Re: [PATCH 5/5] cifs.upcall: add keytab support for unattended mounts


 



Acked-by: Igor Mammedov <niallain@xxxxxxxxx>

On Fri, Jan 7, 2011 at 5:11 PM, Jeff Layton <jlayton@xxxxxxxxx> wrote:
> Based on a patch from a few years ago by Igor Mammedov. This patch
> adds the ability for cifs.upcall to establish a TGT using the
> system-default keytab.
>
> Cc: Igor Mammedov <niallain@xxxxxxxxx>
> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
> ---
> Âcifs.upcall.c | Â 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Â1 files changed, 78 insertions(+), 0 deletions(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 3dbcd6e..479517c 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -54,6 +54,7 @@
>
> Â#define    ÂCIFS_DEFAULT_KRB5_DIR      "/tmp"
> Â#define    ÂCIFS_DEFAULT_KRB5_PREFIX    Â"krb5cc_"
> +#define CIFS_DEFAULT_KRB5_KEYTAB Â Â Â "/etc/krb5.keytab"
>
> Â#define    ÂMAX_CCNAME_LEN         ÂPATH_MAX + 5
>
> @@ -185,6 +186,78 @@ static int krb5cc_filter(const struct dirent *dirent)
> Â Â Â Â Â Â Â Âreturn 0;
> Â}
>
> +static char *
> +init_cc_from_keytab(const char *keytab_name, const char *user)
> +{
> + Â Â Â krb5_context context = NULL;
> + Â Â Â krb5_error_code ret;
> + Â Â Â krb5_creds my_creds;
> + Â Â Â krb5_keytab keytab = NULL;
> + Â Â Â krb5_principal me = NULL;
> + Â Â Â krb5_ccache cc = NULL;
> + Â Â Â char *ccname = NULL;
> +
> + Â Â Â memset((char *) &my_creds, 0, sizeof(my_creds));
> +
> + Â Â Â ret = krb5_init_context(&context);
> + Â Â Â if (ret) {
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_init_context: %d", (int)ret);
> + Â Â Â Â Â Â Â goto icfk_cleanup;
> + Â Â Â }
> +
> + Â Â Â ret = krb5_kt_resolve(context, keytab_name, &keytab);
> + Â Â Â if (ret) {
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_kt_resolve: %d", (int)ret);
> + Â Â Â Â Â Â Â goto icfk_cleanup;
> + Â Â Â }
> +
> + Â Â Â ret = krb5_parse_name(context, user, &me);
> + Â Â Â if (ret) {
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_parse_name: %d", (int)ret);
> + Â Â Â Â Â Â Â goto icfk_cleanup;
> + Â Â Â }
> +
> + Â Â Â ret = krb5_get_init_creds_keytab(context, &my_creds, me,
> + Â Â Â Â Â Â Â Â Â Â Â keytab, 0, NULL, NULL);
> + Â Â Â if (ret) {
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_get_init_creds_keytab: %d", (int)ret);
> + Â Â Â Â Â Â Â goto icfk_cleanup;
> + Â Â Â }
> +
> + Â Â Â ret = krb5_cc_default(context, &cc);
> + Â Â Â if (ret) {
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_cc_default: %d", (int)ret);
> + Â Â Â Â Â Â Â goto icfk_cleanup;
> + Â Â Â }
> +
> + Â Â Â ret = krb5_cc_initialize(context, cc, me);
> + Â Â Â if (ret) {
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_cc_initialize: %d", (int)ret);
> + Â Â Â Â Â Â Â goto icfk_cleanup;
> + Â Â Â }
> +
> + Â Â Â ret = krb5_cc_store_cred(context, cc, &my_creds);
> + Â Â Â if (ret)
> + Â Â Â Â Â Â Â syslog(LOG_DEBUG, "krb5_cc_store_cred: %d", (int)ret);
> +
> + Â Â Â ccname = strdup(krb5_cc_default_name(context));
> + Â Â Â if (ccname == NULL)
> + Â Â Â Â Â Â Â syslog(LOG_ERR, "Unable to allocate memory");
> +icfk_cleanup:
> + Â Â Â my_creds.client = 0;
> + Â Â Â krb5_free_cred_contents(context, &my_creds);
> +
> + Â Â Â if (me)
> + Â Â Â Â Â Â Â krb5_free_principal(context, me);
> + Â Â Â if (cc)
> + Â Â Â Â Â Â Â krb5_cc_close(context, cc);
> + Â Â Â if (keytab)
> + Â Â Â Â Â Â Â krb5_kt_close(context, keytab);
> + Â Â Â if (context)
> + Â Â Â Â Â Â Â krb5_free_context(context);
> + Â Â Â return ccname;
> +}
> +
> Â/* search for a credcache that looks like a likely candidate */
> Âstatic char *find_krb5_cc(const char *dirname, uid_t uid)
> Â{
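Review bot: A failure of krb5_cc_store_cred at the check on lines 89-90 is only logged, yet init_cc_from_keytab still strdup()s the default ccache name and returns it, so the caller is handed a cache that was initialized but holds no ticket; the check should read `if (ret) { syslog(LOG_DEBUG, "krb5_cc_store_cred: %d", (int)ret); goto icfk_cleanup; }`. Separately, krb5_cc_default followed by krb5_cc_initialize overwrites whatever the process's default ccache already contained, and with KRB5CCNAME set that cache need not be under CIFS_DEFAULT_KRB5_DIR where find_krb5_cc just looked, so a header comment on the function stating that it (re)initializes the default credential cache from the keytab and returns a malloc'd name the caller frees would be worth adding. Zeroing my_creds.client before krb5_free_cred_contents is presumably there because my_creds.client aliases me; if the library stores its own copy there instead, that principal leaks — confirm against the krb5 version targeted. The debug messages log only the bare error code; `krb5_get_error_message(context, ret)` would make the syslog entries readable without a lookup.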
> @@ -702,6 +775,7 @@ int main(const int argc, char *const argv[])
> Â Â Â Âstruct decoded_args arg;
> Â Â Â Âconst char *oid;
> Â Â Â Âuid_t uid;
> + Â Â Â char *keytab_name = CIFS_DEFAULT_KRB5_KEYTAB;
>
> Â Â Â Âhostbuf[0] = '\0';
> Â Â Â Âmemset(&arg, 0, sizeof(arg));
> @@ -793,6 +867,10 @@ int main(const int argc, char *const argv[])
> Â Â Â Â}
> Â Â Â Âccname = find_krb5_cc(CIFS_DEFAULT_KRB5_DIR, uid);
>
> + Â Â Â /* Couldn't find credcache? Try to use keytab */
> + Â Â Â if (ccname == NULL && arg.username != NULL)
> + Â Â Â Â Â Â Â ccname = init_cc_from_keytab(keytab_name, arg.username);
> +
> Â Â Â Âhost = arg.hostname;
>
> Â Â Â Â// do mech specific authorization
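Review bot: When find_krb5_cc returns NULL and arg.username is also NULL, the keytab fallback on lines 126-127 is skipped without any log line, which makes a failed unattended mount hard to diagnose; a `syslog(LOG_DEBUG, "no credcache found and no username given, skipping keytab")` in an else branch would help. The string init_cc_from_keytab returns is heap-allocated (strdup), so ccname must be freed on the same path as the find_krb5_cc result — main's body continues outside this hunk, so whether that happens is not visible here. keytab_name (declared in the earlier hunk at line 117) is never assigned from an option in the visible hunks; if nothing else sets it, `const char *keytab_name` would state that more accurately.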
> --
> 1.7.3.4
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


