main/nfs-utils: /var via tmpfiles + fix build with libtirpc-1.3.5
Showing
8 changed files
with
416 additions
and
2 deletions.
@@ -1,5 +1,8 @@ | ||
# Create rpc_pipefs mount directory and sm directories | ||
# Create nfs state | ||
|
||
d /var/lib/nfs/rpc_pipefs 0555 root root - | ||
d /var/lib/nfs/sm 0755 nobody nogroup - | ||
d /var/lib/nfs/sm.bak 0755 nobody nogroup - | ||
f /var/lib/nfs/etab 0644 root root - | ||
f /var/lib/nfs/rmtab 0644 root root - | ||
f /var/lib/nfs/state 0600 root root - |
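--- a/main/nfs-utils/patches/10001-gssd-revert-commit-a5f3b7ccb01c.patch
+++ b/main/nfs-utils/patches/10001-gssd-revert-commit-a5f3b7ccb01c.patch
@@ -0,0 +1,99 @@
+From 20c0797937e9ec43a78a2f5475d4296897f8c537 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <[email protected]>
+Date: Mon, 11 Dec 2023 08:46:35 -0500
+Subject: [PATCH 1/6] gssd: revert commit a5f3b7ccb01c
+
+In preparation for using rpc_gss_seccreate() function, revert commit
+a5f3b7ccb01c "gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user
+credentials"
+
+Reviewed-by: Chuck Lever <[email protected]>
+Signed-off-by: Olga Kornievskaia <[email protected]>
+Signed-off-by: Steve Dickson <[email protected]>
+---
+utils/gssd/gssd_proc.c | 2 --
+utils/gssd/krb5_util.c | 42 ------------------------------------------
+utils/gssd/krb5_util.h | 1 -
+3 files changed, 45 deletions(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index a96647df..e5cc1d98 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -419,8 +419,6 @@ create_auth_rpc_client(struct clnt_info *clp,
+if (cred == GSS_C_NO_CREDENTIAL)
+retval = gssd_refresh_krb5_machine_credential(clp->servername,
+"*", NULL, 1);
+- else
+- retval = gssd_k5_remove_bad_service_cred(clp->servername);
+if (!retval) {
+auth = authgss_create_default(rpc_clnt, tgtname,
+&sec);
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index 6f66ef4f..f6ce1fec 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -1553,48 +1553,6 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred)
+return ret;
+}
+
+-/* Removed a service ticket for nfs/<name> from the ticket cache
+- */
+-int
+-gssd_k5_remove_bad_service_cred(char *name)
+-{
+- krb5_creds in_creds, out_creds;
+- krb5_error_code ret;
+- krb5_context context;
+- krb5_ccache cache;
+- krb5_principal principal;
+- int retflags = KRB5_TC_MATCH_SRV_NAMEONLY;
+- char srvname[1024];
+-
+- ret = krb5_init_context(&context);
+- if (ret)
+- goto out_cred;
+- ret = krb5_cc_default(context, &cache);
+- if (ret)
+- goto out_free_context;
+- ret = krb5_cc_get_principal(context, cache, &principal);
+- if (ret)
+- goto out_close_cache;
+- memset(&in_creds, 0, sizeof(in_creds));
+- in_creds.client = principal;
+- sprintf(srvname, "nfs/%s", name);
+- ret = krb5_parse_name(context, srvname, &in_creds.server);
+- if (ret)
+- goto out_free_principal;
+- ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds);
+- if (ret)
+- goto out_free_principal;
+- ret = krb5_cc_remove_cred(context, cache, 0, &out_creds);
+-out_free_principal:
+- krb5_free_principal(context, principal);
+-out_close_cache:
+- krb5_cc_close(context, cache);
+-out_free_context:
+- krb5_free_context(context);
+-out_cred:
+- return ret;
+-}
+-
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+/*
+* this routine obtains a credentials handle via gss_acquire_cred()
+diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
+index 7ef87018..62c91a0e 100644
+--- a/utils/gssd/krb5_util.h
++++ b/utils/gssd/krb5_util.h
+@@ -22,7 +22,6 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
+void gssd_k5_get_default_realm(char **def_realm);
+
+int gssd_acquire_user_cred(gss_cred_id_t *gss_cred);
+-int gssd_k5_remove_bad_service_cred(char *srvname);
+
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+extern int limit_to_legacy_enctypes;
+--
+2.46.0
+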
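--- a/main/nfs-utils/patches/10002-gssd-revert-commit-513630d720bd.patch
+++ b/main/nfs-utils/patches/10002-gssd-revert-commit-513630d720bd.patch
@@ -0,0 +1,51 @@
+From f05af7d9924b5e455f4e750c1e8985c560784fce Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <[email protected]>
+Date: Mon, 11 Dec 2023 08:50:57 -0500
+Subject: [PATCH 2/6] gssd: revert commit 513630d720bd
+
+In preparation for using rpc_gss_seccreate(), revert commit 513630d720bd
+"gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials"
+
+Reviewed-by: Chuck Lever <[email protected]>
+Signed-off-by: Olga Kornievskaia <[email protected]>
+Signed-off-by: Steve Dickson <[email protected]>
+---
+utils/gssd/gssd_proc.c | 16 +---------------
+1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index e5cc1d98..4fb6b72d 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -412,27 +412,13 @@ create_auth_rpc_client(struct clnt_info *clp,
+tid, tgtname);
+auth = authgss_create_default(rpc_clnt, tgtname, &sec);
+if (!auth) {
+- if (sec.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+- printerr(2, "WARNING: server=%s failed context "
+- "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
+- clp->servername);
+- if (cred == GSS_C_NO_CREDENTIAL)
+- retval = gssd_refresh_krb5_machine_credential(clp->servername,
+- "*", NULL, 1);
+- if (!retval) {
+- auth = authgss_create_default(rpc_clnt, tgtname,
+- &sec);
+- if (auth)
+- goto success;
+- }
+- }
+/* Our caller should print appropriate message */
+printerr(2, "WARNING: Failed to create krb5 context for "
+"user with uid %d for server %s\n",
+uid, tgtname);
+goto out_fail;
+}
+-success:
++
+/* Success !!! */
+rpc_clnt->cl_auth = auth;
+*clnt_return = rpc_clnt;
+--
+2.46.0
+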
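--- a/main/nfs-utils/patches/10003-gssd-switch-to-using-rpc_gss_seccreate.patch
+++ b/main/nfs-utils/patches/10003-gssd-switch-to-using-rpc_gss_seccreate.patch
@@ -0,0 +1,60 @@
+From 3abf6b5223af0ccf07d217d71978ee7987acce88 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <[email protected]>
+Date: Mon, 11 Dec 2023 08:52:47 -0500
+Subject: [PATCH 3/6] gssd: switch to using rpc_gss_seccreate()
+
+If available from the libtirpc library, switch to using
+rpc_gss_seccreate() instead of authgss_create_default() which does not
+expose gss error codes.
+
+Reviewed-by: Chuck Lever <[email protected]>
+Signed-off-by: Olga Kornievskaia <[email protected]>
+Signed-off-by: Steve Dickson <[email protected]>
+---
+utils/gssd/gssd_proc.c | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 4fb6b72d..99761157 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -70,6 +70,9 @@
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <syscall.h>
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++#include <rpc/rpcsec_gss.h>
++#endif
+
+#include "gssd.h"
+#include "err_util.h"
+@@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp,
+struct timeval timeout;
+struct sockaddr *addr = (struct sockaddr *) &clp->addr;
+socklen_t salen;
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++ rpc_gss_options_req_t req;
++ rpc_gss_options_ret_t ret;
++ char mechanism[] = "kerberos_v5";
++#endif
+pthread_t tid = pthread_self();
+
+sec.qop = GSS_C_QOP_DEFAULT;
+@@ -410,7 +418,14 @@ create_auth_rpc_client(struct clnt_info *clp,
+
+printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n",
+tid, tgtname);
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++ memset(&req, 0, sizeof(req));
++ req.my_cred = sec.cred;
++ auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism,
++ rpcsec_gss_svc_none, NULL, &req, &ret);
++#else
+auth = authgss_create_default(rpc_clnt, tgtname, &sec);
++#endif
+if (!auth) {
+/* Our caller should print appropriate message */
+printerr(2, "WARNING: Failed to create krb5 context for "
+--
+2.46.0
+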
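--- a/main/nfs-utils/patches/10004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch
+++ b/main/nfs-utils/patches/10004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch
@@ -0,0 +1,62 @@
+From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <[email protected]>
+Date: Mon, 11 Dec 2023 08:55:35 -0500
+Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine
+credentials
+
+During context establishment, when the client received
+KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server
+updating its key material. To handle such error, get a new
+service ticket and re-try the AP_REQ.
+
+This functionality relies on the new API in libtirpc that
+exposes the gss errors.
+
+Reviewed-by: Chuck Lever <[email protected]>
+Signed-off-by: Olga Kornievskaia <[email protected]>
+Signed-off-by: Steve Dickson <[email protected]>
+---
+utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++-
+1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 99761157..29600a3f 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp,
+auth = authgss_create_default(rpc_clnt, tgtname, &sec);
+#endif
+if (!auth) {
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++ if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
++ printerr(2, "WARNING: server=%s failed context "
++ "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
++ clp->servername);
++ if (cred == GSS_C_NO_CREDENTIAL)
++ retval = gssd_refresh_krb5_machine_credential(clp->servername,
++ "*", NULL, 1);
++ if (!retval) {
++ auth = rpc_gss_seccreate(rpc_clnt, tgtname,
++ mechanism, rpcsec_gss_svc_none,
++ NULL, &req, &ret);
++ if (auth)
++ goto success;
++ }
++ }
++#endif
+/* Our caller should print appropriate message */
+printerr(2, "WARNING: Failed to create krb5 context for "
+"user with uid %d for server %s\n",
+uid, tgtname);
+goto out_fail;
+}
+-
++#ifdef HAVE_TIRPC_GSS_SECCREATE
++success:
++#endif
+/* Success !!! */
+rpc_clnt->cl_auth = auth;
+*clnt_return = rpc_clnt;
+--
+2.46.0
+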
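Review bot: `if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY)` on the `!auth` path of `create_auth_rpc_client()` reads a field of `ret`, which 10003 declares as `rpc_gss_options_ret_t ret;` with no initializer and which is written only by `rpc_gss_seccreate()`; whether that field is defined when the call fails before the GSS exchange starts depends on libtirpc filling it on every failure path, which this page cannot confirm. A `memset(&ret, 0, sizeof(ret));` beside the existing `memset(&req, 0, sizeof(req));` in 10003 would make the comparison well-defined at no cost, since zero is not that error code. Note also that `retval` is assigned here only in the `cred == GSS_C_NO_CREDENTIAL` arm, so `if (!retval)` relies on its earlier value for user credentials until 10005 adds the `else` arm; the two patches should not be cherry-picked apart. The enclosing function starts and ends outside the hunk.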
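--- a/main/nfs-utils/patches/10005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch
+++ b/main/nfs-utils/patches/10005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch
@@ -0,0 +1,101 @@
+From 15cd566633b1546f0808d0694ede094b4c99752d Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <[email protected]>
+Date: Mon, 11 Dec 2023 08:57:28 -0500
+Subject: [PATCH 5/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user
+credentials
+
+Unlike the machine credential case, we can't throw away the ticket
+cache and use the keytab to renew the credentials. Instead, we
+need to remove the service ticket for the server that returned
+KRB5_AP_ERR_BAD_INTEGRITY and try again.
+
+Reviewed-by: Chuck Lever <[email protected]>
+Signed-off-by: Olga Kornievskaia <[email protected]>
+Signed-off-by: Steve Dickson <[email protected]>
+---
+utils/gssd/gssd_proc.c | 2 ++
+utils/gssd/krb5_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+utils/gssd/krb5_util.h | 1 +
+3 files changed, 45 insertions(+)
+
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 29600a3f..7629de0b 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -435,6 +435,8 @@ create_auth_rpc_client(struct clnt_info *clp,
+if (cred == GSS_C_NO_CREDENTIAL)
+retval = gssd_refresh_krb5_machine_credential(clp->servername,
+"*", NULL, 1);
++ else
++ retval = gssd_k5_remove_bad_service_cred(clp->servername);
+if (!retval) {
+auth = rpc_gss_seccreate(rpc_clnt, tgtname,
+mechanism, rpcsec_gss_svc_none,
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index f6ce1fec..6f66ef4f 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -1553,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred)
+return ret;
+}
+
++/* Removed a service ticket for nfs/<name> from the ticket cache
++ */
++int
++gssd_k5_remove_bad_service_cred(char *name)
++{
++ krb5_creds in_creds, out_creds;
++ krb5_error_code ret;
++ krb5_context context;
++ krb5_ccache cache;
++ krb5_principal principal;
++ int retflags = KRB5_TC_MATCH_SRV_NAMEONLY;
++ char srvname[1024];
++
++ ret = krb5_init_context(&context);
++ if (ret)
++ goto out_cred;
++ ret = krb5_cc_default(context, &cache);
++ if (ret)
++ goto out_free_context;
++ ret = krb5_cc_get_principal(context, cache, &principal);
++ if (ret)
++ goto out_close_cache;
++ memset(&in_creds, 0, sizeof(in_creds));
++ in_creds.client = principal;
++ sprintf(srvname, "nfs/%s", name);
++ ret = krb5_parse_name(context, srvname, &in_creds.server);
++ if (ret)
++ goto out_free_principal;
++ ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds);
++ if (ret)
++ goto out_free_principal;
++ ret = krb5_cc_remove_cred(context, cache, 0, &out_creds);
++out_free_principal:
++ krb5_free_principal(context, principal);
++out_close_cache:
++ krb5_cc_close(context, cache);
++out_free_context:
++ krb5_free_context(context);
++out_cred:
++ return ret;
++}
++
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+/*
+* this routine obtains a credentials handle via gss_acquire_cred()
+diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
+index 62c91a0e..7ef87018 100644
+--- a/utils/gssd/krb5_util.h
++++ b/utils/gssd/krb5_util.h
+@@ -22,6 +22,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
+void gssd_k5_get_default_realm(char **def_realm);
+
+int gssd_acquire_user_cred(gss_cred_id_t *gss_cred);
++int gssd_k5_remove_bad_service_cred(char *srvname);
+
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+extern int limit_to_legacy_enctypes;
+--
+2.46.0
+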
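Review bot: `sprintf(srvname, "nfs/%s", name);` in the `gssd_k5_remove_bad_service_cred()` body added to krb5_util.c writes `name` (the caller passes `clp->servername`) into a fixed `char srvname[1024]` with no bound, and nothing visible on this page validates the server name's length before it gets here. The same function also never releases what it allocates after that point: `in_creds.server` from `krb5_parse_name()` and the `out_creds` filled by `krb5_cc_retrieve_cred()` are left behind on every path unless they are freed somewhere I cannot see. Since this is upstream nfs-utils code carried as a backport, the bounded formatting and the two frees below belong in a small follow-up patch in this series (or upstream) rather than an edit of 10005 itself; the comment above the function should also read "Removes a service ticket …".

```c
	memset(&in_creds, 0, sizeof(in_creds));
	in_creds.client = principal;
	/* bounded: the caller does not limit servername length for us */
	n = snprintf(srvname, sizeof(srvname), "nfs/%s", name);
	if (n < 0 || (size_t)n >= sizeof(srvname)) {
		ret = ENAMETOOLONG;	/* any non-zero code: callers only test !retval */
		goto out_free_principal;
	}
	ret = krb5_parse_name(context, srvname, &in_creds.server);
	if (ret)
		goto out_free_principal;
	ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds);
	if (ret)
		goto out_free_server;
	ret = krb5_cc_remove_cred(context, cache, 0, &out_creds);
	krb5_free_cred_contents(context, &out_creds);
out_free_server:
	krb5_free_principal(context, in_creds.server);
out_free_principal:
	krb5_free_principal(context, principal);
	/* … unchanged: out_close_cache / out_free_context / out_cred … */
```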