* [PATCH] svcgssd: Adding a <-p principal> flag
@ 2010-09-28 6:36 Eberhard Kuemmerle
From: Eberhard Kuemmerle @ 2010-09-28 6:36 UTC (permalink / raw)
To: linux-nfs; +Cc: Steve Dickson
Hello Steve,
we use a two-node cluster (pacemaker, corosync, drbd) as nfs-server.
We configured a virtual cluster-IP (using ocf::heartbeat:IPaddr2, iptables CLUSTERIP),
i.e. the nfs clients call the server as OurClusterIP.OurDomain.de while the real hostnames of the servers are
OurServer1.OurDomain.de and OurServer2.OurDomain.de.
When I tried to use the mount option krb5, svcgssd denied the mount with the message:
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request
I patched svcgssd so that we can specify the principal to use as an option:
svcgssd -p nfs/OurClusterIP.OurDomain.de
Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle@fz-juelich.de>
Here comes the code patch:
**************************************************
diff -rupN nfs-utils-1.2.1/utils/gssd/gssd.h nfs-utils-1.2.1_mod/utils/gssd/gssd.h
--- nfs-utils-1.2.1/utils/gssd/gssd.h 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/gssd.h 2010-09-27 08:25:31.000000000 +0200
@@ -90,7 +90,6 @@ void init_client_list(void);
int update_client_list(void);
void handle_krb5_upcall(struct clnt_info *clp);
void handle_spkm3_upcall(struct clnt_info *clp);
-int gssd_acquire_cred(char *server_name);
void gssd_run(void);
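Review bot: removing the gssd_acquire_cred() prototype from gssd.h is only safe if every caller that used to get it from gssd.h also includes gss_util.h, where the updated two-argument prototype lives; otherwise the call compiles as an implicit declaration with the old one-argument shape and the mismatch is silent. A build with -Wimplicit-function-declaration (or a grep for the callers) before applying would settle it.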
diff -rupN nfs-utils-1.2.1/utils/gssd/gss_util.c nfs-utils-1.2.1_mod/utils/gssd/gss_util.c
--- nfs-utils-1.2.1/utils/gssd/gss_util.c 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/gss_util.c 2010-09-27 08:14:47.000000000 +0200
@@ -191,7 +191,7 @@ pgsserr(char *msg, u_int32_t maj_stat, u
}
int
-gssd_acquire_cred(char *server_name)
+gssd_acquire_cred(char *server_name, const gss_OID oid)
{
gss_buffer_desc name;
gss_name_t target_name;
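Review bot: the new `oid` parameter is the whole point of the patch (a host-based service name that the mechanism resolves against the local host, versus a principal taken literally), so a one-line comment on gssd_acquire_cred() stating which name types are expected would spare the next reader a trip to svcgssd.c. `server_name` also no longer describes a literal principal; `name` would.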
@@ -203,7 +203,7 @@ gssd_acquire_cred(char *server_name)
name.length = strlen(server_name);
maj_stat = gss_import_name(&min_stat, &name,
- (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
+ oid,
&target_name);
if (maj_stat != GSS_S_COMPLETE) {
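Review bot: passing `oid` straight through and dropping the cast is fine, but the error branch that begins at the last context line now reports a failure whose cause depends on the caller's name type; make sure its message includes the name that was imported and, ideally, which name type was used, since "Wrong principal" style failures are hard to diagnose from a generic message.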
diff -rupN nfs-utils-1.2.1/utils/gssd/gss_util.h nfs-utils-1.2.1_mod/utils/gssd/gss_util.h
--- nfs-utils-1.2.1/utils/gssd/gss_util.h 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/gss_util.h 2010-09-27 08:22:11.000000000 +0200
@@ -37,7 +37,7 @@
extern gss_cred_id_t gssd_creds;
-int gssd_acquire_cred(char *server_name);
+int gssd_acquire_cred(char *server_name, const gss_OID oid);
void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat,
const gss_OID mech);
int gssd_check_mechs(void);
diff -rupN nfs-utils-1.2.1/utils/gssd/svcgssd.c nfs-utils-1.2.1_mod/utils/gssd/svcgssd.c
--- nfs-utils-1.2.1/utils/gssd/svcgssd.c 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/svcgssd.c 2010-09-27 15:48:47.000000000 +0200
@@ -167,7 +167,7 @@ sig_hup(int signal)
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-P principal]\n",
progname);
exit(1);
}
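Review bot: the option letter here is upper-case -P, but the subject line and the cover letter say "-p" and "svcgssd -p nfs/..."; pick one, bearing in mind that lower-case -p is the pipefsdir option being retired in the next hunk. The usage string also lists -n, which the SYNOPSIS in the man page patch of this series does not; the two should agree.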
@@ -183,8 +183,9 @@ main(int argc, char *argv[])
int opt;
extern char *optarg;
char *progname;
+ char *principal = NULL;
- while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
+ while ((opt = getopt(argc, argv, "fivrnP:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
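Review bot: changing "fivrnp:" to "fivrnP:" silently stops accepting -p, so an existing invocation with "-p dir" now falls into the default case and exits via usage(). That is the right outcome if -p really was dead, but it is a behaviour change the commit message should state, and any leftover case 'p' in the switch becomes unreachable and should be removed in the same patch.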
@@ -201,6 +202,9 @@ main(int argc, char *argv[])
case 'r':
rpc_verbosity++;
break;
+ case 'P':
+ principal = optarg;
+ break;
default:
usage(argv[0]);
break;
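Review bot: `principal = optarg` accepts anything, including an empty string, which then reaches gss_import_name() with a zero-length name and fails with a less helpful diagnostic than usage() would give; a guard such as `if (!*optarg) usage(argv[0]);` at this point is cheap.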
@@ -244,7 +248,9 @@ main(int argc, char *argv[])
signal(SIGTERM, sig_die);
signal(SIGHUP, sig_hup);
- if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
+ if (get_creds && !(principal
+ ? gssd_acquire_cred(principal, GSS_C_NT_USER_NAME)
+ : gssd_acquire_cred(GSSD_SERVICE_NAME, GSS_C_NT_HOSTBASED_SERVICE))) {
printerr(0, "unable to obtain root (machine) credentials\n");
printerr(0, "do you have a keytab entry for "
"nfs/<your.host>@<YOUR.REALM> in "
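Review bot: the hint printed on failure still says "do you have a keytab entry for nfs/<your.host>@<YOUR.REALM>" even when -P was given, which is exactly the case where that advice is wrong; print the principal that was actually requested. It is also worth documenting that with GSS_C_NT_USER_NAME the string is parsed as a Kerberos principal as given: a missing "@REALM" gets the default realm from krb5.conf, and nothing canonicalises the host part, which is what lets the cluster name work here.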
**************************************************
And here is the man page patch.
I removed the old option [-p pipefsdir] from the man page because it is
obviously removed in the code.
**************************************************
diff -rupN nfs-utils-1.2.1/utils/gssd/svcgssd.man nfs-utils-1.2.1_mod/utils/gssd/svcgssd.man
--- nfs-utils-1.2.1/utils/gssd/svcgssd.man 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/svcgssd.man 2010-09-27 16:01:28.000000000 +0200
@@ -6,7 +6,7 @@
.SH NAME
rpc.svcgssd \- server-side rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-P principal]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
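Review bot: [-p pipefsdir] is removed from the SYNOPSIS only; if the OPTIONS section still carries a .B -p entry describing pipefsdir, it needs to go in the same patch. The SYNOPSIS also omits -n, which the usage() string in svcgssd.c lists.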
@@ -35,9 +35,12 @@ increases the verbosity of the output (c
.B -i
If the nfsidmap library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -P
+Use \fIprincipal\fR instead of the default nfs/host.domain.
.SH SEE ALSO
-.BR rpc.gssd(8),
+.BR rpc.gssd(8)
.SH AUTHORS
.br
Dug Song <dugsong@umich.edu>
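Review bot: the -P description should say what "principal" means in practice: the name is imported literally rather than as a host-based service name, "@REALM" may be omitted (the default realm applies), and a matching entry must exist in the keytab the daemon reads. The SEE ALSO comma fix is unrelated cleanup; fine to keep, but mention it in the commit message.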
**************************************************
Signed-off-by: Eberhard Kuemmerle <e.kuemmerle@fz-juelich.de>
Best regards,
Eberhard
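A pre-flight check for the setup described in this message, added here as an example and not part of the patch or of nfs-utils: it applies the same realm defaulting that a literal principal import does and then looks for that principal in a `klist -k` listing, so a node can be checked before `rpc.svcgssd -P` is started on it. The keytab listing and the realm OURDOMAIN.DE are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the patch or of nfs-utils. Before starting
# "rpc.svcgssd -P nfs/<cluster-name>", verify that the keytab the daemon
# reads really holds that principal. A literal principal import fills in a
# missing "@REALM" with the default realm, so we qualify the name the same
# way before comparing. All input below is constructed sample data.

# Append the default realm ($2) when the principal ($1) carries none.
qualify_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# $1: text of "klist -k" output, $2: fully qualified principal.
# Data lines start with a numeric KVNO; header lines are skipped.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: a node whose keytab has only its own host principal,
# not the cluster one that -P would select.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 nfs/OurServer1.OurDomain.de@OURDOMAIN.DE
   3 host/OurServer1.OurDomain.de@OURDOMAIN.DE'

# Return 0 when "svcgssd -P $1" could acquire credentials from keytab
# listing $3 (realm $2 is used when $1 has none), 1 with a diagnostic otherwise.
check_cluster_principal() {
    want=$(qualify_principal "$1" "$2")
    if keytab_has_principal "$3" "$want"; then
        echo "ok: keytab has $want"
        return 0
    fi
    echo "missing: no keytab entry for $want; svcgssd -P $1 would fail" >&2
    return 1
}

# Demo on the sample: the node's own principal passes, the cluster one fails.
# On a real node: check_cluster_principal nfs/cluster.fqdn REALM "$(klist -k)"
check_cluster_principal nfs/OurServer1.OurDomain.de OURDOMAIN.DE "$SAMPLE_KEYTAB"
check_cluster_principal nfs/OurClusterIP.OurDomain.de OURDOMAIN.DE "$SAMPLE_KEYTAB" || :
```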
* Re: [PATCH] svcgssd: Adding a <-p principal> flag
@ 2010-09-28 12:06 ` Steve Dickson
From: Steve Dickson @ 2010-09-28 12:06 UTC (permalink / raw)
To: Eberhard Kuemmerle; +Cc: linux-nfs
On 09/28/2010 02:36 AM, Eberhard Kuemmerle wrote:
> Hello Steve,
>
> we use a two-node cluster (pacemaker, corosync, drbd) as nfs-server.
> We configured a virtual cluster-IP (using ocf::heartbeat:IPaddr2, iptables CLUSTERIP),
> i.e. the nfs clients call the server as OurClusterIP.OurDomain.de while the real hostnames of the servers are
> OurServer1.OurDomain.de and OurServer2.OurDomain.de.
>
> If I tried to use the mount option krb5, svcgssd denied the mount with the message:
> ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request
>
> I patched svcgssd that we can specify the principal to use as an option:
> svcgssd -p nfs/OurClusterIP.OurDomain.de
>
> Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
>
> Here comes the code patch:
Committed...
steved.