* [PATCH 0/4] nfs-utils gssd
@ 2008-05-01 13:34 Kevin Coffman
From: Kevin Coffman @ 2008-05-01 13:34 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
Hi Steve,
These have all been sent before, with various levels of formality,
but haven't made it into git yet.
1) adds code to gssd to read a possible alternate port number
from the info file.
2) adds the "other" DES encryption types to the default list that
can currently be negotiated.
3) adds a utility function to retrieve the current logging
verbosity. (Used by the fourth patch to determine whether
it should print certain error messages.)
4) allows the administrator to specify multiple directories
where gssd can look for credentials caches.
* [PATCH 1/4] gssd: read port number from info file if supplied
From: Kevin Coffman @ 2008-05-01 13:35 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
From: Olga Kornievskaia <aglo@citi.umich.edu>
Check the info file information to see if a port number is supplied.
If so, use it rather than the standard port number.
Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---
utils/gssd/gssd.h | 1 +
utils/gssd/gssd_proc.c | 14 ++++++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index e17edde..6f14c34 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -80,6 +80,7 @@ struct clnt_info {
int krb5_poll_index;
int spkm3_fd;
int spkm3_poll_index;
+ int port;
};
void init_client_list(void);
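Review bot: the new `port` member is never initialized by this patch; read_service_info assigns `*port` only when the info file actually carried a port line, and create_auth_rpc_client later tests `if (clp->port)`, so the field silently depends on clnt_info being zero-filled at allocation (calloc or a memset not visible in this series). Set `*port = 0` at the top of read_service_info, or initialize the member where the struct is created, so an info file without a port line cannot leave a stale value that htons() then sends as the port.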
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 6860cc8..bac7295 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -102,7 +102,7 @@ int pollsize; /* the size of pollaray (in pollfd's) */
/* XXX buffer problems: */
static int
read_service_info(char *info_file_name, char **servicename, char **servername,
- int *prog, int *vers, char **protocol) {
+ int *prog, int *vers, char **protocol, int *port) {
#define INFOBUFLEN 256
char buf[INFOBUFLEN];
static char dummy[128];
@@ -112,6 +112,8 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
char program[16];
char version[16];
char protoname[16];
+ char cb_port[128];
+ char *p;
in_addr_t inaddr;
int fd = -1;
struct hostent *ent = NULL;
@@ -143,6 +145,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
goto fail;
}
+ cb_port[0] = '\0';
+ if ((p = strstr(buf, "port")) != NULL)
+ sscanf(p, "port: %127s\n", cb_port);
+
/* check service, program, and version */
if(memcmp(service, "nfs", 3)) return -1;
*prog = atoi(program + 1); /* skip open paren */
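Review bot: `strstr(buf, "port")` searches the whole info buffer rather than a port line, so any earlier field that contains the substring "port" (the server name is read from this same buffer; a host such as `export1` matches) makes the sscanf run against the wrong text, fail to match `"port: "`, and leave cb_port empty, and the real port line is then never looked at. Match the key at the start of a line instead, e.g. `strstr(buf, "\nport:")` or a line-by-line walk with strtok_r, and test that sscanf returned 1 before trusting cb_port.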
@@ -163,6 +169,8 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
if (!(*servicename = calloc(strlen(buf) + 1, 1)))
goto fail;
memcpy(*servicename, buf, strlen(buf));
+ if (cb_port[0] != '\0')
+ *port = atoi(cb_port);
if (!(*protocol = strdup(protoname)))
goto fail;
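Review bot: `*port = atoi(cb_port)` does no validation: atoi returns 0 for non-numeric text (which quietly falls back to the standard port) and accepts negative or oversized values that htons() later truncates to 16 bits. Parse with strtoul and an end-pointer check, reject anything outside 1..65535, and report the malformed line with printerr so a bad info file is visible rather than silently ignored.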
@@ -238,7 +246,7 @@ process_clnt_dir_files(struct clnt_info * clp)
if ((clp->servicename == NULL) &&
read_service_info(info_file_name, &clp->servicename,
&clp->servername, &clp->prog, &clp->vers,
- &clp->protocol))
+ &clp->protocol, &clp->port))
return -1;
return 0;
}
@@ -587,6 +595,8 @@ int create_auth_rpc_client(struct clnt_info *clp,
clp->servername, uid);
goto out_fail;
}
+ if (clp->port)
+ ((struct sockaddr_in *)a->ai_addr)->sin_port = htons(clp->port);
if (a->ai_protocol == IPPROTO_TCP) {
if ((rpc_clnt = clnttcp_create(
(struct sockaddr_in *) a->ai_addr,
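Review bot: the cast to `struct sockaddr_in *` assumes the getaddrinfo result is AF_INET; that matches the clnttcp_create call right below, which also takes a sockaddr_in, but an explicit `a->ai_family == AF_INET` check or a one-line comment would make the IPv4-only assumption visible. A comment is also due on the `if (clp->port)` test: zero means "keep the port getaddrinfo filled in", which is exactly why the member must start out as zero.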
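The port-line parsing from the patch above, reworked as an added example (this is not nfs-utils code and not the authors' own): the key is matched only at the start of a line and the value is range-checked, beside a copy of the strstr/sscanf/atoi approach from the hunk so the two can be compared on the same input. The info-file layout (newline-separated `key: value` lines) is assumed from the hunk, and the sample text, including the server name `export1.example.net` chosen because it contains the substring "port", is constructed for the demonstration.

```c
/* Added example, not nfs-utils code: parse the optional "port:" line of an
 * rpc_pipefs info file strictly, beside the strstr()/sscanf()/atoi() approach
 * of the patch above, so both can be run on the same constructed input.
 * The file layout (newline-separated "key: value" lines) is assumed from the
 * hunk; the sample below is constructed, with a server name that contains
 * the substring "port" on purpose. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PORT_BAD = -1, PORT_ABSENT = 0, PORT_OK = 1 };

static const char SAMPLE_INFO[] =            /* constructed sample */
    "RPC server: export1.example.net\n"
    "service: nfs (100003) version 4 address 192.0.2.10 protocol tcp\n"
    "port: 2049\n";

/* Strict parser: the key must start a line, the value must be a whole
 * decimal number in 1..65535 with nothing else on the line.  *port is
 * always written (0 when no port line exists), so callers need not
 * pre-initialize it. */
int parse_info_port(const char *buf, int *port)
{
    const char *line = buf;

    *port = 0;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len >= 5 && strncmp(line, "port:", 5) == 0) {
            const char *val = line + 5;
            char *end;
            unsigned long n;

            while (*val == ' ' || *val == '\t')
                val++;
            /* require a digit first: rejects "-1", "+5", an empty value,
             * and keeps strtoul from skipping over the newline */
            if (*val < '0' || *val > '9')
                return PORT_BAD;
            errno = 0;
            n = strtoul(val, &end, 10);
            if (errno != 0 || n < 1 || n > 65535)
                return PORT_BAD;
            while (*end == ' ' || *end == '\t' || *end == '\r')
                end++;
            if (*end != '\0' && *end != '\n')  /* trailing garbage */
                return PORT_BAD;
            *port = (int)n;
            return PORT_OK;
        }
        line = eol ? eol + 1 : NULL;
    }
    return PORT_ABSENT;
}

/* The patch's approach, reproduced for comparison: strstr() stops at the
 * "port" inside "export1", sscanf() fails to match "port: " there, and the
 * real port line is never examined, so the caller falls back to the default. */
int naive_info_port(const char *buf)
{
    char cb_port[128] = "";
    const char *p = strstr(buf, "port");

    if (p != NULL)
        sscanf(p, "port: %127s", cb_port);
    return cb_port[0] != '\0' ? atoi(cb_port) : 0;
}

/* Port to connect to: the parsed value, 0 for "use the standard port",
 * -1 when a port line is present but malformed (the caller should reject
 * the info file rather than silently use the default). */
int info_port_or_default(const char *buf)
{
    int port;

    return parse_info_port(buf, &port) == PORT_BAD ? -1 : port;
}

int main(void)
{
    printf("strict parser : %d\n", info_port_or_default(SAMPLE_INFO));
    printf("strstr parser : %d (0 = fell back to the default port)\n",
           naive_info_port(SAMPLE_INFO));
    return 0;
}
```

On the constructed sample the strict parser returns 2049 while the strstr version returns 0, i.e. gssd would have connected to the standard port even though the kernel asked for a different one; on input whose hostnames do not happen to contain "port" both agree.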
* [PATCH 2/4] gssd: add other des encryption types to default list
From: Kevin Coffman @ 2008-05-01 13:35 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
Add the other two DES encryption types to the default list of
Kerberos encryption types that may be negotiated.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---
utils/gssd/krb5_util.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 3cf27ca..0589cd8 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -277,7 +277,9 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
u_int maj_stat, min_stat;
gss_cred_id_t credh;
gss_OID_set_desc desired_mechs;
- krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC };
+ krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_MD4 };
int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
/* We only care about getting a krb5 cred */
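Review bot: nothing records why the default list is restricted to the three single-DES enctypes, or whether array order expresses a preference; add a comment above `enctypes[]` saying so, since the commit message only states that these types "may be negotiated". `num_enctypes` is derived from the array, so no other change is needed.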
* [PATCH 3/4] gssd: add a function to retrieve the current verbosity level
From: Kevin Coffman @ 2008-05-01 13:35 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
Add a new function to retrieve the current verbosity level
so that some messages that would otherwise always print may
be silenced.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---
utils/gssd/err_util.c | 5 +++++
utils/gssd/err_util.h | 1 +
2 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/utils/gssd/err_util.c b/utils/gssd/err_util.c
index 5644db6..2583e06 100644
--- a/utils/gssd/err_util.c
+++ b/utils/gssd/err_util.c
@@ -60,3 +60,8 @@ void printerr(int priority, char *format, ...)
xlog_backend(L_ERROR, format, args);
va_end(args);
}
+
+int get_verbosity(void)
+{
+ return verbosity;
+}
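Review bot: the only caller in this series (limit_krb5_enctypes in patch 4) uses `get_verbosity() > 0` to decide whether to call pgsserr, which re-implements the level test printerr already performs for its callers. Giving pgsserr a priority argument like printerr's would keep the logging policy in one place; if get_verbosity is kept, a one-line comment that it returns the level set by initerr() would help the reader, since initerr's parameter carries the same name.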
diff --git a/utils/gssd/err_util.h b/utils/gssd/err_util.h
index 5e5af48..c4df32d 100644
--- a/utils/gssd/err_util.h
+++ b/utils/gssd/err_util.h
@@ -33,5 +33,6 @@
void initerr(char *progname, int verbosity, int fg);
void printerr(int priority, char *format, ...);
+int get_verbosity(void);
#endif /* _ERR_UTIL_H_ */
* [PATCH 4/4] gssd: search multiple directories for Kerberos credentials
From: Kevin Coffman @ 2008-05-01 13:35 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
From: Vince Busam <vbusam@google.com>
Kerberos credentials may be stored in multiple places. Make it
possible to search several directories for valid credentials when
making NFS requests.
Original patch from Vince Busam <vbusam@google.com>, modified by
Kevin Coffman <kwc@citi.umich.edu>.
Signed-off-by: Vince Busam <vbusam@google.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---
utils/gssd/gssd.c | 10 ++++++++++
utils/gssd/gssd.h | 3 ++-
utils/gssd/gssd.man | 6 +++++-
utils/gssd/gssd_proc.c | 11 ++++++++---
utils/gssd/krb5_util.c | 30 ++++++++++++++++--------------
utils/gssd/krb5_util.h | 3 ++-
6 files changed, 43 insertions(+), 20 deletions(-)
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index bbcad20..e8612a5 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -57,6 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR;
char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR;
char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
+char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
int use_memcache = 0;
int root_uses_machine_creds = 1;
@@ -93,9 +94,11 @@ main(int argc, char *argv[])
int verbosity = 0;
int rpc_verbosity = 0;
int opt;
+ int i;
extern char *optarg;
char *progname;
+ memset(ccachesearch, 0, sizeof(ccachesearch));
while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) {
switch (opt) {
case 'f':
@@ -136,6 +139,13 @@ main(int argc, char *argv[])
break;
}
}
+
+ i = 0;
+ ccachesearch[i++] = strtok(ccachedir, ":");
+ do {
+ ccachesearch[i++] = strtok(NULL, ":");
+ } while (ccachesearch[i-1] != NULL && i < GSSD_MAX_CCACHE_SEARCH);
+
snprintf(pipefs_nfsdir, sizeof(pipefs_nfsdir), "%s/%s",
pipefs_dir, GSSD_SERVICE_NAME);
if (pipefs_nfsdir[sizeof(pipefs_nfsdir)-1] != '\0')
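Review bot: the loop silently drops any directories beyond GSSD_MAX_CCACHE_SEARCH (strtok is no longer called once `i` reaches the limit) and, if the first strtok returns NULL because `-d` was given an empty string, leaves `ccachesearch[0]` NULL, which gssd_get_single_krb5_cred in krb5_util.c later passes to snprintf as a `%s` argument. Emit a printerr when the list is truncated, and refuse an empty list (or fall back to GSSD_DEFAULT_CRED_DIR) before going on. Worth a comment too: strtok rewrites `ccachedir` in place, which is why the extern for it is dropped from gssd.h.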
diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index 6f14c34..0f9f428 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -50,6 +50,7 @@
#define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab"
#define GSSD_SERVICE_NAME "nfs"
#define GSSD_SERVICE_NAME_LEN 3
+#define GSSD_MAX_CCACHE_SEARCH 16
/*
* The gss mechanisms that we can handle
@@ -61,7 +62,7 @@ enum {AUTHTYPE_KRB5, AUTHTYPE_SPKM3, AUTHTYPE_LIPKEY};
extern char pipefs_dir[PATH_MAX];
extern char pipefs_nfsdir[PATH_MAX];
extern char keytabfile[PATH_MAX];
-extern char ccachedir[PATH_MAX];
+extern char *ccachesearch[];
extern int use_memcache;
extern int root_uses_machine_creds;
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index 2fa749e..8fa4f4a 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -74,7 +74,11 @@ where to look for the rpc_pipefs filesystem. The default value is
.B -d directory
Tells
.B rpc.gssd
-where to look for kerberos credential files. The default value is "/tmp".
+where to look for Kerberos credential files. The default value is "/tmp".
+This can also be a colon separated list of directories to be searched
+for Kerberos credential files. Note that if machine credentials are being
+stored in files, then the first directory on this list is where the
+machine credentials are stored.
.TP
.B -v
Increases the verbosity of the output (can be specified multiple times).
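Review bot: the man page should also state that the directories are tried in the order given, that the first one yielding a usable credentials cache wins, and that at most GSSD_MAX_CCACHE_SEARCH (16) entries are honoured; the code enforces all three, but an administrator cannot learn any of them from this text.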
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index bac7295..be6f440 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -685,6 +685,7 @@ handle_krb5_upcall(struct clnt_info *clp)
gss_buffer_desc token;
char **credlist = NULL;
char **ccname;
+ char **dirname;
int create_resp = -1;
printerr(1, "handling krb5 upcall\n");
@@ -701,10 +702,14 @@ handle_krb5_upcall(struct clnt_info *clp)
if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
/* Tell krb5 gss which credentials cache to use */
- gssd_setup_krb5_user_gss_ccache(uid, clp->servername);
+ for (dirname = ccachesearch; *dirname != NULL; dirname++) {
+ gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
- create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
- AUTHTYPE_KRB5);
+ create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
+ AUTHTYPE_KRB5);
+ if (create_resp == 0)
+ break;
+ }
}
if (create_resp != 0) {
if (uid == 0 && root_uses_machine_creds == 1) {
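Review bot: when every directory in ccachesearch fails for a non-root uid, the loop leaves nothing at verbosity 0 to say why, because the gss_acquire_cred error that used to be printed is now suppressed below level 1 in krb5_util.c; add a single printerr after the loop naming the uid, server and the directories searched, so the common misconfiguration (cache in a directory not on the list) is diagnosable without raising verbosity.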
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 0589cd8..512c1cf 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -131,7 +131,8 @@ struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
/*==========================*/
static int select_krb5_ccache(const struct dirent *d);
-static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
+static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
+ struct dirent **d);
static int gssd_get_single_krb5_cred(krb5_context context,
krb5_keytab kt, struct gssd_k5_kt_princ *ple);
@@ -159,7 +160,7 @@ select_krb5_ccache(const struct dirent *d)
}
/*
- * Look in the ccachedir for files that look like they
+ * Look in directory "dirname" for files that look like they
* are Kerberos Credential Cache files for a given UID. Return
* non-zero and the dirent pointer for the entry most likely to be
* what we want. Otherwise, return zero and no dirent pointer.
@@ -170,7 +171,7 @@ select_krb5_ccache(const struct dirent *d)
* 1 => found an existing entry
*/
static int
-gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
+gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
{
struct dirent **namelist;
int n;
@@ -181,9 +182,10 @@ gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
memset(&best_match_stat, 0, sizeof(best_match_stat));
*d = NULL;
- n = scandir(ccachedir, &namelist, select_krb5_ccache, 0);
+ n = scandir(dirname, &namelist, select_krb5_ccache, 0);
if (n < 0) {
- perror("scandir looking for krb5 credentials caches");
+ printerr(1, "Error doing scandir on directory '%s': %s\n",
+ dirname, strerror(errno));
}
else if (n > 0) {
char statname[1024];
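Review bot: with a multi-directory search path a missing directory becomes an expected condition on every upcall, so dropping perror in favour of a level-1 printerr is right, but ENOENT and EACCES are now reported identically; a directory that exists and that gssd cannot read is a misconfiguration the administrator wants at level 0, while ENOENT can stay quiet. Test errno before choosing the priority.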
@@ -191,7 +193,7 @@ gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
printerr(3, "CC file '%s' being considered\n",
namelist[i]->d_name);
snprintf(statname, sizeof(statname),
- "%s/%s", ccachedir, namelist[i]->d_name);
+ "%s/%s", dirname, namelist[i]->d_name);
if (lstat(statname, &tmp_stat)) {
printerr(0, "Error doing stat on file '%s'\n",
statname);
@@ -291,8 +293,9 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
&credh, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_acquire_cred",
- maj_stat, min_stat, &krb5oid);
+ if (get_verbosity() > 0)
+ pgsserr("gss_acquire_cred",
+ maj_stat, min_stat, &krb5oid);
return -1;
}
@@ -406,7 +409,7 @@ gssd_get_single_krb5_cred(krb5_context context,
cache_type = "FILE";
snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s",
cache_type,
- ccachedir, GSSD_DEFAULT_CRED_PREFIX,
+ ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
ple->endtime = my_creds.times.endtime;
if (ple->ccname != NULL)
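Review bot: machine credentials are always written to `ccachesearch[0]`, as the man page change says, but this line has no guard against the list being empty; the check belongs where the list is built in gssd.c, and a comment here naming the invariant (ccachesearch[0] is non-NULL and is the first `-d` directory) would save the next reader a trip to main().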
@@ -894,7 +897,7 @@ out:
* void
*/
void
-gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
+gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirname)
{
char buf[MAX_NETOBJ_SZ];
struct dirent *d;
@@ -902,14 +905,13 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
printerr(2, "getting credentials for client with uid %u for "
"server %s\n", uid, servername);
memset(buf, 0, sizeof(buf));
- if (gssd_find_existing_krb5_ccache(uid, &d)) {
- snprintf(buf, sizeof(buf), "FILE:%s/%s",
- ccachedir, d->d_name);
+ if (gssd_find_existing_krb5_ccache(uid, dirname, &d)) {
+ snprintf(buf, sizeof(buf), "FILE:%s/%s", dirname, d->d_name);
free(d);
}
else
snprintf(buf, sizeof(buf), "FILE:%s/%s%u",
- ccachedir, GSSD_DEFAULT_CRED_PREFIX, uid);
+ dirname, GSSD_DEFAULT_CRED_PREFIX, uid);
printerr(2, "using %s as credentials cache for client with "
"uid %u for server %s\n", buf, uid, servername);
gssd_set_krb5_ccache_name(buf);
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index 78ad45c..431fdaf 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -17,7 +17,8 @@ struct gssd_k5_kt_princ {
};
-void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername);
+void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername,
+ char *dirname);
int gssd_get_krb5_machine_cred_list(char ***list);
void gssd_free_krb5_machine_cred_list(char **list);
void gssd_setup_krb5_machine_gss_ccache(char *servername);
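Bounded parsing of the colon-separated `-d` list from the patch above, as an added example (not nfs-utils code and not the authors' own): a NULL-terminated list with a fixed maximum, mirroring GSSD_MAX_CCACHE_SEARCH under the assumed name MAX_CCACHE_SEARCH, that skips empty components, counts rather than silently drops entries beyond the limit, refuses an empty list so the first entry (where the patch keeps machine credentials) can never be NULL, and applies the patch's try-in-order policy to the directories themselves. All inputs are constructed; strtok is avoided because it rewrites its argument and is not reentrant.

```c
/* Added example, not nfs-utils code: split a colon-separated credentials
 * cache search path (the -d argument of the patch above) into a bounded,
 * NULL-terminated list.  MAX_CCACHE_SEARCH mirrors the patch's
 * GSSD_MAX_CCACHE_SEARCH; the edge cases handled explicitly are
 *   - more entries than fit: counted in .truncated instead of dropped silently
 *   - empty components ("a::b", a trailing ':'): skipped
 *   - an empty argument: rejected, so dirs[0] (where the patch keeps machine
 *     credentials) is never NULL.
 * strtok() is not used because it rewrites its input and is not reentrant.
 * All inputs in main() are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_CCACHE_SEARCH 16

struct ccsearch {
    char *dirs[MAX_CCACHE_SEARCH + 1];  /* NULL-terminated, like ccachesearch[] */
    int count;                          /* entries stored */
    int truncated;                      /* entries beyond the limit, ignored */
};

void ccsearch_free(struct ccsearch *cs)
{
    int i;

    for (i = 0; i < cs->count; i++)
        free(cs->dirs[i]);
    memset(cs, 0, sizeof(*cs));
}

/* Returns the number of directories stored, or -1 if none (empty spec or
 * only separators) or on allocation failure. */
int ccsearch_parse(const char *spec, struct ccsearch *cs)
{
    const char *p = spec;

    memset(cs, 0, sizeof(*cs));
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len > 0) {
            if (cs->count < MAX_CCACHE_SEARCH) {
                char *dir = malloc(len + 1);

                if (dir == NULL) {
                    ccsearch_free(cs);
                    return -1;
                }
                memcpy(dir, p, len);
                dir[len] = '\0';
                cs->dirs[cs->count++] = dir;
            } else {
                cs->truncated++;        /* report, do not silently drop */
            }
        }
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    cs->dirs[cs->count] = NULL;
    return cs->count > 0 ? cs->count : -1;
}

/* The patch's "try in order, first hit wins" policy applied to the
 * directories themselves: the first one that exists and that this process
 * can read and search, or NULL when none qualifies. */
const char *ccsearch_first_usable(const struct ccsearch *cs)
{
    int i;

    for (i = 0; i < cs->count; i++) {
        struct stat st;

        if (stat(cs->dirs[i], &st) == 0 && S_ISDIR(st.st_mode) &&
            access(cs->dirs[i], R_OK | X_OK) == 0)
            return cs->dirs[i];
    }
    return NULL;
}

int main(int argc, char **argv)
{
    /* constructed default: two directories, an empty field, a trailing ':' */
    const char *spec = argc > 1 ? argv[1] : "/tmp:/run/user/1000::/var/tmp:";
    struct ccsearch cs;
    const char *usable;
    int i;

    if (ccsearch_parse(spec, &cs) < 0) {
        fprintf(stderr, "credentials cache search list is empty\n");
        return 1;
    }
    if (cs.truncated)
        fprintf(stderr, "warning: %d entries beyond the limit of %d ignored\n",
                cs.truncated, MAX_CCACHE_SEARCH);
    for (i = 0; i < cs.count; i++)
        printf("search[%d] = %s\n", i, cs.dirs[i]);
    printf("machine credentials would go to %s\n", cs.dirs[0]);
    usable = ccsearch_first_usable(&cs);
    printf("first usable directory: %s\n", usable ? usable : "(none)");
    ccsearch_free(&cs);
    return 0;
}
```

Run it with no argument to see the constructed default split into three entries, or pass a list of more than sixteen directories to see the truncation warning that the patch's strtok loop never emits.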
* Re: [PATCH 0/4] nfs-utils gssd
From: Steve Dickson @ 2008-05-08 8:58 UTC (permalink / raw)
To: Kevin Coffman; +Cc: linux-nfs
Kevin Coffman wrote:
> Hi Steve,
> These have all been sent before, with various levels of formality,
> but haven't made it into git yet.
>
> 1) adds code to gssd to read a possible alternate port number
> from the info file.
>
> 2) adds the "other" DES encryption types to the default list that
> can currently be negotiated.
>
> 3) adds a utility function to retrieve the current logging
> verbosity. (Used by the fourth patch to determine whether
> it should print certain error messages.)
>
> 4) allows the administrator to specify multiple directories
> where gssd can look for credentials caches.
Committed... thanks...
steved.