From: Steve Dickson <SteveD@redhat.com>
To: Eberhard Kuemmerle <E.Kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH] svcgssd: Adding a <-p principal> flag
Date: Tue, 28 Sep 2010 08:06:53 -0400
Message-ID: <4CA1DA5D.1060802@RedHat.com>
In-Reply-To: <201009280836.45487.E.Kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
On 09/28/2010 02:36 AM, Eberhard Kuemmerle wrote:
> Hello Steve,
>
> We use a two-node cluster (pacemaker, corosync, drbd) as NFS server.
> We configured a virtual cluster-IP (using ocf::heartbeat:IPaddr2, iptables CLUSTERIP),
> i.e. the nfs clients call the server as OurClusterIP.OurDomain.de while the real hostnames of the servers are
> OurServer1.OurDomain.de and OurServer2.OurDomain.de.
>
> When I tried to use the mount option krb5, svcgssd denied the mount with the message:
> ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request
>
> I patched svcgssd so that we can specify the principal to use as an option:
> svcgssd -p nfs/OurClusterIP.OurDomain.de
>
> Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
>
> Here comes the code patch:
Committed...
steved.
>
> **************************************************
>
> diff -rupN nfs-utils-1.2.1/utils/gssd/gssd.h nfs-utils-1.2.1_mod/utils/gssd/gssd.h
> --- nfs-utils-1.2.1/utils/gssd/gssd.h 2009-11-04 12:13:56.000000000 +0100
> +++ nfs-utils-1.2.1_mod/utils/gssd/gssd.h 2010-09-27 08:25:31.000000000 +0200
> @@ -90,7 +90,6 @@ void init_client_list(void);
> int update_client_list(void);
> void handle_krb5_upcall(struct clnt_info *clp);
> void handle_spkm3_upcall(struct clnt_info *clp);
> -int gssd_acquire_cred(char *server_name);
> void gssd_run(void);
>
>
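Review bot: dropping the `gssd_acquire_cred` prototype from gssd.h leaves gss_util.h as the only declaration, so a source file that still calls the old one-argument form but includes only gssd.h would now compile against an implicit declaration rather than fail with a type error; please confirm every caller includes gss_util.h and has been moved to the two-argument signature, and say in the description that the duplicate prototype is being removed.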
> diff -rupN nfs-utils-1.2.1/utils/gssd/gss_util.c nfs-utils-1.2.1_mod/utils/gssd/gss_util.c
> --- nfs-utils-1.2.1/utils/gssd/gss_util.c 2009-11-04 12:13:56.000000000 +0100
> +++ nfs-utils-1.2.1_mod/utils/gssd/gss_util.c 2010-09-27 08:14:47.000000000 +0200
> @@ -191,7 +191,7 @@ pgsserr(char *msg, u_int32_t maj_stat, u
> }
>
> int
> -gssd_acquire_cred(char *server_name)
> +gssd_acquire_cred(char *server_name, const gss_OID oid)
> {
> gss_buffer_desc name;
> gss_name_t target_name;
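Review bot: `const gss_OID oid` does not make the OID read-only: `gss_OID` is itself a pointer typedef, so the `const` binds to the parameter variable, not to the `gss_OID_desc` it points at. The existing `pgsserr()` prototype spells it the same way, so it is consistent, but it should not be read as protecting the descriptor. Since the function now also imports a user-name-form principal, `server_name` no longer describes the first argument; `name_str` or `principal` would read better.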
> @@ -203,7 +203,7 @@ gssd_acquire_cred(char *server_name)
> name.length = strlen(server_name);
>
> maj_stat = gss_import_name(&min_stat, &name,
> - (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
> + oid,
> &target_name);
>
> if (maj_stat != GSS_S_COMPLETE) {
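Review bot: passing `oid` through changes how the string is interpreted, and that deserves a comment here: with GSS_C_NT_USER_NAME the Kerberos mechanism parses the string as a principal exactly as typed (case preserved, realm appended only when absent), whereas with GSS_C_NT_HOSTBASED_SERVICE it lowercases and canonicalises the host part. A `-P` value whose case differs from the keytab entry will therefore fail to acquire credentials. The `pgsserr()` call on the failure path should also include the name type so such failures are easy to recognise.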
> diff -rupN nfs-utils-1.2.1/utils/gssd/gss_util.h nfs-utils-1.2.1_mod/utils/gssd/gss_util.h
> --- nfs-utils-1.2.1/utils/gssd/gss_util.h 2009-11-04 12:13:56.000000000 +0100
> +++ nfs-utils-1.2.1_mod/utils/gssd/gss_util.h 2010-09-27 08:22:11.000000000 +0200
> @@ -37,7 +37,7 @@
>
> extern gss_cred_id_t gssd_creds;
>
> -int gssd_acquire_cred(char *server_name);
> +int gssd_acquire_cred(char *server_name, const gss_OID oid);
> void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat,
> const gss_OID mech);
> int gssd_check_mechs(void);
> diff -rupN nfs-utils-1.2.1/utils/gssd/svcgssd.c nfs-utils-1.2.1_mod/utils/gssd/svcgssd.c
> --- nfs-utils-1.2.1/utils/gssd/svcgssd.c 2009-11-04 12:13:56.000000000 +0100
> +++ nfs-utils-1.2.1_mod/utils/gssd/svcgssd.c 2010-09-27 15:48:47.000000000 +0200
> @@ -167,7 +167,7 @@ sig_hup(int signal)
> static void
> usage(char *progname)
> {
> - fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
> + fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-P principal]\n",
> progname);
> exit(1);
> }
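Review bot: the usage string says `-P principal`, while the Subject (`<-p principal>`) and the example in the description (`svcgssd -p nfs/OurClusterIP.OurDomain.de`) say lowercase `-p`. Uppercase is the right choice because `-p` was the old pipefsdir option, but the subject and the example should be changed to match; as written, an admin who copies the example gets `usage:` and exit(1).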
> @@ -183,8 +183,9 @@ main(int argc, char *argv[])
> int opt;
> extern char *optarg;
> char *progname;
> + char *principal = NULL;
>
> - while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
> + while ((opt = getopt(argc, argv, "fivrnP:")) != -1) {
> switch (opt) {
> case 'f':
> fg = 1;
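Review bot: the old option string already had `p:` with no matching `case`, so `-p` fell through to `usage()` before this change and still does; replacing it with `P:` is safe. `principal` is taken straight from optarg with no check that it is non-empty, so `-P ""` is only caught later inside gss_import_name with a much less obvious error; rejecting an empty argument in the option parser would give a clearer message.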
> @@ -201,6 +202,9 @@ main(int argc, char *argv[])
> case 'r':
> rpc_verbosity++;
> break;
> + case 'P':
> + principal = optarg;
> + break;
> default:
> usage(argv[0]);
> break;
> @@ -244,7 +248,9 @@ main(int argc, char *argv[])
> signal(SIGTERM, sig_die);
> signal(SIGHUP, sig_hup);
>
> - if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
> + if (get_creds && !(principal
> + ? gssd_acquire_cred(principal, GSS_C_NT_USER_NAME)
> + : gssd_acquire_cred(GSSD_SERVICE_NAME, GSS_C_NT_HOSTBASED_SERVICE))) {
> printerr(0, "unable to obtain root (machine) credentials\n");
> printerr(0, "do you have a keytab entry for "
> "nfs/<your.host>@<YOUR.REALM> in "
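Review bot: the failure message that follows still tells the admin to check for `nfs/<your.host>@<YOUR.REALM>`, which is misleading when `-P` was given and the missing keytab entry is for the cluster principal; print `principal` when it is set. It is also worth stating (here or in the man page) that `-P` makes the acceptor credential exclusive to that one principal, so a node that is expected to answer under both the cluster name and its own hostname cannot express that with a single `-P`.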
>
> **************************************************
>
> And here is the man page patch.
>
> I removed the old option [-p pipefsdir] from the man page because it has
> obviously been removed in the code.
>
> **************************************************
>
> diff -rupN nfs-utils-1.2.1/utils/gssd/svcgssd.man nfs-utils-1.2.1_mod/utils/gssd/svcgssd.man
> --- nfs-utils-1.2.1/utils/gssd/svcgssd.man 2009-11-04 12:13:56.000000000 +0100
> +++ nfs-utils-1.2.1_mod/utils/gssd/svcgssd.man 2010-09-27 16:01:28.000000000 +0200
> @@ -6,7 +6,7 @@
> .SH NAME
> rpc.svcgssd \- server-side rpcsec_gss daemon
> .SH SYNOPSIS
> -.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
> +.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-P principal]"
> .SH DESCRIPTION
> The rpcsec_gss protocol gives a means of using the gss-api generic security
> api to provide security for protocols using rpc (in particular, nfs). Before
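Review bot: the SYNOPSIS gains `[-P principal]` and drops `[-p pipefsdir]`, which matches the code, but it still omits `-n`, which `usage()` in svcgssd.c lists and the getopt string (`fivrnP:`) accepts; add `[-n]` while this line is being touched.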
> @@ -35,9 +35,12 @@ increases the verbosity of the output (c
> .B -i
> If the nfsidmap library supports setting debug level,
> increases the verbosity of the output (can be specified multiple times).
> +.TP
> +.B -P
> +Use \fIprincipal\fR instead of the default nfs/host.domain.
>
> .SH SEE ALSO
> -.BR rpc.gssd(8),
> +.BR rpc.gssd(8)
> .SH AUTHORS
> .br
> Dug Song <dugsong@umich.edu>
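Review bot: `.B -P` shows the flag without its argument; the other options use that form only because they take none, so this entry should be `.BI -P " principal"` so the argument appears in the option list. The description should also state the expected form, a full Kerberos principal such as `nfs/host.domain@REALM` (the realm is defaulted when omitted), that it is matched case-sensitively against the keytab, and that the daemon then accepts requests for that principal only. Removing the trailing comma after `rpc.gssd(8)` in SEE ALSO is a correct fix since it is the only entry.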
>
> **************************************************
>
> Signed-off-by: Eberhard Kuemmerle <e.kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
>
> Best regards,
>
> Eberhard
>
> ------------------------------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren district court, No. HR B 3498
> Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
> Management: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
> ------------------------------------------------------------------------------------------------
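The thread's failure mode is a keytab that holds the node's own `nfs/host` key but not the key for the name the clients actually use. The following check is an added example, not nfs-utils code: it mirrors the name choice the patch makes in svcgssd.c (an explicit `-P` principal imported as GSS_C_NT_USER_NAME, otherwise the host-based default that Kerberos turns into `nfs/<hostname>@REALM`) and looks the resulting principal up in a `klist -kt` style listing. The hostnames, realm and the listing itself are constructed for the example; DNS canonicalisation, which the real library may apply to host-based names, is not modelled.

```python
"""Check whether the keytab holds a key for the principal svcgssd will request.

Added example, not nfs-utils code.  Hostnames, realm and the klist listing
below are constructed.
"""
import re

DEFAULT_SERVICE = "nfs"
EXAMPLE_HOST = "ourserver1.ourdomain.de"   # constructed node hostname
EXAMPLE_REALM = "OURDOMAIN.DE"             # constructed realm


def expected_principal(principal=None, hostname=EXAMPLE_HOST, realm=EXAMPLE_REALM):
    """Principal whose key svcgssd needs.

    With -P (GSS_C_NT_USER_NAME) the string is used as typed: no case folding,
    realm appended only when absent.  Without -P the host-based default
    nfs@<hostname> (GSS_C_NT_HOSTBASED_SERVICE) becomes nfs/<hostname>@REALM,
    and krb5 lowercases the host part of host-based names.
    """
    if principal:
        return principal if "@" in principal else f"{principal}@{realm}"
    return f"{DEFAULT_SERVICE}/{hostname.lower()}@{realm}"


# One entry line of `klist -kt`: KVNO, two-token timestamp, principal.
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: [kvno, ...]} from a `klist -kt` listing."""
    keys = {}
    for line in text.splitlines():
        m = _KLIST_ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, _stamp, princ = m.groups()
        keys.setdefault(princ, []).append(int(kvno))
    return keys


def check_keytab(klist_text, principal=None, hostname=EXAMPLE_HOST, realm=EXAMPLE_REALM):
    """Return (wanted_principal, found, hint).

    Kerberos principal names are case-sensitive, so an entry differing only
    in case is reported separately from a missing entry.
    """
    want = expected_principal(principal, hostname, realm)
    keys = parse_klist(klist_text)
    if want in keys:
        return want, True, f"kvno {keys[want]}"
    for have in keys:
        if have.lower() == want.lower():
            return want, False, f"case mismatch: keytab has {have}"
    return want, False, "no key for this principal in the keytab"


# Constructed listing: the node's own keys only, no key for the cluster name.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 09/27/10 08:14:47 nfs/ourserver1.ourdomain.de@OURDOMAIN.DE
   2 09/27/10 08:14:47 host/ourserver1.ourdomain.de@OURDOMAIN.DE
"""

if __name__ == "__main__":
    for p in (None, "nfs/ourclusterip.ourdomain.de", "nfs/OurServer1.OurDomain.de"):
        want, found, hint = check_keytab(SAMPLE_KLIST, p)
        print(f"-P {p!r}: want {want}: {'ok' if found else 'MISSING'} ({hint})")
```

Running it against the constructed listing shows the default host-based name succeeding, the cluster principal missing (the situation that produced "Wrong principal in request"), and a `-P` value that differs from the keytab only in case failing as well, since the user-name form is not case-folded.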
Thread overview: 2+ messages
2010-09-28  6:36 [PATCH] svcgssd: Adding a <-p principal> flag Eberhard Kuemmerle
[not found] ` <201009280836.45487.E.Kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
2010-09-28 12:06 ` Steve Dickson [this message]