2007-02-08 22:27:47

by Kevin Coffman

Subject: [PATCH 00/12] misc nfs-utils patches

Here are a few nfs-utils patches:

- Minor changes to the autotools stuff.
- Add AM_MAINTAINER_MODE (In case you decide to include it)
- Add fslocations (referrals) support to exportfs
- Send gssapi error codes down to kernel as unsigned.
- Fix memory leak in idmapd.
- Some manpage changes from Steinar that appear to have been
missed in the previous commit.
- When selecting a Kerberos credentials cache, compare owner
rather than name.
- Use lucid context support in newer Heimdal release
- Factor out some code in mountd
- Add option to allow svcgssd to set libnfsidmap logging verbosity


K.C.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2007-02-08 22:27:47

by Kevin Coffman

Subject: [PATCH 01/12] Touch up some of the autotools files

From: Kevin Coffman <[email protected]>

Signed-off-by: Mike Frysinger <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

This patch touches up the autotool code a bit in nfs-utils:
- run autogen.sh with -e so if something fails, it'll abort properly
- set ACLOCAL_AMFLAGS so that when running autoreconf or when
autotools re-runs itself, the m4 files are found properly
- make sure we include bsdsignals.m4 in the final tarball
- add some cross-compiling fallback logic to bsdsignals.m4 so that
when cross-compiling nfs-utils, the configure is a bit more nice
than simply:
checking for BSD signal semantics... configure: error: cannot run test program while cross compiling
---

Makefile.am | 3 +++
aclocal/bsdsignals.m4 | 9 ++++++++-
autogen.sh | 2 +-
3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 8298aa0..c04e9de 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -35,10 +35,13 @@ EXTRA_DIST = \
debian/nhfsstone.prerm \
debian/rules \
\
+ aclocal/bsdsignals.m4 \
aclocal/nfs-utils.m4 \
aclocal/kerberos5.m4 \
aclocal/tcp-wrappers.m4

+ACLOCAL_AMFLAGS = -I aclocal
+
install-data-hook:
if [ ! -d $(DESTDIR)$(statedir) ]; then mkdir -p $(DESTDIR)$(statedir); fi
touch $(DESTDIR)$(statedir)/xtab; chmod 644 $(DESTDIR)$(statedir)/xtab
diff --git a/aclocal/bsdsignals.m4 b/aclocal/bsdsignals.m4
index e951194..24572aa 100644
--- a/aclocal/bsdsignals.m4
+++ b/aclocal/bsdsignals.m4
@@ -23,7 +23,14 @@ AC_DEFUN([AC_BSD_SIGNALS], [
kill(getpid(), SIGHUP); kill(getpid(), SIGHUP);
return (counter == 2)? 0 : 1;
}
- ], knfsd_cv_bsd_signals=yes, knfsd_cv_bsd_signals=no)]) dnl
+ ], knfsd_cv_bsd_signals=yes, knfsd_cv_bsd_signals=no,
+ [
+ case "$host_os" in
+ *linux*) knfsd_cv_bsd_signals=no;;
+ *bsd*) knfsd_cv_bsd_signals=yes;;
+ *) AC_MSG_ERROR([unable to guess signal semantics for $host_os; please set knfsd_cv_bsd_signals]);;
+ esac
+ ])]) dnl
AC_MSG_RESULT($knfsd_cv_bsd_signals)
test $knfsd_cv_bsd_signals = yes && AC_DEFINE(HAVE_BSD_SIGNALS, 1, [Define this if you want to use BSD signal semantics])
])dnl
diff --git a/autogen.sh b/autogen.sh
index c89e674..9e8b89b 100644
--- a/autogen.sh
+++ b/autogen.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e

echo -n cleaning up .
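Review bot: `#!/bin/sh -e` only takes effect when autogen.sh is executed directly; running it as `sh autogen.sh` (common for a script in a fresh checkout) ignores the interpreter line, so the abort-on-failure behaviour the commit message asks for is silently lost. Put `set -e` on the line after the shebang instead of (or in addition to) the `-e` flag.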



2007-02-08 22:27:47

by Kevin Coffman

Subject: [PATCH 02/12] Add AM_MAINTAINER_MODE to configure.in

From: Kevin Coffman <[email protected]>

Signed-off-by: Kevin Coffman <[email protected]>

As requested by "Steinar H. Gunderson" <[email protected]>, add
AM_MAINTAINER_MODE to configure.in. See the description of this
macro below:

`AM_MAINTAINER_MODE' disables the so called "rebuild rules" by
default. If you have `AM_MAINTAINER_MODE' in `configure.ac', and
run `./configure && make', then `make' will *never* attempt to
rebuild `configure', `Makefile.in's, Lex or Yacc outputs, etc.
I.e., this disables build rules for files which are usually
distributed and that users should normally not have to update.

If you run `./configure --enable-maintainer-mode', then these
rebuild rules will be active.
---

configure.in | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/configure.in b/configure.in
index 757ebb8..99adee8 100644
--- a/configure.in
+++ b/configure.in
@@ -8,6 +8,7 @@ AC_CONFIG_MACRO_DIR(aclocal)
AM_INIT_AUTOMAKE
AC_PREREQ(2.59)
AC_PREFIX_DEFAULT(/usr)
+AM_MAINTAINER_MODE

dnl *************************************************************
dnl * Define the set of applicable options
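Review bot: this changes what a plain `./configure && make` does for anyone who edits configure.in or a Makefile.am after unpacking (distribution packagers in particular): with `AM_MAINTAINER_MODE` the rebuild rules are off, so such an edit is ignored unless they rerun autogen.sh or pass `--enable-maintainer-mode`. That consequence, which the quoted automake text only implies, deserves a line in README/INSTALL alongside this one-line change.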


2007-02-08 22:27:48

by Kevin Coffman

Subject: [PATCH 04/12] Treat GSSAPI error codes as unsigned.

From: Kevin Coffman <[email protected]>

Signed-off-by: Kevin Coffman <[email protected]>

GSSAPI error codes (major and minor) are defined as unsigned values.
However, we treat them as signed while passing them down to the
kernel where conversion fails if they include the minus sign.
Convert them as unsigned.
---

utils/gssd/cacheio.c | 11 +++++++++++
utils/gssd/cacheio.h | 1 +
utils/gssd/svcgssd_proc.c | 4 ++--
3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/utils/gssd/cacheio.c b/utils/gssd/cacheio.c
index f2f2960..e24ef56 100644
--- a/utils/gssd/cacheio.c
+++ b/utils/gssd/cacheio.c
@@ -132,6 +132,17 @@ void qword_addint(char **bpp, int *lp, i
*lp -= len;
}

+void qword_adduint(char **bpp, int *lp, unsigned int n)
+{
+ int len;
+
+ len = snprintf(*bpp, *lp, "%u ", n);
+ if (len > *lp)
+ len = *lp;
+ *bpp += len;
+ *lp -= len;
+}
+
void qword_addeol(char **bpp, int *lp)
{
if (*lp <= 0)
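Review bot: `qword_adduint` copies the truncation handling of `qword_addint` above it, so when snprintf returns `len >= *lp` the field is cut off, `*lp` drops to 0 and the caller never learns; the record later handed to the kernel is then missing a field. The `if (*lp <= 0)` in `qword_addeol` just below is the only guard, and it only fires once the buffer is completely spent. Consider setting `*lp = -1` on truncation so `qword_addeol` rejects the whole record, or have both helpers return an error. Note also that the truncated case under snprintf semantics is `len >= *lp`, not `len > *lp`.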
diff --git a/utils/gssd/cacheio.h b/utils/gssd/cacheio.h
index dfff258..6585fc7 100644
--- a/utils/gssd/cacheio.h
+++ b/utils/gssd/cacheio.h
@@ -36,6 +36,7 @@ #include <stdio.h>
void qword_add(char **bpp, int *lp, char *str);
void qword_addhex(char **bpp, int *lp, char *buf, int blen);
void qword_addint(char **bpp, int *lp, int n);
+void qword_adduint(char **bpp, int *lp, unsigned int n);
void qword_addeol(char **bpp, int *lp);
void qword_print(FILE *f, char *str);
void qword_printhex(FILE *f, char *str, int slen);
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 4037159..7c58f7b 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -125,8 +125,8 @@ send_response(FILE *f, gss_buffer_desc *
qword_addhex(&bp, &blen, in_handle->value, in_handle->length);
qword_addhex(&bp, &blen, in_token->value, in_token->length);
qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */
- qword_addint(&bp, &blen, maj_stat);
- qword_addint(&bp, &blen, min_stat);
+ qword_adduint(&bp, &blen, maj_stat);
+ qword_adduint(&bp, &blen, min_stat);
qword_addhex(&bp, &blen, out_handle->value, out_handle->length);
qword_addhex(&bp, &blen, out_token->value, out_token->length);
qword_addeol(&bp, &blen);
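Review bot: this fixes the encoding side only. `min_stat` is where it bites in practice (Kerberos com_err codes sit at the top of the 32-bit range, so `%d` printed them with a minus sign, which is the failure the commit message describes); confirm the kernel-side reader for these two fields parses with an unsigned conversion, otherwise a value of 2^31 or above still fails after this change. Minor: `qword_adduint` takes `unsigned int` while `maj_stat`/`min_stat` are `OM_uint32`; same width on the targets nfs-utils builds for, but an explicit cast would document the intent.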


2007-02-08 22:27:49

by Kevin Coffman

Subject: [PATCH 06/12] Stop using storage after free

From: Kevin Coffman <[email protected]>

Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

The previous patch seems to expose a use after free bug in dirscancb. At
least, I could reliably reproduce a segfault by doing a bunch of mounts
and then unmounting them all. The code uses the following list macro:

TAILQ_FOREACH(ic, icq, ic_next) {

...to iterate over all of the ic entries and clean up any that no longer
have a corresponding directory in rpc_pipefs. This macro unrolls into:

for(ic=icq->tqh_first; ic != NULL; ic=ic->ic_next.tqe_next) {

...but within this loop, we can free ic, and then the for loop can trip
over that when it tries to do the iteration. The attached patch works
around this by not using the TAILQ_FOREACH macro and saving off the
tqe_next pointer prior to the free.

Again, this was tested on a patched 1.0.6, but the 1.0.10 code is very
similar, and I think the problem exists there as well.
---

utils/idmapd/idmapd.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index cbb0b6a..b30b69e 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -444,7 +444,7 @@ dirscancb(int fd, short which, void *dat
{
int nent, i;
struct dirent **ents;
- struct idmap_client *ic;
+ struct idmap_client *ic, *nextic;
char path[PATH_MAX];
struct idmap_clientq *icq = data;

@@ -498,7 +498,9 @@ dirscancb(int fd, short which, void *dat
}
}

- TAILQ_FOREACH(ic, icq, ic_next) {
+ ic = TAILQ_FIRST(icq);
+ while(ic != NULL) {
+ nextic=TAILQ_NEXT(ic, ic_next);
if (!ic->ic_scanned) {
event_del(&ic->ic_event);
close(ic->ic_fd);
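Review bot: the shape is right: the successor is captured at `nextic=TAILQ_NEXT(ic, ic_next);` before the body can free `ic`, and glibc's <sys/queue.h> does not provide TAILQ_FOREACH_SAFE, so open-coding the walk is the portable choice. Two style points against the surrounding kernel-style code: `while(ic != NULL)` wants a space after `while`, and `nextic=TAILQ_NEXT(...)` wants spaces around `=`.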
@@ -511,6 +513,7 @@ dirscancb(int fd, short which, void *dat
free(ic);
} else
ic->ic_scanned = 0;
+ ic = nextic;
}

out:

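The bug Jeff describes in the message above, as an added example that is not idmapd code: a BSD TAILQ is walked with TAILQ_FOREACH while the body frees the current node, so the macro's own increment reads freed memory. The fixed walk saves the successor first, exactly as the patch does. The list, the `client` struct and the helper names are constructed for this example; only the `ic_next` link name mirrors the patch. It assumes glibc's <sys/queue.h>, which has TAILQ_FOREACH but no TAILQ_FOREACH_SAFE.

```c
/* Added example, not idmapd code: pruning entries from a BSD TAILQ while
 * walking it.  The list and the scanned flags are constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

struct client {
    int id;
    int scanned;                   /* set when the scan saw this entry */
    TAILQ_ENTRY(client) ic_next;
};
TAILQ_HEAD(clientq, client);

/* Populate q with n clients numbered 0..n-1, none scanned yet. */
void build_list(struct clientq *q, int n)
{
    int i;
    TAILQ_INIT(q);
    for (i = 0; i < n; i++) {
        struct client *c = calloc(1, sizeof(*c));
        if (c == NULL)
            abort();
        c->id = i;
        TAILQ_INSERT_TAIL(q, c, ic_next);
    }
}

/* Simulate a directory scan that found only the even-numbered clients.
 * Returns how many entries were marked. */
int mark_scanned_if_even(struct clientq *q)
{
    struct client *c;
    int marked = 0;
    TAILQ_FOREACH(c, q, ic_next) {
        if (c->id % 2 == 0) {
            c->scanned = 1;
            marked++;
        }
    }
    return marked;
}

/* THE BUG: TAILQ_FOREACH evaluates TAILQ_NEXT(c, ic_next) after the loop
 * body, i.e. after free(c), so the next iteration starts from a pointer
 * read out of freed memory.  Shown for contrast only; never call it. */
int prune_unscanned_buggy(struct clientq *q)
{
    struct client *c;
    int removed = 0;
    TAILQ_FOREACH(c, q, ic_next) {
        if (!c->scanned) {
            TAILQ_REMOVE(q, c, ic_next);
            free(c);               /* c is dereferenced again by the loop */
            removed++;
        } else
            c->scanned = 0;
    }
    return removed;
}

/* THE FIX: fetch the successor before the body may free the node. */
int prune_unscanned(struct clientq *q)
{
    struct client *c, *nextc;
    int removed = 0;
    c = TAILQ_FIRST(q);
    while (c != NULL) {
        nextc = TAILQ_NEXT(c, ic_next);
        if (!c->scanned) {
            TAILQ_REMOVE(q, c, ic_next);
            free(c);
            removed++;
        } else
            c->scanned = 0;        /* reset for the next scan */
        c = nextc;
    }
    return removed;
}

int list_length(struct clientq *q)
{
    struct client *c;
    int n = 0;
    TAILQ_FOREACH(c, q, ic_next)
        n++;
    return n;
}

/* 1 if every surviving entry has an even id and a cleared scanned flag. */
int survivors_consistent(struct clientq *q)
{
    struct client *c;
    TAILQ_FOREACH(c, q, ic_next)
        if (c->id % 2 != 0 || c->scanned != 0)
            return 0;
    return 1;
}

/* Another safe idiom: always take the head until the list is empty. */
void free_list(struct clientq *q)
{
    struct client *c;
    while ((c = TAILQ_FIRST(q)) != NULL) {
        TAILQ_REMOVE(q, c, ic_next);
        free(c);
    }
}

int main(void)
{
    struct clientq q;
    int removed, left;
    build_list(&q, 6);
    mark_scanned_if_even(&q);
    removed = prune_unscanned(&q);
    left = list_length(&q);
    printf("removed %d, %d left\n", removed, left);
    free_list(&q);
    return 0;
}
```

Running the buggy variant under valgrind or ASan reports the read of freed memory at the loop's increment; that is the segfault Jeff reproduced with many mounts and unmounts.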

2007-02-08 22:27:48

by Kevin Coffman

Subject: [PATCH 05/12] Fix memory leak in idmapd.

From: Kevin Coffman <[email protected]>

Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

There is a pretty nasty memory leak in idmapd in dirscancb(). Some of
our customers have reported that idmapd can eat gigabytes of memory on
machines with a large number of mounts and unmounts and a long uptime.

That function uses scandir(), which malloc's an array of strings, but
dirscancb() never frees the strings or the array. The following patch
should correct this, but I've not yet tested it on 1.0.10 (only on the
RHEL4 1.0.6 version). Still, the code is very similar and I'm fairly
certain the problem exists in both versions.
---

utils/idmapd/idmapd.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index 19bf7a6..cbb0b6a 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -464,7 +464,7 @@ dirscancb(int fd, short which, void *dat
goto next;

if ((ic = calloc(1, sizeof(*ic))) == NULL)
- return;
+ goto out;
strlcpy(ic->ic_clid, ents[i]->d_name + 4,
sizeof(ic->ic_clid));
path[0] = '\0';
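Review bot: the three `return` to `goto out` changes (this hunk and the two that follow) fix the leak but keep the old behaviour of abandoning the whole scan when one client directory cannot be set up: the remaining entries are left unprocessed and the pruning pass after the loop is skipped as well. Since the loop already has a `goto next` path (visible just above), a failure on one entry could `goto next` so the other clients are still registered; at minimum the calloc failure should log something before bailing, as the open() failure below does.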
@@ -474,7 +474,7 @@ dirscancb(int fd, short which, void *dat
if ((ic->ic_dirfd = open(path, O_RDONLY, 0)) == -1) {
idmapd_warn("dirscancb: open(%s)", path);
free(ic);
- return;
+ goto out;
}

strlcat(path, "/idmap", sizeof(path));
@@ -486,7 +486,7 @@ dirscancb(int fd, short which, void *dat
if (nfsopen(ic) == -1) {
close(ic->ic_dirfd);
free(ic);
- return;
+ goto out;
}

ic->ic_id = "Client";
@@ -512,6 +512,11 @@ dirscancb(int fd, short which, void *dat
} else
ic->ic_scanned = 0;
}
+
+out:
+ for (i = 0; i < nent; i++)
+ free(ents[i]);
+ free(ents);
return;
}
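Review bot: `out:` unconditionally frees `ents[0..nent)` and `ents`, which is correct for every path that reaches it from inside the loop. Make sure the scandir() failure path at the top of the function (not in this diff) still returns before reaching `out:`: with `nent == -1` the loop is harmless but `free(ents)` would free an uninitialized pointer. Initializing `ents = NULL` at the declaration makes the label safe regardless of how it is reached.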



2007-02-08 22:27:51

by Kevin Coffman

Subject: [PATCH 09/12] Use owner rather than filename format in choosing cred cache files

From: Kevin Coffman <[email protected]>

Signed-off-by: Glenn Machin <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

Some installations use different name formats for their credentials
caches. Instead of checking that the uid is part of the name, just
make sure that uid is the owner of the file.
This is a modification of the original patch from Glenn.
---

utils/gssd/krb5_util.c | 106 +++++++++++++++++++++++-------------------------
1 files changed, 50 insertions(+), 56 deletions(-)

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index c43eb36..096f6cf 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -185,72 +185,66 @@ gssd_find_existing_krb5_ccache(uid_t uid
perror("scandir looking for krb5 credentials caches");
}
else if (n > 0) {
- char substring[128];
- char fullstring[128];
char statname[1024];
- snprintf(substring, sizeof(substring), "_%d_", uid);
- snprintf(fullstring, sizeof(fullstring), "_%d", uid);
for (i = 0; i < n; i++) {
printerr(3, "CC file '%s' being considered\n",
namelist[i]->d_name);
- if (strstr(namelist[i]->d_name, substring) ||
- !strcmp(namelist[i]->d_name, fullstring)) {
- snprintf(statname, sizeof(statname),
- "%s/%s", ccachedir,
- namelist[i]->d_name);
- if (stat(statname, &tmp_stat)) {
- printerr(0, "Error doing stat "
- "on file '%s'\n",
- statname);
- continue;
- }
- if (!S_ISREG(tmp_stat.st_mode)) {
- printerr(3, "File '%s' is not "
- "a regular file\n",
- statname);
- continue;
- }
- printerr(3, "CC file '%s' matches "
- "name check and has "
- "mtime of %u\n",
- namelist[i]->d_name,
- tmp_stat.st_mtime);
- /* if more than one match is found,
- * return the most recent (the one
- * with the latest mtime),
- * and don't free the dirent */
- if (!found) {
+ snprintf(statname, sizeof(statname),
+ "%s/%s", ccachedir, namelist[i]->d_name);
+ if (stat(statname, &tmp_stat)) {
+ printerr(0, "Error doing stat on file '%s'\n",
+ statname);
+ free(namelist[i]);
+ continue;
+ }
+ /* Only pick caches owned by the user (uid) */
+ if (tmp_stat.st_uid != uid) {
+ printerr(3, "'%s' owned by %u, not %u\n",
+ statname, tmp_stat.st_uid, uid);
+ free(namelist[i]);
+ continue;
+ }
+ if (!S_ISREG(tmp_stat.st_mode)) {
+ printerr(3, "'%s' is not a regular file\n",
+ statname);
+ free(namelist[i]);
+ continue;
+ }
+ printerr(3, "CC file '%s' matches owner check and has "
+ "mtime of %u\n",
+ namelist[i]->d_name, tmp_stat.st_mtime);
+ /*
+ * if more than one match is found, return the most
+ * recent (the one with the latest mtime), and
+ * don't free the dirent
+ */
+ if (!found) {
+ best_match_dir = namelist[i];
+ best_match_stat = tmp_stat;
+ found++;
+ }
+ else {
+ /*
+ * If the current match has an mtime later
+ * than the one we are looking at, then use
+ * the current match. Otherwise, we still
+ * have the best match.
+ */
+ if (tmp_stat.st_mtime >
+ best_match_stat.st_mtime) {
+ free(best_match_dir);
best_match_dir = namelist[i];
best_match_stat = tmp_stat;
- found++;
}
else {
- /*
- * If the current match has
- * an mtime later than the
- * one we are looking at,
- * then use the current match.
- * Otherwise, we still have
- * the best match.
- */
- if (tmp_stat.st_mtime >
- best_match_stat.st_mtime) {
- free(best_match_dir);
- best_match_dir = namelist[i];
- best_match_stat = tmp_stat;
- }
- else {
- free(namelist[i]);
- }
- printerr(3, "CC file '%s' is our "
- "current best match "
- "with mtime of %u\n",
- best_match_dir->d_name,
- best_match_stat.st_mtime);
+ free(namelist[i]);
}
+ printerr(3, "CC file '%s' is our "
+ "current best match "
+ "with mtime of %u\n",
+ best_match_dir->d_name,
+ best_match_stat.st_mtime);
}
- else
- free(namelist[i]);
}
free(namelist);
}
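Review bot: with the name test gone, every entry scandir() hands back is a candidate, so the only thing restricting the search to credential caches is the scandir select filter (not in this diff); confirm it still keys on the cache name prefix, otherwise the newest user-owned regular file in `ccachedir` wins. Second, stat() follows symlinks, so an entry that is itself a symlink is judged by its target's owner and type; lstat() here would reject planted symlinks outright, and whatever later opens the chosen cache should do so with the user's credentials since this check and that open are separate steps. Minor: `st_mtime` is printed with `%u` in both new printerr calls; cast to `(unsigned long)` with `%lu` to avoid a format warning where time_t is 64-bit.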


2007-02-08 22:27:50

by Kevin Coffman

Subject: [PATCH 07/12] Use the gssglue version of gssapi.h for svcgssd_mech2file.c

From: Kevin Coffman <[email protected]>

Signed-off-by: Kevin Coffman <[email protected]>

Remove Kerberos implementation dependency from svcgssd_mech2file.c
---

utils/gssd/svcgssd_mech2file.c | 6 +-----
1 files changed, 1 insertions(+), 5 deletions(-)

diff --git a/utils/gssd/svcgssd_mech2file.c b/utils/gssd/svcgssd_mech2file.c
index f44f7c6..22c3ed8 100644
--- a/utils/gssd/svcgssd_mech2file.c
+++ b/utils/gssd/svcgssd_mech2file.c
@@ -36,11 +36,7 @@

#include "config.h"

-#ifdef HAVE_KRB5
-#include <gssapi/gssapi_generic.h>
-#elif HAVE_HEIMDAL
-#include <gssapi.h>
-#endif
+#include <gssapi/gssapi.h>
#include <string.h>
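Review bot: the include is now unconditional, so every configuration must find <gssapi/gssapi.h> from libgssglue, including Heimdal-only hosts where the removed branch used Heimdal's flat <gssapi.h>. Check that the gssd Makefile.am adds gssglue's include path and link flags for that configuration, or the Heimdal build breaks at this line.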




2007-02-08 22:27:51

by Kevin Coffman

Subject: [PATCH 08/12] Various minor manpage fixes.

From: Kevin Coffman <[email protected]>

Signed-off-by: Steinar H. Gunderson <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

This mostly takes care of the difference between - and \-; in
man pages, the former is hyphen (which indicates, among others,
that a line might be split at that point), while the latter is a
dash. For options, the latter is correct.

There's also one minor grammatical fix.
---

utils/nfsstat/nfsstat.man | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/utils/nfsstat/nfsstat.man b/utils/nfsstat/nfsstat.man
index ed7f69c..895c36b 100644
--- a/utils/nfsstat/nfsstat.man
+++ b/utils/nfsstat/nfsstat.man
@@ -113,9 +113,9 @@ interface to the mounted filesystems.
.SH BUGS
The default output has been changed. To get the old default output you must run \fBnfsstat \-\-auto \-2\fR.
.P
-The function of the \fB-v\fR and \fB-a\fR options have changed. The \fB-a\fR option
-is now reserved for future use. The \fB-v\fR does what the \fB-a\fR option used to do,
-and the new \fB-[234]\fR options replace the \fB-v\fR option.
+The function of the \fB\-v\fR and \fB\-a\fR options have changed. The \fB\-a\fR option
+is now reserved for future use. The \fB\-v\fR does what the \fB\-a\fR option used to do,
+and the new \fB\-[234]\fR options replace the \fB\-v\fR option.
.P
The \fBDisplay\fR section should be more complete.
.P
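Review bot: the sentence `The function of the \fB\-v\fR and \fB\-a\fR options have changed.` still has a number-agreement error: the subject is `function`, so it should read `has changed`. Since the commit message mentions a grammatical fix, this one is worth catching in the same pass.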


2007-02-08 22:27:51

by Kevin Coffman

Subject: [PATCH 10/12] Share handling of lucid_sec_context for Heimdal and MIT

From: Kevin Coffman <[email protected]>

Signed-off-by: Kevin Coffman <[email protected]>

The 0.8 release of Heimdal has (will have) support for the lucid context.
The handling of lucid_sec_context can be shared between builds with MIT
or Heimdal Kerberos.

Split out the lucid_sec_context code from context_mit.c
and make a new common file, context_lucid.c.
---

utils/gssd/Makefile.am | 1
utils/gssd/context.h | 4 +
utils/gssd/context_heimdal.c | 6 +
utils/gssd/context_lucid.c | 220 ++++++++++++++++++++++++++++++++++++++++++
utils/gssd/context_mit.c | 173 +--------------------------------
5 files changed, 234 insertions(+), 170 deletions(-)

diff --git a/utils/gssd/Makefile.am b/utils/gssd/Makefile.am
index 7009d8d..7c32597 100644
--- a/utils/gssd/Makefile.am
+++ b/utils/gssd/Makefile.am
@@ -16,6 +16,7 @@ COMMON_SRCS = \
context.c \
context_mit.c \
context_heimdal.c \
+ context_lucid.c \
context_spkm3.c \
gss_util.c \
gss_oids.c \
diff --git a/utils/gssd/context.h b/utils/gssd/context.h
index 2c9396a..67ed3bb 100644
--- a/utils/gssd/context.h
+++ b/utils/gssd/context.h
@@ -33,6 +33,10 @@ #define _CONTEXT_H_

#include <rpc/rpc.h>

+/* Hopefully big enough to hold any serialized context */
+#define MAX_CTX_LEN 4096
+
+
int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
gss_OID mech);
int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
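Review bot: `MAX_CTX_LEN` becomes a shared definition here, but the copy removed from context_mit.c further down carried the note `XXX spkm3 seems to actually want it this big`, which is the only recorded justification for 4096 and is lost in the move; keep it with the new definition instead of "Hopefully big enough". Also check that context_spkm3.c does not define its own `MAX_CTX_LEN`, which would now be a redefinition.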
diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c
index edd4dfc..5520cbc 100644
--- a/utils/gssd/context_heimdal.c
+++ b/utils/gssd/context_heimdal.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2004 The Regents of the University of Michigan.
+ Copyright (c) 2004-2006 The Regents of the University of Michigan.
All rights reserved.

Redistribution and use in source and binary forms, with or without
@@ -30,6 +30,7 @@

#include "config.h"

+#ifndef HAVE_LUCID_CONTEXT_SUPPORT
#ifdef HAVE_HEIMDAL

#include <stdio.h>
@@ -46,8 +47,6 @@ #include "err_util.h"
#include "gss_oids.h"
#include "write_bytes.h"

-#define MAX_CTX_LEN 4096
-
int write_heimdal_keyblock(char **p, char *end, krb5_keyblock *key)
{
gss_buffer_desc tmp;
@@ -265,3 +264,4 @@ out_err:
}

#endif /* HAVE_HEIMDAL */
+#endif /* HAVE_LUCID_CONTEXT_SUPPORT */
diff --git a/utils/gssd/context_lucid.c b/utils/gssd/context_lucid.c
new file mode 100644
index 0000000..3550762
--- /dev/null
+++ b/utils/gssd/context_lucid.c
@@ -0,0 +1,220 @@
+/*
+ * COPYRIGHT (c) 2006
+ * The Regents of the University of Michigan
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+
+#include "config.h"
+
+#ifdef HAVE_LUCID_CONTEXT_SUPPORT
+
+/*
+ * Newer versions of MIT and Heimdal have lucid context support.
+ * We can use common code if it is supported.
+ */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include "gss_util.h"
+#include "gss_oids.h"
+#include "err_util.h"
+#include "context.h"
+
+#include <krb5.h>
+#include <gssapi/gssapi.h>
+#ifndef OM_uint64
+typedef uint64_t OM_uint64;
+#endif
+#include <gssapi/gssapi_krb5.h>
+
+static int
+write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
+{
+ gss_buffer_desc tmp;
+
+ if (WRITE_BYTES(p, end, key->type)) return -1;
+ tmp.length = key->length;
+ tmp.value = key->data;
+ if (write_buffer(p, end, &tmp)) return -1;
+ return 0;
+}
+
+static int
+prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
+ gss_buffer_desc *buf)
+{
+ char *p, *end;
+ static int constant_zero = 0;
+ unsigned char fakeseed[16];
+ uint32_t word_send_seq;
+ gss_krb5_lucid_key_t enc_key;
+ int i;
+ char *skd, *dkd;
+ gss_buffer_desc fakeoid;
+
+ /*
+ * The new Kerberos interface to get the gss context
+ * does not include the seed or seed_init fields
+ * because we never really use them. But for now,
+ * send down a fake buffer so we can use the same
+ * interface to the kernel.
+ */
+ memset(&enc_key, 0, sizeof(enc_key));
+ memset(&fakeoid, 0, sizeof(fakeoid));
+
+ if (!(buf->value = calloc(1, MAX_CTX_LEN)))
+ goto out_err;
+ p = buf->value;
+ end = buf->value + MAX_CTX_LEN;
+
+ if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
+
+ /* seed_init and seed not used by kernel anyway */
+ if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
+ if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
+
+ if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
+ if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
+ if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
+ word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
+ if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
+ if (write_oid(&p, end, &krb5oid)) goto out_err;
+
+#ifdef HAVE_HEIMDAL
+ /*
+ * The kernel gss code expects des-cbc-raw for all flavors of des.
+ * The keytype from MIT has this type, but Heimdal does not.
+ * Force the Heimdal keytype to 4 (des-cbc-raw).
+ * Note that the rfc1964 version only supports DES enctypes.
+ */
+ if (lctx->rfc1964_kd.ctx_key.type != 4) {
+ printerr(1, "prepare_krb5_rfc1964_buffer: "
+ "overriding heimdal keytype (%d => %d)\n",
+ lctx->rfc1964_kd.ctx_key.type, 4);
+ lctx->rfc1964_kd.ctx_key.type = 4;
+ }
+#endif
+ printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
+ "enctype %d and length %d\n",
+ lctx->rfc1964_kd.ctx_key.type,
+ lctx->rfc1964_kd.ctx_key.length);
+
+ /* derive the encryption key and copy it into buffer */
+ enc_key.type = lctx->rfc1964_kd.ctx_key.type;
+ enc_key.length = lctx->rfc1964_kd.ctx_key.length;
+ if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
+ goto out_err;
+ skd = (char *) lctx->rfc1964_kd.ctx_key.data;
+ dkd = (char *) enc_key.data;
+ for (i = 0; i < enc_key.length; i++)
+ dkd[i] = skd[i] ^ 0xf0;
+ if (write_lucid_keyblock(&p, end, &enc_key)) {
+ free(enc_key.data);
+ goto out_err;
+ }
+ free(enc_key.data);
+
+ if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
+ goto out_err;
+
+ buf->length = p - (char *)buf->value;
+ return 0;
+out_err:
+ printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
+ if (buf->value) free(buf->value);
+ buf->length = 0;
+ if (enc_key.data) free(enc_key.data);
+ return -1;
+}
+
+static int
+prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
+ gss_buffer_desc *buf)
+{
+ printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
+ return -1;
+}
+
+
+int
+serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
+{
+ OM_uint32 maj_stat, min_stat;
+ void *return_ctx = 0;
+ OM_uint32 vers;
+ gss_krb5_lucid_context_v1_t *lctx = 0;
+ int retcode = 0;
+
+ printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
+ maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
+ 1, &return_ctx);
+ if (maj_stat != GSS_S_COMPLETE) {
+ pgsserr("gss_export_lucid_sec_context",
+ maj_stat, min_stat, &krb5oid);
+ goto out_err;
+ }
+
+ /* Check the version returned, we only support v1 right now */
+ vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
+ switch (vers) {
+ case 1:
+ lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
+ break;
+ default:
+ printerr(0, "ERROR: unsupported lucid sec context version %d\n",
+ vers);
+ goto out_err;
+ break;
+ }
+
+ /* Now lctx points to a lucid context that we can send down to kernel */
+ if (lctx->protocol == 0)
+ retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
+ else
+ retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
+
+ maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
+ if (maj_stat != GSS_S_COMPLETE) {
+ pgsserr("gss_export_lucid_sec_context",
+ maj_stat, min_stat, &krb5oid);
+ printerr(0, "WARN: failed to free lucid sec context\n");
+ }
+
+ if (retcode) {
+ printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
+ "failed (retcode = %d)\n", retcode);
+ goto out_err;
+ }
+
+ return 0;
+
+out_err:
+ printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
+ return -1;
+}
+#endif /* HAVE_LUCID_CONTEXT_SUPPORT */
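Review bot: `fakeseed` is declared as `unsigned char fakeseed[16];` and never initialized, yet `write_bytes(&p, end, &fakeseed, 16)` copies it into the buffer handed to the kernel, so the serialized context carries 16 bytes of uninitialized stack. The code was moved verbatim from context_mit.c, so this predates the patch, but a `memset(fakeseed, 0, sizeof(fakeseed))` belongs next to the comment that says the kernel ignores the field. Three smaller points in the same file: the error path after `gss_free_lucid_sec_context` still names `gss_export_lucid_sec_context` in its pgsserr call; `#ifndef OM_uint64` cannot detect a typedef (only a macro), so if gssapi_krb5.h already typedefs OM_uint64 this is a duplicate typedef on pre-C11 compilers; and `vers` is OM_uint32, so the `unsupported lucid sec context version %d` format wants `%u`.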
diff --git a/utils/gssd/context_mit.c b/utils/gssd/context_mit.c
index 5eb900f..94b2266 100644
--- a/utils/gssd/context_mit.c
+++ b/utils/gssd/context_mit.c
@@ -29,6 +29,10 @@
*/

#include "config.h"
+
+#ifndef HAVE_LUCID_CONTEXT_SUPPORT
+#ifdef HAVE_KRB5
+
#include <stdio.h>
#include <syslog.h>
#include <string.h>
@@ -40,18 +44,9 @@ #include "gss_oids.h"
#include "err_util.h"
#include "context.h"

-#ifdef HAVE_KRB5
#include <krb5.h>

-/* XXX spkm3 seems to actually want it this big, yipes. */
-#define MAX_CTX_LEN 4096
-
-#ifdef HAVE_LUCID_CONTEXT_SUPPORT
-
-/* Don't use the private structure, use the exported lucid structure */
-#include <gssapi/gssapi_krb5.h>
-
-#elif (KRB5_VERSION > 131)
+#if (KRB5_VERSION > 131)
/* XXX argggg, there's gotta be a better way than just duplicating this
* whole struct. Unfortunately, this is in a "private" header file,
* so this is our best choice at this point :-/
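Review bot: the `#ifndef HAVE_LUCID_CONTEXT_SUPPORT` / `#ifdef HAVE_KRB5` pair opened in the previous hunk needs two matching `#endif`s at the end of the file. The old `#ifdef HAVE_KRB5` removed here presumably had one at the bottom; the tail of this diff is cut off in the archive, so confirm the second `#endif` is added the way context_heimdal.c does above.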
@@ -131,162 +126,6 @@ typedef struct _krb5_gss_ctx_id_rec {
#endif /* KRB5_VERSION */


-#ifdef HAVE_LUCID_CONTEXT_SUPPORT /* Lucid context support */
-static int
-write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
-{
- gss_buffer_desc tmp;
-
- if (WRITE_BYTES(p, end, key->type)) return -1;
- tmp.length = key->length;
- tmp.value = key->data;
- if (write_buffer(p, end, &tmp)) return -1;
- return 0;
-}
-
-static int
-prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
- gss_buffer_desc *buf)
-{
- char *p, *end;
- static int constant_zero = 0;
- unsigned char fakeseed[16];
- uint32_t word_send_seq;
- gss_krb5_lucid_key_t enc_key;
- int i;
- char *skd, *dkd;
- gss_buffer_desc fakeoid;
-
- /*
- * The new Kerberos interface to get the gss context
- * does not include the seed or seed_init fields
- * because we never really use them. But for now,
- * send down a fake buffer so we can use the same
- * interface to the kernel.
- */
- memset(&enc_key, 0, sizeof(enc_key));
- memset(&fakeoid, 0, sizeof(fakeoid));
-
- if (!(buf->value = calloc(1, MAX_CTX_LEN)))
- goto out_err;
- p = buf->value;
- end = buf->value + MAX_CTX_LEN;
-
- if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
-
- /* seed_init and seed not used by kernel anyway */
- if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
- if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
-
- if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
- if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
- if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
- word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
- if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
- if (write_oid(&p, end, &krb5oid)) goto out_err;
-
- printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
- "enctype %d and length %d\n",
- lctx->rfc1964_kd.ctx_key.type,
- lctx->rfc1964_kd.ctx_key.length);
-
- /* derive the encryption key and copy it into buffer */
- enc_key.type = lctx->rfc1964_kd.ctx_key.type;
- enc_key.length = lctx->rfc1964_kd.ctx_key.length;
- if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
- goto out_err;
- skd = (char *) lctx->rfc1964_kd.ctx_key.data;
- dkd = (char *) enc_key.data;
- for (i = 0; i < enc_key.length; i++)
- dkd[i] = skd[i] ^ 0xf0;
- if (write_lucid_keyblock(&p, end, &enc_key)) {
- free(enc_key.data);
- goto out_err;
- }
- free(enc_key.data);
-
- if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
- goto out_err;
-
- buf->length = p - (char *)buf->value;
- return 0;
-out_err:
- printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
- if (buf->value) free(buf->value);
- buf->length = 0;
- if (enc_key.data) free(enc_key.data);
- return -1;
-}
-
-static int
-prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
- gss_buffer_desc *buf)
-{
- printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
- return -1;
-}
-
-
-int
-serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
-{
- OM_uint32 maj_stat, min_stat;
- void *return_ctx = 0;
- OM_uint32 vers;
- gss_krb5_lucid_context_v1_t *lctx = 0;
- int retcode = 0;
-
- printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
- maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
- 1, &return_ctx);
- if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_export_lucid_sec_context",
- maj_stat, min_stat, &krb5oid);
- goto out_err;
- }
-
- /* Check the version returned, we only support v1 right now */
- vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
- switch (vers) {
- case 1:
- lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
- break;
- default:
- printerr(0, "ERROR: unsupported lucid sec context version %d\n",
- vers);
- goto out_err;
- break;
- }
-
- /* Now lctx points to a lucid context that we can send down to kernel */
- if (lctx->protocol == 0)
- retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
- else
- retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
-
- maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
- if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_export_lucid_sec_context",
- maj_stat, min_stat, &krb5oid);
- printerr(0, "WARN: failed to free lucid sec context\n");
- }
-
- if (retcode) {
- printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
- "failed (retcode = %d)\n", retcode);
- goto out_err;
- }
-
- return 0;
-
-out_err:
- printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
- return -1;
-}
-
-
-#else /* HAVE_LUCID_CONTEXT_SUPPORT */
-
static int
write_keyblock(char **p, char *end, struct _krb5_keyblock *arg)
{
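Review bot: this removal leaves no lucid path in context_mit.c, so please double-check that the shared lucid implementation preserves the two details in the deleted code that the kernel's rfc1964 unpacking depends on: the seal key derived from ctx_key with `dkd[i] = skd[i] ^ 0xf0`, and the truncation `word_send_seq = lctx->send_seq;` of the 64-bit sequence number to 32 bits before `WRITE_BYTES`. The `prepare_krb5_rfc_cfx_buffer` stub returning -1 should also still be present so CFX contexts fail loudly rather than silently serialize garbage.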
@@ -360,6 +199,6 @@ out_err:
buf->length = 0;
return -1;
}
-#endif /* HAVE_LUCID_CONTEXT_SUPPORT */

#endif /* HAVE_KRB5 */
+#endif /* HAVE_LUCID_CONTEXT_SUPPORT */


2007-02-08 22:27:52

by Kevin Coffman

Subject: [PATCH 12/12] Add option to svcgssd to enable libnfsidmap debugging.

From: Kevin Coffman <[email protected]>

Signed-off-by: Kevin Coffman <[email protected]>

As suggested by Glenn Machin <[email protected]>. Allow svcgssd
to turn on libnfsidmap debugging. This uses a new command-line
parameter so that it can be enabled independently from other
debugging.
---

utils/gssd/svcgssd.c | 16 ++++++++++++++--
utils/gssd/svcgssd.man | 8 ++++++--
2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
index 0db3762..37e0407 100644
--- a/utils/gssd/svcgssd.c
+++ b/utils/gssd/svcgssd.c
@@ -54,6 +54,7 @@ #include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
+#include <nfsidmap.h>
#include "nfslib.h"
#include "svcgssd.h"
#include "gss_util.h"
@@ -154,7 +155,7 @@ sig_hup(int signal)
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
progname);
exit(1);
}
@@ -166,15 +167,19 @@ main(int argc, char *argv[])
int fg = 0;
int verbosity = 0;
int rpc_verbosity = 0;
+ int idmap_verbosity = 0;
int opt;
extern char *optarg;
char *progname;

- while ((opt = getopt(argc, argv, "fvrnp:")) != -1) {
+ while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
break;
+ case 'i':
+ idmap_verbosity++;
+ break;
case 'n':
get_creds = 0;
break;
@@ -203,6 +208,13 @@ #else
printerr(0, "Warning: rpcsec_gss library does not "
"support setting debug level\n");
#endif
+#ifdef HAVE_NFS4_SET_DEBUG
+ nfs4_set_debug(idmap_verbosity, NULL);
+#else
+ if (idmap_verbosity > 0)
+ printerr(0, "Warning: your nfsidmap library does not "
+ "support setting debug level\n");
+#endif

if (gssd_check_mechs() != 0) {
printerr(0, "ERROR: Problem with gssapi library\n");
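Review bot: `#ifdef HAVE_NFS4_SET_DEBUG` needs a configure test that defines it, and no configure.in change is part of this patch; without it the macro is never defined and `-i` always falls into the "does not support setting debug level" warning even with a new libnfsidmap. Also, `#include <nfsidmap.h>` in the first hunk is unconditional while its only use is under this guard; that is fine as long as svcgssd already requires libnfsidmap to build, but the two should be kept consistent.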
diff --git a/utils/gssd/svcgssd.man b/utils/gssd/svcgssd.man
index a770662..1a015e1 100644
--- a/utils/gssd/svcgssd.man
+++ b/utils/gssd/svcgssd.man
@@ -2,11 +2,11 @@
.\" rpc.svcgssd(8)
.\"
.\" Copyright (C) 2003 J. Bruce Fields <[email protected]>
-.TH rpc.svcgssd 8 "17 Mar 2003"
+.TH rpc.svcgssd 8 "12 Jan 2007"
.SH NAME
rpc.svcgssd \- server-side rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
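Review bot: the synopsis and the `usage()` string in svcgssd.c now disagree: the man page lists `[-v] [-r] [-i] [-f] [-p pipefsdir]` with no `-n`, while usage prints `[-n] [-f] [-v] [-r] [-i]` with no `-p`. Since both are touched here, this is a good moment to make them list the same option set in the same order.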
@@ -31,6 +31,10 @@ Increases the verbosity of the output (c
.B -r
If the rpcsec_gss library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -i
+If the nfsidmap library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).

.SH SEE ALSO
.BR rpc.gssd(8),


2007-02-08 22:27:51

by Kevin Coffman

Subject: [PATCH 03/12] Extend the exportfs interface to pass fslocations info into the kernel.

From: Kevin Coffman <[email protected]>

Signed-off-by: Fred Isaman <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

Extend exportfs interface to pass fslocations info into the kernel,
using syntax modelled after AIX. Adds "--refer" and "--replicas"
options to exportfs to enable use of the kernel fslocation code.
---

support/include/exportfs.h | 7 ++
support/include/nfslib.h | 2
support/nfs/exports.c | 37 +++++++++
utils/exportfs/exportfs.c | 14 +++
utils/exportfs/exports.man | 14 +++
utils/mountd/Makefile.am | 2
utils/mountd/cache.c | 30 +++++++
utils/mountd/fsloc.c | 184 ++++++++++++++++++++++++++++++++++++++++++++
utils/mountd/fsloc.h | 50 ++++++++++++
9 files changed, 336 insertions(+), 4 deletions(-)

diff --git a/support/include/exportfs.h b/support/include/exportfs.h
index 10f38c7..458611b 100644
--- a/support/include/exportfs.h
+++ b/support/include/exportfs.h
@@ -23,6 +23,13 @@ enum {
MCL_MAXTYPES
};

+enum {
+ FSLOC_NONE = 0,
+ FSLOC_REFER,
+ FSLOC_REPLICA,
+ FSLOC_STUB
+};
+
typedef struct mclient {
struct mclient * m_next;
char m_hostname[NFSCLNT_IDMAX+1];
diff --git a/support/include/nfslib.h b/support/include/nfslib.h
index aba37c2..722d47a 100644
--- a/support/include/nfslib.h
+++ b/support/include/nfslib.h
@@ -80,6 +80,8 @@ struct exportent {
int e_nsqgids;
int e_fsid;
char * e_mountpoint;
+ int e_fslocmethod;
+ char * e_fslocdata;
};

struct rmtabent {
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index 9b010dc..3a07ebc 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -100,6 +100,8 @@ getexportent(int fromkernel, int fromexp
def_ee.e_squids = NULL;
def_ee.e_sqgids = NULL;
def_ee.e_mountpoint = NULL;
+ def_ee.e_fslocmethod = FSLOC_NONE;
+ def_ee.e_fslocdata = NULL;
def_ee.e_nsquids = 0;
def_ee.e_nsqgids = 0;

@@ -223,7 +225,22 @@ putexportent(struct exportent *ep)
if (ep->e_mountpoint)
fprintf(fp, "mountpoint%s%s,",
ep->e_mountpoint[0]?"=":"", ep->e_mountpoint);
-
+ switch (ep->e_fslocmethod) {
+ case FSLOC_NONE:
+ break;
+ case FSLOC_REFER:
+ fprintf(fp, "refer=%s,", ep->e_fslocdata);
+ break;
+ case FSLOC_REPLICA:
+ fprintf(fp, "replicas=%s,", ep->e_fslocdata);
+ break;
+ case FSLOC_STUB:
+ fprintf(fp, "fsloc=stub,");
+ break;
+ default:
+ xlog(L_ERROR, "unknown fsloc method for %s:%s",
+ ep->e_hostname, ep->e_path);
+ }
fprintf(fp, "mapping=");
switch (ep->e_maptype) {
case CLE_MAP_IDENT:
@@ -286,6 +303,8 @@ dupexportent(struct exportent *dst, stru
}
if (src->e_mountpoint)
dst->e_mountpoint = strdup(src->e_mountpoint);
+ if (src->e_fslocdata)
+ dst->e_fslocdata = strdup(src->e_fslocdata);
}

struct exportent *
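Review bot: `dst->e_fslocdata = strdup(src->e_fslocdata);` gives every duplicated export its own heap string, but no matching free is added anywhere in this patch; wherever e_mountpoint (the other strdup'd member) is released when an exportent is dropped, e_fslocdata must be released too, otherwise each exportfs run leaks one string per export using refer= or replicas=. The strdup return is also unchecked here and in the parser below.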
@@ -300,6 +319,8 @@ mkexportent(char *hname, char *path, cha
ee.e_squids = NULL;
ee.e_sqgids = NULL;
ee.e_mountpoint = NULL;
+ ee.e_fslocmethod = FSLOC_NONE;
+ ee.e_fslocdata = NULL;
ee.e_nsquids = 0;
ee.e_nsqgids = 0;

@@ -461,6 +482,20 @@ bad_option:
ep->e_mountpoint = strdup(mp+1);
else
ep->e_mountpoint = strdup("");
+ } else if (strncmp(opt, "fsloc=", 6) == 0) {
+ if (strcmp(opt+6, "stub") == 0)
+ ep->e_fslocmethod = FSLOC_STUB;
+ else {
+ xlog(L_ERROR, "%s:%d: bad option %s\n",
+ flname, flline, opt);
+ goto bad_option;
+ }
+ } else if (strncmp(opt, "refer=", 6) == 0) {
+ ep->e_fslocmethod = FSLOC_REFER;
+ ep->e_fslocdata = strdup(opt+6);
+ } else if (strncmp(opt, "replicas=", 9) == 0) {
+ ep->e_fslocmethod = FSLOC_REPLICA;
+ ep->e_fslocdata = strdup(opt+9);
} else {
xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n",
flname, flline, opt);
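Review bot: `ep->e_fslocdata = strdup(opt+6);` and the `replicas=` branch overwrite e_fslocdata without freeing a value set by an earlier option on the same line, so `refer=...,replicas=...` (or either keyword given twice) silently leaks the first string and keeps whichever came last; either reject the second keyword with an error as the `fsloc=` branch does, or free the previous value first. Both strdup calls should also be checked for NULL, since putexportent later passes the pointer straight to `fprintf("%s")`.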
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index cd49a3b..1a8817d 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -416,7 +416,19 @@ dump(int verbose)
c = dumpopt(c, "anonuid=%d", ep->e_anonuid);
if (ep->e_anongid != 65534)
c = dumpopt(c, "anongid=%d", ep->e_anongid);
-
+ switch(ep->e_fslocmethod) {
+ case FSLOC_NONE:
+ break;
+ case FSLOC_REFER:
+ c = dumpopt(c, "refer=%s", ep->e_fslocdata);
+ break;
+ case FSLOC_REPLICA:
+ c = dumpopt(c, "replicas=%s", ep->e_fslocdata);
+ break;
+ case FSLOC_STUB:
+ c = dumpopt(c, "fsloc=stub");
+ break;
+ }
printf("%c\n", (c != '(')? ')' : ' ');
}
}
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 892533b..eb645fc 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -327,6 +327,20 @@ The value 0 has a special meaning when
concept of a root of the overall exported filesystem. The export point
exported with fsid=0 will be used as this root.

+.TP
+.IR refer= path@host[+host][:path@host[+host]]
+A client referencing the export point will be directed to choose from
+the given list an alternative location for the filesystem.
+(Note that the server must have a mountpoint here, though a different
+filesystem is not required; so, for example,
+.IR "mount --bind" " /path /path"
+is sufficient.)
+.TP
+.IR replicas= path@host[+host][:path@host[+host]]
+If the client asks for alternative locations for the export point, it
+will be given this list of alternatives. (Note that actual replication
+of the filesystem must be handled elsewhere.)
+
.SS User ID Mapping
.PP
.I nfsd
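Review bot: the new entries do not say that `refer=` and `replicas=` only have an effect when the kernel's NFSv4 fslocations support is present (older servers will accept the option in /etc/exports and then ignore it), which is the first thing an admin reading this page will want to know. Also, `.IR refer= path@host[+host][:path@host[+host]]` alternates italic and roman per word, so only `refer=` is rendered italic; if the whole syntax should be in one face, quote it as a single argument. The `fsloc=stub` keyword accepted by the parser is left undocumented, which is reasonable for a test hook but worth stating in the commit message.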
diff --git a/utils/mountd/Makefile.am b/utils/mountd/Makefile.am
index dd400fd..1465114 100644
--- a/utils/mountd/Makefile.am
+++ b/utils/mountd/Makefile.am
@@ -8,7 +8,7 @@ KPREFIX = @kprefix@
sbin_PROGRAMS = mountd

mountd_SOURCES = mountd.c mount_dispatch.c auth.c rmtab.c cache.c \
- svc_run.c mountd.h
+ svc_run.c fsloc.c mountd.h
mountd_LDADD = ../../support/export/libexport.a \
../../support/nfs/libnfs.a \
../../support/misc/libmisc.a \
diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c
index e8d42ae..89dc642 100644
--- a/utils/mountd/cache.c
+++ b/utils/mountd/cache.c
@@ -26,6 +26,7 @@ #include "nfslib.h"
#include "exportfs.h"
#include "mountd.h"
#include "xmalloc.h"
+#include "fsloc.h"

/*
* Support routines for text-based upcalls.
@@ -236,6 +237,29 @@ void nfsd_fh(FILE *f)
return;
}

+static void write_fsloc(FILE *f, struct exportent *ep, char *path)
+{
+ struct servers *servers;
+
+ if (ep->e_fslocmethod == FSLOC_NONE)
+ return;
+
+ servers = replicas_lookup(ep->e_fslocmethod, ep->e_fslocdata, path);
+ if (!servers)
+ return;
+ qword_print(f, "fsloc");
+ qword_printint(f, servers->h_num);
+ if (servers->h_num >= 0) {
+ int i;
+ for (i=0; i<servers->h_num; i++) {
+ qword_print(f, servers->h_mp[i]->h_host);
+ qword_print(f, servers->h_mp[i]->h_path);
+ }
+ }
+ qword_printint(f, servers->h_referral);
+ release_replicas(servers);
+}
+
void nfsd_export(FILE *f)
{
/* requests are:
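Review bot: `if (servers->h_num >= 0)` is always true for a count, so the guard can go; the case that actually needs handling is `h_num == 0`, which parse_list returns (rather than NULL) when every entry in the list was malformed. As written, write_fsloc then still sends an `fsloc` token with zero locations to the kernel; returning early when `servers->h_num == 0` keeps the upcall identical to the no-fsloc case.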
@@ -292,6 +316,8 @@ void nfsd_export(FILE *f)
qword_printint(f, found->m_export.e_anonuid);
qword_printint(f, found->m_export.e_anongid);
qword_printint(f, found->m_export.e_fsid);
+ write_fsloc(f, &found->m_export, path);
+ mountlist_add(dom, path);
}
qword_eol(f);
out:
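Review bot: `mountlist_add(dom, path);` on every successful export lookup is a behaviour change unrelated to fslocations (it records the client in rmtab from the export upcall path) and is not mentioned in the commit message. If it is intentional, please describe it in the description; otherwise it belongs in its own patch.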
@@ -366,7 +392,9 @@ int cache_export_ent(char *domain, struc
qword_printint(f, exp->e_anonuid);
qword_printint(f, exp->e_anongid);
qword_printint(f, exp->e_fsid);
- err = qword_eol(f);
+ write_fsloc(f, exp, exp->e_path);
+ mountlist_add(domain, exp->e_path);
+ qword_eol(f);

fclose(f);
return err;
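Review bot: replacing `err = qword_eol(f);` with a bare `qword_eol(f);` means `err` is no longer assigned on this path, so cache_export_ent returns whatever `err` held before (stale or uninitialised) instead of the write result. Keep the assignment, e.g. `err = qword_eol(f);` after `mountlist_add`, so callers still learn when the cache write failed.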
diff --git a/utils/mountd/fsloc.c b/utils/mountd/fsloc.c
new file mode 100644
index 0000000..44b5b97
--- /dev/null
+++ b/utils/mountd/fsloc.c
@@ -0,0 +1,184 @@
+/*
+ * COPYRIGHT (c) 2006
+ * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
+#include "fsloc.h"
+#include "exportfs.h"
+
+/* Debugging tool: prints out @servers info to syslog */
+static void replicas_print(struct servers *sp)
+{
+ int i;
+ if (!sp) {
+ syslog(LOG_INFO, "NULL replicas pointer");
+ return;
+ }
+ syslog(LOG_INFO, "replicas listsize=%i", sp->h_num);
+ for (i=0; i<sp->h_num; i++) {
+ syslog(LOG_INFO, "%s:%s",
+ sp->h_mp[i]->h_host, sp->h_mp[i]->h_path);
+ }
+}
+
+/* Called by setting 'Method = stub' in config file. Just returns
+ * some syntactically correct gibberish for testing purposes.
+ */
+static struct servers *method_stub(char *key)
+{
+ struct servers *sp;
+ struct mount_point *mp;
+
+ syslog(LOG_INFO, "called method_stub");
+ sp = malloc(sizeof(struct servers));
+ if (!sp)
+ return NULL;
+ mp = calloc(1, sizeof(struct mount_point));
+ if (!mp) {
+ free(sp);
+ return NULL;
+ }
+ sp->h_num = 1;
+ sp->h_mp[0] = mp;
+ mp->h_host = strdup("stub_server");
+ mp->h_path = strdup("/my/test/path");
+ sp->h_referral = 1;
+ return sp;
+}
+
+/* Scan @list, which is a NULL-terminated array of strings of the
+ * form path@host[+host], and return corresponding servers structure.
+ */
+static struct servers *parse_list(char **list)
+{
+ int i;
+ struct servers *res;
+ struct mount_point *mp;
+ char *cp;
+
+ res = malloc(sizeof(struct servers));
+ if (!res)
+ return NULL;
+ res->h_num = 0;
+
+ /* parse each of the answers in sucession. */
+ for (i=0; list[i] && i<FSLOC_MAX_LIST; i++) {
+ mp = calloc(1, sizeof(struct mount_point));
+ if (!mp) {
+ release_replicas(res);
+ return NULL;
+ }
+ cp = strchr(list[i], '@');
+ if ((!cp) || list[i][0] != '/') {
+ syslog(LOG_WARNING, "invalid entry '%s'", list[i]);
+ continue; /* XXX Need better error handling */
+ }
+ res->h_mp[i] = mp;
+ res->h_num++;
+ mp->h_path = strndup(list[i], cp - list[i]);
+ cp++;
+ mp->h_host = strdup(cp);
+ /* hosts are '+' separated, kernel expects ':' separated */
+ while ( (cp = strchr(mp->h_host, '+')) )
+ *cp = ':';
+ }
+ return res;
+}
+
+/* @data is a string of form path@host[+host][:path@host[+host]]
+ */
+static struct servers *method_list(char *data)
+{
+ char *copy, *ptr=data;
+ char **list;
+ int i, listsize;
+ struct servers *rv=NULL;
+
+ syslog(LOG_INFO, "method_list(%s)\n", data);
+ for (ptr--, listsize=1; ptr; ptr=index(ptr, ':'), listsize++)
+ ptr++;
+ list = malloc(listsize * sizeof(char *));
+ copy = strdup(data);
+ if (copy)
+ syslog(LOG_INFO, "converted to %s\n", copy);
+ if (list && copy) {
+ ptr = copy;
+ for (i=0; i<listsize; i++) {
+ list[i] = strsep(&ptr, ":");
+ }
+ rv = parse_list(list);
+ }
+ free(copy);
+ free(list);
+ replicas_print(rv);
+ return rv;
+}
+
+/* Returns appropriately filled struct servers, or NULL if had a problem */
+struct servers *replicas_lookup(int method, char *data, char *key)
+{
+ struct servers *sp=NULL;
+ switch(method) {
+ case FSLOC_NONE:
+ break;
+ case FSLOC_REFER:
+ sp = method_list(data);
+ if (sp)
+ sp->h_referral = 1;
+ break;
+ case FSLOC_REPLICA:
+ sp = method_list(data);
+ if (sp)
+ sp->h_referral = 0;
+ break;
+ case FSLOC_STUB:
+ sp = method_stub(data);
+ break;
+ default:
+ syslog(LOG_WARNING, "Unknown method = %i", method);
+ }
+ replicas_print(sp);
+ return sp;
+}
+
+void release_replicas(struct servers *server)
+{
+ int i;
+
+ if (!server) return;
+ for (i = 0; i < server->h_num; i++) {
+ free(server->h_mp[i]->h_host);
+ free(server->h_mp[i]->h_path);
+ free(server->h_mp[i]);
+ }
+ free(server);
+}
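Review bot: parse_list can free an uninitialised pointer. Accepted entries are stored at `res->h_mp[i]` rather than `res->h_mp[res->h_num]`, so when an entry is rejected with `continue` it leaves a gap in h_mp (and leaks the `mp` just calloc'd); since `res` comes from malloc, release_replicas walking `0..h_num-1` then frees garbage from the gap and write_fsloc dereferences it. Validate the entry first, then allocate `mp` and store it at index `res->h_num`. Separately, method_list builds `list` with exactly `listsize` slots and never NULL-terminates it, while parse_list's loop stops on `list[i] == NULL`, so it reads one element past the allocation whenever listsize is below FSLOC_MAX_LIST; allocate `listsize + 1` entries and set the last to NULL. Minor points: `ptr--` on `data` before the counting loop forms a pointer before the start of the string (undefined behaviour even though it works in practice); `index()` is legacy, use strchr; the strdup/strndup results are unchecked; `key` is unused in replicas_lookup; and replicas_print runs twice per lookup at LOG_INFO, which will be noisy on a busy mountd.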
diff --git a/utils/mountd/fsloc.h b/utils/mountd/fsloc.h
new file mode 100644
index 0000000..8296d1c
--- /dev/null
+++ b/utils/mountd/fsloc.h
@@ -0,0 +1,50 @@
+/*
+ * COPYRIGHT (c) 2006
+ * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+
+#ifndef FSLOC_H
+#define FSLOC_H
+
+#define FSLOC_MAX_LIST 40
+
+struct mount_point {
+ char *h_host;
+ char *h_path;
+};
+
+struct servers {
+ int h_num;
+ struct mount_point *h_mp[FSLOC_MAX_LIST];
+ int h_referral; /* 0=replica, 1=referral */
+};
+
+struct servers *replicas_lookup(int method, char *data, char *key);
+void release_replicas(struct servers *server);
+
+#endif /* FSLOC_H */


2007-02-08 22:27:51

by Kevin Coffman

Subject: [PATCH 11/12] Remove duplicated code.

From: Kevin Coffman <[email protected]>

Signed-off-by: Fred Isaman <[email protected]>
Signed-off-by: Kevin Coffman <[email protected]>

Remove duplicated code.
---

utils/mountd/cache.c | 41 +++++++++++++++++++++--------------------
1 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c
index 89dc642..1da13db 100644
--- a/utils/mountd/cache.c
+++ b/utils/mountd/cache.c
@@ -260,6 +260,21 @@ static void write_fsloc(FILE *f, struct
release_replicas(servers);
}

+static int dump_to_cache(FILE *f, char *domain, char *path, struct exportent *exp)
+{
+ qword_print(f, domain);
+ qword_print(f, path);
+ qword_printint(f, time(0)+30*60);
+ if (exp) {
+ qword_printint(f, exp->e_flags);
+ qword_printint(f, exp->e_anonuid);
+ qword_printint(f, exp->e_anongid);
+ qword_printint(f, exp->e_fsid);
+ write_fsloc(f, exp, exp->e_path);
+ }
+ return qword_eol(f);
+}
+
void nfsd_export(FILE *f)
{
/* requests are:
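Review bot: nice consolidation. Two small things: the prototype line `static int dump_to_cache(FILE *f, char *domain, char *path, struct exportent *exp)` runs past 80 columns and should be wrapped like the rest of the file, and since the helper now returns the `qword_eol()` status, nfsd_export below could log when it is non-zero rather than discarding it (it was discarded before too, so this is optional).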
@@ -308,18 +323,13 @@ void nfsd_export(FILE *f)
}
}

- qword_print(f, dom);
- qword_print(f, path);
- qword_printint(f, time(0)+30*60);
if (found) {
- qword_printint(f, found->m_export.e_flags);
- qword_printint(f, found->m_export.e_anonuid);
- qword_printint(f, found->m_export.e_anongid);
- qword_printint(f, found->m_export.e_fsid);
- write_fsloc(f, &found->m_export, path);
+ dump_to_cache(f, dom, path, &found->m_export);
mountlist_add(dom, path);
}
- qword_eol(f);
+ else {
+ dump_to_cache(f, dom, path, NULL);
+ }
out:
if (dom) free(dom);
if (path) free(path);
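Review bot: style only: the `}` followed by `else {` on its own line departs from the `} else {` form used elsewhere in nfs-utils, and the single-statement else does not need braces. Behaviour is unchanged from the old code path (the not-found case still writes domain, path and expiry only), so this is fine to merge once reformatted.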
@@ -385,18 +395,9 @@ int cache_export_ent(char *domain, struc
if (!f)
return -1;

- qword_print(f, domain);
- qword_print(f, exp->e_path);
- qword_printint(f, time(0)+30*60);
- qword_printint(f, exp->e_flags);
- qword_printint(f, exp->e_anonuid);
- qword_printint(f, exp->e_anongid);
- qword_printint(f, exp->e_fsid);
- write_fsloc(f, exp, exp->e_path);
- mountlist_add(domain, exp->e_path);
- qword_eol(f);
-
+ err = dump_to_cache(f, domain, exp->e_path, exp);
fclose(f);
+ mountlist_add(domain, exp->e_path);
return err;
}

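Review bot: `err = dump_to_cache(f, domain, exp->e_path, exp);` also restores the return value that the fslocations patch dropped in this function (it had replaced `err = qword_eol(f)` with a bare call), which is worth a sentence in the commit message so the fix is not lost if the patches are reordered. Moving `mountlist_add` after `fclose` is fine since it does not use `f`.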


2007-02-08 22:57:17

by Jim Davis

Subject: NFSv3 + krb5 home directory problem

I've been trying to get NFSv3 home directory mounts with sec=krb5
working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
client with the latest nfs-* RPMs installed and kernel version
2.6.18-1.2869.fc6. Our KDCs run FreeBSD 6.1 with the MIT Kerberos
port installed. Authentication seems to work okay,

Script started on Thu Feb 8 15:31:23 2007
bsod$ /bin/su - testacct
Password:

but the home directory isn't usable.

/bin/su: warning: cannot change directory to /home/testacct: Permission
denied
-bash: /home/testacct/.bash_profile: Permission denied

The mount though did succeed:

-bash-3.1$ mount | grep testacct
sinagua:/vol/vol0/home/testacct on /home/testacct type nfs
(rw,nfsvers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5,addr=172.16.1.252)
-bash-3.1$ grep testacct /etc/auto.home
testacct
-rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5
sinagua:/vol/vol0/home/testacct

But

-bash-3.1$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500_vZWPDb)


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Okay, I thought the PAM stack would provide the credentials. But even
after running kinit...

-bash-3.1$ kinit
Password for [email protected]:
-bash-3.1$ cd
-bash: cd: /home/testacct: Permission denied
-bash-3.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500_vZWPDb
Default principal: [email protected]

Valid starting Expires Service principal
02/08/07 15:32:03 02/09/07 15:32:03 krbtgt/[email protected]
renew until 02/08/07 15:32:03, Etype (skey, tkt): Triple DES
cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-bash-3.1$ exit
logout

...the directory isn't usable

-bash: /home/testacct/.bash_logout: Permission denied
bsod$ exit
exit

Script done on Thu Feb 8 15:32:39 2007

Running rpc.gssd in verbose mode produced

Script started on Thu Feb 8 15:30:29 2007
bsod$ /sbin/lsmod | grep sunrpc
sunrpc 158333 6
nfs,lockd,nfs_acl,rpcsec_gss_krb5,auth_rpcgss
bsod$ mount | grep rpc_pipe
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
bsod$ sudo strace -o /tmp/rpc.gssd -f /usr/sbin/rpc.gssd -f -vvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal
'nfs/[email protected]'
We will use this entry (nfs/[email protected])
Using (machine) credentials cache:
'MEMORY:/tmp/krb5cc_machine_CS.ARIZONA.EDU'

That's the extent of output while the commands above ran.

And the (enormous) strace output file seems mostly to consist of polling
loops something like

2720 poll([{fd=6, events=POLLIN, revents=POLLERR|POLLHUP}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0,
events=0}, {fd=0, events=0}, {fd=0, events=0}], 32, 500) = 1
2720 chdir("/var/lib/nfs/rpc_pipefs/nfs") = 0
2720 open("/var/lib/nfs/rpc_pipefs/nfs",
O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 7
2720 fstat64(7, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
2720 fcntl64(7, F_SETFD, FD_CLOEXEC) = 0
2720 getdents64(7, /* 3 entries */, 4096) = 80
2720 getdents64(7, /* 0 entries */, 4096) = 0
2720 close(7) = 0

Any ideas?





2007-02-09 02:53:45

by Kevin Coffman

Subject: Re: NFSv3 + krb5 home directory problem

On 2/8/07, Jim Davis <[email protected]> wrote:
> I've been trying to get NFSv3 home directory mounts with sec=krb5
> working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
> client with the latest nfs-* RPMs installed and kernel version
> 2.6.18-1.2869.fc6. Our KDCs run FreeBSD 6.1 with the MIT Kerberos
> port installed. Authentication seems to work okay,
>

> Running rpc.gssd in verbose mode produced
>
> Script started on Thu Feb 8 15:30:29 2007
> bsod$ /sbin/lsmod | grep sunrpc
> sunrpc 158333 6
> nfs,lockd,nfs_acl,rpcsec_gss_krb5,auth_rpcgss
> bsod$ mount | grep rpc_pipe
> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> bsod$ sudo strace -o /tmp/rpc.gssd -f /usr/sbin/rpc.gssd -f -vvv
> Using keytab file '/etc/krb5.keytab'
> Processing keytab entry for principal
> 'nfs/[email protected]'
> We will use this entry (nfs/[email protected])
> Using (machine) credentials cache:
> 'MEMORY:/tmp/krb5cc_machine_CS.ARIZONA.EDU'
>
> That's the extent of output while the commands above ran.

So there is never an upcall to request a context for testacct. That
seems like a kernel issue. Any chance you have a different kernel
still on that machine you could try?
