neilbrown [Sun, 26 Mar 2006 23:54:16 +0000 (23:54 +0000)]
Set libnfsidmap library debugging level and logging function.
This patch adds a call to the new libnfsidmap library function
nfs4_set_debug(), which defines the verbosity level libnfsidmap
should use as well as the logging function.
neilbrown [Fri, 26 Aug 2005 02:04:40 +0000 (02:04 +0000)]
Add option to set rpcsec_gss debugging level (if available)
Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
libraries. Note that there are still run-time issues preventing
this from working when shared libraries for libgssapi and librpcsecgss
are used.
neilbrown [Fri, 26 Aug 2005 01:36:14 +0000 (01:36 +0000)]
2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
*utils/mountd/mountd.c:
mountd currently always returns AUTH_NULL and AUTH_SYS as the
allowable flavors in mount replies. We want it to also return gss
flavors when appropriate. For now as a hack we just have it always
return the KRB5 flavors as well.
*utils/mountd/cache.c:
When attempting to mount an NFSv4 pseudofilesystem (fsid=0) and the
actual exported directory does not exist on the server, rpc.mountd
doesn't check the directory exists (when fsidtype=1, i.e. using fsid,
but does check for fsidtype=0, i.e. using dev/ino). The non-existent
exported directory path with fsid=0 is written to the kernel via
/proc/net/rpc/nfsd.export/channel, which leads to path_lookup() to
return ENOENT (seems appropriate). Unfortunately, the new_cache
approach ignores errors returned when writing via the channel file so
that particular error is lost and the mount request is silently ignored.
Assuming it doesn't make sense to revamp the new_cache/up-call method to
not ignore returned errors, it seems appropriate to fix the case where
rpc.mountd doesn't check for the existence of an exported directory with
fsid= semantics. The following patch does this by moving the stat() up
so it is done for both fsidtype's. I'm not certain whether the other
tests need to be executed for fsidtype=1, but it doesn't appear to hurt
[Not exactly true: the comparison of inode numbers caused problems so
now it's kept for fsidtype=0 only].
Would it be also desirable to log a warning for every error, if any,
returned by a write to any of the /proc/net/rpc/*/channel files which
would otherwise be ignored (maybe under a debug flag)?
* gssd/mountd/svcgssd: Changes gssd, svcgssd, and mountd to ignore a
SIGHUP rather than dying.
* many: Remove the gssapi code and rely on an external library instead.
neilbrown [Fri, 26 Aug 2005 01:27:17 +0000 (01:27 +0000)]
2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
* utils/exportfs/exports.man: Document the "crossmnt" export export option
* utils/gssd/krb5_util.c:
Add better debugging and partially revert the function
check for gss_krb5_ccache_name.
For MIT Kerberos releases up to and including 1.3.1, we *must*
use the routine gss_krb5_ccache_name to get the K5 gssapi code
to use a different credentials cache.
For releases 1.3.2 and on, we want to use the KRB5CCNAME
environment variable to tell it what to use.
(A problem was reported where 1.3.5 was being used, our
code was using gss_krb5_ccache_name, but the underlying
code continued to use the first (or default?) credentials
cache. Switching to using the env variable fixed the problem.
I cannot recreate this problem.
*utils/gssd/krb5_util.c:
Andrew Mahone <andrew.mahone@gmail.com> reported that reiser4
always has DT_UNKNOWN. He supplied patch to move the check
for regular files after the stat() call to correctly find
ccache files in reiser4 filesystem.
Also change the name comparison so that the wrong file is
not selected when the substring comparison is done.
*utils/gssd/krb5_util.c:
Limit the set of encryption types that can be negotiated by
the Kerberos library to those that the kernel code currently
supports.
This should eventually query the kernel for the list of
supported enctypes.
*utils/gssd/gss_util.c, utils/svcgssd/svcgssd_main_loop.c:
Print more information in error messages to help debugging failures.
*utils/svcgssd/svcgssd_proc.c: Increase token buffer size and
update error handling so that a response is always sent.
*utils/svcgssd/svcgssd_proc.c: Add support to retrieve
supplementary groups.
neilbrown [Fri, 26 Aug 2005 01:20:12 +0000 (01:20 +0000)]
2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
* configure.in etc
Consolidate some of the Kerberos checking instead of repeating
the same things for MIT and Heimdal.
Also adds more checks to distinguish 32-bit from 64-bit
(mainly for gssapi.h)
Fix svcgssd Makefile so make TOP=../../ works correctly there.
Enable running a modern autoheader.
* utils/gssd/gss_oids.c: Use correct OID value for SPKM-3
* utils/gssd/gss_util.c: Fix build with older MIT releases that do not define GSS_C_NT_HOSTBASED_SERVICE
* utils/gssd/write_bytes.h, support/include/gssapi/gssapi.h:
Length of gss_buffer_desc is a size_t which is 64-bits on a
64-bit machine. Kernel code expects 32-bit integer for length.
Coerce length value into a 32-bit value when reading from or
writing to the kernel.
Change gssapi.h to use datatype size values obtained from
configure rather than hard-coded values.
* utils/idmapd/idmapd.c: The EV_INIT check here was wrong, and was
causing idmapd to become unresponsive to server requests after
receiving a sighup.
* utils/idmapd/idmapd.c: Idmapd should flush the server id<->name
caches when its started.
neilbrown [Fri, 26 Aug 2005 01:14:46 +0000 (01:14 +0000)]
From: Kevin Coffman <kwc@citi.umich.edu>
Consolidate some of the Kerberos checking instead of repeating
the same things for MIT and Heimdal.
Also adds more checks to distinguish 32-bit from 64-bit
(mainly for gssapi.h)
Fix svcgssd Makefile so make TOP=../../ works correctly there.
Enable running a modern autoheader.
(Requires that autoconf be run to regenerate configure script.)