On Wed, 15 Jan 2014 16:41:34 -0500 Simo Sorce <simo@xxxxxxxxxx> wrote: > From 421f66b1cd0b031ef843f7680f463027904b93ca Mon Sep 17 00:00:00 2001 > From: Simo Sorce <simo@xxxxxxxxxx> > Date: Wed, 15 Jan 2014 16:01:49 -0500 > Subject: [PATCH] Improve first attempt at acquiring GSS credentials > > Since now rpc.gssd is swithing uid before attempting to acquire > credentials, we do not need to pass in the special uid-as-a-string name > to gssapi, because the process is already running under the user's > credentials. > > By making this optional we can fix a class of false negatives where the > user name does not match the actual ccache credentials and the ccache > type used is not one of the only 2 supported explicitly by rpc.gssd by the > fallback trolling done later. > > Signed-off-by: Simo Sorce <simo@xxxxxxxxxx> > --- > utils/gssd/krb5_util.c | 32 ++++++++++++++++++-------------- > 1 file changed, 18 insertions(+), 14 deletions(-) > > diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c > index 697d1d2e79db0cc38160ea4772d3af3a9b7d6c21..7db5baf4e4bea75ed7beebd2103afbc291efb641 100644 > --- a/utils/gssd/krb5_util.c > +++ b/utils/gssd/krb5_util.c > @@ -1383,24 +1383,28 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) > { > OM_uint32 maj_stat, min_stat; > gss_buffer_desc name_buf; > - gss_name_t name; > + gss_name_t name = GSS_C_NO_NAME; > char buf[11]; > int ret; > > - ret = snprintf(buf, 11, "%u", uid); > - if (ret < 1 || ret > 10) { > - return -1; > - } > - name_buf.value = buf; > - name_buf.length = ret + 1; > + /* the follwing is useful only if change_identity() in > + * process_krb5_upcall() failed to change uids */ > + if (getuid() == 0) { > + ret = snprintf(buf, 11, "%u", uid); > + if (ret < 1 || ret > 10) { > + return -1; > + } > + name_buf.value = buf; > + name_buf.length = ret + 1; > If change_identity() fails, then process_krb5_upcall should just give up and do an error downcall, so falling back to using GSS_C_NT_STRING_UID_NAME in that case seems unnecessary. Also, we can end up in here legitimately with uid == 0 if root_uses_machine_creds == 0. So I wonder if we even need the stuff inside this "if (getuid() == 0)" block at all... > - maj_stat = gss_import_name(&min_stat, &name_buf, > - GSS_C_NT_STRING_UID_NAME, &name); > - if (maj_stat != GSS_S_COMPLETE) { > - if (get_verbosity() > 0) > - pgsserr("gss_import_name", > - maj_stat, min_stat, &krb5oid); > - return -1; > + maj_stat = gss_import_name(&min_stat, &name_buf, > + GSS_C_NT_STRING_UID_NAME, &name); > + if (maj_stat != GSS_S_COMPLETE) { > + if (get_verbosity() > 0) > + pgsserr("gss_import_name", > + maj_stat, min_stat, &krb5oid); > + return -1; > + } > } > > ret = gssd_acquire_krb5_cred(name, gss_cred); Other than that, I'm fine with ripping that junk out. -- Jeff Layton <jlayton@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html