Re: gssd question/patch

Hey,

On 12/6/19 1:29 PM, Olga Kornievskaia wrote:
> Hi Steve,
> 
> Question: Is this an interesting failure scenario (bug) that should be
> fixed: client did a mount which acquired gss creds and stored in the
> credential cache. Then say it umounts at some point. Then for some
> reason the Kerberos cache is deleted (rm -f /tmp/krb5cc*). Now client
> mounts again. This currently fails. Because gssd uses internal cache
> to store creds lifetimes and thinks that tgt is still valid but then
> trying to acquire a service ticket it fails (since there is no tgt).
I'm unable to reproduce the scenario...

(as root) mount -o sec=krb5 server:/home/tmp /mnt/tmp
(as kuser) kinit kuser
(as kuser) touch /mnt/tmp/foobar
(as root) umount /mnt/tmp/
(as root) rm -f /tmp/krb5cc*
(as root) mount -o sec=krb5 server:/home/tmp /mnt/tmp
(as kuser) touch /mnt/tmp/foobar # which succeeds

Where am I going wrong?

steved.

> 
> Here's my proposed fix (I can send as a patch if this agreed upon).
> 
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 0474783..3678524 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -121,6 +121,9 @@
>  #include <krb5.h>
>  #include <rpc/auth_gss.h>
> 
> +#include <sys/types.h>
> +#include <fcntl.h>
> +
>  #include "nfslib.h"
>  #include "gssd.h"
>  #include "err_util.h"
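Review bot: the added includes cover open() via <fcntl.h>, but the new helper below also uses close() and BUFSIZ, which come from <unistd.h> and <stdio.h>; if krb5_util.c does not already include both before this point the build is relying on transitive includes, so add them here alongside <fcntl.h>. <sys/types.h> is harmless but not needed for anything the helper calls.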
> @@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
>         return err;
>  }
> 
> +/* check if the ticket cache exists, if not set nocache=1 so that new
> + * tgt is gotten
> + */
> +static int
> +gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
> +{
> +       int fd;
> +       char cc_name[BUFSIZ];
> +
> +       snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
> +               ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
> +               GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
> +       fd = open(cc_name, O_RDONLY);
> +       if (fd < 0)
> +               return 1;
> +       close(fd);
> +       return 0;
> +}
> +
>  /*
>   * Obtain credentials via a key in the keytab given
>   * a keytab handle and a gssd_k5_kt_princ structure.
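Review bot: gssd_check_if_cc_exists() builds the cache path by hand from ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX, GSSD_DEFAULT_MACHINE_CRED_SUFFIX and ple->realm, independently of wherever the code that creates the machine cache names it; if the two formats ever diverge (separator, suffix, which search directory), open() fails on every call and nocache silently becomes 1 each time, which defeats the lifetime cache entirely. Derive the name from one shared helper, and test existence with stat() or access() instead of open()+close(): opening the file as root consumes a descriptor for nothing and follows symlinks in a world-writable directory such as /tmp. The helper also returns 1 on any open() failure rather than only ENOENT, so a transient EACCES or EMFILE forces a fresh TGT; checking errno == ENOENT keeps the "file was deleted" case distinct from "could not look".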
> @@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context,
> 
>         memset(&my_creds, 0, sizeof(my_creds));
> 
> +       if (!nocache && !use_memcache)
> +               nocache = gssd_check_if_cc_exists(ple);
>         /*
>          * Workaround for clock skew among NFS server, NFS client and KDC
>          * 300 because clock skew must be within 300sec for kerberos
> 

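The failure mode under discussion, modelled as an added example that is not nfs-utils code and not part of either message in this thread: a remembered credential lifetime is trusted only while the backing FILE: credential cache still exists on disk, and the existence test distinguishes "deleted" (ENOENT) from "could not check". The struct, the path template and the policy switch are assumptions made for the demonstration; the temporary file it creates stands in for a real Kerberos cache.

```c
/* Added example, not nfs-utils code. Models a cached credential lifetime
 * that must also be backed by an existing ccache file. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

struct cached_cred {
    char   ccname[4096];   /* assumed: path of the FILE: credential cache */
    time_t expiry;         /* remembered TGT expiry, like gssd's internal cache */
};

/* Return 1 if a regular file exists at path, 0 if it is definitely gone
 * (ENOENT), and -1 for any other outcome (permission denied, a symlink
 * planted in its place, ...). lstat() is used instead of open() so that no
 * descriptor is consumed and a symlink is reported rather than followed. */
int ccache_file_present(const char *path, int *err)
{
    struct stat st;

    if (lstat(path, &st) == 0) {
        if (err)
            *err = 0;
        return S_ISREG(st.st_mode) ? 1 : -1;
    }
    if (err)
        *err = errno;
    return errno == ENOENT ? 0 : -1;
}

/* The decision being debated in the thread. Old policy: the remembered
 * expiry alone decides. New policy: expiry AND the cache file must exist. */
int cred_usable(const struct cached_cred *c, time_t now, int check_file)
{
    if (c->expiry <= now)
        return 0;
    if (!check_file)
        return 1;
    return ccache_file_present(c->ccname, NULL) == 1;
}

/* Demonstration: create a throwaway cache file (constructed, not a real
 * ccache), remember a one-hour lifetime for it, delete it the way
 * "rm -f /tmp/krb5cc*" would, and compare both policies before and after.
 * The four answers are packed into one value: bit3 = old policy before
 * deletion, bit2 = new before, bit1 = old after, bit0 = new after. */
int demo(void)
{
    struct cached_cred c;
    char tmpl[] = "/tmp/krb5cc_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    int before_old, before_new, after_old, after_new;

    if (fd < 0)
        return -1;
    close(fd);
    snprintf(c.ccname, sizeof(c.ccname), "%s", tmpl);
    c.expiry = time(NULL) + 3600;

    before_old = cred_usable(&c, time(NULL), 0);
    before_new = cred_usable(&c, time(NULL), 1);
    unlink(tmpl);
    after_old = cred_usable(&c, time(NULL), 0);
    after_new = cred_usable(&c, time(NULL), 1);

    return (before_old << 3) | (before_new << 2) | (after_old << 1) | after_new;
}

int main(void)
{
    int r = demo();
    printf("policy bits (old-before new-before old-after new-after): 0x%x\n", r);
    return r == 0xe ? 0 : 1;
}
```

With the file gone the old policy still reports the credential usable (the bug described in the thread) while the new policy does not, which is the 0xe result; an errno other than ENOENT is deliberately not treated as "deleted", so a permission or descriptor problem does not silently force a fresh TGT.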