using a pipe.
* utils/idmapd/idmapd.c: Let libnfsidmapd parse the idmapd.conf
file for the default domain, instead of doing that ourselves.
+ * utils/gssd/gssd_proc.c: Make sure we get an error when a gssd
+ downcall fails.
2004-11-22 NeilBrown <neilb@cse.unsw.edu.au>
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT="-lcrypt"])
if test "$enable_nfsv4" = yes; then
AC_CHECK_LIB(event, event_dispatch)
- AC_CHECK_LIB(nfsidmap, nfs4_uid_to_name)
+ AC_CHECK_LIB(nfsidmap, nfs4_init_name_mapping)
AC_CHECK_HEADERS(event.h)
AC_CHECK_HEADERS(nfsidmap.h)
fi
# Options for rpc.mountd
RPCMOUNTDOPTS=
+
+# If you are not running NFS with RPCSEC_GSS security, and wish to
+# disable the gssd server daemon then uncomment the following line
+# NEED_SVCGSSD=no
retval = 0;
out_fail:
+ if ((save_uid != -1) && (seteuid(save_uid) != 0)) {
+ printerr(0, "WARNING: Failed to restore euid"
+ " to uid %d (in error path)\n", save_uid);
+ }
if (sec.cred != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_stat, &sec.cred);
if (rpc_clnt) clnt_destroy(rpc_clnt);
void release_parent();
static int verbose = 0;
-static char domain[512];
static char pipefsdir[PATH_MAX];
static char *nobodyuser, *nobodygroup;
static uid_t nobodyuid;
struct group *gr;
struct stat sb;
char *xpipefsdir = NULL;
- char *xdomain = NULL;
int serverstart = 1, clientstart = 1;
conf_path = _PATH_IDMAPDCONF;
conf_init();
verbose = conf_get_num("General", "Verbosity", 0);
CONF_SAVE(xpipefsdir, conf_get_str("General", "Pipefs-Directory"));
- CONF_SAVE(xdomain, conf_get_str("General", "Domain"));
if (xpipefsdir != NULL)
strlcpy(pipefsdir, xpipefsdir, sizeof(pipefsdir));
- if (xdomain != NULL)
- strlcpy(domain, xdomain, sizeof(domain));
CONF_SAVE(nobodyuser, conf_get_str("Mapping", "Nobody-User"));
CONF_SAVE(nobodygroup, conf_get_str("Mapping", "Nobody-Group"));
+ nfs4_init_name_mapping(conf_path);
}
while ((opt = getopt(argc, argv, GETOPTSTR)) != -1)
strncat(pipefsdir, "/nfs", sizeof(pipefsdir));
- if (domain[0] == '\0') {
- struct hostent *he;
- char hname[64], *c;
-
- if (gethostname(hname, sizeof(hname)) == -1)
- errx(1, "Error getting hostname");
-
- if ((he = gethostbyname(hname)) == NULL)
- errx(1, "Error resolving hostname: %s", hname);
-
- if ((c = strchr(he->h_name, '.')) == NULL || *++c == '\0')
- errx(1, "Error resolving domain, "
- "please use the -d switch");
-
- strlcpy(domain, c, sizeof(domain));
- }
-
if ((pw = getpwnam(nobodyuser)) == NULL)
errx(1, "Could not find user \"%s\"", nobodyuser);
nobodyuid = pw->pw_uid;
errx(1, "Could not find group \"%s\"", nobodygroup);
nobodygid = gr->gr_gid;
- if (strlen(domain) == 0)
- errx(1, "Invalid domain; please specify with -d switch");
-
- if (verbose > 2)
- warnx("Using domain \"%s\"", domain);
-
if (!fg)
mydaemon(0, 0);
ic->ic_which = which;
ic->ic_id = "Server";
- strlcpy(ic->ic_clid, domain, sizeof(ic->ic_clid));
+ strlcpy(ic->ic_clid, "Server", strlen("Server"));
if (verbose > 0)
warnx("Opened %s", ic->ic_path);
static void
idtonameres(struct idmap_msg *im)
{
+ char domain[NFS4_MAX_DOMAIN_LEN];
int ret = 0;
+ ret = nfs4_get_default_domain(NULL, domain, sizeof(domain));
switch (im->im_type) {
case IDMAP_TYPE_USER:
ret = nfs4_uid_to_name(im->im_id, domain, im->im_name,
OBJS = svcgssd.o svcgssd_main_loop.o svcgssd_proc.o err_util.o gss_util.o \
gss_oids.o context.o context_heimdal.o cacheio.o svcgssd_mech2file.o
LIBDEPS = $(TOP)support/lib/librpc.a $(TOP)support/lib/libgssapi.a
-LIBS = -Wl,-rpath=$(KRBDIR)/lib -lrpc -lgssapi -ldl $(KRBLIB)
+LIBS = -Wl,-rpath=$(KRBDIR)/lib -lrpc -lgssapi -ldl $(KRBLIB) -lnfsidmap
MAN8 = svcgssd
predep ::
#include <string.h>
#include <fcntl.h>
#include <errno.h>
+#include <nfsidmap.h>
#include "svcgssd.h"
#include "gss_util.h"
#define rpcsec_gsserr_ctxproblem 14
static int
-get_ids(gss_name_t client_name, gss_OID *mech, struct svc_cred *cred)
+get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
{
u_int32_t maj_stat, min_stat;
gss_buffer_desc name;
char *sname;
int res = -1;
- struct passwd *pw = NULL;
+ uid_t uid, gid;
gss_OID name_type;
- char *c;
+ char *secname;
maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
if (maj_stat != GSS_S_COMPLETE)
goto out;
memcpy(sname, name.value, name.length);
printerr(1, "sname = %s\n", sname);
- /* XXX: should use same mapping as idmapd? Or something; for now
- * I'm just chopping off the domain. */
- /* XXX: note that idmapd also does this! It doesn't check the domain
- * name. */
- if ((c = strchr(sname, '@')) != NULL)
- *c = '\0';
- /* XXX? mapping unknown users (including machine creds) to nobody: */
- if ( !(pw = getpwnam(sname)) && !(pw = getpwnam("nobody")) )
+
+ res = -EINVAL;
+ if ((secname = mech2file(mech)) == NULL)
+ goto out_free;
+ nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
+ res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
+ if (res < 0)
goto out_free;
- cred->cr_uid = pw->pw_uid;
- cred->cr_gid = pw->pw_gid;
- /* XXX Read password file? Use initgroups? I dunno...*/
+ cred->cr_uid = uid;
+ cred->cr_gid = gid;
+ /*XXX: want add_supplementary_groups(secname, sname, cred)? */
cred->cr_ngroups = 0;
res = 0;
out_free:
&null_token, &null_token);
goto out_err;
}
- if (get_ids(client_name, &mech, &cred)) {
+ if (get_ids(client_name, mech, &cred)) {
printerr(0, "WARNING: handle_nullreq: get_uid failed\n");
send_response(f, &in_handle, &in_tok, GSS_S_BAD_NAME /* XXX? */,
0, &null_token, &null_token);