On 08/07/2014 01:47 PM, Steve Dickson wrote:
>
> On 08/06/2014 10:59 AM, Jurjen Bokma wrote:
>> HiAll,
>>
>> I have a patch to utils/gssd/krb5_util.c that enables kerberized NFS
>> mounts to succeed even if the principal is not <HOSTNAME>$.
>>
>> It works by reading another principal name from the [appdefaults]
>> section of krb5.conf:
>>
>> [appdefaults]
>> nfs = {
>> ad_principal_name = 129.125.39.115$
>> }
>>
>> Patch is attached. Would you please incorporate it in the source if you
>> find it useful?
>> Sorry if I'm asking in the wrong place.
> A couple things....
>
> One please inline your patche in your email, not attach them
> as suggested in https://www.kernel.org/doc/Documentation/SubmittingPatches
> Inlining makes it easier to review...
I'm sorry. Also for not using the proper command, not choosing the
proper subsystem, and a couple more mistakes.
> <snip 1st version of patch>
> + krb5_appdefault_string(context, "nfs", NULL, "ad_principal_name", notsetstr, &adhostoverride);
> Secondly, where does them memory for adhostoverride get freed??
Thank you for reviewing. <shame>Leaking memory in just a dozen
LOC.</shame> Wrong assumption on my part.
With the free(adhostoverride) added, the patch becomes:
--- utils/gssd/krb5_util.c.orig 2014-08-06 10:54:18.806414170 +0200
+++ utils/gssd/krb5_util.c 2014-08-07 14:21:51.795949903 +0200
@@ -801,7 +801,8 @@ find_keytab_entry(krb5_context context,
char *k5err = NULL;
int tried_all = 0, tried_default = 0;
krb5_principal princ;
-
+ const char *notsetstr = "not set";
+ char *adhostoverride;
/* Get full target hostname */
retval = get_full_hostname(tgtname, targethostname,
@@ -818,11 +819,19 @@ find_keytab_entry(krb5_context context,
}
/* Compute the active directory machine name HOST$ */
- strcpy(myhostad, myhostname);
- for (i = 0; myhostad[i] != 0; ++i)
- myhostad[i] = toupper(myhostad[i]);
- myhostad[i] = '$';
- myhostad[i+1] = 0;
+ krb5_appdefault_string(context, "nfs", NULL,
"ad_principal_name", notsetstr, &adhostoverride);
+ if (strcmp(adhostoverride, notsetstr) != 0) {
+ printerr (0, "AD host string overridden with \"%s\" from
appdefaults\n", adhostoverride);
+ /* No overflow: Windows cannot handle strings longer
than 19 chars */
+ strcpy(myhostad, adhostoverride);
+ free(adhostoverride);
+ } else {
+ strcpy(myhostad, myhostname);
+ for (i = 0; myhostad[i] != 0; ++i)
+ myhostad[i] = toupper(myhostad[i]);
+ myhostad[i] = '$';
+ myhostad[i+1] = 0;
+ }
retval = get_full_hostname(myhostname, myhostname,
sizeof(myhostname));
if (retval)
And another one for the man page, if you like:
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -140,7 +140,23 @@
that enables Kerberized NFS when the local system is joined
to an Active Directory domain using Samba.
A password for this principal must be provided in the local system's
keytab.
-.P
+If the host is joined to an AD domain, but not with a principal
<HOSTNAME>$,
+then another principal name can be configured in
+.B /etc/krb5.conf
+in a
+.B appdefaults
+stanza:
+.sp
+ [appdefaults]
+.br
+ nfs = {
+.br
+ # This name should reflect a principal that has a key in the keytab
+.br
+ ad_principal_name = 192.168.3.19$
+.br
+ }
+.sp
You can specify another keytab by using the
.B -k
option if
Thanks!
Jurjen
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
