From: Jacob Shivers
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 1/1] gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity files
Date: Mon, 1 Mar 2021 16:46:22 -0500
Message-Id: <20210301214622.829462-2-jshivers@redhat.com>
In-Reply-To: <20210301214622.829462-1-jshivers@redhat.com>
References: <20210301214622.829462-1-jshivers@redhat.com>
X-Mailing-List: linux-nfs@vger.kernel.org

Since commit 2f682f25c642fcfe7c511d04bc9d67e732282348 $HOME has been set to '/' to avoid a deadlock when accessing Kerberized NFS shares. While this works for most use cases, users who depend on the use of $HOME/.k5identity files are negatively impacted by this commit.

This patch allows for users to use their $HOME/.k5identity to access subsequent Kerberized resources based on the credentials in said file. The default set by commit 2f682f25c642fcfe7c511d04bc9d67e732282348 still remains the same, but a user can pass '-H' to change rpc.gssd behavior to not set $HOME to '/'. Setting 'set-home=0' in /etc/nfs.conf has the same effect as passing '-H' directly to rpc.gssd.

Signed-off-by: Jacob Shivers
---
 nfs.conf             |  1 +
 systemd/nfs.conf.man |  3 ++-
 utils/gssd/gssd.c    | 28 ++++++++++++++++++++--------
 utils/gssd/gssd.man  | 19 ++++++++++++++++++-
 4 files changed, 41 insertions(+), 10 deletions(-)

diff --git a/nfs.conf b/nfs.conf index bebb2e3d1e68..eabe8c7c34c4 100644 --- a/nfs.conf +++ b/nfs.conf @@ -24,6 +24,7 @@ # keytab-file=/etc/krb5.keytab # cred-cache-directory= # preferred-realm= +# set-home=1 # [lockd] # port=0 diff --git a/systemd/nfs.conf.man b/systemd/nfs.conf.man index d2187f8aca1a..7fa35d441eca 100644
--- a/systemd/nfs.conf.man +++ b/systemd/nfs.conf.man @@ -253,7 +253,8 @@ Recognized values: .BR rpc-timeout , .BR keytab-file , .BR cred-cache-directory , -.BR preferred-realm . +.BR preferred-realm , +.BR set-home . See .BR rpc.gssd (8) diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c index 85bc4b07bebd..1541d3710b24 100644 --- a/utils/gssd/gssd.c +++ b/utils/gssd/gssd.c @@ -87,6 +87,8 @@ unsigned int context_timeout = 0; unsigned int rpc_timeout = 5; char *preferred_realm = NULL; char *ccachedir = NULL; +/* set $HOME to "/" by default */ +static bool set_home = true; /* Avoid DNS reverse lookups on server names */ static bool avoid_dns = true; static bool use_gssproxy = false; @@ -900,7 +902,7 @@ sig_die(int signal) static void usage(char *progname) { - fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n", + fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D] [-H]\n", progname); exit(1); } @@ -941,6 +943,7 @@ read_gss_conf(void) preferred_realm = s; use_gssproxy = conf_get_bool("gssd", "use-gss-proxy", use_gssproxy); + set_home = conf_get_bool("gssd", "set-home", set_home); } int @@ -961,7 +964,7 @@ main(int argc, char *argv[]) verbosity = conf_get_num("gssd", "verbosity", verbosity); rpc_verbosity = conf_get_num("gssd", "rpc-verbosity", rpc_verbosity); - while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:T:R:")) != -1) { + while ((opt = getopt(argc, argv, "HDfvrlmnMp:k:d:t:T:R:")) != -1) { switch (opt) { case 'f': fg = 1; @@ -1009,6 +1012,9 @@ main(int argc, char *argv[]) case 'D': avoid_dns = false; break; + case 'H': + set_home = false; + break; default: usage(argv[0]); break; 
@@ -1018,13 +1024,19 @@ main(int argc, char *argv[]) /* * Some krb5 routines try to scrape info out of files in the user's * home directory. This can easily deadlock when that homedir is on a - * kerberized NFS mount. By setting $HOME unconditionally to "/", we - * prevent this behavior in routines that use $HOME in preference to - * the results of getpw*. + * kerberized NFS mount. By setting $HOME to "/" by default, we prevent + * this behavior in routines that use $HOME in preference to the results + * of getpw*. + * + * Some users do not use Kerberized home dirs and need $HOME to remain + * unchanged. Those users can leave $HOME unchanged by setting set_home + * to false. */ - if (setenv("HOME", "/", 1)) { - printerr(0, "gssd: Unable to set $HOME: %s\n", strerror(errno)); - exit(1); + if (set_home) { + if (setenv("HOME", "/", 1)) { + printerr(0, "gssd: Unable to set $HOME: %s\n", strerror(errno)); + exit(1); + } } if (use_gssproxy) { diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index 26095a898293..c93cde6a66e5 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -8,7 +8,7 @@ rpc.gssd \- RPCSEC_GSS daemon .SH SYNOPSIS .B rpc.gssd -.RB [ \-DfMnlvr ] +.RB [ \-DfMnlvrH ] .RB [ \-k .IR keytab ] .RB [ \-p 
@@ -282,6 +282,16 @@ The default timeout is set to 5 seconds. If you get messages like "WARNING: can't create tcp rpc_clnt to server %servername% for user with uid %uid%: RPC: Remote system error - Connection timed out", you should consider an increase of this timeout. +.TP +.B -H +Avoids setting $HOME to "/". This allows rpc.gssd to read per user k5identity +files versus trying to read /.k5identity for each user. + +If +.B \-H +is not set, rpc.gssd will use the first match found in +/var/kerberos/krb5/user/$EUID/client.keytab and will not use a principal based on +host and/or service parameters listed in $HOME/.k5identity. .SH CONFIGURATION FILE Many of the options that can be set on the command line can also be controlled through values set in the @@ -347,6 +357,13 @@ section: .B pipefs-directory Equivalent to .BR -p . +.TP +.B set-home +Setting to +.B false +is equivalent to providing the +.B -H +flag. .SH SEE ALSO .BR rpc.svcgssd (8), -- 2.29.2
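Review bot: In the utils/gssd/gssd.c hunk at @@ -1018,13 +1024,19 @@, the new comment tells users they "can leave $HOME unchanged by setting set_home to false", but set_home is the C variable, not anything a user can set; name the user-facing knobs instead, e.g. "by passing -H or setting set-home=0 in the [gssd] section of nfs.conf". The nested `if (set_home) { if (setenv("HOME", "/", 1)) { ... } }` could also be flattened to `if (set_home && setenv("HOME", "/", 1)) {` so the error path keeps the indentation level it had before the change.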
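Review bot: The -H entry in the utils/gssd/gssd.man hunk at @@ -282,6 +282,16 @@ never says what $HOME will be once rpc.gssd stops forcing it to "/": the code only skips the setenv(), so the daemon keeps whatever value it inherited from its parent, which is not a per-user value, and "read per user k5identity files" therefore depends on how the daemon is started. The entry also omits the warning that the gssd.c comment in the same patch spells out, namely that the deadlock comes back when home directories live on a Kerberized NFS mount. Suggest saying both: that $HOME is left as inherited, and that -H / set-home=0 is only safe where home directories are not on Kerberized NFS. Style: the same entry writes the option as `.B -H` on one line and `.B \-H` a few lines later; the SYNOPSIS uses `\-`, so use that form throughout, and "per user" reads better as "per-user".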
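Review bot: The new boolean is spelled three ways across the patch: the nfs.conf sample hunk shows `# set-home=1`, the gssd.man CONFIGURATION FILE hunk at @@ -347,6 +357,13 @@ says "Setting to false is equivalent to providing the -H flag", and the commit message uses set-home=0. conf_get_bool() may accept all of them, but the sample file and the man page should agree on one form, and the set-home entry should state the default (true, matching `static bool set_home = true;`) so a reader does not have to infer it from the -H entry.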
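Review bot: In the gssd.c hunks at @@ -941,6 +943,7 @@ and @@ -961,7 +964,7 @@, set-home is read from nfs.conf before getopt() runs, and `case 'H'` can only set set_home to false, so there is no command-line way to restore the default once nfs.conf says set-home=0. That mirrors how -D and avoid_dns already behave, so it is acceptable, but the man page should describe -H and set-home as one-way switches rather than calling them "equivalent".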