[PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry
@ 2011-11-18 11:32 John Hughes
  2011-11-18 13:44 ` Steve Dickson
  0 siblings, 1 reply; 6+ messages in thread
From: John Hughes @ 2011-11-18 11:32 UTC (permalink / raw)
  To: Trond Myklebust; +Cc: linux-nfs, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 165 bytes --]

By adding a new option to rpc.gssd the administrator can choose whether 
she wants the old "EACCESS on ticket expiry" or the new "wait for new 
ticket" behaviour.



[-- Attachment #2: ticket-expired-error.patch --]
[-- Type: text/x-patch, Size: 2699 bytes --]

Description: Add "-e" (ticket expiry is error) option to rpc.gssd
 In kernels starting around 2.6.34 the nfs4 server will block all I/O
 when a user ticket expires.  In earlier kernels the I/O would fail
 with an EACCESS error.  This patch adds a "-e" option to rpc.gssd
 which allow the earlier behaviour (EKEYEXPIRED is converted to
 EACCESS).  This behaviour is particularly useful when user home
 directories are nfs4 mounted with krb5 security - if the user is
 absent from their workstation for long enough for the ticket to
 expire a new ticket will be obtained (via pam_krb5) by the screen
 unlock process.
Author: John Hughes <john@calva.com>
Signed-off-by: John Hughes <john@calva.com>
Bug-Debian: http://bugs.debian.org/648155
Bug-Ubuntu: https://launchpad.net/bugs/648155

--- nfs-utils-1.2.5.orig/utils/gssd/gssd_proc.c
+++ nfs-utils-1.2.5/utils/gssd/gssd_proc.c
@@ -1007,7 +1007,7 @@ process_krb5_upcall(struct clnt_info *cl
 		/* Tell krb5 gss which credentials cache to use */
 		for (dirname = ccachesearch; *dirname != NULL; dirname++) {
 			err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
-			if (err == -EKEYEXPIRED)
+			if (err == -EKEYEXPIRED && !ticket_expiry_is_error)
 				downcall_err = -EKEYEXPIRED;
 			else if (!err)
 				create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
--- nfs-utils-1.2.5.orig/utils/gssd/gssd.c
+++ nfs-utils-1.2.5/utils/gssd/gssd.c
@@ -63,6 +63,7 @@ int  use_memcache = 0;
 int  root_uses_machine_creds = 1;
 unsigned int  context_timeout = 0;
 char *preferred_realm = NULL;
+int ticket_expiry_is_error = 0;
 
 void
 sig_die(int signal)
@@ -85,7 +86,7 @@ sig_hup(int signal)
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-f] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
+	fprintf(stderr, "usage: %s [-e] [-f] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
 		progname);
 	exit(1);
 }
@@ -102,8 +103,11 @@ main(int argc, char *argv[])
 	char *progname;
 
 	memset(ccachesearch, 0, sizeof(ccachesearch));
-	while ((opt = getopt(argc, argv, "fvrmnMp:k:d:t:R:")) != -1) {
+	while ((opt = getopt(argc, argv, "efvrmnMp:k:d:t:R:")) != -1) {
 		switch (opt) {
+			case 'e':
+				ticket_expiry_is_error = 1;
+				break;
 			case 'f':
 				fg = 1;
 				break;
--- nfs-utils-1.2.5.orig/utils/gssd/gssd.h
+++ nfs-utils-1.2.5/utils/gssd/gssd.h
@@ -66,6 +66,7 @@ extern int			use_memcache;
 extern int			root_uses_machine_creds;
 extern unsigned int 		context_timeout;
 extern char			*preferred_realm;
+extern int			ticket_expiry_is_error;
 
 TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list;
 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry
  2011-11-18 11:32 [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry John Hughes
@ 2011-11-18 13:44 ` Steve Dickson
  2011-11-18 13:51   ` John Hughes
  2011-11-18 13:59   ` John Hughes
  0 siblings, 2 replies; 6+ messages in thread
From: Steve Dickson @ 2011-11-18 13:44 UTC (permalink / raw)
  To: John Hughes; +Cc: Trond Myklebust, linux-nfs, linux-kernel

On 11/18/2011 06:32 AM, John Hughes wrote:
> By adding a new option to rpc.gssd the administrator can choose whether she wants the old "EACCESS on ticket expiry" or the new "wait for new ticket" behaviour.
> 
> 
I am not too keen this idea at all.... I've never been a fan of
added command line arguments for this purpose... Plus there 
is no man page update... Also please post patches in-line
the email not as email attachments...

If commit 2c64348 which causes the process to hang when 
its kerberos ticket expires is a regression... then so
be it... lets revert that commit and have the process error
out with EPERM.... It sounds like the apps would rather
have the error than the hanging... 

