Avoid DNS reverse resolution for server names (take 3) A NFS client should be able to work properly even if the DNS Reverse record for the server is not set. This means a DNS lookup should not be done on server names at are passed to GSSAPI. This patch changes the default behavior to no longer do those types of lookups This change default behavior could negatively impact some current environments, so the -D option is also being added that will re-enable the DNS reverse looks on server names, which are passed to GSSAPI. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Allow GSSAPI to try to acquire credentials first. GSSAPI can be given a uid number as a special name, and then gss_acquire_cred() can use the name to try to find credentials for the user. Give GSSAPI a chance to do it on its own, then fallback to the classic method of trolling through the file system to find a credential cache. This patch uses a little know feature of GSSAPI that permits to acquire crdentials specifying the user's UID. Normally GSSAPI will simply perform a getpwuid() call and use the user name to generate a principal name and then see if it can find a TGT for that principal in the local ccache. This feature is vital to allow the GSS-Proxy to be able to initiate crdentials on behalf of rpc.gssd using client keytabs stored in the filsystem. GSS-Proxy works through an interposer-type plugin (new feature in MIT 1.11) that allows to intercept all GSSAPI requestes and relay them to a system daemon via a socket. This daemon (GSS-Proxy) then can perform operations on behalf of other applications with additional logic. In the rpc.gssd case the GSS-Proxy daemon allows applications running as system users to properly access krb5 protected shares by creating a credential cache on the fly when necessary. This way all applications that need access to krb5 protected shares do not need to be taught how to initiate crdentials on their own, nor they need to be wrapped in additional init scripts like k5start or use wasteful cronjobs to keep credentials fresh. All is needed is to drop a keytab with the right keys in a special location on the system and gss-proxy will do the rest. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Fix double free when exporting lucid context When using GSSAPI's gss_krb5_export_lucid_context the context passed into the function is actually deleted during the export (to avoid reuse as the context contains state that depends on its usage). Change the code to pass in a pointer to the context so that it can be properly NULLed if we are using the GSSAPI context and following calls to gss_delete_sec_context will not cause double free errors and segfaults. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Fix whitespace nits Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: use correct test for success of getrlimit() commit 7c5cb5e732a4b8704f8c79ec819c5d271e040339 gssd: base the size of the fd array on the RLIMIT_NOFILE limit. didn't actually work as claimed. It only uses the returned value if getrlimit() returns -1 -- which of course it only does when there was an error. So change the test to "== 0". Reported-by: Leonardo Chiquitto< lchiquitto@suse.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Call authgss_free_private_data() if library provides it. librpcsecgss provides authgss_free_private_data() as a pair to authgss_get_private_data(). libtirpc does not - until recently. This ommision results in authgss_destroy_context() sending an incorrect RPCSEC_GSS_DESTROY request when gssd calls AUTH_DESTROY(). The call has been added to libtirpc, so this patch updates nfs-utils to check for the presense of the function in libtirpc and to set HAVE_AUTHGSS_FREE_PRIVATE_DATA if it is present. This is also set unconditionally if librpcsecgss is used. gssd is changed to test this value rather than HAVE_LIBTIRPC when chosing whether to call authgss_free_private_data(). Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: base the size of the fd array on the RLIMIT_NOFILE limit. We have previously raised the size of the 'pollarray' once (32 -> 256) and I have had another request to make it bigger. Rather than changing the hard-coded value, make it depend on RLIMIT_NOFILE. This is an upper limit on the size of the array that can be passed to poll() anyway. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd_proc: remove pointless test against FD_ALLOC_BLOCK in process_pipedir I can see no possible point for this test against FD_ALLOC_BLOCK, so just remove the test. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd_proc: use pollsize, not FD_ALLOC_BLOCK, in get_poll_index() get_poll_index wants to walk the entire "pollarray", but uses the constant FD_ALLOC_BLOCK, rather than the variable pollsize (which has the same value). If we want to make the size of the array variable, it is best not to use the constant. As pollsize is 'unsigned long', 'i' should be too. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Handle the target name correctly The target name contains a hostname in the realm that we are authenticating to. Since we may be authenticating to a different realm than the default realm for the server, we should not assume that the target name and host name point to the same string. In fact, the kernel NFS client will always use its own hostname as the target name, since it is always authenticating to its own default realm. On the other hand, the NFS server's callback channel will pass the hostname of the NFS client that it is authenticating too (Section 3.4, RFC3530). This patch fixes the handling of the target name in process_krb5_upcall, and ensures that it gets passed to find_keytab_entry(). Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Remove insane sanity checks of the service name Either we trust the info file, or we don't. The current 'checks' only work for the combination 'nfs', '100003' and a version number between 2 and 4. The problem is that the callback channel also wants to use 'nfs' in combination with a different program number and version number. This patch throws the bogus checks out altogether and lets the kernel use whatever combination it wants.... Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com>
