From: neilbrown Date: Fri, 26 Aug 2005 02:04:40 +0000 (+0000) Subject: Add option to set rpcsec_gss debugging level (if available) X-Git-Tag: nfs-utils-1-0-7-post3^0 X-Git-Url: https://git.decadent.org.uk/gitweb/?a=commitdiff_plain;h=651b5d3cf5428cbf1d2cd3ae572453af249bef1e;p=nfs-utils.git Add option to set rpcsec_gss debugging level (if available) Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos libraries. Note that there are still run-time issues preventing this from working when shared libraries for libgssapi and librpcsecgss are used. --- diff --git a/ChangeLog b/ChangeLog index 7f98cdf..cf0a254 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2005-08-26 Kevin Coffman + Add option to set rpcsec_gss debugging level (if available) + + Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos + libraries. Note that there are still run-time issues preventing + this from working when shared libraries for libgssapi and librpcsecgss + are used. + 2005-08-26 Kevin Coffman Remove the rpcsec_gss code and rely on an external library instead. diff --git a/configure b/configure index 141232e..4127631 100755 --- a/configure +++ b/configure 
@@ -2006,6 +2006,91 @@ fi echo "configure: warning: Using $KRBDIR instead of requested value of $krb5_with for Kerberos!" 1>&2 fi + echo $ac_n "checking for authgss_create_default in -lrpcsecgss""... $ac_c" 1>&6 +echo "configure:2011: checking for authgss_create_default in -lrpcsecgss" >&5 +ac_lib_var=`echo rpcsecgss'_'authgss_create_default | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lrpcsecgss $KRBLIB $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + librpcsecgss=1 +else + echo "$ac_t""no" 1>&6 +{ echo "configure: error: librpcsecgss needed for nfsv4 support" 1>&2; exit 1; } +fi + + echo $ac_n "checking for authgss_set_debug_level in -lrpcsecgss""... 
$ac_c" 1>&6 +echo "configure:2052: checking for authgss_set_debug_level in -lrpcsecgss" >&5 +ac_lib_var=`echo rpcsecgss'_'authgss_set_debug_level | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lrpcsecgss $KRBLIB $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_AUTHGSS_SET_DEBUG_LEVEL 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi + + @@ -2016,17 +2101,17 @@ for ac_hdr in com_err.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:2020: checking for $ac_hdr" >&5 +echo "configure:2105: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:2030: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:2115: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
@@ -2056,17 +2141,17 @@ for ac_hdr in et/com_err.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:2060: checking for $ac_hdr" >&5 +echo "configure:2145: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:2070: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:2155: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -2096,12 +2181,12 @@ done for ac_func in innetgr do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2100: checking for $ac_func" >&5 +echo "configure:2185: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2213: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2150,7 +2235,7 @@ done echo $ac_n "checking size of short""... $ac_c" 1>&6 -echo "configure:2154: checking size of short" >&5 +echo "configure:2239: checking size of short" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2158,7 +2243,7 @@ else { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < #include 
@@ -2170,7 +2255,7 @@ else exit(0); } EOF -if { (eval echo configure:2174: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2259: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short=`cat conftestval` else @@ -2191,7 +2276,7 @@ EOF echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:2195: checking size of int" >&5 +echo "configure:2280: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2199,7 +2284,7 @@ else { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < #include @@ -2211,7 +2296,7 @@ else exit(0); } EOF -if { (eval echo configure:2215: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2300: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -2232,7 +2317,7 @@ EOF echo $ac_n "checking size of long""... $ac_c" 1>&6 -echo "configure:2236: checking size of long" >&5 +echo "configure:2321: checking size of long" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2240,7 +2325,7 @@ else { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < #include @@ -2252,7 +2337,7 @@ else exit(0); } EOF -if { (eval echo configure:2256: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2341: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long=`cat conftestval` else 
@@ -2273,7 +2358,7 @@ EOF echo $ac_n "checking size of size_t""... $ac_c" 1>&6 -echo "configure:2277: checking size of size_t" >&5 +echo "configure:2362: checking size of size_t" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2281,7 +2366,7 @@ else { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < #include @@ -2293,7 +2378,7 @@ else exit(0); } EOF -if { (eval echo configure:2297: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_size_t=`cat conftestval` else diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c index 27c44a3..edd4dfc 100644 --- a/utils/gssd/context_heimdal.c +++ b/utils/gssd/context_heimdal.c @@ -37,9 +37,11 @@ #include #include #include -#include #include +#include /* Must use the heimdal copy! */ +#ifdef HAVE_COM_ERR_H #include +#endif #include "err_util.h" #include "gss_oids.h" #include "write_bytes.h" @@ -83,9 +85,14 @@ int write_heimdal_enc_key(char **p, char *end, gss_ctx_id_t ctx) } memset(&enc_key, 0, sizeof(enc_key)); - printerr(1, "WARN: write_heimdal_enc_key: " - "overriding heimdal keytype\n"); - enc_key.keytype = 4 /* XXX XXX XXX XXX key->keytype */; + enc_key.keytype = key->keytype; + /* XXX current kernel code only handles des-cbc-raw (4) */ + if (enc_key.keytype != 4) { + printerr(1, "WARN: write_heimdal_enc_key: " + "overriding heimdal keytype (%d => %d)\n", + enc_key.keytype, 4); + enc_key.keytype = 4; + } enc_key.keyvalue.length = key->keyvalue.length; if ((enc_key.keyvalue.data = calloc(1, enc_key.keyvalue.length)) == NULL) { 
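Review bot: In the write_heimdal_enc_key hunk the keytype is forced to 4 while `enc_key.keyvalue.length = key->keyvalue.length;` still copies whatever length the negotiated key has, so a session key of another enctype would reach the kernel labelled des-cbc-raw but carrying a non-DES key length; the write_heimdal_seq_key hunk that follows relabels `key->keytype` the same way. Unless the caller already guarantees an 8-byte single-DES key, failing is safer than relabelling, along the lines of `if (key->keyvalue.length != 8) { printerr(0, "ERROR: write_heimdal_enc_key: unsupported key length\n"); goto <existing cleanup label>; }`. The literal 4 now appears three times in each hunk; one named constant carrying the "XXX current kernel code only handles des-cbc-raw (4)" comment would keep the two sites from drifting apart. write_heimdal_enc_key starts before this hunk and continues after it.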
@@ -135,9 +142,13 @@ int write_heimdal_seq_key(char **p, char *end, gss_ctx_id_t ctx) goto out_err_free_context; } - printerr(1, "WARN: write_heimdal_seq_key: " - "overriding heimdal keytype\n"); - key->keytype = 4; /* XXX XXX XXX XXX XXX */ + /* XXX current kernel code only handles des-cbc-raw (4) */ + if (key->keytype != 4) { + printerr(1, "WARN: write_heimdal_seq_key: " + "overriding heimdal keytype (%d => %d)\n", + key->keytype, 4); + key->keytype = 4; + } if (write_heimdal_keyblock(p, end, key)) { goto out_err_free_key; diff --git a/utils/gssd/gss_oids.h b/utils/gssd/gss_oids.h index 850c013..8b0a352 100644 --- a/utils/gssd/gss_oids.h +++ b/utils/gssd/gss_oids.h @@ -32,7 +32,6 @@ #define _GSS_OIDS_H_ #include -#include extern gss_OID_desc krb5oid; extern gss_OID_desc spkm3oid; diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c index 7f28320..8031d48 100644 --- a/utils/gssd/gssd.c +++ b/utils/gssd/gssd.c @@ -36,6 +36,8 @@ */ +#include "config.h" + #include #include #include @@ -74,7 +76,7 @@ sig_hup(int signal) static void usage(char *progname) { - fprintf(stderr, "usage: %s [-f] [-v] [-p pipefsdir] [-k keytab]\n", + fprintf(stderr, "usage: %s [-f] [-v] [-r] [-p pipefsdir] [-k keytab]\n", progname); exit(1); } @@ -84,11 +86,12 @@ main(int argc, char *argv[]) { int fg = 0; int verbosity = 0; + int rpc_verbosity = 0; int opt; extern char *optarg; char *progname; - while ((opt = getopt(argc, argv, "fvmp:k:")) != -1) { + while ((opt = getopt(argc, argv, "fvrmp:k:")) != -1) { switch (opt) { case 'f': fg = 1; @@ -99,6 +102,9 @@ main(int argc, char *argv[]) case 'v': verbosity++; break; + case 'r': + rpc_verbosity++; + break; case 'p': strncpy(pipefsdir, optarg, sizeof(pipefsdir)); if (pipefsdir[sizeof(pipefsdir)-1] != '\0') 
@@ -125,6 +131,13 @@ main(int argc, char *argv[]) progname = argv[0]; initerr(progname, verbosity, fg); +#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL + authgss_set_debug_level(rpc_verbosity); +#else + if (rpc_verbosity > 0) + printerr(0, "Warning: rpcsec_gss library does not " + "support setting debug level\n"); +#endif if (!fg && daemon(0, 0) < 0) errx(1, "fork"); diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index d8f9a0f..01404d1 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -6,7 +6,7 @@ .SH NAME rpc.gssd \- rpcsec_gss daemon .SH SYNOPSIS -.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v]" +.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r]" .SH DESCRIPTION The rpcsec_gss protocol gives a means of using the gss-api generic security api to provide security for protocols using rpc (in particular, nfs). Before @@ -50,6 +50,10 @@ where to look for the rpc_pipefs filesystem. The default value is .TP .B -v Increases the verbosity of the output (can be specified multiple times). +.TP +.B -r +If the rpcsec_gss library supports setting debug level, +increases the verbosity of the output (can be specified multiple times). .SH SEE ALSO .BR rpc.svcgssd(8) .SH AUTHORS diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index d29b839..353a93e 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -131,7 +131,7 @@ static int select_krb5_ccache(const struct dirent *d); static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d); static int gssd_get_single_krb5_cred(krb5_context context, krb5_keytab kt, struct gssd_k5_kt_princ *ple); -static int gssd_have_realm_ple(krb5_data *realm); +static int gssd_have_realm_ple(void *realm); static int gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name); 
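Review bot: The `authgss_set_debug_level(rpc_verbosity);` call under `#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL` depends on a prototype that none of the includes added by this patch provide (only `config.h` is new), so unless an existing header already declares it this compiles as an implicit declaration; the identical block is added to svcgssd.c later in the patch. A one-line comment would save the next reader a trip to configure, e.g. `/* HAVE_AUTHGSS_SET_DEBUG_LEVEL is set by configure's link test for authgss_set_debug_level in librpcsecgss */`. Since both daemons now carry the same seven lines right after `initerr(progname, verbosity, fg);`, a small shared helper beside initerr() would keep the fallback warning text in one place. main continues outside the hunk.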
@@ -355,7 +355,7 @@ gssd_get_single_krb5_cred(krb5_context context, krb5_get_init_creds_opt_set_tkt_life(&options, 5*60); #endif if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ, - kt, 0, 0, &options))) { + kt, 0, NULL, &options))) { char *pname; if ((krb5_unparse_name(context, ple->princ, &pname))) { pname = NULL; @@ -364,7 +364,11 @@ gssd_get_single_krb5_cred(krb5_context context, "principal '%s' from keytab '%s'\n", error_message(code), pname ? pname : "", kt_name); +#ifdef HAVE_KRB5 if (pname) krb5_free_unparsed_name(context, pname); +#else + if (pname) free(pname); +#endif goto out; } @@ -416,13 +420,22 @@ gssd_get_single_krb5_cred(krb5_context context, * 1 => found ple for given realm */ static int -gssd_have_realm_ple(krb5_data *realm) +gssd_have_realm_ple(void *r) { struct gssd_k5_kt_princ *ple; +#ifdef HAVE_KRB5 + krb5_data *realm = (krb5_data *)r; +#else + char *realm = (char *)r; +#endif for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) { +#ifdef HAVE_KRB5 if ((realm->length == strlen(ple->realm)) && (strncmp(realm->data, ple->realm, realm->length) == 0)) { +#else + if (strcmp(realm, ple->realm) == 0) { +#endif return 1; } } 
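Review bot: The `#ifdef HAVE_KRB5 krb5_free_unparsed_name(context, pname); #else free(pname); #endif` triple introduced in the @@ -364 hunk is repeated at five places in this file's hunks (also three in the @@ -472/-490/-505 hunks and one in @@ -520), so a missed `#else` at any one of them becomes a leak or a wrong-allocator free in the non-HAVE_KRB5 build. A static helper that makes the choice once would reduce every call site to a single line; gssd_get_single_krb5_cred and gssd_process_krb5_keytab both start before their hunks and continue after them.

```c
/*
 * krb5_unparse_name() output is released differently by the two
 * Kerberos implementations this file builds against; keep that
 * choice in one place instead of at every call site.
 */
static void
gssd_free_unparsed_name(krb5_context context, char *pname)
{
#ifdef HAVE_KRB5
	krb5_free_unparsed_name(context, pname);
#else
	(void)context;	/* non-HAVE_KRB5 build: plain free(), as the #else branches do */
	free(pname);
#endif
}

/* … unchanged: body of gssd_get_single_krb5_cred up to the release site … */
		gssd_free_unparsed_name(context, pname);
```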
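Review bot: In the non-HAVE_KRB5 branch of gssd_have_realm_ple the argument is read as `char *realm = (char *)r;`, but the caller in the later @@ -472 hunk passes `(void *)&kte.principal->realm`, and that hunk's `strdup(kte.principal->realm)` shows the realm there is itself a `char *`, so `r` is a `char **` and the strcmp() would compare the bytes of the pointer rather than the realm name, meaning gssd_have_realm_ple() would not report a match for that build. The branch should dereference once: `char *realm = *(char **)r;`. More generally the `void *` parameter (also changed in the @@ -131 prototype hunk above) gives up the type checking that would have caught this; a typedef chosen once near the prototype (`krb5_data *` under HAVE_KRB5, `char **` otherwise) keeps the #ifdef in one place and lets the compiler check every caller.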
@@ -472,16 +485,27 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name) } printerr(2, "Processing keytab entry for principal '%s'\n", pname); +#ifdef HAVE_KRB5 if ( (kte.principal->data[0].length == GSSD_SERVICE_NAME_LEN) && (strncmp(kte.principal->data[0].data, GSSD_SERVICE_NAME, GSSD_SERVICE_NAME_LEN) == 0) && - (!gssd_have_realm_ple(&kte.principal->realm)) ) { +#else + if ( (strlen(kte.principal->name.name_string.val[0]) == GSSD_SERVICE_NAME_LEN) && + (strncmp(kte.principal->name.name_string.val[0], GSSD_SERVICE_NAME, + GSSD_SERVICE_NAME_LEN) == 0) && + +#endif + (!gssd_have_realm_ple((void *)&kte.principal->realm)) ) { printerr(2, "We will use this entry (%s)\n", pname); ple = malloc(sizeof(struct gssd_k5_kt_princ)); if (ple == NULL) { printerr(0, "ERROR: could not allocate storage " "for principal list entry\n"); +#ifdef HAVE_KRB5 krb5_free_unparsed_name(context, pname); +#else + free(pname); +#endif retval = ENOMEM; goto out; } @@ -490,13 +514,21 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name) ple->ccname = NULL; ple->endtime = 0; if ((ple->realm = +#ifdef HAVE_KRB5 strndup(kte.principal->realm.data, kte.principal->realm.length)) +#else + strdup(kte.principal->realm)) +#endif == NULL) { printerr(0, "ERROR: %s while copying realm to " "principal list entry\n", "not enough memory"); +#ifdef HAVE_KRB5 krb5_free_unparsed_name(context, pname); +#else + free(pname); +#endif retval = ENOMEM; goto out; } @@ -505,7 +537,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name) printerr(0, "ERROR: %s while copying principal " "to principal list entry\n", error_message(code)); +#ifdef HAVE_KRB5 krb5_free_unparsed_name(context, pname); +#else + free(pname); +#endif retval = code; goto out; } 
@@ -520,7 +556,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name) printerr(2, "We will NOT use this entry (%s)\n", pname); } +#ifdef HAVE_KRB5 krb5_free_unparsed_name(context, pname); +#else + free(pname); +#endif } if ((code = krb5_kt_end_seq_get(context, kt, &cursor))) { diff --git a/utils/svcgssd/svcgssd.c b/utils/svcgssd/svcgssd.c index 8e5cc99..3b5a981 100644 --- a/utils/svcgssd/svcgssd.c +++ b/utils/svcgssd/svcgssd.c @@ -37,6 +37,8 @@ */ +#include "config.h" + #include #include #include @@ -154,7 +156,7 @@ sig_hup(int signal) static void usage(char *progname) { - fprintf(stderr, "usage: %s [-n] [-f] [-v]\n", + fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n", progname); exit(1); } @@ -165,11 +167,12 @@ main(int argc, char *argv[]) int get_creds = 1; int fg = 0; int verbosity = 0; + int rpc_verbosity = 0; int opt; extern char *optarg; char *progname; - while ((opt = getopt(argc, argv, "fvnp:")) != -1) { + while ((opt = getopt(argc, argv, "fvrnp:")) != -1) { switch (opt) { case 'f': fg = 1; @@ -180,6 +183,9 @@ main(int argc, char *argv[]) case 'v': verbosity++; break; + case 'r': + rpc_verbosity++; + break; default: usage(argv[0]); break; @@ -192,6 +198,13 @@ main(int argc, char *argv[]) progname = argv[0]; initerr(progname, verbosity, fg); +#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL + authgss_set_debug_level(rpc_verbosity); +#else + if (rpc_verbosity > 0) + printerr(0, "Warning: rpcsec_gss library does not " + "support setting debug level\n"); +#endif if (!fg) mydaemon(0, 0); diff --git a/utils/svcgssd/svcgssd.man b/utils/svcgssd/svcgssd.man index f17f772..a770662 100644 --- a/utils/svcgssd/svcgssd.man +++ b/utils/svcgssd/svcgssd.man 
@@ -6,7 +6,7 @@ .SH NAME rpc.svcgssd \- server-side rpcsec_gss daemon .SH SYNOPSIS -.B "rpc.svcgssd [-v] [-f] [-p pipefsdir]" +.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]" .SH DESCRIPTION The rpcsec_gss protocol gives a means of using the gss-api generic security api to provide security for protocols using rpc (in particular, nfs). Before @@ -27,6 +27,10 @@ in the foreground and sends output to stderr (as opposed to syslogd) .TP .B -v Increases the verbosity of the output (can be specified multiple times). +.TP +.B -r +If the rpcsec_gss library supports setting debug level, +increases the verbosity of the output (can be specified multiple times). .SH SEE ALSO .BR rpc.gssd(8),