I think the answer to all this is have the ticket
renewed before it expires. There is a daemon call sssd
that is part of the FreeIPA project that will supposedly
do that for us... I'm looking into it... 

steved.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry
  2011-11-18 13:44 ` Steve Dickson
@ 2011-11-18 13:51   ` John Hughes
  2011-11-18 13:59   ` John Hughes
  1 sibling, 0 replies; 6+ messages in thread
From: John Hughes @ 2011-11-18 13:51 UTC (permalink / raw)
  To: Steve Dickson; +Cc: Trond Myklebust, linux-nfs, linux-kernel

On 18/11/11 14:44, Steve Dickson wrote:
>
> I think the answer to all this is have the ticket
> renewed before it expires. There is a daemon call sssd
> that is part of the FreeIPA project that will supposedly
> do that for us... I'm looking into it...
You can only renoew the ticket before it expires if it hasn't yet expired.

Imagine this case:

I go home for the evening.

The screensaver kicks in.

The machine suspends to ram.

The ticket expires.  Yes, it was renewable but nobody could renew it 
because they were asleep.

I come back the next morning, hit a key, the unlock screen pops up, I 
enter my password, pam_krb5 gets a new ticket.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry
  2011-11-18 13:44 ` Steve Dickson
  2011-11-18 13:51   ` John Hughes
@ 2011-11-18 13:59   ` John Hughes
  2011-11-18 14:48     ` Luk Claes
  1 sibling, 1 reply; 6+ messages in thread
From: John Hughes @ 2011-11-18 13:59 UTC (permalink / raw)
  To: Steve Dickson; +Cc: Trond Myklebust, linux-nfs, linux-kernel

On 18/11/11 14:44, Steve Dickson wrote:
>
> On 11/18/2011 06:32 AM, John Hughes wrote:
>> By adding a new option to rpc.gssd the administrator can choose whether she wants the old "EACCESS on ticket expiry" or the new "wait for new ticket" behaviour.
>>
>>
> I am not too keen this idea at all.... I've never been a fan of
> added command line arguments for this purpose..

Nope, me neither.

> . Plus there is no man page update...

Okeydoke, let's see, where's the man page...

$ find  /usr/share/man* -name 'rcp.gssd*'

find: cannot get current directory: Permission denied


AArgh!  :-)  Yum, this dogfood tastes nice!

> Also please post patches in-line
> the email not as email attachments...

De gustibus non disputandum est.

New version of patch on it's way.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry
  2011-11-18 13:59   ` John Hughes
@ 2011-11-18 14:48     ` Luk Claes
  2011-11-18 14:54       ` John Hughes
  0 siblings, 1 reply; 6+ messages in thread
From: Luk Claes @ 2011-11-18 14:48 UTC (permalink / raw)
  To: John Hughes; +Cc: Steve Dickson, Trond Myklebust, linux-nfs, linux-kernel

On 11/18/2011 02:59 PM, John Hughes wrote:
> On 18/11/11 14:44, Steve Dickson wrote:
>>
>> On 11/18/2011 06:32 AM, John Hughes wrote:

>> . Plus there is no man page update...
> 
> Okeydoke, let's see, where's the man page...
> 
> $ find  /usr/share/man* -name 'rcp.gssd*'
> 
> find: cannot get current directory: Permission denied

rcp != rpc

Cheers

Luk

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry
  2011-11-18 14:48     ` Luk Claes
@ 2011-11-18 14:54       ` John Hughes
  0 siblings, 0 replies; 6+ messages in thread
From: John Hughes @ 2011-11-18 14:54 UTC (permalink / raw)
  To: Luk Claes; +Cc: linux-kernel

On 18/11/11 15:48, Luk Claes wrote:
> On 11/18/2011 02:59 PM, John Hughes wrote:
>>
>> Okeydoke, let's see, where's the man page...
>>
>> $ find  /usr/share/man* -name 'rcp.gssd*'
>>
>> find: cannot get current directory: Permission denied
> rcp != rpc

The joke was that I was using the patched rpc.gssd and my (deliberately 
short life) ticket had expired, so find bitched about not being able to 
read my home directory.

And I made a typo.  What a maroon I am.


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2011-11-18 14:57 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-11-18 11:32 [PATCH] Add "-e" option to rpc.gssd to allow error on ticket expiry John Hughes
2011-11-18 13:44 ` Steve Dickson
2011-11-18 13:51   ` John Hughes
2011-11-18 13:59   ` John Hughes
2011-11-18 14:48     ` Luk Claes
2011-11-18 14:54       ` John Hughes

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox