On Mon, Apr 7, 2008 at 5:42 PM, Vince Busam <vbusam@xxxxxxxxxx> wrote: > We store kerberos credentials in multiple places, and it would be nice to > search them for a valid credential when making NFS requests. This patch > allows that. > > diff -up --recursive nfs-utils-1.1.1.orig/utils/gssd/gssd.c nfs-utils-1.1.1/utils/gssd/gssd.c > --- nfs-utils-1.1.1.orig/utils/gssd/gssd.c 2007-10-18 20:07:28.000000000 -0700 > +++ nfs-utils-1.1.1/utils/gssd/gssd.c 2008-03-17 13:35:39.000000000 -0700 > @@ -57,6 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_ > char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR; > char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE; > char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR; > +char *ccachesearch[GSSD_MAX_CCACHE_SEARCH]; > int use_memcache = 0; > int root_uses_machine_creds = 1; > > @@ -93,9 +94,11 @@ main(int argc, char *argv[]) > int verbosity = 0; > int rpc_verbosity = 0; > int opt; > + int i; > extern char *optarg; > char *progname; > > + memset(ccachesearch, 0, sizeof(ccachesearch)); > while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) { > switch (opt) { > case 'f': > @@ -130,6 +133,12 @@ main(int argc, char *argv[]) > strncpy(ccachedir, optarg, sizeof(ccachedir)); > if (ccachedir[sizeof(ccachedir)-1] != '\0') > errx(1, "ccachedir path name too long"); > + i = 0; > + strtok(ccachedir,":"); > + do { > + ccachesearch[i] = strtok(NULL,":"); > + i++; > + } while (ccachesearch[i-1] && (i<(GSSD_MAX_CCACHE_SEARCH-1))); > break; > default: > usage(argv[0]); > diff -up --recursive nfs-utils-1.1.1.orig/utils/gssd/gssd.h nfs-utils-1.1.1/utils/gssd/gssd.h > --- nfs-utils-1.1.1.orig/utils/gssd/gssd.h 2007-10-18 20:07:28.000000000 -0700 > +++ nfs-utils-1.1.1/utils/gssd/gssd.h 2008-03-12 13:10:19.000000000 -0700 > @@ -50,6 +50,7 @@ > #define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab" > #define GSSD_SERVICE_NAME "nfs" > #define GSSD_SERVICE_NAME_LEN 3 > +#define GSSD_MAX_CCACHE_SEARCH 16 > > /* > * The gss mechanisms that we can handle > @@ -62,6 +63,7 @@ extern char pipefs_dir[PATH_MAX]; > extern char pipefs_nfsdir[PATH_MAX]; > extern char keytabfile[PATH_MAX]; > extern char ccachedir[PATH_MAX]; > +extern char *ccachesearch[GSSD_MAX_CCACHE_SEARCH]; > extern int use_memcache; > extern int root_uses_machine_creds; > > diff -up --recursive nfs-utils-1.1.1.orig/utils/gssd/gssd_proc.c nfs-utils-1.1.1/utils/gssd/gssd_proc.c > --- nfs-utils-1.1.1.orig/utils/gssd/gssd_proc.c 2007-10-18 20:07:28.000000000 -0700 > +++ nfs-utils-1.1.1/utils/gssd/gssd_proc.c 2008-03-12 14:44:26.000000000 -0700 > @@ -691,10 +691,18 @@ handle_krb5_upcall(struct clnt_info *clp > > if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) { > /* Tell krb5 gss which credentials cache to use */ > - gssd_setup_krb5_user_gss_ccache(uid, clp->servername); > + gssd_setup_krb5_user_gss_ccache(uid, clp->servername, ccachedir); > > create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, > AUTHTYPE_KRB5); > + for (ccname = ccachesearch; *ccname; ccname++) { > + gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *ccname); > + > + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, > + AUTHTYPE_KRB5); > + if (create_resp == 0) > + break; > + } > } Thanks for the patch, and sorry for taking so long to get to it. If I use "-d /tmp:/tmp/ticket:/tmp/tickets", this part ignores the fact that I've successfully created the context with credentials in /tmp and continues to try /tmp/ticket and /tmp/tickets and eventually fails. I think I see why you continued to use ccachedir as well as ccachesearch, but I'm not happy with it. I'm reworking this and will submit upstream. K.C. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html