* [PATCH] svcgssd: Adding a <-p principal> flag
@ 2010-09-28 6:36 Eberhard Kuemmerle
From: Eberhard Kuemmerle @ 2010-09-28 6:36 UTC
To: linux-nfs; +Cc: Steve Dickson
Hello Steve,
we use a two-node cluster (pacemaker, corosync, drbd) as an NFS server.
We configured a virtual cluster IP (using ocf::heartbeat:IPaddr2, iptables CLUSTERIP),
i.e. the NFS clients call the server OurClusterIP.OurDomain.de, while the real hostnames of the servers are
OurServer1.OurDomain.de and OurServer2.OurDomain.de.
When I tried to use the mount option krb5, svcgssd denied the mount with the message:
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request
I patched svcgssd so that we can specify the principal to use as an option:
svcgssd -p nfs/OurClusterIP.OurDomain.de
Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle@fz-juelich.de>
Here comes the code patch:
**************************************************
diff -rupN nfs-utils-1.2.1/utils/gssd/gssd.h nfs-utils-1.2.1_mod/utils/gssd/gssd.h
--- nfs-utils-1.2.1/utils/gssd/gssd.h 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/gssd.h 2010-09-27 08:25:31.000000000 +0200
@@ -90,7 +90,6 @@ void init_client_list(void);
int update_client_list(void);
void handle_krb5_upcall(struct clnt_info *clp);
void handle_spkm3_upcall(struct clnt_info *clp);
-int gssd_acquire_cred(char *server_name);
void gssd_run(void);
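Review bot: with the prototype dropped from gssd.h, every file that calls gssd_acquire_cred() must now pick up the declaration from gss_util.h; the patch updates no caller other than svcgssd.c, so please confirm nothing else under utils/gssd/ relied on gssd.h for it (an implicit declaration would still compile with a warning and call the function with the old single argument). The duplicate-prototype cleanup is also independent of the -P feature and would be easier to review as its own patch.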
diff -rupN nfs-utils-1.2.1/utils/gssd/gss_util.c nfs-utils-1.2.1_mod/utils/gssd/gss_util.c
--- nfs-utils-1.2.1/utils/gssd/gss_util.c 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/gss_util.c 2010-09-27 08:14:47.000000000 +0200
@@ -191,7 +191,7 @@ pgsserr(char *msg, u_int32_t maj_stat, u
}
int
-gssd_acquire_cred(char *server_name)
+gssd_acquire_cred(char *server_name, const gss_OID oid)
{
gss_buffer_desc name;
gss_name_t target_name;
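Review bot: the new parameter is a GSS name type, not a mechanism OID, so `oid` is a misleading name; `name_type` would say what it is and match the gss_import_name() argument it is forwarded to. Note also that `const gss_OID` makes the pointer itself const rather than the pointed-to gss_OID_desc, because gss_OID is already a pointer typedef; this matches the existing `pgsserr(..., const gss_OID mech)` declaration in gss_util.h, so it is consistent with the file, just not the protection the const suggests.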
@@ -203,7 +203,7 @@ gssd_acquire_cred(char *server_name)
name.length = strlen(server_name);
maj_stat = gss_import_name(&min_stat, &name,
- (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
+ oid,
&target_name);
if (maj_stat != GSS_S_COMPLETE) {
diff -rupN nfs-utils-1.2.1/utils/gssd/gss_util.h nfs-utils-1.2.1_mod/utils/gssd/gss_util.h
--- nfs-utils-1.2.1/utils/gssd/gss_util.h 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/gss_util.h 2010-09-27 08:22:11.000000000 +0200
@@ -37,7 +37,7 @@
extern gss_cred_id_t gssd_creds;
-int gssd_acquire_cred(char *server_name);
+int gssd_acquire_cred(char *server_name, const gss_OID oid);
void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat,
const gss_OID mech);
int gssd_check_mechs(void);
diff -rupN nfs-utils-1.2.1/utils/gssd/svcgssd.c nfs-utils-1.2.1_mod/utils/gssd/svcgssd.c
--- nfs-utils-1.2.1/utils/gssd/svcgssd.c 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/svcgssd.c 2010-09-27 15:48:47.000000000 +0200
@@ -167,7 +167,7 @@ sig_hup(int signal)
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-P principal]\n",
progname);
exit(1);
}
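Review bot: the option letter implemented here is uppercase -P, but the subject line and the example invocation in the mail (`svcgssd -p nfs/OurClusterIP.OurDomain.de`) both say -p; one of them needs fixing, preferably the subject and description, since lowercase -p was the old pipefsdir option. While usage() is being edited: it lists -n, which the man page SYNOPSIS changed further down still omits.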
@@ -183,8 +183,9 @@ main(int argc, char *argv[])
int opt;
extern char *optarg;
char *progname;
+ char *principal = NULL;
- while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
+ while ((opt = getopt(argc, argv, "fivrnP:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
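Review bot: replacing `p:` with `P:` in the getopt string means an init script still passing the old `-p pipefsdir` now gets an "invalid option" complaint from getopt and then usage(), instead of silently consuming the argument and reaching usage() via `default:`; the end result is the same exit, but removing the last trace of a previously documented option should be stated in the commit message rather than left implicit.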
@@ -201,6 +202,9 @@ main(int argc, char *argv[])
case 'r':
rpc_verbosity++;
break;
+ case 'P':
+ principal = optarg;
+ break;
default:
usage(argv[0]);
break;
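Review bot: `principal = optarg` accepts an empty string (`-P ""`), which then reaches gss_import_name() with a zero-length name and fails with a far less helpful error than a usage message; reject an empty optarg here. Also, -P is only consulted when get_creds is set (see the condition in the last hunk), so `-n -P principal` silently ignores the principal; either warn, or document that -n overrides -P.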
@@ -244,7 +248,9 @@ main(int argc, char *argv[])
signal(SIGTERM, sig_die);
signal(SIGHUP, sig_hup);
- if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
+ if (get_creds && !(principal
+ ? gssd_acquire_cred(principal, GSS_C_NT_USER_NAME)
+ : gssd_acquire_cred(GSSD_SERVICE_NAME, GSS_C_NT_HOSTBASED_SERVICE))) {
printerr(0, "unable to obtain root (machine) credentials\n");
printerr(0, "do you have a keytab entry for "
"nfs/<your.host>@<YOUR.REALM> in "
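Review bot: the failure hint that follows still says `nfs/<your.host>@<YOUR.REALM>`, which is wrong advice when -P was given; print the principal actually requested (`principal ? principal : GSSD_SERVICE_NAME`) so the operator checks the right keytab entry. The two branches also import names of different types: the -P value is parsed as a full Kerberos principal (GSS_C_NT_USER_NAME, realm defaulting to the local one), while the default path stays a host-based service name, so the expected form `nfs/host.domain[@REALM]` needs to be spelled out in the man page. Finally, the nested ternary inside the `if` is hard to read; computing `name` and `name_type` into two locals before the `if` would keep the condition a single call.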
**************************************************
And here is the man page patch.
I removed the old option [-p pipefsdir] from the man page because it is
obviously removed in the code.
**************************************************
diff -rupN nfs-utils-1.2.1/utils/gssd/svcgssd.man nfs-utils-1.2.1_mod/utils/gssd/svcgssd.man
--- nfs-utils-1.2.1/utils/gssd/svcgssd.man 2009-11-04 12:13:56.000000000 +0100
+++ nfs-utils-1.2.1_mod/utils/gssd/svcgssd.man 2010-09-27 16:01:28.000000000 +0200
@@ -6,7 +6,7 @@
.SH NAME
rpc.svcgssd \- server-side rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-P principal]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
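Review bot: dropping `[-p pipefsdir]` from the SYNOPSIS documents the removal of an option the code no longer handles (the getopt string had `p:` but no `case 'p'`), which is a separate fix from adding -P and belongs in the commit message. The SYNOPSIS is also still missing `-n`, which usage() in svcgssd.c advertises; worth adding while the line is being edited.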
@@ -35,9 +35,12 @@ increases the verbosity of the output (c
.B -i
If the nfsidmap library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -P
+Use \fIprincipal\fR instead of the default nfs/host.domain.
.SH SEE ALSO
-.BR rpc.gssd(8),
+.BR rpc.gssd(8)
.SH AUTHORS
.br
Dug Song <dugsong@umich.edu>
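Review bot: `.B -P` should show its argument (`.BI -P " principal"`) like the other options that take a parameter, and the one-line description should say what form is expected: a Kerberos principal such as `nfs/host.domain@REALM`, with the realm defaulting to the local default realm, for which a key must exist in the keytab (the error path in svcgssd.c already points operators at that keytab entry). Without this, `-P host.domain` without the `nfs/` part is a plausible misreading. The trailing-comma fix in SEE ALSO is an unrelated cleanup; fine to keep, but mention it.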
**************************************************
Signed-off-by: Eberhard Kuemmerle <e.kuemmerle@fz-juelich.de>
Best regards,
Eberhard
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, no. HR B 3498
Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
Management: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
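The following is an added example, not code from nfs-utils, from the patch, or from the poster. It models the acceptor-side principal check behind the "Wrong principal in request" failure described in the message, using the two GSS-API name types the patch switches between: the default host-based service name "nfs" (host filled in from the machine's own canonical name) and a -P value parsed as a full Kerberos principal. The parsing rules, the realm and host names, and the keytab contents are constructed assumptions chosen to mirror the cluster setup in the mail; they are a simplification of the Kerberos mechanism, not its implementation.

```python
# Added example, not code from nfs-utils or from the patch. Models why the default
# acceptor name fails behind a cluster alias and why naming the principal fixes it.
# Name-type parsing rules below are assumptions simplified from the Kerberos
# mechanism; hosts, realm and keytab entries are constructed sample data.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A Kerberos service principal, service/host@REALM."""
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def import_hostbased_service(name: str, local_fqdn: str, default_realm: str) -> Principal:
    """GSS_C_NT_HOSTBASED_SERVICE: "service[@host]".

    Assumed behaviour of the acceptor this thread is about: when the host part
    is empty (svcgssd passes just "nfs"), the mechanism fills in the machine's
    own canonical host name, lower-cased, in the default realm.
    """
    service, _, host = name.partition("@")
    return Principal(service, (host or local_fqdn).lower(), default_realm)


def import_user_name(name: str, default_realm: str) -> Principal:
    """GSS_C_NT_USER_NAME: the string is a Kerberos principal "service/host[@REALM]";
    a missing realm means the default realm. This is what -P feeds to gss_import_name()."""
    body, _, realm = name.partition("@")
    service, _, host = body.partition("/")
    if not service or not host:
        raise ValueError(f"not a service principal: {name!r}")
    return Principal(service, host.lower(), realm or default_realm)


def svcgssd_acceptor_name(principal_opt: Optional[str], local_fqdn: str, default_realm: str) -> Principal:
    """Mirror of the patched condition in svcgssd main(): -P selects a user-name
    import, otherwise the default host-based "nfs" import."""
    if principal_opt:
        return import_user_name(principal_opt, default_realm)
    return import_hostbased_service("nfs", local_fqdn, default_realm)


def client_target_name(mounted_host: str, default_realm: str) -> Principal:
    """The server principal the client side asks the KDC for: nfs/<name it mounted>."""
    return Principal("nfs", mounted_host.lower(), default_realm)


def keytab_has(keytab: Tuple[str, ...], principal: Principal) -> bool:
    """Whether the acceptor can find a key for its own principal (klist -kt style entries)."""
    return str(principal) in keytab


def accept_sec_context(acceptor: Principal, keytab: Tuple[str, ...],
                       ticket_server: Principal) -> Tuple[bool, str]:
    """Simplified acceptor check: the acceptor needs a key for its principal, and the
    service ticket the client presents must be for exactly that principal."""
    if not keytab_has(keytab, acceptor):
        return False, "no keytab entry for acceptor principal " + str(acceptor)
    if ticket_server != acceptor:
        return False, "Wrong principal in request"
    return True, "GSS_S_COMPLETE"


# Constructed environment modelled on the message: two real nodes, one cluster
# alias, keys for all three in the keytab (sample data, not a real keytab).
REALM = "OURDOMAIN.DE"
NODE1 = "OurServer1.OurDomain.de"
CLUSTER = "OurClusterIP.OurDomain.de"
KEYTAB = (
    "nfs/ourserver1.ourdomain.de@OURDOMAIN.DE",
    "nfs/ourserver2.ourdomain.de@OURDOMAIN.DE",
    "nfs/ourclusterip.ourdomain.de@OURDOMAIN.DE",
)


def mount_outcome(principal_opt: Optional[str]) -> Tuple[bool, str]:
    """One client mount of the cluster name, served by node 1, with or without -P."""
    acceptor = svcgssd_acceptor_name(principal_opt, NODE1, REALM)
    ticket = client_target_name(CLUSTER, REALM)
    return accept_sec_context(acceptor, KEYTAB, ticket)


if __name__ == "__main__":
    for opt in (None, "nfs/OurClusterIP.OurDomain.de", "nfs/OurClusterIP.OurDomain.de@OURDOMAIN.DE"):
        ok, msg = mount_outcome(opt)
        print(f"svcgssd {'-P ' + opt if opt else '(default)'}: {msg}")
```

Run as a script it prints the failing default case followed by the two accepted -P forms (with and without an explicit realm). The model also shows the check a practitioner should do before using -P: the principal passed must be present in the keytab, which is why `mount_outcome("nfs/other.ourdomain.de")` fails with a keytab error rather than a principal mismatch.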
* Re: [PATCH] svcgssd: Adding a <-p principal> flag
@ 2010-09-28 12:06 Steve Dickson
From: Steve Dickson @ 2010-09-28 12:06 UTC
To: Eberhard Kuemmerle; +Cc: linux-nfs
On 09/28/2010 02:36 AM, Eberhard Kuemmerle wrote:
> Hello Steve,
>
> we use a two-node cluster (pacemaker, corosync, drbd) as nfs-server.
> We configured a virtual cluster-IP (using ocf::heartbeat:IPaddr2, iptables CLUSTERIP),
> i.e. the nfs clients call the server as OurClusterIP.OurDomain.de while the real hostnames of the servers are
> OurServer1.OurDomain.de and OurServer2.OurDomain.de.
>
> If I tried to use the mount option krb5, svcgssd denied the mount with the message:
> ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request
>
> I patched svcgssd that we can specify the principal to use as an option:
> svcgssd -p nfs/OurClusterIP.OurDomain.de
>
> Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle-97/bSmCnXvjoK6nBLMlh1Q@public.gmane.org>
>
> Here comes the code patch:

Committed...

steved.

> [quoted copy of the code patch, the man page patch and the signature snipped; identical to the message above]