+2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
+ Add option to set rpcsec_gss debugging level (if available)
+
+ Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
+ libraries. Note that there are still run-time issues preventing
+ this from working when shared libraries for libgssapi and librpcsecgss
+ are used.
+
2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
Remove the rpcsec_gss code and rely on an external library instead.
echo "configure: warning: Using $KRBDIR instead of requested value of $krb5_with for Kerberos!" 1>&2
fi
+ echo $ac_n "checking for authgss_create_default in -lrpcsecgss""... $ac_c" 1>&6
+echo "configure:2011: checking for authgss_create_default in -lrpcsecgss" >&5
+ac_lib_var=`echo rpcsecgss'_'authgss_create_default | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-lrpcsecgss $KRBLIB $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2019 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char authgss_create_default();
+
+int main() {
+authgss_create_default()
+; return 0; }
+EOF
+if { (eval echo configure:2030: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+ librpcsecgss=1
+else
+ echo "$ac_t""no" 1>&6
+{ echo "configure: error: librpcsecgss needed for nfsv4 support" 1>&2; exit 1; }
+fi
+
+ echo $ac_n "checking for authgss_set_debug_level in -lrpcsecgss""... $ac_c" 1>&6
+echo "configure:2052: checking for authgss_set_debug_level in -lrpcsecgss" >&5
+ac_lib_var=`echo rpcsecgss'_'authgss_set_debug_level | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-lrpcsecgss $KRBLIB $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2060 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char authgss_set_debug_level();
+
+int main() {
+authgss_set_debug_level()
+; return 0; }
+EOF
+if { (eval echo configure:2071: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+#define HAVE_AUTHGSS_SET_DEBUG_LEVEL 1
+EOF
+
+else
+ echo "$ac_t""no" 1>&6
+fi
+
+
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:2020: checking for $ac_hdr" >&5
+echo "configure:2105: checking for $ac_hdr" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 2025 "configure"
+#line 2110 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2030: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2115: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:2060: checking for $ac_hdr" >&5
+echo "configure:2145: checking for $ac_hdr" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 2065 "configure"
+#line 2150 "configure"
#include "confdefs.h"
#include <$ac_hdr>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2070: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2155: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
for ac_func in innetgr
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:2100: checking for $ac_func" >&5
+echo "configure:2185: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
-#line 2105 "configure"
+#line 2190 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
; return 0; }
EOF
-if { (eval echo configure:2128: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2213: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
echo $ac_n "checking size of short""... $ac_c" 1>&6
-echo "configure:2154: checking size of short" >&5
+echo "configure:2239: checking size of short" >&5
if eval "test \"`echo '$''{'ac_cv_sizeof_short'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
{ echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
else
cat > conftest.$ac_ext <<EOF
-#line 2162 "configure"
+#line 2247 "configure"
#include "confdefs.h"
#include <stdio.h>
#include <sys/types.h>
exit(0);
}
EOF
-if { (eval echo configure:2174: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2259: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ac_cv_sizeof_short=`cat conftestval`
else
echo $ac_n "checking size of int""... $ac_c" 1>&6
-echo "configure:2195: checking size of int" >&5
+echo "configure:2280: checking size of int" >&5
if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
{ echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
else
cat > conftest.$ac_ext <<EOF
-#line 2203 "configure"
+#line 2288 "configure"
#include "confdefs.h"
#include <stdio.h>
#include <sys/types.h>