rpc.gssd: Squelch compiler error gssd_proc.c: In function handle_krb5_upcall: gssd_proc.c:1117:2: warning: ISO C forbids return with expression, in function returning void [-pedantic] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
rpc.gssd: Squelch compiler warning gssd_proc.c: At top level: gssd_proc.c:782:5: warning: no previous prototype for create_auth_rpc_client [-Wmissing-prototypes] Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
GSSD: Pass GSS_context lifetime to the kernel. From: Andy Adamson <andros@netapp.com> The kernel gss_cl_ctx stores the context lifetime in gc_expiry, set by gssd in do_downcall() called by process_krb5_upcall(). The lifetime value is currently not related at all to the Kerberos TGS lifetime. It is either set to the value of gssd -t <timeout>, or to a kernel default of 3600 seconds. Most of the time the gssd -t command line is not set, and a timeout value of zero was sent to the kernel triggering the use of the 3600 second kernel default timeout. In order for the kernel to properly know when to renew a context, or to stop buffering writes for a context about to expire, the gc_expiry value needs to reflect the credential lifetime used to create the context. Note that gss_inquire_cred returns the number of seconds for which the context remains valid in the lifetime_rec parameter. Send the actual TGS remaining lifetime to the kernel. It can still be overwritten by the gssd -t command line option, or set to the kernel default if the gss_inquire_cred call fails (which sets the lifetime_rec to zero). Signed-off-by: Andy Adamson <andros@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Use /run/user/${UID} instead of /run/user/${USER} Newer versions of systemd create a /run/user/${UID} directory instead of the /run/user/${USER} directory, so switch to scanning for that. To make the per-user directory bit a little less magical, change the default to incorporate a "%U", which gets dynamically expanded to the user's UID when needed. Signed-off-by: Steve Dickson <steved@redhat.com>
rpc.gssd: don't call poll(2) twice a second Use ppoll() instead. [ cel Wed Aug 1 11:44:46 EDT 2012 - autoconfiscated Bruce's version ] Related clean-up: Since we're pulling the poll/ppoll call out into a separate function, note that the second argument of poll(2) and ppoll(2) is not an int, it's an unsigned long. The nfds_t typedef is a recent invention, so use the raw type for compatibility with older glibc headers. Acked-by: J. Bruce Fields" <bfields@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
rpc.gssd: close upcall pipe on POLLHUP When a POLLHUP event is received on a pipe file descriptor, that means the other side has closed its end of the pipe. If the receiver does not close its end of the pipe, the pipe is left in an open-but-unlinked state. For a "gssd" upcall pipe, the kernel may close its end, removing the directory entry for it, and then later create a fresh pipe named "gssd" in the same directory. In this case, rpc.gssd continues to listen on the open-but-unlinked previous "gssd" pipe. Thus upcalls on the new "gssd" pipe are left unanswered. In addition, poll(2) continues to return POLLHUP on the old pipe. Since there is no logic to close the pipe in rpc.gssd, poll(2) always returns immediately, and rpc.gssd goes into a tight loop. Typically, the kernel closes upcall pipes and destroys their parent directory at the same time. When an RPC client's directory vanishes, rpc.gssd sees the change via dnotify and eventually invokes destroy_client() which closes the user-space end of the pipes. However, if the kernel wants to switch authentication flavors (say from AUTH_KRB5 to AUTH_UNIX) on an RPC client without destroying it, the upcall pipes go away, but the RPC client's directory remains. rpc.gssd invokes update_client_list(), but that logic never closes upcall pipes if the client directory is still in place. After a POLLHUP on a pipe, close it when rpc.gssd reconstructs its list of upcall clients. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
gssd: Look for user creds in user defined directory The user credential cache currently is kept in /tmp. In upcoming Kerberos release that will be moved to /run/user/<username>/. This patch enables gssd to look in both the old and new caches Signed-off-by: Steve Dickson <steved@redhat.com>
Kill SPKM3: Remove spkm3 support from gssd Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Gssd: modify wrong err message at handle_gssd_upcall Modify wrong err message at handle_gssd_upcall when sscanf encryption types fail. Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com> Signed-off-by: Steve Dickson <steved@redhat.com>