From: Steve Dickson <SteveD@redhat.com>
To: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
Cc: Bruce Fields <bfields@fieldses.org>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 1/2] gssd: Fix bugs in process_krb5_upcall
Date: Tue, 27 Nov 2012 11:43:59 -0500	[thread overview]
Message-ID: <50B4EDCF.3000704@RedHat.com> (raw)
In-Reply-To: <4FA345DA4F4AE44899BD2B03EEEC2FA90B309AAD@sacexcmbx05-prd.hq.netapp.com>
On 27/11/12 11:05, Myklebust, Trond wrote:
>> -----Original Message-----
>> From: Trond Myklebust [mailto:Trond.Myklebust@netapp.com]
>> Sent: Monday, November 26, 2012 5:31 PM
>> To: Steve Dickson
>> Cc: Bruce Fields; linux-nfs@vger.kernel.org
>> Subject: [PATCH 1/2] gssd: Fix bugs in process_krb5_upcall
>>
>> The 'tgtname' parameter is the _server_ name, not the service name.
>>
>> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
>> ---
>>  utils/gssd/gssd_proc.c | 6 ++----
>>  1 file changed, 2 insertions(+), 4 deletions(-)
>>
>> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index
>> ec251fa..b79e872 100644
>> --- a/utils/gssd/gssd_proc.c
>> +++ b/utils/gssd/gssd_proc.c
>> @@ -963,10 +963,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid,
>> int fd, char *tgtname,
>>  	printerr(1, "handling krb5 upcall (%s)\n", clp->dirname);
>>
>>  	if (tgtname) {
>> -		if (clp->servicename) {
>> -			free(clp->servicename);
>> -			clp->servicename = strdup(tgtname);
>> -		}
>> +		free(clp->servername);
>> +		clp->servername = strdup(tgtname);
>>  	}
>>  	token.length = 0;
>>  	token.value = NULL;
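Review bot: the return value of strdup() is not checked on the `+ clp->servername = strdup(tgtname);` line; because `free(clp->servername)` has already run, an allocation failure leaves clp->servername as NULL where a valid name used to be, and any later use of clp->servername in this function or elsewhere would dereference it. Consider keeping the result in a temporary and only freeing and replacing the old pointer when strdup() succeeded, logging via printerr() otherwise. Also note that the removed branch only replaced the name when one was already set, while the new code always overwrites it when tgtname is non-NULL; if that change in behaviour is intended, the commit message should say so rather than describing the change as just a servicename/servername mix-up.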
>> --
> 
> Sigh... Actually, this isn't right either. The log comment for commit 8b1c7bf5b624c9bc91b41ae577b9fc5c21641705 (rpc: add target field to new upcall) on the Linux client does indeed talk about who we want to authenticate to, but the choice of 'clnt->cl_principal' will actually give us our client hostname.
> 
> It turns out that nfs@"client hostname" is indeed the correct machine cred name when we're acting as the client, but when doing _callbacks_, the server has to authenticate using the same principal used by the client in the SETCLIENTID call (see Section 3.4, RFC 3530), i.e. the nfs@hostname used does in fact include the NFS client's hostname (not the server's)!
> 
> So while PATCH 2/2 is still good, this patch appears to be incorrect and should be dropped for now.
> 
Duly noted... 

steved.