exit(0);
}
EOF
-if { (eval echo configure:2215: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2300: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ac_cv_sizeof_int=`cat conftestval`
else
echo $ac_n "checking size of long""... $ac_c" 1>&6
-echo "configure:2236: checking size of long" >&5
+echo "configure:2321: checking size of long" >&5
if eval "test \"`echo '$''{'ac_cv_sizeof_long'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
{ echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
else
cat > conftest.$ac_ext <<EOF
-#line 2244 "configure"
+#line 2329 "configure"
#include "confdefs.h"
#include <stdio.h>
#include <sys/types.h>
exit(0);
}
EOF
-if { (eval echo configure:2256: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2341: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ac_cv_sizeof_long=`cat conftestval`
else
echo $ac_n "checking size of size_t""... $ac_c" 1>&6
-echo "configure:2277: checking size of size_t" >&5
+echo "configure:2362: checking size of size_t" >&5
if eval "test \"`echo '$''{'ac_cv_sizeof_size_t'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
{ echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
else
cat > conftest.$ac_ext <<EOF
-#line 2285 "configure"
+#line 2370 "configure"
#include "confdefs.h"
#include <stdio.h>
#include <sys/types.h>
exit(0);
}
EOF
-if { (eval echo configure:2297: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
then
ac_cv_sizeof_size_t=`cat conftestval`
else
#include <syslog.h>
#include <string.h>
#include <errno.h>
-#include <gssapi.h>
#include <krb5.h>
+#include <gssapi.h> /* Must use the heimdal copy! */
+#ifdef HAVE_COM_ERR_H
#include <com_err.h>
+#endif
#include "err_util.h"
#include "gss_oids.h"
#include "write_bytes.h"
}
memset(&enc_key, 0, sizeof(enc_key));
- printerr(1, "WARN: write_heimdal_enc_key: "
- "overriding heimdal keytype\n");
- enc_key.keytype = 4 /* XXX XXX XXX XXX key->keytype */;
+ enc_key.keytype = key->keytype;
+ /* XXX current kernel code only handles des-cbc-raw (4) */
+ if (enc_key.keytype != 4) {
+ printerr(1, "WARN: write_heimdal_enc_key: "
+ "overriding heimdal keytype (%d => %d)\n",
+ enc_key.keytype, 4);
+ enc_key.keytype = 4;
+ }
enc_key.keyvalue.length = key->keyvalue.length;
if ((enc_key.keyvalue.data =
calloc(1, enc_key.keyvalue.length)) == NULL) {
goto out_err_free_context;
}
- printerr(1, "WARN: write_heimdal_seq_key: "
- "overriding heimdal keytype\n");
- key->keytype = 4; /* XXX XXX XXX XXX XXX */
+ /* XXX current kernel code only handles des-cbc-raw (4) */
+ if (key->keytype != 4) {
+ printerr(1, "WARN: write_heimdal_seq_key: "
+ "overriding heimdal keytype (%d => %d)\n",
+ key->keytype, 4);
+ key->keytype = 4;
+ }
if (write_heimdal_keyblock(p, end, key)) {
goto out_err_free_key;
#define _GSS_OIDS_H_
#include <sys/types.h>
-#include <gssapi/gssapi.h>
extern gss_OID_desc krb5oid;
extern gss_OID_desc spkm3oid;
*/
+#include "config.h"
+
#include <sys/param.h>
#include <sys/socket.h>
#include <rpc/rpc.h>
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-f] [-v] [-p pipefsdir] [-k keytab]\n",
+ fprintf(stderr, "usage: %s [-f] [-v] [-r] [-p pipefsdir] [-k keytab]\n",
progname);
exit(1);
}
{
int fg = 0;
int verbosity = 0;
+ int rpc_verbosity = 0;
int opt;
extern char *optarg;
char *progname;
- while ((opt = getopt(argc, argv, "fvmp:k:")) != -1) {
+ while ((opt = getopt(argc, argv, "fvrmp:k:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
case 'v':
verbosity++;
break;
+ case 'r':
+ rpc_verbosity++;
+ break;
case 'p':
strncpy(pipefsdir, optarg, sizeof(pipefsdir));
if (pipefsdir[sizeof(pipefsdir)-1] != '\0')
progname = argv[0];
initerr(progname, verbosity, fg);
+#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL
+ authgss_set_debug_level(rpc_verbosity);
+#else
+ if (rpc_verbosity > 0)
+ printerr(0, "Warning: rpcsec_gss library does not "
+ "support setting debug level\n");
+#endif
if (!fg && daemon(0, 0) < 0)
errx(1, "fork");
.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v]"
+.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
.TP
.B -v
Increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -r
+If the rpcsec_gss library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).
