Message ID | 20231004173240.46924-1-olga.kornievskaia@gmail.com (mailing list archive) |
---|---|
Series | nfs-utils: gssd support for KRB5_AP_ERR_BAD_INTEGRITY |

On 10/4/23 1:32 PM, Olga Kornievskaia wrote:
> From: Olga Kornievskaia <kolga@netapp.com>
>
> Together with libtirpc patch this series attempts to provide
> support for handling KRB5_AP_ERR_BAD_INTEGRITY.
>
> Such error can be returned by the server when it has changed
> its key material and the client is still using the service
> ticket that was issued prior to the change.
>
> Upon calling authgss_create_default() and receiving a NULL
> context, we can inspect the returned structure to see
> if gss major/minor error code was set. If the client
> determines that it received KRB5_AP_ERR_BAD_INTEGRITY error,
> it will proceed to handle it based on what type of credentials
> were used for context establishment. If machine credentials
> were used, the client can call into a routine and force
> credential renewal. If user credentials were used, the client
> needs to remove the existing service ticket and then retry
> the request.
>
> -- fix compile warning in libtirpc patch
>
> Olga Kornievskaia (3):
>   gssd: enable forcing cred renewal using the keytab
>   gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials
>   gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials

Committed... (tag: nfs-utils-2-6-4-rc4)

steved.

>
>  utils/gssd/gssd_proc.c | 20 ++++++++++++--
>  utils/gssd/krb5_util.c | 62 ++++++++++++++++++++++++++++++++++++------
>  utils/gssd/krb5_util.h |  4 ++-
>  3 files changed, 75 insertions(+), 11 deletions(-)
>

From: Olga Kornievskaia <kolga@netapp.com>

Together with libtirpc patch this series attempts to provide
support for handling KRB5_AP_ERR_BAD_INTEGRITY.

Such error can be returned by the server when it has changed
its key material and the client is still using the service
ticket that was issued prior to the change.

Upon calling authgss_create_default() and receiving a NULL
context, we can inspect the returned structure to see
if gss major/minor error code was set. If the client
determines that it received KRB5_AP_ERR_BAD_INTEGRITY error,
it will proceed to handle it based on what type of credentials
were used for context establishment. If machine credentials
were used, the client can call into a routine and force
credential renewal. If user credentials were used, the client
needs to remove the existing service ticket and then retry
the request.

-- fix compile warning in libtirpc patch

Olga Kornievskaia (3):
  gssd: enable forcing cred renewal using the keytab
  gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials
  gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials

 utils/gssd/gssd_proc.c | 20 ++++++++++++--
 utils/gssd/krb5_util.c | 62 ++++++++++++++++++++++++++++++++++++------
 utils/gssd/krb5_util.h |  4 ++-
 3 files changed, 75 insertions(+), 11 deletions(-)
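
A self-contained C model of the recovery flow the cover letter describes, added here as an illustration; it is not code from the nfs-utils or libtirpc patches. The struct, the function names, the key-version counters and the single-retry bound are assumptions made for the model; only the two status values (RFC 2744, RFC 4120) are real, and how a real GSS library encodes the minor status is not modelled.

```c
#include <stdio.h>
#define GSS_S_COMPLETE 0u
#define GSS_S_FAILURE (13u << 16)      /* routine error 13, RFC 2744 */
#define KRB_AP_ERR_BAD_INTEGRITY 31    /* RFC 4120 error code */

enum cred_type { CRED_MACHINE, CRED_USER };
struct client {                        /* hypothetical model state, not gssd's */
    enum cred_type type;
    int ticket_kvno;                   /* key version of cached ticket, 0 = none */
    int renewals, removals;            /* recovery actions taken so far */
};

/* Model of context creation: 0 on success, -1 for a "NULL context" with the
 * status filled in. kdc_kvno: key version the KDC issues tickets under;
 * srv_kvno: key version the server decrypts with. */
static int establish(struct client *c, int kdc_kvno, int srv_kvno,
                     unsigned *maj, int *min)
{
    if (c->ticket_kvno == 0)
        c->ticket_kvno = kdc_kvno;     /* fetch a fresh service ticket */
    if (c->ticket_kvno != srv_kvno) {
        *maj = GSS_S_FAILURE;
        *min = KRB_AP_ERR_BAD_INTEGRITY;
        return -1;
    }
    *maj = GSS_S_COMPLETE;
    *min = 0;
    return 0;
}

/* Returns the number of retries needed (0 or 1), or -1 on failure. */
int create_context(struct client *c, int kdc_kvno, int srv_kvno)
{
    unsigned maj;
    int min;
    for (int attempt = 0; ; attempt++) {
        if (establish(c, kdc_kvno, srv_kvno, &maj, &min) == 0)
            return attempt;
        if (attempt == 1 || maj != GSS_S_FAILURE || min != KRB_AP_ERR_BAD_INTEGRITY)
            return -1;                 /* other error, or retry already used */
        if (c->type == CRED_MACHINE)
            c->renewals++;             /* force renewal from the keytab */
        else
            c->removals++;             /* remove the stale service ticket */
        c->ticket_kvno = 0;            /* either way the old ticket is gone */
    }
}

int main(void)
{
    struct client c = { CRED_USER, 1, 0, 0 };  /* constructed: stale ticket */
    int r = create_context(&c, 2, 2);
    printf("retries=%d removals=%d\n", r, c.removals);
    return 0;
}
```

The fourth case in the model, where the KDC and the server disagree on the key version, is why the retry is bounded: a fresh ticket would be rejected again, and an unbounded loop would keep hitting the KDC.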