From: Olga Kornievskaia
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 3/3] nfs-utils: gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials
Date: Wed, 4 Oct 2023 13:32:40 -0400
Message-Id: <20231004173240.46924-6-olga.kornievskaia@gmail.com>
In-Reply-To: <20231004173240.46924-1-olga.kornievskaia@gmail.com>
References: <20231004173240.46924-1-olga.kornievskaia@gmail.com>

Unlike the machine credential case, we can't throw away the ticket cache and use the keytab to renew the credentials. Instead, we need to remove the service ticket for the server that returned KRB5_AP_ERR_BAD_INTEGRITY and try again.

Signed-off-by: Olga Kornievskaia
---
utils/gssd/gssd_proc.c | 2 ++
utils/gssd/krb5_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
utils/gssd/krb5_util.h | 1 +
3 files changed, 45 insertions(+)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index e5cc1d98..a96647df 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -419,6 +419,8 @@ create_auth_rpc_client(struct clnt_info *clp, if (cred == GSS_C_NO_CREDENTIAL) retval = gssd_refresh_krb5_machine_credential(clp->servername, "*", NULL, 1); + else + retval = gssd_k5_remove_bad_service_cred(clp->servername); if (!retval) { auth = authgss_create_default(rpc_clnt, tgtname, &sec); 
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index f6ce1fec..6f66ef4f 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1553,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) return ret; } +/* Removed a service ticket for nfs/ from the ticket cache + */ +int +gssd_k5_remove_bad_service_cred(char *name) +{ + krb5_creds in_creds, out_creds; + krb5_error_code ret; + krb5_context context; + krb5_ccache cache; + krb5_principal principal; + int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; + char srvname[1024]; + + ret = krb5_init_context(&context); + if (ret) + goto out_cred; + ret = krb5_cc_default(context, &cache); + if (ret) + goto out_free_context; + ret = krb5_cc_get_principal(context, cache, &principal); + if (ret) + goto out_close_cache; + memset(&in_creds, 0, sizeof(in_creds)); + in_creds.client = principal; + sprintf(srvname, "nfs/%s", name); + ret = krb5_parse_name(context, srvname, &in_creds.server); + if (ret) + goto out_free_principal; + ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); + if (ret) + goto out_free_principal; + ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); +out_free_principal: + krb5_free_principal(context, principal); +out_close_cache: + krb5_cc_close(context, cache); +out_free_context: + krb5_free_context(context); +out_cred: + return ret; +} + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 62c91a0e..7ef87018 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -22,6 +22,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); +int gssd_k5_remove_bad_service_cred(char *srvname); #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes; -- 2.39.1
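Review bot: in the `else` branch added to create_auth_rpc_client() in gssd_proc.c, any non-zero return from gssd_k5_remove_bad_service_cred() makes the following `if (!retval)` skip the retry through authgss_create_default(), so a cache that no longer holds an `nfs/<server>` ticket (krb5_cc_retrieve_cred() failing with KRB5_CC_NOTFOUND) or a credential-cache type that does not support krb5_cc_remove_cred() aborts the recovery instead of simply retrying; consider treating "nothing to remove" as success and logging the remaining failures with gssd_k5_err_msg() before giving up, so an operator can tell from the log why the user's mount stopped authenticating.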
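Review bot: `sprintf(srvname, "nfs/%s", name);` in gssd_k5_remove_bad_service_cred() writes into a fixed 1024-byte stack buffer with no bound on `name`, which is clp->servername from the upcall; use `snprintf(srvname, sizeof(srvname), "nfs/%s", name)` and return an error when the result is truncated. The same function leaks on every path: `in_creds.server`, allocated by krb5_parse_name(), is never freed, and `out_creds`, filled in by krb5_cc_retrieve_cred(), is not released with krb5_free_cred_contents() after krb5_cc_remove_cred(); both belong in the unwinding before `out_free_principal`. The comment `/* Removed a service ticket for nfs/ from the ticket cache */` should also say what is matched and why, e.g. "Remove the nfs/<servername> service ticket from the default ticket cache so the next authgss_create_default() fetches a fresh one".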
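Review bot: the prototype added to krb5_util.h, `int gssd_k5_remove_bad_service_cred(char *srvname);`, names the parameter `srvname` while the definition in krb5_util.c calls it `name` and uses `srvname` for the buffer it builds; use one name in both places, and since the function only reads the string, declare the parameter `const char *`.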