[PATCH 3/3] NFS test SECINFO RPC_AUTH_GSS pseudoflavors for support

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: <andros@netapp.com>
To: <trond.myklebust@primarydata.com>
Cc: <linux-nfs@vger.kernel.org>, Andy Adamson <andros@netapp.com>
Subject: [PATCH 3/3] NFS test SECINFO RPC_AUTH_GSS pseudoflavors for support
Date: Mon, 9 Jun 2014 15:33:21 -0400	[thread overview]
Message-ID: <1402342401-5640-4-git-send-email-andros@netapp.com> (raw)
In-Reply-To: <1402342401-5640-1-git-send-email-andros@netapp.com>

From: Andy Adamson <andros@netapp.com>

The current code returns an RPC_AUTH_GSS pseudoflavor without testing to see
if it is configured properly. If an RPC_AUTH_GSS pseudoflavor fails then the
next SECINFO flavor should be tried.

Create an rpc_auth, rpc_cred, and initialize the cred (e.g. get a GSS Context)
using the short-lived SECINFO rpc client to test if the use of the RPC_AUTH_GSS
pseudoflavor succeeds.

Signed-off-by: Andy Adamson <andros@netapp.com>
---
 fs/nfs/nfs4namespace.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 46 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
index fd4dcb6..e0a5491 100644
--- a/fs/nfs/nfs4namespace.c
+++ b/fs/nfs/nfs4namespace.c
@@ -135,6 +135,39 @@ static size_t nfs_parse_server_name(char *string, size_t len,
 }
 
 /**
+ * nfs_test_gss - Test client support of pseudoflavor
+ * @server: NFS server struct
+ * @flavor: RPC_AUTH_GSS pseudoflavor
+ */
+
+static int nfs_test_gss_flavor(struct nfs_server *server,
+			       rpc_authflavor_t pseudoflavor)
+{
+	struct rpc_auth_create_args auth_args = {
+		.pseudoflavor = pseudoflavor,
+	};
+	struct rpc_auth *auth;
+	struct rpc_cred *rcred;
+	const struct cred *cred = current_cred();
+	struct auth_cred acred = {
+		.uid = cred->fsuid,
+		.gid = cred->fsgid,
+		.group_info = get_group_info(((struct cred *)cred)->group_info),
+	};
+
+	auth = rpcauth_create(&auth_args, server->client);
+	if (IS_ERR(auth))
+		return -EACCES;
+
+	/* This will call cr_init to create a gss context */
+	rcred = rpcauth_lookup_credcache(auth, &acred, 0);
+	if (IS_ERR(cred))
+		return -EACCES;
+
+	return 0;
+}
+
+/**
  * nfs_find_best_sec - Find a security mechanism supported locally
  * @server: NFS server struct
  * @flavors: List of security tuples returned by SECINFO procedure
@@ -152,21 +185,32 @@ static rpc_authflavor_t nfs_find_best_sec(struct nfs_server *server,
 	rpc_authflavor_t pseudoflavor;
 	struct nfs4_secinfo4 *secinfo;
 	unsigned int i;
+	int err = 0;
 
 	for (i = 0; i < flavors->num_flavors; i++) {
+		bool gss = false;
+
 		secinfo = &flavors->flavors[i];
 
 		switch (secinfo->flavor) {
+		case RPC_AUTH_GSS:
+			gss = true;
 		case RPC_AUTH_NULL:
 		case RPC_AUTH_UNIX:
-		case RPC_AUTH_GSS:
 			pseudoflavor = rpcauth_get_pseudoflavor(secinfo->flavor,
 							&secinfo->flavor_info);
 			/* make sure pseudoflavor matches sec= mount opt */
 			if (pseudoflavor != RPC_AUTH_MAXFLAVOR &&
 			    nfs_auth_info_match(&server->auth_info,
-						pseudoflavor))
+						pseudoflavor)) {
+				if (gss) {
+					err = nfs_test_gss_flavor(server,
+								  pseudoflavor);
+					if (err) /* try the next flavor */
+						continue;
+				}
 				return pseudoflavor;
+			}
 			break;
 		}
 	}
-- 
1.8.3.1

next prev parent reply	other threads:[~2014-06-09 19:33 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-06-09 19:33 [PATCH 0/3] NFS: Fix SECINFO processing regression andros
2014-06-09 19:33 ` [PATCH 1/3] NFS check the return of nfs4_negotiate_security in nfs4_submount andros
2014-06-09 19:33 ` [PATCH 2/3] NFS Return -EPERM if no supported or matching SECINFO flavor andros
2014-06-09 19:33 ` andros [this message]
2014-06-10 16:21   ` [PATCH 3/3] NFS test SECINFO RPC_AUTH_GSS pseudoflavors for support Trond Myklebust
2014-06-10 18:38     ` Adamson, Andy
2014-06-10 19:29       ` Trond Myklebust
2014-06-10 19:37         ` Adamson, Andy
2014-06-10 15:04 ` [PATCH 0/3] NFS: Fix SECINFO processing regression Steve Dickson

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:fd4dcb6 dfblob:e0a5491 )
 OR (
bs:"[PATCH 3/3] NFS test SECINFO RPC_AUTH_GSS pseudoflavors for support" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1402342401-5640-4-git-send-email-andros@netapp.com \
    --to=andros@netapp.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trond.myklebust@primarydata.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).