* bad principal used by gssd
@ 2019-02-22 18:36 Charles Hedrick
2019-02-22 20:46 ` J. Bruce Fields
0 siblings, 1 reply; 2+ messages in thread
From: Charles Hedrick @ 2019-02-22 18:36 UTC (permalink / raw)
To: linux-nfs@vger.kernel.org
Would someone please look at https://bugzilla.linux-nfs.org/show_bug.cgi?id=318?
If I’m logged in as hedrick but current credentials are hedrick.admin, I have a key ring with credentials for both hedrick and hedrick.admin.
If gssd needs to recreate its context (e.g. because the credentials have expired) it acquires GSSAPI credentials with NONAME. That will give it the current selected principal, which is hedrick.admin. Of course for NFS only a principal that matches the current UID can work. So later in the code it checks to see if the credentials it has are for hedrick, and fails. This is kind of silly. If you tell acquire what credentials you want, it will look through the keyring and pick the right one. So the call to acquire should specify the desired principal.
The bug report gives code to fix it. Because I don’t want to build my own gssd, my patch uses LD_PRELOAD to intercept calls, but the code could be put into the source in the obvious way.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: bad principal used by gssd
2019-02-22 18:36 bad principal used by gssd Charles Hedrick
@ 2019-02-22 20:46 ` J. Bruce Fields
0 siblings, 0 replies; 2+ messages in thread
From: J. Bruce Fields @ 2019-02-22 20:46 UTC (permalink / raw)
To: Charles Hedrick; +Cc: linux-nfs@vger.kernel.org, steved
On Fri, Feb 22, 2019 at 06:36:54PM +0000, Charles Hedrick wrote:
> Would someone please look at
> https://bugzilla.linux-nfs.org/show_bug.cgi?id=318?
>
> If I’m logged in as hedrick but current credentials are hedrick.admin,
> I have a key ring with credentials for both hedrick and hedrick.admin.
>
> If gssd needs to recreate its context (e.g. because the credentials
> have expired) it acquires GSSAPI credentials with NONAME. That will
> give it the current selected principal, which is hedrick.admin. Of
> course for NFS only a principal that matches the current UID can work.
> So later in the code it checks to see if the credentials it has are
> for hedrick, and fails. This is kind of silly. If you tell acquire
> what credentials you want, it will look through the keyring and pick
> the right one. So the call to acquire should specify the desired
> principal.
>
> The bug report gives code to fix it. Because I don’t want to build my
> own gssd, my patch uses LD_PRELOAD to intercept calls, but the code
> could be put into the source in the obvious way.
No comment on whether that's the right behavior (I just don't know), but
for what it's worth I think you'll get a quicker response if it were
possible to just make it a patch against nfs-utils, and post it to the
list instead of that bugzilla.
--b.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-02-22 20:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-22 18:36 bad principal used by gssd Charles Hedrick
2019-02-22 20:46 ` J. Bruce Fields
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.