public inbox for linux-nfs@vger.kernel.org
From: Steve Dickson <SteveD@redhat.com>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH] libnfsidmap: debug log when local Realms are not found
Date: Fri, 05 Jun 2009 11:12:52 -0400
Message-ID: <4A2935F4.8040702@RedHat.com>

Hey Kevin,

When the krb5 realm and the DNS domain name are not
the same and the 'Local-Realm' variable is not
set (or set incorrectly) in /etc/idmapd.conf, it
causes the krb5 mounted file system to be inaccessible
by any and all users, which is the right thing to do.

But, the problem is, there is no reason logged as
to why all users are being denied access, with
or without debug enabled.

This patch will log, with debug enabled, when the
krb5 realm cannot be used since it does not match
the DNS domain name or the 'Local-Realm' variable
defined in /etc/idmapd.conf.

Signed-off-by: Steve Dickson <steved@redhat.com>
---------------------------------

diff -up libnfsidmap/nss.c.orig libnfsidmap/nss.c
--- libnfsidmap/nss.c.orig	2009-04-13 14:46:17.000000000 -0400
+++ libnfsidmap/nss.c	2009-06-05 10:37:46.000000000 -0400
@@ -298,9 +298,11 @@ static int nss_gss_princ_to_ids(char *se
 			break;
 		}
 	}
-	if (!found)
+	if (!found) {
+		IDMAP_LOG(1, ("nss_gss_princ_to_ids: Local-Realm '%s': NOT FOUND", 
+			princ_realm));
 		return -ENOENT;
-
+	}
 	/* XXX: this should call something like getgssauthnam instead? */
 	pw = nss_getpwnam(princ, NULL, &err);
 	if (pw == NULL) {
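Review bot: The message in the new IDMAP_LOG call under `if (!found)` reads "Local-Realm '%s': NOT FOUND", but the value printed is princ_realm, the realm taken from the principal, not the configured Local-Realm setting. An admin reading the log could take the quoted string for the value in /etc/idmapd.conf. Wording along the lines of "realm '%s' does not match any local realm" would say what was actually compared, and including princ alongside it would show which principal was rejected. The call logs at level 1, so by default the -ENOENT return that locks out every user is still silent. That matches the description, but the changelog could say why a lower level was not chosen. Minor: the first added line has trailing whitespace after the comma, and the hunk drops the blank line that separated the check from the XXX comment.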
