On Mon, 17 Apr 2023, Wang Yugui wrote:
> Hi,
>
> >
> > If /etc/krb5.keytab does not exist, then krb5 cannot work, so
> > advertising it as an option for v4root is pointless.
> > Since linux commit 676e4ebd5f2c ("NFSD: SECINFO doesn't handle
> > unsupported pseudoflavors correctly") this can result in an unhelpful
> > warning if the krb5 code is not built, or built as a module which is not
> > installed.
> >
> > [ 161.668635] NFS: SECINFO: security flavor 390003 is not supported
> > [ 161.668655] NFS: SECINFO: security flavor 390004 is not supported
> > [ 161.668670] NFS: SECINFO: security flavor 390005 is not supported
> >
> > So avoid advertising krb5 security options when krb5.keytab cannot be
> > found.
> >
> > Link: https://lore.kernel.org/linux-nfs/20170104190327.v3wbpcbqtfa5jy7d@xxxxxxxxxxxxxxxxx/
> > Signed-off-by: NeilBrown <neilb@xxxxxxx>
> > ---
> > support/export/v4root.c | 2 ++
> > support/include/pseudoflavors.h | 1 +
> > support/nfs/exports.c | 14 +++++++-------
> > 3 files changed, 10 insertions(+), 7 deletions(-)
> >
> > diff --git a/support/export/v4root.c b/support/export/v4root.c
> > index fbb0ad5f5b81..3e049582d7c1 100644
> > --- a/support/export/v4root.c
> > +++ b/support/export/v4root.c
> > @@ -66,6 +66,8 @@ set_pseudofs_security(struct exportent *pseudo)
> >
> > if (!flav->fnum)
> > continue;
> > + if (flav->need_krb5 && !access("/etc/krb5.keytab", F_OK))
> > + continue;
>
> Could we replace "/etc/krb5.keytab" with krb5_kt_default_name()?
Maybe? Why would we want to?
The presence of /etc/krb5.keytab is what we already use in a couple of
systemd unit files to determine if krb5 is configured. Why not just use
the same here?
NeilBrown
