LinuxLists.cc - nfs-utils patches for nfsv4.0 callbacks

2013-09-19 20:57:22

Subject: nfs-utils patches for nfsv4.0 callbacks

NFSv4.0 callbacks over krb5 have been broken for a while. With the
following three patches I've at least witnessed a succesful null
callback.

--b.

2013-09-19 21:03:59

by J. Bruce Fields

[permalink] [raw]

Subject: [PATCHv2 1/3] gssd: fix strncmp bug causing client removals

From: "J. Bruce Fields" <[email protected]>

Both dirname and pdir are null-terminated strings, so there's no reason
I can see for the strncmp.

And this gives the wrong result when comparing the "nfsd" and "nfsd4_cb"
directories! The results were callback clients being removed
immediately after creation, when lack of a client with the corresponding
name under "nfsd" lead gssd to believe it had disappeared from
"nfsd4_cb".

Signed-off-by: J. Bruce Fields <[email protected]>
---
utils/gssd/gssd_proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 2d3dbec..0383883 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -525,7 +525,7 @@ update_old_clients(struct dirent **namelist, int size, char *pdir)
/* only compare entries in the global list that are from the
* same pipefs parent directory as "pdir"
*/
- if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue;
+ if (strcmp(clp->dirname, pdir) != 0) continue;

stillhere = 0;
for (i=0; i < size; i++) {
--
1.8.3.1

2013-09-24 19:17:07

by Steve Dickson

[permalink] [raw]

Subject: Re: [PATCHv2 2/3] gssd: don't use tgtname to find our keytab

On 19/09/13 17:03, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <[email protected]>
>
> The tgtname is of the form service@hostname. It's not a hostname, and
> attempting to look it up here just causes failure of any upcall with a
> "target=" field (currently, any upcall on behalf of an nfsv4.0
> callback).
>
> I think the theory was that knowning that target= name might help pick
> the right keytab, but I don't really know if that's helpful. For now,
> just stop trying to do this.
>
> Signed-off-by: J. Bruce Fields <[email protected]>
Committed....

steved.

> ---
> utils/gssd/gssd_proc.c | 3 +--
> utils/gssd/krb5_util.c | 10 +++-------
> utils/gssd/krb5_util.h | 3 +--
> 3 files changed, 5 insertions(+), 11 deletions(-)
>
> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
> index 0383883..7200a78 100644
> --- a/utils/gssd/gssd_proc.c
> +++ b/utils/gssd/gssd_proc.c
> @@ -1035,8 +1035,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
> int success = 0;
> do {
> gssd_refresh_krb5_machine_credential(clp->servername,
> - NULL, service,
> - tgtname);
> + NULL, service);
> /*
> * Get a list of credential cache names and try each
> * of them until one works or we've tried them all
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 83b9651..c6e52fd 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -1149,7 +1149,7 @@ gssd_get_krb5_machine_cred_list(char ***list)
> if (ple->ccname) {
> /* Make sure cred is up-to-date before returning it */
> retval = gssd_refresh_krb5_machine_credential(NULL, ple,
> - NULL, NULL);
> + NULL);
> if (retval)
> continue;
> if (i + 1 > listsize) {
> @@ -1240,8 +1240,7 @@ gssd_destroy_krb5_machine_creds(void)
> int
> gssd_refresh_krb5_machine_credential(char *hostname,
> struct gssd_k5_kt_princ *ple,
> - char *service,
> - char *tgtname)
> + char *service)
> {
> krb5_error_code code = 0;
> krb5_context context;
> @@ -1280,10 +1279,7 @@ gssd_refresh_krb5_machine_credential(char *hostname,
> if (ple == NULL) {
> krb5_keytab_entry kte;
>
> - if (tgtname == NULL)
> - tgtname = hostname;
> -
> - code = find_keytab_entry(context, kt, tgtname, &kte, svcnames);
> + code = find_keytab_entry(context, kt, hostname, &kte, svcnames);
> if (code) {
> printerr(0, "ERROR: %s: no usable keytab entry found "
> "in keytab %s for connection with host %s\n",
> diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
> index eed1294..3f0723e 100644
> --- a/utils/gssd/krb5_util.h
> +++ b/utils/gssd/krb5_util.h
> @@ -31,8 +31,7 @@ void gssd_setup_krb5_machine_gss_ccache(char *servername);
> void gssd_destroy_krb5_machine_creds(void);
> int gssd_refresh_krb5_machine_credential(char *hostname,
> struct gssd_k5_kt_princ *ple,
> - char *service,
> - char *tgtname);
> + char *service);
> char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
> void gssd_k5_get_default_realm(char **def_realm);
>
>

2013-09-19 21:03:59

by J. Bruce Fields

[permalink] [raw]

Subject: [PATCHv2 3/3] gssd: let tgtname override clp->servicename

From: "J. Bruce Fields" <[email protected]>

When the kernel provides an explicit "target=" name in the upcall, that
should override the name in clp->servicename.

Signed-off-by: J. Bruce Fields <[email protected]>
---
utils/gssd/gssd_proc.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 7200a78..e58c341 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -822,6 +822,7 @@ set_port:
*/
static int
create_auth_rpc_client(struct clnt_info *clp,
+ char *tgtname,
CLIENT **clnt_return,
AUTH **auth_return,
uid_t uid,
@@ -926,14 +927,16 @@ create_auth_rpc_client(struct clnt_info *clp,
clnt_spcreateerror(rpc_errmsg));
goto out_fail;
}
+ if (!tgtname)
+ tgtname = clp->servicename;

- printerr(2, "creating context with server %s\n", clp->servicename);
- auth = authgss_create_default(rpc_clnt, clp->servicename, &sec);
+ printerr(2, "creating context with server %s\n", tgtname);
+ auth = authgss_create_default(rpc_clnt, tgtname, &sec);
if (!auth) {
/* Our caller should print appropriate message */
printerr(2, "WARNING: Failed to create krb5 context for "
"user with uid %d for server %s\n",
- uid, clp->servername);
+ uid, tgtname);
goto out_fail;
}

@@ -1015,7 +1018,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
/* Try first to acquire credentials directly via GSSAPI */
err = gssd_acquire_user_cred(uid, &gss_cred);
if (!err)
- create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
+ create_resp = create_auth_rpc_client(clp, tgtname, &rpc_clnt, &auth, uid,
AUTHTYPE_KRB5, gss_cred);
/* if create_auth_rplc_client fails try the traditional method of
* trolling for credentials */
@@ -1024,7 +1027,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
if (err == -EKEYEXPIRED)
downcall_err = -EKEYEXPIRED;
else if (!err)
- create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
+ create_resp = create_auth_rpc_client(clp, tgtname, &rpc_clnt, &auth, uid,
AUTHTYPE_KRB5, GSS_C_NO_CREDENTIAL);
}
}
@@ -1048,7 +1051,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
}
for (ccname = credlist; ccname && *ccname; ccname++) {
gssd_setup_krb5_machine_gss_ccache(*ccname);
- if ((create_auth_rpc_client(clp, &rpc_clnt,
+ if ((create_auth_rpc_client(clp, tgtname, &rpc_clnt,
&auth, uid,
AUTHTYPE_KRB5,
GSS_C_NO_CREDENTIAL)) == 0) {
--
1.8.3.1

2013-09-19 20:57:22

by J. Bruce Fields

[permalink] [raw]

Subject: [PATCH 1/3] gssd: fix strncmp bug causing client removals

From: root <[email protected]>

Both dirname and pdir are null-terminated strings, so there's no reason
I can see for the strncmp.

And this gives the wrong result when comparing the "nfsd" and "nfsd4_cb"
directories! The results were callback clients being removed
immediately after creation, when lack of a client with the corresponding
name under "nfsd" lead gssd to believe it had disappeared from
"nfsd4_cb".

Signed-off-by: J. Bruce Fields <[email protected]>
---
utils/gssd/gssd_proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 2d3dbec..0383883 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -525,7 +525,7 @@ update_old_clients(struct dirent **namelist, int size, char *pdir)
/* only compare entries in the global list that are from the
* same pipefs parent directory as "pdir"
*/
- if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue;
+ if (strcmp(clp->dirname, pdir) != 0) continue;

stillhere = 0;
for (i=0; i < size; i++) {
--
1.8.3.1

2013-09-19 20:57:23

by J. Bruce Fields

[permalink] [raw]

Subject: [PATCH 3/3] gssd: let tgtname override clp->servicename

From: root <[email protected]>

When the kernel provides an explicit "target=" name in the upcall, that
should override the name in clp->servicename.

Signed-off-by: J. Bruce Fields <[email protected]>
---
utils/gssd/gssd_proc.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 7200a78..e58c341 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -822,6 +822,7 @@ set_port:
*/
static int
create_auth_rpc_client(struct clnt_info *clp,
+ char *tgtname,
CLIENT **clnt_return,
AUTH **auth_return,
uid_t uid,
@@ -926,14 +927,16 @@ create_auth_rpc_client(struct clnt_info *clp,
clnt_spcreateerror(rpc_errmsg));
goto out_fail;
}
+ if (!tgtname)
+ tgtname = clp->servicename;

- printerr(2, "creating context with server %s\n", clp->servicename);
- auth = authgss_create_default(rpc_clnt, clp->servicename, &sec);
+ printerr(2, "creating context with server %s\n", tgtname);
+ auth = authgss_create_default(rpc_clnt, tgtname, &sec);
if (!auth) {
/* Our caller should print appropriate message */
printerr(2, "WARNING: Failed to create krb5 context for "
"user with uid %d for server %s\n",
- uid, clp->servername);
+ uid, tgtname);
goto out_fail;
}

@@ -1015,7 +1018,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
/* Try first to acquire credentials directly via GSSAPI */
err = gssd_acquire_user_cred(uid, &gss_cred);
if (!err)
- create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
+ create_resp = create_auth_rpc_client(clp, tgtname, &rpc_clnt, &auth, uid,
AUTHTYPE_KRB5, gss_cred);
/* if create_auth_rplc_client fails try the traditional method of
* trolling for credentials */
@@ -1024,7 +1027,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
if (err == -EKEYEXPIRED)
downcall_err = -EKEYEXPIRED;
else if (!err)
- create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
+ create_resp = create_auth_rpc_client(clp, tgtname, &rpc_clnt, &auth, uid,
AUTHTYPE_KRB5, GSS_C_NO_CREDENTIAL);
}
}
@@ -1048,7 +1051,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
}
for (ccname = credlist; ccname && *ccname; ccname++) {
gssd_setup_krb5_machine_gss_ccache(*ccname);
- if ((create_auth_rpc_client(clp, &rpc_clnt,
+ if ((create_auth_rpc_client(clp, tgtname, &rpc_clnt,
&auth, uid,
AUTHTYPE_KRB5,
GSS_C_NO_CREDENTIAL)) == 0) {
--
1.8.3.1

2013-09-24 19:17:26

by Steve Dickson

[permalink] [raw]

Subject: Re: [PATCHv2 3/3] gssd: let tgtname override clp->servicename

On 19/09/13 17:03, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <[email protected]>
>
> When the kernel provides an explicit "target=" name in the upcall, that
> should override the name in clp->servicename.
>
> Signed-off-by: J. Bruce Fields <[email protected]>
Committed...

steved.

> ---
> utils/gssd/gssd_proc.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
> index 7200a78..e58c341 100644
> --- a/utils/gssd/gssd_proc.c
> +++ b/utils/gssd/gssd_proc.c
> @@ -822,6 +822,7 @@ set_port:
> */
> static int
> create_auth_rpc_client(struct clnt_info *clp,
> + char *tgtname,
> CLIENT **clnt_return,
> AUTH **auth_return,
> uid_t uid,
> @@ -926,14 +927,16 @@ create_auth_rpc_client(struct clnt_info *clp,
> clnt_spcreateerror(rpc_errmsg));
> goto out_fail;
> }
> + if (!tgtname)
> + tgtname = clp->servicename;
>
> - printerr(2, "creating context with server %s\n", clp->servicename);
> - auth = authgss_create_default(rpc_clnt, clp->servicename, &sec);
> + printerr(2, "creating context with server %s\n", tgtname);
> + auth = authgss_create_default(rpc_clnt, tgtname, &sec);
> if (!auth) {
> /* Our caller should print appropriate message */
> printerr(2, "WARNING: Failed to create krb5 context for "
> "user with uid %d for server %s\n",
> - uid, clp->servername);
> + uid, tgtname);
> goto out_fail;
> }
>
> @@ -1015,7 +1018,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
> /* Try first to acquire credentials directly via GSSAPI */
> err = gssd_acquire_user_cred(uid, &gss_cred);
> if (!err)
> - create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
> + create_resp = create_auth_rpc_client(clp, tgtname, &rpc_clnt, &auth, uid,
> AUTHTYPE_KRB5, gss_cred);
> /* if create_auth_rplc_client fails try the traditional method of
> * trolling for credentials */
> @@ -1024,7 +1027,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
> if (err == -EKEYEXPIRED)
> downcall_err = -EKEYEXPIRED;
> else if (!err)
> - create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
> + create_resp = create_auth_rpc_client(clp, tgtname, &rpc_clnt, &auth, uid,
> AUTHTYPE_KRB5, GSS_C_NO_CREDENTIAL);
> }
> }
> @@ -1048,7 +1051,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
> }
> for (ccname = credlist; ccname && *ccname; ccname++) {
> gssd_setup_krb5_machine_gss_ccache(*ccname);
> - if ((create_auth_rpc_client(clp, &rpc_clnt,
> + if ((create_auth_rpc_client(clp, tgtname, &rpc_clnt,
> &auth, uid,
> AUTHTYPE_KRB5,
> GSS_C_NO_CREDENTIAL)) == 0) {
>

