From: "Steinar H. Gunderson" <sgunderson-jG/AHqQBv7lBDgjK7y7TUQ@public.gmane.org>
To: nfs@lists.sourceforge.net
Subject: [NFS] [andrew.phillips-5jPdWwX6g8k@public.gmane.org: Bug#451402: nfs-kernel-server:	rpc.svcgssd needs option to authenticate using different hostname]
Date: Sun, 18 Nov 2007 12:05:51 +0100
Message-ID: <20071118110551.GA10815@uio.no>

Hi,

I'm sending this on from a user. Does the patch seem reasonable to you?

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From: Andrew Phillips <andrew.phillips-5jPdWwX6g8k@public.gmane.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#451402: nfs-kernel-server: rpc.svcgssd needs option to authenticate using different hostname
Date: Thu, 15 Nov 2007 14:11:29 -0400
Message-ID: <20071115181129.14914.6007.reportbug-bmuJXYsvn0hRdhyElPwyhWvNCLGBfJgzPBtRn7vrt+k@public.gmane.org>

Package: nfs-kernel-server
Version: 1:1.1.1~git-20070929-1
Severity: wishlist
Tags: patch

Normally you can only connect to NFS using Kerberos using the hostname
of the server.  If you have a cluster where the NFS service can
failover between machines, using heartbeat for instance, you would
want to connect to a single address.  This does not work with
rpc.svcgssd as it will only authenticate machines connecting to its
hostname, not another address the machine handles.  For instance, if
you have servers nfs1.foo and nfs2.foo, you might want to have an
address nfs.foo that passes between each other.

The following two patches (one for 1.1.1~git-2007092 (sid), and one
for 1.0.10 (etch)) add an option to rpc.svcgssd to specify the
hostname (-h) you will be connecting to it by.  They also remove
references to options that rpc.svcgssd does not support.

Ideally, in the long run nfs-utils would provide an option similar to
what recent openssh versions use, and authenticate with any key in the
keytab.

Patch for 1.1.1~git-2007092:
diff -rud nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.c nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.c
--- nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.c	2007-09-29 09:55:13.000000000 -0300
+++ nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.c	2007-11-15 10:43:33.000000000 -0400
@@ -155,7 +155,7 @@
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
+	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-h hostname]\n",
 		progname);
 	exit(1);
 }
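Review bot: the usage() string and the man page SYNOPSIS edited later in this same patch disagree: usage() lists -n and -i here, while the SYNOPSIS hunk adds [-h hostname] but still omits -n. Since both are being touched, list the same option set in both places.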
@@ -171,8 +171,9 @@
 	int opt;
 	extern char *optarg;
 	char *progname;
+	char *servicename = NULL;
 
-	while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
+	while ((opt = getopt(argc, argv, "fivrnh:")) != -1) {
 		switch (opt) {
 			case 'f':
 				fg = 1;
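Review bot: dropping "p:" from the getopt string is a separate behavioural change from adding "h:": with "fivrnh:" any caller still passing -p pipefsdir gets '?' back from getopt, lands in the default: branch and the daemon exits via usage(). Either split that removal into its own patch or state it explicitly in the description so it can be reviewed on its own.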
@@ -189,6 +190,12 @@
 			case 'r':
 				rpc_verbosity++;
 				break;
+			case 'h':
+				servicename = calloc(strlen(optarg) + strlen(GSSD_SERVICE_NAME) + 2, sizeof(char));
+
+				/* GSSAPI needs @ instead of / between service name and hostname */
+				snprintf(servicename, strlen(optarg) + strlen(GSSD_SERVICE_NAME) + 2, "%s@%s", GSSD_SERVICE_NAME, optarg);
+				break;
 			default:
 				usage(argv[0]);
 				break;
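Review bot: the calloc() result is handed straight to snprintf() without a NULL check, so an allocation failure dereferences NULL during option parsing; check it and exit with an error. The length expression `strlen(optarg) + strlen(GSSD_SERVICE_NAME) + 2` is also evaluated twice, so compute it once into a size_t, and a repeated -h leaks the earlier buffer. Consider rejecting an optarg that contains '@' or '/', since those characters change which principal is looked up rather than merely which host.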
@@ -228,7 +235,10 @@
 	signal(SIGTERM, sig_die);
 	signal(SIGHUP, sig_hup);
 
-	if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
+	if (servicename == NULL)
+		servicename = GSSD_SERVICE_NAME;
+
+	if (get_creds && !gssd_acquire_cred(servicename)) {
                 printerr(0, "unable to obtain root (machine) credentials\n");
                 printerr(0, "do you have a keytab entry for "
 			    "nfs/<your.host>@<YOUR.REALM> in "
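Review bot: the failure hint still hard-codes "nfs/<your.host>@<YOUR.REALM>", which becomes misleading once -h is in use: an operator who passed -h nfs.foo needs to be told that the keytab lacks an entry for that name, not for the machine's own hostname. Print the principal actually requested (servicename) in the printerr() message.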
Only in nfs-utils-1.1.1~git-20070929-krb/utils/gssd: svcgssd.c.orig
diff -rud nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.man nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.man
--- nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.man	2007-09-29 09:55:13.000000000 -0300
+++ nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.man	2007-11-15 10:26:01.000000000 -0400
@@ -6,7 +6,7 @@
 .SH NAME
 rpc.svcgssd \- server-side rpcsec_gss daemon
 .SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-h hostname]"
 .SH DESCRIPTION
 The rpcsec_gss protocol gives a means of using the gss-api generic security
 api to provide security for protocols using rpc (in particular, nfs).  Before
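Review bot: the SYNOPSIS drops [-p pipefsdir] on the same line that adds [-h hostname]; if the OPTIONS section below still documents -p, that entry needs the same treatment, and the removal belongs in the changelog rather than folded silently into the -h feature.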
@@ -35,6 +35,10 @@
 .B -i
 If the nfsidmap library supports setting debug level,
 increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -h hostname
+Specify the hostname to use when looking for the service principal in
+the keytab.
 
 .SH SEE ALSO
 .BR rpc.gssd(8),
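Review bot: the -h entry should say what happens when the option is omitted and which principal the hostname yields, e.g. that credentials are acquired for nfs/hostname@REALM, so that a failover address such as nfs.foo can be used instead of the machine's own name. For roff consistency, an option that takes an argument is usually written .BI -h " hostname" so the argument renders in italics.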


Patch for 1.0.10:
diff -rud nfs-utils-1.0.10/utils/gssd/svcgssd.c nfs-utils-1.0.10-krb/utils/gssd/svcgssd.c
--- nfs-utils-1.0.10/utils/gssd/svcgssd.c	2006-08-07 03:40:50.000000000 -0300
+++ nfs-utils-1.0.10-krb/utils/gssd/svcgssd.c	2007-11-15 10:41:58.000000000 -0400
@@ -154,7 +154,7 @@
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n",
+	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-h hostname]\n",
 		progname);
 	exit(1);
 }
@@ -169,8 +169,9 @@
 	int opt;
 	extern char *optarg;
 	char *progname;
+	char *servicename = NULL;
 
-	while ((opt = getopt(argc, argv, "fvrnp:")) != -1) {
+	while ((opt = getopt(argc, argv, "fvrnh:")) != -1) {
 		switch (opt) {
 			case 'f':
 				fg = 1;
@@ -184,6 +185,12 @@
 			case 'r':
 				rpc_verbosity++;
 				break;
+			case 'h':
+				servicename = calloc(strlen(optarg) + strlen(GSSD_SERVICE_NAME) + 2, sizeof(char));
+
+				/* GSSAPI needs @ instead of / between service name and hostname */
+				snprintf(servicename, strlen(optarg) + strlen(GSSD_SERVICE_NAME) + 2, "%s@%s", GSSD_SERVICE_NAME, optarg);
+				break;
 			default:
 				usage(argv[0]);
 				break;
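Review bot: same issues as the 1.1.1 version of this hunk: the calloc() return value is unchecked before snprintf(), the length expression is computed twice, a repeated -h leaks the earlier buffer, and optarg is not checked for '@' or '/'. Please apply whatever fix is chosen there to this backport as well.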
@@ -216,7 +223,10 @@
 	signal(SIGTERM, sig_die);
 	signal(SIGHUP, sig_hup);
 
-	if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
+	if (servicename == NULL)
+		servicename = GSSD_SERVICE_NAME;
+
+	if (get_creds && !gssd_acquire_cred(servicename)) {
                 printerr(0, "unable to obtain root (machine) credentials\n");
                 printerr(0, "do you have a keytab entry for "
 			    "nfs/<your.host>@<YOUR.REALM> in "
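Review bot: as in the 1.1.1 hunk, the error hint still names nfs/<your.host>@<YOUR.REALM>; print the servicename that was actually requested so a -h user sees which keytab entry is missing.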
diff -rud nfs-utils-1.0.10/utils/gssd/svcgssd.man nfs-utils-1.0.10-krb/utils/gssd/svcgssd.man
--- nfs-utils-1.0.10/utils/gssd/svcgssd.man	2006-08-07 03:40:50.000000000 -0300
+++ nfs-utils-1.0.10-krb/utils/gssd/svcgssd.man	2007-11-15 10:27:42.000000000 -0400
@@ -6,7 +6,7 @@
 .SH NAME
 rpc.svcgssd \- server-side rpcsec_gss daemon
 .SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-f] [-h hostname]"
 .SH DESCRIPTION
 The rpcsec_gss protocol gives a means of using the gss-api generic security
 api to provide security for protocols using rpc (in particular, nfs).  Before
@@ -31,6 +31,10 @@
 .B -r
 If the rpcsec_gss library supports setting debug level,
 increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -h hostname
+Specify the hostname to use when looking for the service principal in
+the keytab.
 
 .SH SEE ALSO
 .BR rpc.gssd(8),
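Review bot: same comment as on the 1.1.1 man page: document the behaviour when -h is omitted and the resulting principal form (nfs/hostname@REALM), and use .BI -h " hostname" for an option with an argument.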

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1         1.40.2-1               block device id library
ii  libc6             2.6.1-1+b1             GNU C Library: Shared libraries
ii  libcomerr2        1.40.2-1               common error description library
ii  libgssglue1       0.1-1                  mechanism-switch gssapi library
ii  libkrb53          1.6.dfsg.3~beta1-2     MIT Kerberos runtime libraries
ii  libnfsidmap2      0.20-0                 An nfs idmapping library
ii  librpcsecgss3     0.17-1                 allows secure rpc communication us
ii  libwrap0          7.6.dbs-14             Wietse Venema's TCP wrappers libra
ii  lsb-base          3.1-24                 Linux Standard Base 3.1 init scrip
ii  nfs-common        1:1.1.1~git-20070929-1 NFS support files common to client
ii  ucf               3.003                  Update Configuration File: preserv

nfs-kernel-server recommends no packages.

-- no debconf information
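As an added illustration (not code from the bug report or from nfs-utils), here is how the service-name construction the patch introduces could be written with the checks a reviewer would ask for: a checked allocation, the pre-patch default when -h is absent, and rejection of hostnames containing characters that would alter the principal. GSSD_SERVICE_NAME is assumed to be "nfs", matching the daemon's keytab hint, and the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default service, as in svcgssd's "nfs/<your.host>@<YOUR.REALM>" hint. */
#define GSSD_SERVICE_NAME "nfs"

/* Accept only DNS hostname characters, so an operator-supplied -h value
 * cannot carry '@' or '/' into the principal and change which keytab
 * entry is looked up. */
static int valid_hostname(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return 0;
    for (const char *p = host; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return 0;
    return 1;
}

/* Build the GSS-API host-based name "service@host" (the '@' form the
 * patch comment refers to). Returns a malloc'd string the caller frees,
 * or NULL if the hostname is rejected or allocation fails. */
char *build_service_name(const char *service, const char *host)
{
    if (!valid_hostname(host))
        return NULL;
    size_t len = strlen(service) + 1 + strlen(host) + 1; /* '@' plus NUL */
    char *name = malloc(len);
    if (name == NULL)
        return NULL;
    snprintf(name, len, "%s@%s", service, host);
    return name;
}

/* Pick the name to acquire credentials for: the -h value when given,
 * otherwise the bare service name the daemon used before the patch.
 * Always heap-allocated so the caller can free it uniformly. */
char *select_service_name(const char *opt_host)
{
    if (opt_host != NULL)
        return build_service_name(GSSD_SERVICE_NAME, opt_host);
    char *dflt = malloc(sizeof(GSSD_SERVICE_NAME));
    if (dflt != NULL)
        memcpy(dflt, GSSD_SERVICE_NAME, sizeof(GSSD_SERVICE_NAME));
    return dflt;
}
```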