On 03/21/2012 05:00 PM, Steve Dickson wrote:
> The user credential cache currently is kept in /tmp.
> In upcoming Kerberos release that will be moved to
> /run/user/<username>/. This patch enables gssd to
> look in both the old and new caches
>
> Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
Committed.... steved.
> ---
> utils/gssd/gssd.c | 2 +-
> utils/gssd/gssd.h | 1 +
> utils/gssd/gssd_proc.c | 36 ++++++++++++++++++++++++++++++++++--
> 3 files changed, 36 insertions(+), 3 deletions(-)
>
> diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
> index ccadb07..d53795e 100644
> --- a/utils/gssd/gssd.c
> +++ b/utils/gssd/gssd.c
> @@ -57,7 +57,7 @@
>
> char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR;
> char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
> -char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
> +char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR;
> char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
> int use_memcache = 0;
> int root_uses_machine_creds = 1;
> diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
> index 40f824c..28a8206 100644
> --- a/utils/gssd/gssd.h
> +++ b/utils/gssd/gssd.h
> @@ -45,6 +45,7 @@
> #define DNOTIFY_SIGNAL (SIGRTMIN + 3)
>
> #define GSSD_DEFAULT_CRED_DIR "/tmp"
> +#define GSSD_USER_CRED_DIR "/run/user"
> #define GSSD_DEFAULT_CRED_PREFIX "krb5cc_"
> #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine"
> #define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab"
> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
> index a51dbae..aa39435 100644
> --- a/utils/gssd/gssd_proc.c
> +++ b/utils/gssd/gssd_proc.c
> @@ -918,6 +918,23 @@ int create_auth_rpc_client(struct clnt_info *clp,
> goto out;
> }
>
> +static char *
> +user_cachedir(char *dirname, uid_t uid)
> +{
> + struct passwd *pw;
> + char *ptr;
> +
> + if ((pw = getpwuid(uid)) == NULL) {
> + printerr(0, "user_cachedir: Failed to find '%d' uid"
> + " for cache directory\n");
> + return NULL;
> + }
> + ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2);
> + if (ptr)
> + sprintf(ptr, "%s/%s", dirname, pw->pw_name);
> +
> + return ptr;
> +}
> /*
> * this code uses the userland rpcsec gss library to create a krb5
> * context on behalf of the kernel
> @@ -932,7 +949,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
> gss_buffer_desc token;
> char **credlist = NULL;
> char **ccname;
> - char **dirname;
> + char **dirname, *dir, *userdir;
> int create_resp = -1;
> int err, downcall_err = -EACCES;
>
> @@ -975,7 +992,22 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
> service == NULL)) {
> /* Tell krb5 gss which credentials cache to use */
> for (dirname = ccachesearch; *dirname != NULL; dirname++) {
> - err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
> + /* See if the user name is needed */
> + if (strncmp(*dirname, GSSD_USER_CRED_DIR,
> + strlen(GSSD_USER_CRED_DIR)) == 0) {
> + userdir = user_cachedir(*dirname, uid);
> + if (userdir == NULL)
> + continue;
> + dir = userdir;
> + } else
> + dir = *dirname;
> +
> + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir);
> +
> + if (userdir) {
> + free(userdir);
> + userdir = NULL;
> + }
> if (err == -EKEYEXPIRED)
> downcall_err = -EKEYEXPIRED;
> else if (!err)
-- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
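Review bot: The printerr() call on the getpwuid() failure path of user_cachedir has a `%d` conversion but passes no argument for it, so the daemon reads an indeterminate vararg (undefined behaviour) and the log never shows which uid failed to resolve. Add the missing argument, e.g. end the call with `" for cache directory\n", (int)uid);`. The allocation of `strlen(dirname)+strlen(pw->pw_name)+2` does match what sprintf writes, but `snprintf` with that same length would keep the bound explicit if the format is ever edited. A short comment above the function saying that the caller owns and must free the returned string would also help.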
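Review bot: In the ccachesearch loop of process_krb5_upcall, `userdir` can be read before it is ever assigned: the previous hunk declares it without an initialiser (`char **dirname, *dir, *userdir;`) and only the GSSD_USER_CRED_DIR branch sets it. With the new default order `GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR` the first entry is expected to take the `else` path, so `if (userdir) free(userdir);` can hand an indeterminate pointer to free() in a root daemon. Initialise it where it is declared, `char **dirname, *dir, *userdir = NULL;`, or set `userdir = NULL;` at the top of each iteration. The strncmp() test is a prefix match, so any configured directory whose name merely begins with "/run/user" would also get the user name appended; comparing the whole string would be stricter. The function body starts and ends outside these hunks.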