2013-09-24 19:16:52

by Steve Dickson

[permalink] [raw]

Subject: Re: [PATCHv2 1/3] gssd: fix strncmp bug causing client removals

On 19/09/13 17:03, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <[email protected]>
>
> Both dirname and pdir are null-terminated strings, so there's no reason
> I can see for the strncmp.
>
> And this gives the wrong result when comparing the "nfsd" and "nfsd4_cb"
> directories! The results were callback clients being removed
> immediately after creation, when lack of a client with the corresponding
> name under "nfsd" lead gssd to believe it had disappeared from
> "nfsd4_cb".
>
> Signed-off-by: J. Bruce Fields <[email protected]>
Committed...

steved.

> ---
> utils/gssd/gssd_proc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
> index 2d3dbec..0383883 100644
> --- a/utils/gssd/gssd_proc.c
> +++ b/utils/gssd/gssd_proc.c
> @@ -525,7 +525,7 @@ update_old_clients(struct dirent **namelist, int size, char *pdir)
> /* only compare entries in the global list that are from the
> * same pipefs parent directory as "pdir"
> */
> - if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue;
> + if (strcmp(clp->dirname, pdir) != 0) continue;
>
> stillhere = 0;
> for (i=0; i < size; i++) {
>

2013-09-19 20:57:22

by J. Bruce Fields

[permalink] [raw]

Subject: [PATCH 2/3] gssd: don't use tgtname to find our keytab

From: "J. Bruce Fields" <[email protected]>

The tgtname is of the form service@hostname. It's not a hostname, and
attempting to look it up here just causes failure of any upcall with a
"target=" field (currently, any upcall on behalf of an nfsv4.0
callback).

I think the theory was that knowning that target= name might help pick
the right keytab, but I don't really know if that's helpful. For now,
just stop trying to do this.

Signed-off-by: J. Bruce Fields <[email protected]>
---
utils/gssd/gssd_proc.c | 3 +--
utils/gssd/krb5_util.c | 10 +++-------
utils/gssd/krb5_util.h | 3 +--
3 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 0383883..7200a78 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -1035,8 +1035,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
int success = 0;
do {
gssd_refresh_krb5_machine_credential(clp->servername,
- NULL, service,
- tgtname);
+ NULL, service);
/*
* Get a list of credential cache names and try each
* of them until one works or we've tried them all
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 83b9651..c6e52fd 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -1149,7 +1149,7 @@ gssd_get_krb5_machine_cred_list(char ***list)
if (ple->ccname) {
/* Make sure cred is up-to-date before returning it */
retval = gssd_refresh_krb5_machine_credential(NULL, ple,
- NULL, NULL);
+ NULL);
if (retval)
continue;
if (i + 1 > listsize) {
@@ -1240,8 +1240,7 @@ gssd_destroy_krb5_machine_creds(void)
int
gssd_refresh_krb5_machine_credential(char *hostname,
struct gssd_k5_kt_princ *ple,
- char *service,
- char *tgtname)
+ char *service)
{
krb5_error_code code = 0;
krb5_context context;
@@ -1280,10 +1279,7 @@ gssd_refresh_krb5_machine_credential(char *hostname,
if (ple == NULL) {
krb5_keytab_entry kte;

- if (tgtname == NULL)
- tgtname = hostname;
-
- code = find_keytab_entry(context, kt, tgtname, &kte, svcnames);
+ code = find_keytab_entry(context, kt, hostname, &kte, svcnames);
if (code) {
printerr(0, "ERROR: %s: no usable keytab entry found "
"in keytab %s for connection with host %s\n",
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index eed1294..3f0723e 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -31,8 +31,7 @@ void gssd_setup_krb5_machine_gss_ccache(char *servername);
void gssd_destroy_krb5_machine_creds(void);
int gssd_refresh_krb5_machine_credential(char *hostname,
struct gssd_k5_kt_princ *ple,
- char *service,
- char *tgtname);
+ char *service);
char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
void gssd_k5_get_default_realm(char **def_realm);

--
1.8.3.1

2013-09-19 21:03:58

by J. Bruce Fields

[permalink] [raw]

Subject: [PATCHv2 2/3] gssd: don't use tgtname to find our keytab

2013-09-19 21:00:32

by J. Bruce Fields

[permalink] [raw]

Subject: Re: [PATCH 1/3] gssd: fix strncmp bug causing client removals

On Thu, Sep 19, 2013 at 04:57:17PM -0400, J. Bruce Fields wrote:
> From: root <[email protected]>

Ugh, sorry. I'll just resend all three of these with the authors fixed.

--b.