*** empty log message ***
authorneilbrown <neilbrown>
Mon, 22 Nov 2004 05:37:36 +0000 (05:37 +0000)
committerneilbrown <neilbrown>
Mon, 22 Nov 2004 05:37:36 +0000 (05:37 +0000)
ChangeLog
configure.in
debian/nfs-kernel-server.default
utils/gssd/gssd_proc.c
utils/idmapd/idmapd.c
utils/svcgssd/Makefile
utils/svcgssd/svcgssd_proc.c

index dd490b1..0c8b592 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,8 @@
        using a pipe. 
        * utils/idmapd/idmapd.c: Let libnfsidmapd parse the idmapd.conf
        file for the default domain, instead of doing that ourselves.
+       * utils/gssd/gssd_proc.c: Make sure we get an error when a gssd
+       downcall fails. 
 
        
 2004-11-22 NeilBrown <neilb@cse.unsw.edu.au>
index 5b10c20..5d683a6 100644 (file)
@@ -118,7 +118,7 @@ AC_CHECK_LIB(nsl, main,     [LIBNSL="-lnsl"])
 AC_CHECK_LIB(crypt, crypt, [LIBCRYPT="-lcrypt"])
 if test "$enable_nfsv4" = yes; then
     AC_CHECK_LIB(event, event_dispatch)
-    AC_CHECK_LIB(nfsidmap, nfs4_uid_to_name)
+    AC_CHECK_LIB(nfsidmap, nfs4_init_name_mapping)
     AC_CHECK_HEADERS(event.h)
     AC_CHECK_HEADERS(nfsidmap.h)
 fi
index 4c6110b..d6d237d 100644 (file)
@@ -3,3 +3,7 @@ RPCNFSDCOUNT=8
 
 # Options for rpc.mountd
 RPCMOUNTDOPTS=
+
+# If you are not running NFS with RPCSEC_GSS security, and wish to
+# disable the gssd server daemon then uncomment the following line
+# NEED_SVCGSSD=no
index 416653b..788ecf1 100644 (file)
@@ -504,6 +504,10 @@ int create_auth_rpc_client(struct clnt_info *clp,
        retval = 0;
 
   out_fail:
+       if ((save_uid != -1) && (seteuid(save_uid) != 0)) {
+               printerr(0, "WARNING: Failed to restore euid"
+                           " to uid %d (in error path)\n", save_uid);
+       }
        if (sec.cred != GSS_C_NO_CREDENTIAL)
                gss_release_cred(&min_stat, &sec.cred);
        if (rpc_clnt) clnt_destroy(rpc_clnt);
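Review bot: The euid restore added at out_fail also runs on the success path, because `retval = 0;` falls straight through into the label, yet the warning text says "(in error path)"; if the success path already restored the euid and reset `save_uid` to -1 earlier in the function (that part is outside the hunk) this is only a misleading message, otherwise it is a second restore. Either way a failing `seteuid` is only logged: `retval` is left untouched, so the caller cannot tell that the process is still running with the user's euid, which a daemon that later expects root privileges will notice only indirectly. Suggest dropping "(in error path)" from the message and, if the return convention allows, giving the caller a non-zero `retval` when the restore fails. The test `save_uid != -1` also relies on save_uid being signed or on uid_t wraparound of -1; a one-line comment such as `/* save_uid == -1 means the euid was never changed */` would make that intent explicit. create_auth_rpc_client starts before the hunk.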
index a5d4f72..02604df 100644 (file)
@@ -132,7 +132,6 @@ void    mydaemon(int, int);
 void    release_parent();
 
 static int verbose = 0;
-static char domain[512];
 static char pipefsdir[PATH_MAX];
 static char *nobodyuser, *nobodygroup;
 static uid_t nobodyuid;
@@ -153,7 +152,6 @@ main(int argc, char **argv)
        struct group *gr;
        struct stat sb;
        char *xpipefsdir = NULL;
-       char *xdomain = NULL;
        int serverstart = 1, clientstart = 1;
 
        conf_path = _PATH_IDMAPDCONF;
@@ -181,13 +179,11 @@ main(int argc, char **argv)
                conf_init();
                verbose = conf_get_num("General", "Verbosity", 0);
                CONF_SAVE(xpipefsdir, conf_get_str("General", "Pipefs-Directory"));
-               CONF_SAVE(xdomain, conf_get_str("General", "Domain"));
                if (xpipefsdir != NULL)
                        strlcpy(pipefsdir, xpipefsdir, sizeof(pipefsdir));
-               if (xdomain != NULL)
-                       strlcpy(domain, xdomain, sizeof(domain));
                CONF_SAVE(nobodyuser, conf_get_str("Mapping", "Nobody-User"));
                CONF_SAVE(nobodygroup, conf_get_str("Mapping", "Nobody-Group"));
+               nfs4_init_name_mapping(conf_path);
        }
 
        while ((opt = getopt(argc, argv, GETOPTSTR)) != -1)
@@ -221,23 +217,6 @@ main(int argc, char **argv)
 
        strncat(pipefsdir, "/nfs", sizeof(pipefsdir));
 
-       if (domain[0] == '\0') {
-               struct hostent *he;
-               char hname[64], *c;
-
-               if (gethostname(hname, sizeof(hname)) == -1)
-                       errx(1, "Error getting hostname");
-
-               if ((he = gethostbyname(hname)) == NULL)
-                       errx(1, "Error resolving hostname: %s", hname);
-
-               if ((c = strchr(he->h_name, '.')) == NULL || *++c == '\0')
-                       errx(1, "Error resolving domain, "
-                           "please use the -d switch");
-
-               strlcpy(domain, c, sizeof(domain));
-       }
-
        if ((pw = getpwnam(nobodyuser)) == NULL)
                errx(1, "Could not find user \"%s\"", nobodyuser);
        nobodyuid = pw->pw_uid;
@@ -246,12 +225,6 @@ main(int argc, char **argv)
                errx(1, "Could not find group \"%s\"", nobodygroup);
        nobodygid = gr->gr_gid;
 
-       if (strlen(domain) == 0)
-               errx(1, "Invalid domain; please specify with -d switch");
-
-       if (verbose > 2)
-               warnx("Using domain \"%s\"", domain);
-
        if (!fg)
                mydaemon(0, 0);
 
@@ -640,7 +613,7 @@ nfsdopenone(struct idmap_client *ic, short which, char *path)
 
        ic->ic_which = which;
        ic->ic_id = "Server";
-       strlcpy(ic->ic_clid, domain, sizeof(ic->ic_clid));
+       strlcpy(ic->ic_clid, "Server", strlen("Server"));
 
        if (verbose > 0)
                warnx("Opened %s", ic->ic_path);
@@ -688,8 +661,10 @@ static int write_name(char *dest, char *localname, char *domain, size_t len)
 static void
 idtonameres(struct idmap_msg *im)
 {
+       char domain[NFS4_MAX_DOMAIN_LEN];
        int ret = 0;
 
+       ret = nfs4_get_default_domain(NULL, domain, sizeof(domain));
        switch (im->im_type) {
        case IDMAP_TYPE_USER:
                ret = nfs4_uid_to_name(im->im_id, domain, im->im_name,
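Review bot: `strlcpy(ic->ic_clid, "Server", strlen("Server"));` in nfsdopenone passes the source length as the destination size, so strlcpy copies at most 5 bytes and NUL-terminates, leaving ic_clid holding "Serve"; the size argument must be the destination's capacity, as in the line it replaces: `strlcpy(ic->ic_clid, "Server", sizeof(ic->ic_clid));`. In idtonameres the result of `nfs4_get_default_domain(NULL, domain, sizeof(domain))` is stored in `ret` but immediately overwritten by the switch, so a failed lookup lets an uninitialized stack buffer reach nfs4_uid_to_name as the domain string; check it before the switch and take the same error exit the switch cases use (their handling is below the hunk), e.g. `if (ret) goto out;` if that is the label. Both nfsdopenone and idtonameres continue past the end of their hunks.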
index ed3fa98..8b330db 100644 (file)
@@ -7,7 +7,7 @@ PREFIX  = rpc.
 OBJS   = svcgssd.o svcgssd_main_loop.o svcgssd_proc.o err_util.o gss_util.o \
          gss_oids.o context.o context_heimdal.o cacheio.o svcgssd_mech2file.o
 LIBDEPS        = $(TOP)support/lib/librpc.a $(TOP)support/lib/libgssapi.a
-LIBS   = -Wl,-rpath=$(KRBDIR)/lib -lrpc -lgssapi -ldl $(KRBLIB)
+LIBS   = -Wl,-rpath=$(KRBDIR)/lib -lrpc -lgssapi -ldl $(KRBLIB) -lnfsidmap
 MAN8   = svcgssd
 
 predep ::
index a25c229..8faddc1 100644 (file)
@@ -44,6 +44,7 @@
 #include <string.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <nfsidmap.h>
 
 #include "svcgssd.h"
 #include "gss_util.h"
@@ -162,15 +163,15 @@ send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
 #define rpcsec_gsserr_ctxproblem       14
 
 static int
-get_ids(gss_name_t client_name, gss_OID *mech, struct svc_cred *cred)
+get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
 {
        u_int32_t       maj_stat, min_stat;
        gss_buffer_desc name;
        char            *sname;
        int             res = -1;
-       struct passwd   *pw = NULL;
+       uid_t           uid, gid;
        gss_OID         name_type;
-       char            *c;
+       char            *secname;
 
        maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
        if (maj_stat != GSS_S_COMPLETE)
@@ -179,18 +180,17 @@ get_ids(gss_name_t client_name, gss_OID *mech, struct svc_cred *cred)
                goto out;
        memcpy(sname, name.value, name.length);
        printerr(1, "sname = %s\n", sname);
-       /* XXX: should use same mapping as idmapd?  Or something; for now
-        * I'm just chopping off the domain. */
-       /* XXX: note that idmapd also does this!  It doesn't check the domain
-        * name. */
-       if ((c = strchr(sname, '@')) != NULL)
-               *c = '\0';
-       /* XXX? mapping unknown users (including machine creds) to nobody: */
-       if ( !(pw = getpwnam(sname)) && !(pw = getpwnam("nobody")) )
+
+       res = -EINVAL;
+       if ((secname = mech2file(mech)) == NULL)
+               goto out_free;
+       nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
+       res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
+       if (res < 0)
                goto out_free;
-       cred->cr_uid = pw->pw_uid;
-       cred->cr_gid = pw->pw_gid;
-       /* XXX Read password file?  Use initgroups? I dunno...*/
+       cred->cr_uid = uid;
+       cred->cr_gid = gid;
+       /*XXX: want add_supplementary_groups(secname, sname, cred)? */
        cred->cr_ngroups = 0;
        res = 0;
 out_free:
@@ -310,7 +310,7 @@ handle_nullreq(FILE *f) {
                                &null_token, &null_token);
                goto out_err;
        }
-       if (get_ids(client_name, &mech, &cred)) {
+       if (get_ids(client_name, mech, &cred)) {
                printerr(0, "WARNING: handle_nullreq: get_uid failed\n");
                send_response(f, &in_handle, &in_tok, GSS_S_BAD_NAME /* XXX? */,
                                0, &null_token, &null_token);
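Review bot: In get_ids the return value of `nfs4_init_name_mapping(NULL)` is discarded and, as the XXX comment already notes, the call is repeated on every request; if initialization fails, the following `nfs4_gss_princ_to_ids` runs against an unconfigured mapping, and whether that reliably fails is not visible here. Suggest `if ((res = nfs4_init_name_mapping(NULL)) < 0) goto out_free;` — presumably it reports failure with a negative value, to be confirmed against libnfsidmap — and moving the call to daemon start-up so a configuration error surfaces once instead of per request. `uid_t uid, gid;` also declares the group id as uid_t; `gid_t gid;` matches `cred->cr_gid` and, assuming the library prototype takes a gid_t pointer (not shown), the callee as well. The `res = -EINVAL` set before the mech2file check reaches handle_nullreq, which only tests for non-zero, so the errno-style value is never reported; a short comment stating it is informational only would avoid a reader expecting it to be logged. The allocation of sname precedes the hunk.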