Since now rpc.gssd is swithing uid before attempting to acquire
credentials, we do not need to pass in the special uid-as-a-string name
to gssapi, because the process is already running under the user's
credentials.
By removing this code we can fix a class of false negatives where the
user name does not match the actual ccache credentials and the ccache
type used is not one of the only 2 supported explicitly by rpc.gssd by the
fallback trolling done later.
Signed-off-by: Simo Sorce <simo@xxxxxxxxxx>
---
utils/gssd/krb5_util.c | 24 ++----------------------
1 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 697d1d2e79db0cc38160ea4772d3af3a9b7d6c21..230b909b14d244f832c0b5dd62e600cf8db4f80b 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -1381,29 +1381,10 @@ gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred)
int
gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc name_buf;
- gss_name_t name;
- char buf[11];
+ OM_uint32 min_stat;
int ret;
- ret = snprintf(buf, 11, "%u", uid);
- if (ret < 1 || ret > 10) {
- return -1;
- }
- name_buf.value = buf;
- name_buf.length = ret + 1;
-
- maj_stat = gss_import_name(&min_stat, &name_buf,
- GSS_C_NT_STRING_UID_NAME, &name);
- if (maj_stat != GSS_S_COMPLETE) {
- if (get_verbosity() > 0)
- pgsserr("gss_import_name",
- maj_stat, min_stat, &krb5oid);
- return -1;
- }
-
- ret = gssd_acquire_krb5_cred(name, gss_cred);
+ ret = gssd_acquire_krb5_cred(GSS_C_NO_NAME, gss_cred);
/* force validation of cred to check for expiry */
if (ret == 0) {
@@ -1412,7 +1393,6 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
ret = -1;
}
- maj_stat = gss_release_name(&min_stat, &name);
return ret;
}
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
