Allow any credential to be used for machine credentials

Don't restrict machine credentials to be "nfs/<machine.name>".
Use any usable credentials contained in the keytab file.
[We actually attempt to use the first entry found for each
realm, not every entry, in the keytab.]

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>

diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index 1a30d692e668b811d53cd186560a1a8382a3fcbc..f2ecd69995f589832198066f78b90136bceba951 100644 (file)
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -41,10 +41,18 @@ authentication.
 .B -k keytab
 Tells
 .B rpc.gssd
-to use the keys for principals nfs/hostname in
+to use the keys found in
 .I keytab
-to obtain machine credentials.
+to obtain "machine credentials".
 The default value is "/etc/krb5.keytab".
+Previous versions of
+.B rpc.gssd
+used only "nfs/*" keys found within the keytab.
+Now, the first keytab entry for each distinct Kerberos realm
+within the keytab is used.  This means that an NFS client
+no longer needs an "nfs/hostname" principal and keytab entry,
+but can instead use a "host/hostname" (or any other) keytab
+entry that is available.
 .TP
 .B -p path
 Tells

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index cd777e46bdab4eebd58afdd5153dee5707c77725..f1682b8ec8701f5090577122869b76cf470c0eb9 100644 (file)
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -448,7 +448,7 @@ gssd_have_realm_ple(void *r)
 
 /*
  * Process the given keytab file and create a list of principals we
- * might use to perform mount operations.
+ * might use as machine credentials.
  *
  * Returns:
  *     0 => Sucess
@@ -465,9 +465,8 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 
        /*
         * Look through each entry in the keytab file and determine
-        * if we might want to use it later to do a mount.  If so,
-        * save info in the global principal list
-        * (gssd_k5_kt_princ_list).
+        * if we might want to use it as machine credentials.  If so,
+        * save info in the global principal list (gssd_k5_kt_princ_list).
         * Note: (ple == principal list entry)
         */
        if ((code = krb5_kt_start_seq_get(context, kt, &cursor))) {
@@ -490,18 +489,9 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
                }
                printerr(2, "Processing keytab entry for principal '%s'\n",
                         pname);
-#ifdef HAVE_KRB5
-               if ( (kte.principal->data[0].length == GSSD_SERVICE_NAME_LEN) &&
-                    (strncmp(kte.principal->data[0].data, GSSD_SERVICE_NAME,
-                             GSSD_SERVICE_NAME_LEN) == 0) &&
-#else
-               if ( (strlen(kte.principal->name.name_string.val[0]) == GSSD_SERVICE_NAME_LEN) &&
-                    (strncmp(kte.principal->name.name_string.val[0], GSSD_SERVICE_NAME,
-                             GSSD_SERVICE_NAME_LEN) == 0) &&
-                             
-#endif
-                    (!gssd_have_realm_ple((void *)&kte.principal->realm)) ) {
-                       printerr(2, "We will use this entry (%s)\n", pname);
+               /* Just use the first keytab entry found for each realm */
+               if ((!gssd_have_realm_ple((void *)&kte.principal->realm)) ) {
+                       printerr(2, "We WILL use this entry (%s)\n", pname);
                        ple = malloc(sizeof(struct gssd_k5_kt_princ));
                        if (ple == NULL) {
                                printerr(0, "ERROR: could not allocate storage "