.SH SEE ALSO
.BR rpc.svcgssd(8)
.SH AUTHORS
static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
static int gssd_get_single_krb5_cred(krb5_context context,
krb5_keytab kt, struct gssd_k5_kt_princ *ple);
-static int gssd_have_realm_ple(krb5_data *realm);
+static int gssd_have_realm_ple(void *realm);
static int gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt,
char *kt_name);
krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
#endif
if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
- kt, 0, 0, &options))) {
+ kt, 0, NULL, &options))) {
char *pname;
if ((krb5_unparse_name(context, ple->princ, &pname))) {
pname = NULL;
"principal '%s' from keytab '%s'\n",
error_message(code),
pname ? pname : "<unparsable>", kt_name);
+#ifdef HAVE_KRB5
if (pname) krb5_free_unparsed_name(context, pname);
+#else
+ if (pname) free(pname);
+#endif
goto out;
}
* 1 => found ple for given realm
*/
static int
-gssd_have_realm_ple(krb5_data *realm)
+gssd_have_realm_ple(void *r)
{
struct gssd_k5_kt_princ *ple;
+#ifdef HAVE_KRB5
+ krb5_data *realm = (krb5_data *)r;
+#else
+ char *realm = (char *)r;
+#endif
for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) {
+#ifdef HAVE_KRB5
if ((realm->length == strlen(ple->realm)) &&
(strncmp(realm->data, ple->realm, realm->length) == 0)) {
+#else
+ if (strcmp(realm, ple->realm) == 0) {
+#endif
return 1;
}
}
}
printerr(2, "Processing keytab entry for principal '%s'\n",
pname);
+#ifdef HAVE_KRB5
if ( (kte.principal->data[0].length == GSSD_SERVICE_NAME_LEN) &&
(strncmp(kte.principal->data[0].data, GSSD_SERVICE_NAME,
GSSD_SERVICE_NAME_LEN) == 0) &&
- (!gssd_have_realm_ple(&kte.principal->realm)) ) {
+#else
+ if ( (strlen(kte.principal->name.name_string.val[0]) == GSSD_SERVICE_NAME_LEN) &&
+ (strncmp(kte.principal->name.name_string.val[0], GSSD_SERVICE_NAME,
+ GSSD_SERVICE_NAME_LEN) == 0) &&
+
+#endif
+ (!gssd_have_realm_ple((void *)&kte.principal->realm)) ) {
printerr(2, "We will use this entry (%s)\n", pname);
ple = malloc(sizeof(struct gssd_k5_kt_princ));
if (ple == NULL) {
printerr(0, "ERROR: could not allocate storage "
"for principal list entry\n");
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
retval = ENOMEM;
goto out;
}
ple->ccname = NULL;
ple->endtime = 0;
if ((ple->realm =
+#ifdef HAVE_KRB5
strndup(kte.principal->realm.data,
kte.principal->realm.length))
+#else
+ strdup(kte.principal->realm))
+#endif
== NULL) {
printerr(0, "ERROR: %s while copying realm to "
"principal list entry\n",
"not enough memory");
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
retval = ENOMEM;
goto out;
}
printerr(0, "ERROR: %s while copying principal "
"to principal list entry\n",
error_message(code));
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
retval = code;
goto out;
}
printerr(2, "We will NOT use this entry (%s)\n",
pname);
}
+#ifdef HAVE_KRB5
krb5_free_unparsed_name(context, pname);
+#else
+ free(pname);
+#endif
}
if ((code = krb5_kt_end_seq_get(context, kt, &cursor))) {
*/
+#include "config.h"
+
#include <sys/param.h>
#include <sys/types.h>
#include <sys/stat.h>
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-n] [-f] [-v]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n",
progname);
exit(1);
}
int get_creds = 1;
int fg = 0;
int verbosity = 0;
+ int rpc_verbosity = 0;
int opt;
extern char *optarg;
char *progname;
- while ((opt = getopt(argc, argv, "fvnp:")) != -1) {
+ while ((opt = getopt(argc, argv, "fvrnp:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
case 'v':
verbosity++;
break;
+ case 'r':
+ rpc_verbosity++;
+ break;
default:
usage(argv[0]);
break;
progname = argv[0];
initerr(progname, verbosity, fg);
+#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL
+ authgss_set_debug_level(rpc_verbosity);
+#else
+ if (rpc_verbosity > 0)
+ printerr(0, "Warning: rpcsec_gss library does not "
+ "support setting debug level\n");
+#endif
if (!fg)
mydaemon(0, 0);
.SH NAME
rpc.svcgssd \- server-side rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
.TP
.B -v
Increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -r
+If the rpcsec_gss library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).
.SH SEE ALSO
.BR rpc.gssd(8),