Re: [PATCH] rpc.gssd: Don't supply the KDC with unsupported encryption types

Hi Steve,

This patch shouldn't be necessary.

When you say "registers with the KDC", I assume that you mean gets a
TGT.  That transaction doesn't need to (and shouldn't) have encryption
types limited.  When we get a service ticket to talk to an NFS server,
we need to limit the encryption types to those supported by the
kernel.  The current code should be doing that.  If you find that
isn't the case, let me know.


K.C.

On Tue, Nov 11, 2008 at 11:40 AM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
> Hello,
>
> It seems when rpc.gssd initially registers with the KDC, it sends
> a long list of encryption types that are not supported:
>
>      Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
>                        rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4 rsa-sha1-cms
>                        rsa-md5-cms des-ede3-cbc-env rc2-cbc-env rsa-env
>
> Now the theory is mounts will hang if the KDC (like a Solaris KDC) returns an unsupported
> encryption type since the client will not know what to do with it. I'm currently
> trying to test this theory with people that actually have a working Solaris KDC,
> unfortunately I'm not one of those people...
>
> But to me, it just makes sense that rpc.gssd should only talk about encryption types
> it supports. It seems like it would cut out any and all confusion. The following
> patch does just that.
>
> comments?
>
> steved.
>
>
> Author: Steve Dickson <steved@xxxxxxxxxx>
> Date:   Tue Nov 11 11:08:13 EST 2008
>
>        When rpc.gssd registers with the KDC, only talk
>        about the supported encryption types during the
>        initial registration so the KDC will only
>        return supported encryption types.
>
>        Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
>
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 77814bc..7f131c9 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -125,6 +125,10 @@
>
>  /* Global list of principals/cache file names for machine credentials */
>  struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
> +static krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
> +                                   ENCTYPE_DES_CBC_MD5,
> +                                   ENCTYPE_DES_CBC_MD4 };
> +static int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
>
>  /*==========================*/
>  /*===  Internal routines ===*/
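Review bot: the file-scope `enctypes`/`num_enctypes` pair added after `gssd_k5_kt_princ_list` is a DES-only list (ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4) that now serves every caller in krb5_util.c, so it needs a comment stating that these are the enctypes the kernel's rpcsec_gss can use and that both the service-ticket limiting and, with this patch, the TGT request depend on it. Both definitions should also be `static const`, and a less generic name such as `kernel_enctypes` would avoid confusion with the local `enctypes` array this patch removes elsewhere in the file.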
> @@ -309,10 +313,6 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
>        u_int maj_stat, min_stat;
>        gss_cred_id_t credh;
>        gss_OID_set_desc  desired_mechs;
> -       krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
> -                                   ENCTYPE_DES_CBC_MD5,
> -                                   ENCTYPE_DES_CBC_MD4 };
> -       int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
>
>        /* We only care about getting a krb5 cred */
>        desired_mechs.count = 1;
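Review bot: with the local array and count removed, the remainder of limit_krb5_enctypes() (not shown in this hunk) now binds silently to the new file-scope `enctypes`/`num_enctypes`; please confirm that the later call in this function which hands the list and count to the GSS library still receives the same values, and add a one-line comment at the top of the function pointing at the shared definition so the dependency on the global is visible to the next reader.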
> @@ -412,6 +412,7 @@ gssd_get_single_krb5_cred(krb5_context context,
>
>        krb5_get_init_creds_opt_init(&options);
>        krb5_get_init_creds_opt_set_address_list(&options, NULL);
> +       krb5_get_init_creds_opt_set_etype_list(&options, enctypes, num_enctypes);
>  #ifdef TEST_SHORT_LIFETIME
>        /* set a short lifetime (for debugging only!) */
>        printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n");
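Review bot: the krb5_get_init_creds_opt_set_etype_list() call added here restricts the AS-REQ for the machine TGT to the three DES types, but the TGT is never handed to the kernel, so this is exactly the transaction the reply above says should not be limited. Narrowing it also creates a new failure mode: a KDC that cannot satisfy a DES-only request will refuse to issue the TGT at all, turning a possible mount hang into a guaranteed credential failure. The kernel-enctype limit belongs only where limit_krb5_enctypes() applies it to the NFS service ticket; drop this line, or if the Solaris KDC hang is confirmed, fix the service-ticket path instead.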
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
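To make the policy in the reply concrete, here is a small Python model of the two-stage behaviour it describes: the TGT request is left unrestricted, while the request for the nfs/ service ticket is limited to the enctypes the kernel can use. This is an added example and not nfs-utils code; the kernel-supported set is the three DES types hard-coded in the patch, the sample "Encryption Types:" text is constructed from the list quoted in the thread, and the KDC key set and `kdc_pick()` behaviour are constructed assumptions for illustration.

```python
"""Model of the enctype policy discussed in the thread (added example, not
nfs-utils code): TGT (AS-REQ) unrestricted, NFS service ticket (TGS-REQ)
limited to what the kernel's rpcsec_gss can decrypt."""

# The three types the patch hard-codes as the kernel-supported set (DES only).
KERNEL_SUPPORTED_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"})

# Constructed sample: the "Encryption Types:" field as quoted in the original mail,
# wrapped over indented continuation lines.
SAMPLE_ENCTYPE_TEXT = """\
     Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
                       rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4 rsa-sha1-cms
                       rsa-md5-cms des-ede3-cbc-env rc2-cbc-env rsa-env
"""


def parse_enctype_list(text):
    """Return the enctype names from an 'Encryption Types:' field that may
    continue over several indented lines; stops at the next unindented line
    or the next 'key: value' field."""
    names = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Encryption Types:"):
            collecting = True
            stripped = stripped[len("Encryption Types:"):]
        elif collecting and (not line[:1].isspace() or ":" in stripped):
            break
        if collecting:
            names.extend(stripped.split())
    return names


def tgt_request_enctypes(advertised):
    """AS-REQ for the TGT: per the reply, do not restrict; offer everything
    the client library supports, in its own preference order."""
    return list(advertised)


def service_ticket_enctypes(advertised, kernel_supported=KERNEL_SUPPORTED_ENCTYPES):
    """TGS-REQ for the nfs/ service ticket: only types the kernel can use,
    keeping the client's preference order."""
    return [e for e in advertised if e in kernel_supported]


def kdc_pick(requested, kdc_keys):
    """Constructed KDC behaviour (assumption): choose the first requested type
    for which the service principal has a key, or None if there is no overlap."""
    for enctype in requested:
        if enctype in kdc_keys:
            return enctype
    return None


def would_mount_hang(kdc_chosen, kernel_supported=KERNEL_SUPPORTED_ENCTYPES):
    """The failure mode from the thread: the KDC issued a service ticket with
    a type the kernel cannot handle, so the client cannot use it."""
    return kdc_chosen is None or kdc_chosen not in kernel_supported


if __name__ == "__main__":
    advertised = parse_enctype_list(SAMPLE_ENCTYPE_TEXT)
    # Constructed: a KDC whose nfs/ principal has both an AES and a DES key.
    nfs_principal_keys = {"aes256-cts-hmac-sha1-96", "des-cbc-crc"}
    unrestricted = kdc_pick(tgt_request_enctypes(advertised), nfs_principal_keys)
    restricted = kdc_pick(service_ticket_enctypes(advertised), nfs_principal_keys)
    print("unrestricted TGS-REQ ->", unrestricted, "hang:", would_mount_hang(unrestricted))
    print("kernel-limited TGS-REQ ->", restricted, "hang:", would_mount_hang(restricted))
```

Running the model shows why the limit belongs on the service-ticket request only: an unrestricted TGS-REQ lets the KDC pick AES, which the kernel in this scenario cannot decrypt, whereas the kernel-limited request yields des-cbc-crc and a usable ticket. Limiting the TGT request instead changes nothing for the kernel and only reduces what the KDC may issue for the TGT itself.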
