 'handle_spkm3_upcall':
gssd_proc.c:1178: warning: comparison between signed and unsigned integer expressions
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
krb5_util.c: In function 'realm_and_service_match':
krb5_util.c:617: warning: unused parameter 'context'
krb5_util.c: In function 'limit_krb5_enctypes':
krb5_util.c:1275: warning: unused parameter 'uid'
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
gssd_main_loop.c: In function 'dir_notify_handler':
gssd_main_loop.c:64: warning: unused parameter 'sig'
gssd_main_loop.c:64: warning: unused parameter 'si'
gssd_main_loop.c:64: warning: unused parameter 'data'
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
gssd.c: In function 'sig_hup':
gssd.c:78: warning: unused parameter 'signal'
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
When not using machine credentials for root, if the machine
credential cache file is newer than the root credential file
the wrong file will get picked. Ignore the machine file in
this case.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Commit 4c5ff6d4 removed the setting of endtime for a few contexts by
accident.
Now to figure out why I get stale handles on submounts.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
Sends a new format of context information to the kernel.
(Requires kernel support to do anything useful.)
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This patch replaces a hard-coded list with a function to obtain
the Kerberos encryption types that the kernel's rpcsec_gss code
can support. Defaults to old behavior if kernel does not supply
information.
Signed-off-by: Steve Dickson <steved@redhat.com>
|