Re: [PATCH] gssd: search multiple directories for credentials

On Mon, Apr 7, 2008 at 5:42 PM, Vince Busam <vbusam@xxxxxxxxxx> wrote:
> We store kerberos credentials in multiple places, and it would be nice to
>  search them for a valid credential when making NFS requests.  This patch
>  allows that.
>
>  diff -up --recursive nfs-utils-1.1.1.orig/utils/gssd/gssd.c nfs-utils-1.1.1/utils/gssd/gssd.c
>  --- nfs-utils-1.1.1.orig/utils/gssd/gssd.c      2007-10-18 20:07:28.000000000 -0700
>  +++ nfs-utils-1.1.1/utils/gssd/gssd.c   2008-03-17 13:35:39.000000000 -0700
>  @@ -57,6 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_
>   char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR;
>   char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
>   char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
>  +char *ccachesearch[GSSD_MAX_CCACHE_SEARCH];
>   int  use_memcache = 0;
>   int  root_uses_machine_creds = 1;
>
>  @@ -93,9 +94,11 @@ main(int argc, char *argv[])
>         int verbosity = 0;
>         int rpc_verbosity = 0;
>         int opt;
>  +       int i;
>         extern char *optarg;
>         char *progname;
>
>  +       memset(ccachesearch, 0, sizeof(ccachesearch));
>         while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) {
>                 switch (opt) {
>                         case 'f':
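Review bot: the `memset(ccachesearch, 0, sizeof(ccachesearch));` added ahead of the getopt loop is redundant, since `ccachesearch` is a file-scope array and is therefore already zero-initialized; it can be dropped. If it stays, a short comment saying the array must end in a NULL entry (the parsing loop below and the caller in gssd_proc.c both rely on that terminator) would make the intent clear.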
>  @@ -130,6 +133,12 @@ main(int argc, char *argv[])
>                                 strncpy(ccachedir, optarg, sizeof(ccachedir));
>                                 if (ccachedir[sizeof(ccachedir)-1] != '\0')
>                                         errx(1, "ccachedir path name too long");
>  +                               i = 0;
>  +                               strtok(ccachedir,":");
>  +                               do {
>  +                                       ccachesearch[i] = strtok(NULL,":");
>  +                                       i++;
>  +                               } while (ccachesearch[i-1] && (i<(GSSD_MAX_CCACHE_SEARCH-1)));
>                                 break;
>                         default:
>                                 usage(argv[0]);
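Review bot: `strtok(ccachedir, ":")` modifies `ccachedir` in place, so after this block `ccachedir` holds only the first directory while `ccachesearch[]` holds pointers to the remaining ones inside the same buffer; the list ends up split across two variables, which is what forces the caller to treat `ccachedir` separately from `ccachesearch`. Storing every directory, including the first, in `ccachesearch` (e.g. `ccachesearch[i++] = strtok(ccachedir, ":");` before the `do` loop) gives one NULL-terminated list to iterate. Two smaller points: directories past the `i < (GSSD_MAX_CCACHE_SEARCH-1)` cutoff are dropped silently rather than rejected with an error like the "path name too long" case just above, and nothing in the patch updates the `-d` description in `usage()` to document the new colon-separated form.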
>  diff -up --recursive nfs-utils-1.1.1.orig/utils/gssd/gssd.h nfs-utils-1.1.1/utils/gssd/gssd.h
>  --- nfs-utils-1.1.1.orig/utils/gssd/gssd.h      2007-10-18 20:07:28.000000000 -0700
>  +++ nfs-utils-1.1.1/utils/gssd/gssd.h   2008-03-12 13:10:19.000000000 -0700
>  @@ -50,6 +50,7 @@
>   #define GSSD_DEFAULT_KEYTAB_FILE               "/etc/krb5.keytab"
>   #define GSSD_SERVICE_NAME                      "nfs"
>   #define GSSD_SERVICE_NAME_LEN                  3
>  +#define GSSD_MAX_CCACHE_SEARCH                 16
>
>   /*
>   * The gss mechanisms that we can handle
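Review bot: `GSSD_MAX_CCACHE_SEARCH` is the array size, not the number of directories accepted: the parsing loop in gssd.c stops at `GSSD_MAX_CCACHE_SEARCH-1` so that the last slot stays NULL as the terminator, which leaves room for 15 entries after the one kept in `ccachedir`. A comment beside the define stating that limit and that it includes the terminating NULL would save the next reader from working it out from the loop condition.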
>  @@ -62,6 +63,7 @@ extern char                   pipefs_dir[PATH_MAX];
>   extern char                    pipefs_nfsdir[PATH_MAX];
>   extern char                    keytabfile[PATH_MAX];
>   extern char                    ccachedir[PATH_MAX];
>  +extern char                    *ccachesearch[GSSD_MAX_CCACHE_SEARCH];
>   extern int                     use_memcache;
>   extern int                     root_uses_machine_creds;
>
>  diff -up --recursive nfs-utils-1.1.1.orig/utils/gssd/gssd_proc.c nfs-utils-1.1.1/utils/gssd/gssd_proc.c
>  --- nfs-utils-1.1.1.orig/utils/gssd/gssd_proc.c 2007-10-18 20:07:28.000000000 -0700
>  +++ nfs-utils-1.1.1/utils/gssd/gssd_proc.c      2008-03-12 14:44:26.000000000 -0700
>  @@ -691,10 +691,18 @@ handle_krb5_upcall(struct clnt_info *clp
>
>         if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
>                 /* Tell krb5 gss which credentials cache to use */
>  -               gssd_setup_krb5_user_gss_ccache(uid, clp->servername);
>  +               gssd_setup_krb5_user_gss_ccache(uid, clp->servername, ccachedir);
>
>                 create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
>                                                      AUTHTYPE_KRB5);
>  +               for (ccname = ccachesearch; *ccname; ccname++) {
>  +                       gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *ccname);
>  +
>  +                       create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
>  +                                                            AUTHTYPE_KRB5);
>  +                       if (create_resp == 0)
>  +                               break;
>  +               }
>         }
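Review bot: the fallback loop runs regardless of whether the preceding `create_auth_rpc_client()` call with `ccachedir` succeeded, so a valid credential found in the first directory is discarded by the later attempts against the `ccachesearch` entries; that is exactly the `-d /tmp:/tmp/ticket:/tmp/tickets` failure described below. Either guard the loop on the first result (`if (create_resp != 0) for (ccname = ccachesearch; *ccname; ccname++) { ... }`) or, cleaner, keep all directories in one list and run a single loop that breaks on the first success. Also, `ccname` is not declared anywhere in the visible lines, and the patch as quoted carries no change to the definition of `gssd_setup_krb5_user_gss_ccache()` to accept the new third argument; both need to be part of the series for it to build.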

Thanks for the patch, and sorry for taking so long to get to it.

If I use "-d /tmp:/tmp/ticket:/tmp/tickets", this part ignores the
fact that I've successfully created the context with credentials in
/tmp and continues to try /tmp/ticket and /tmp/tickets and eventually
fails.

I think I see why you continued to use ccachedir as well as
ccachesearch, but I'm not happy with it.  I'm reworking this and will
submit upstream.

K.C.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
