From: Kevin Coffman <kwc@citi.umich.edu>
Date: Fri, 16 Mar 2007 14:27:44 +0000 (-0400)
Subject: Add option to allow root to use credentials other than machine credentials
X-Git-Tag: nfs-utils-1-1-0-rc1~52
X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=commitdiff_plain;h=1a5b79866092e5061f3a6d2cd1a644f47e65ba3a;hp=1a5b79866092e5061f3a6d2cd1a644f47e65ba3a

Add option to allow root to use credentials other than machine credentials

Add a new option ("-n") to rpc.gssd to indicate that accesses as root
(uid 0) should not use machine credentials, but should instead use
"normal" Kerberos credentials obtained by root.

This change was prompted by a suggestion and patch from Daniel
Muntz <Dan.Muntz@netapp.com>.  That patch suggested trying "normal"
credentials first and falling back to using machine creds for
uid 0 if normal creds failed.

This opens up the case where root may have credentials as "foo@REALM"
and begins accessing files.  Then the context using those credentials
expires and must be renewed.  If the credentials are now expired, then
root's new context would fall back and be created with the machine
credentials.

Instead, this patch insists that the administrator choose to use either
machine credentials for accesses by uid 0 (the default behavior, as
it was before) or "normal" credentials.  In the latter case, arrangements
must be made to obtain credentials before attempting a mount.  There
should be no doubts which credentials are used for uid 0.

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
---