From patchwork Wed Dec 6 21:33:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13482305 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="XeMaQGm8" Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B34BBD4B for ; Wed, 6 Dec 2023 13:33:36 -0800 (PST) Received: by mail-qk1-x732.google.com with SMTP id af79cd13be357-77f3c8fb126so1124585a.0 for ; Wed, 06 Dec 2023 13:33:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701898416; x=1702503216; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0OGTR2attaRq9HgZ/r5yNcQl5SlG230w3Em/r6CZfd4=; b=XeMaQGm8J594oEnYq03l706YGzQAwQdS3kPR5DpDbi2triWm50r9AgU78HG+Z4AUql cfr0jiyUJYqKXUtpY1PguFYOCfsn/0U+T5Ewo1iag8Q4E1U5KRQj89A0hEoNQHK/MC7B 4ZdfcWH0dFu6XQ5VZOkQ0EBtVcI2ZrWOD0IRCwE+DYLgREfY5jzgRtPaaYC6JIGo7yTY wrXL3RuK2ttq7UKShsNWDAkHbGEtPGp/dnhLxyXIzYiYeK7r1T0JjOLblVw5lz0NXt7N dpyew92dtVfHBteO9SGvUXIyX7IRdX7BbFZYsthnC5dQBk8xw6s0NAM2gC0+P0pCoOXu pU1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701898416; x=1702503216; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0OGTR2attaRq9HgZ/r5yNcQl5SlG230w3Em/r6CZfd4=; b=CjFGy9hmxpVr4exESTl35A1wh7TunS3bbseXae8cm1+mOd9f8S3TAYtG5l4J0iMKpo DbpIwJzgsVT/2w9IvXoFhCqwjw5WHcJUT4jOAqwbwwDaNuLoT37C8UsU2LGJ5lzBX9s0 lLloFY83InuSVSlrm0Fhkff0pVj3Lh4sMu2RdtPQ5WnYIOaC9424o9u/SEGWTAQaR4fL SkXEJeQMJP4lFHY+npXZOvnj7225S63KeQQfhrALV/f7fH39fF4r3PCiqVr1rEtIfR1r 
QrTbTR7oTvxQHwsVXKdMdjMankkgUG0WfLktuFBNh3iF4Evc0tQPg6XiLW6Z/Z+wdrq0 +ixA== X-Gm-Message-State: AOJu0YxXAV43abfCGNEXbv4BYeIvVk+wEn6wWoJ9mZMdG1ws3f1Tl9Jg Wd538gmhoRKQ/5qjsONR3vQ= X-Google-Smtp-Source: AGHT+IGVq6je1saKrJ6OwUxEIYR/miUBiVtcqSRVey1EoEQE5X1niQ1GB8WkWL5AB5w4HMWsL72cSQ== X-Received: by 2002:a05:620a:4141:b0:77d:cf5d:1bce with SMTP id k1-20020a05620a414100b0077dcf5d1bcemr3239989qko.4.1701898415723; Wed, 06 Dec 2023 13:33:35 -0800 (PST) Received: from kolga-mac-1.attlocal.net ([2600:1700:6a10:2e90:b4ac:108b:be40:79b]) by smtp.gmail.com with ESMTPSA id ro3-20020a05620a398300b0077da601f06csm256435qkn.10.2023.12.06.13.33.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 13:33:34 -0800 (PST) From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com Subject: [PATCH 1/6] gssd: revert commit a5f3b7ccb01c Date: Wed, 6 Dec 2023 16:33:27 -0500 Message-Id: <20231206213332.55565-2-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231206213332.55565-1-olga.kornievskaia@gmail.com> References: <20231206213332.55565-1-olga.kornievskaia@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Olga Kornievskaia In preparation for using rpc_gss_seccreate() function, revert commit a5f3b7ccb01c "gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials" Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 2 -- utils/gssd/krb5_util.c | 42 ------------------------------------------ utils/gssd/krb5_util.h | 1 - 3 files changed, 45 deletions(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index a96647df..e5cc1d98 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c 
@@ -419,8 +419,6 @@ create_auth_rpc_client(struct clnt_info *clp, if (cred == GSS_C_NO_CREDENTIAL) retval = gssd_refresh_krb5_machine_credential(clp->servername, "*", NULL, 1); - else - retval = gssd_k5_remove_bad_service_cred(clp->servername); if (!retval) { auth = authgss_create_default(rpc_clnt, tgtname, &sec); diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 6f66ef4f..f6ce1fec 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1553,48 +1553,6 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) return ret; } -/* Removed a service ticket for nfs/ from the ticket cache - */ -int -gssd_k5_remove_bad_service_cred(char *name) -{ - krb5_creds in_creds, out_creds; - krb5_error_code ret; - krb5_context context; - krb5_ccache cache; - krb5_principal principal; - int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; - char srvname[1024]; - - ret = krb5_init_context(&context); - if (ret) - goto out_cred; - ret = krb5_cc_default(context, &cache); - if (ret) - goto out_free_context; - ret = krb5_cc_get_principal(context, cache, &principal); - if (ret) - goto out_close_cache; - memset(&in_creds, 0, sizeof(in_creds)); - in_creds.client = principal; - sprintf(srvname, "nfs/%s", name); - ret = krb5_parse_name(context, srvname, &in_creds.server); - if (ret) - goto out_free_principal; - ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); - if (ret) - goto out_free_principal; - ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); -out_free_principal: - krb5_free_principal(context, principal); -out_close_cache: - krb5_cc_close(context, cache); -out_free_context: - krb5_free_context(context); -out_cred: - return ret; -} - #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 7ef87018..62c91a0e 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h 
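Review bot: in the gssd_proc.c hunk, dropping the `else` branch leaves `retval` unassigned on the user-credential path before the `if (!retval)` retry, so until 2/6 removes the surrounding block the retry runs with whatever value `retval` already held and without any change to the ticket cache. That is only harmless because the whole retry block goes away in the next patch; a sentence in the commit message saying the intermediate state is intentionally a no-op for user credentials would save anyone bisecting through here a question. The krb5_util.c hunk is a clean removal of a function that 5/6 reintroduces byte-for-byte; if the series is respun, consider folding 1/6 and 5/6 together so the function is modified in place rather than deleted and re-added.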
@@ -22,7 +22,6 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); -int gssd_k5_remove_bad_service_cred(char *srvname); #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes; From patchwork Wed Dec 6 21:33:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13482306 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UKXnxee8" Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4423ED5B for ; Wed, 6 Dec 2023 13:33:38 -0800 (PST) Received: by mail-qv1-xf2c.google.com with SMTP id 6a1803df08f44-67acc0c1a35so531816d6.0 for ; Wed, 06 Dec 2023 13:33:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701898417; x=1702503217; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=wZWSOIgKKMZd8u9zKyA1yNwvXWB4I60jQhkSqY/f7yQ=; b=UKXnxee8YfX2H3xp/WvVxnKeb0JzqWg7hA62DLURNINxsdnrNyuEPVJxibWzH5Nio3 eRC0DpOdYCXiFVghR7NgFYWSJh5PXY1C+SCwOgQaBvsK9k/iUYBJxh0Po/YaTbKP+QYW 6OB6zEUMFbkE6gsHkd5i/JNIEaVmB098DmS/wgF1DyuhNdF4Ya/3ZZ4KcSMVdLcqVAbP SgjvbZj3upMn3nBatWnOWIj7asqdGDSuqw4OdEjEi5/9jg0MXPjorucseU8Lch8SlG+e x8Gjls86KN/LSz8IVLyoCjfIDKUI9frVMfV7Qr4Pblfw8cRAYxSFR4P7YHtOtmhcD+1C CrhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701898417; x=1702503217; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wZWSOIgKKMZd8u9zKyA1yNwvXWB4I60jQhkSqY/f7yQ=; 
b=nwWp6AqquWL5O5/m0oP3nZ5Q/cwJgckXe8FT/jK+FS2u3DXFO/gGzM46qaYNUkcvif dkzHUjkh4tacb8PZFl1DUOzIkGdGSG9QYN+GWcF2x618QvXDhXGIDuGCBZg7kZtL+LFu 3NET0++/QZfK2ADkUPTapDNCeLisoOrPtwNgT1kLQDSMRjaSaug1JJl6uCU9A1U6Zeyq mDoRdM3F/PFoKFFK4YvcVQNa+wb11PVn91YD1FrnyKAbxvfAaRi5uOKG7eNnhaSnegB0 8aiJNmeRzTR43/aIOh4gGfQhhrV8lOBTF5l4pLCa39y2rHynalkvB75i+t+tacYCJMHE IEBA== X-Gm-Message-State: AOJu0YzQ3vGIZUjHROqsixcBllL1yjlz5rDKgUo5zfW1l+DD1NWbwUHi 0PVwBwtJjoaAJpM7sHgGIs0= X-Google-Smtp-Source: AGHT+IEc2hAT+VbsdIdhZfImpKHnEYW+Gs7kMSvpLUF9Ua86CP0UEqkPW1lXtcyoSO9sy5l5PtI/0w== X-Received: by 2002:a05:620a:4146:b0:77d:8c81:ea2d with SMTP id k6-20020a05620a414600b0077d8c81ea2dmr3245298qko.0.1701898417362; Wed, 06 Dec 2023 13:33:37 -0800 (PST) Received: from kolga-mac-1.attlocal.net ([2600:1700:6a10:2e90:b4ac:108b:be40:79b]) by smtp.gmail.com with ESMTPSA id ro3-20020a05620a398300b0077da601f06csm256435qkn.10.2023.12.06.13.33.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 13:33:36 -0800 (PST) From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com Subject: [PATCH 2/6] gssd: revert commit 513630d720bd Date: Wed, 6 Dec 2023 16:33:28 -0500 Message-Id: <20231206213332.55565-3-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231206213332.55565-1-olga.kornievskaia@gmail.com> References: <20231206213332.55565-1-olga.kornievskaia@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Olga Kornievskaia In preparation for using rpc_gss_seccreate(), revert commit 513630d720bd "gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials" Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index e5cc1d98..4fb6b72d 100644 --- a/utils/gssd/gssd_proc.c 
+++ b/utils/gssd/gssd_proc.c 
@@ -412,27 +412,13 @@ create_auth_rpc_client(struct clnt_info *clp, tid, tgtname); auth = authgss_create_default(rpc_clnt, tgtname, &sec); if (!auth) { - if (sec.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - printerr(2, "WARNING: server=%s failed context " - "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", - clp->servername); - if (cred == GSS_C_NO_CREDENTIAL) - retval = gssd_refresh_krb5_machine_credential(clp->servername, - "*", NULL, 1); - if (!retval) { - auth = authgss_create_default(rpc_clnt, tgtname, - &sec); - if (auth) - goto success; - } - } /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } -success: + /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; From patchwork Wed Dec 6 21:33:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13482307 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="YSg3uRtv" Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 590CCD5C for ; Wed, 6 Dec 2023 13:33:39 -0800 (PST) Received: by mail-qk1-x733.google.com with SMTP id af79cd13be357-77f3c8fb126so1124985a.0 for ; Wed, 06 Dec 2023 13:33:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701898418; x=1702503218; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KDBBkNVLVNjZb1IaiGSr+kR7X/bG36A548ZQUO4n/6I=; b=YSg3uRtvVfNPzO0zouUCOUchYWtIjY5CIk+FwHkLUoM4Tt3Hm4aTyUmQHFUXjvgTi/ B9efrB+JaOQkL1yH5rP619ABih/+xmrcF4DR53PPFoBzJWtapVxkeN+/GRH30djyDNxe 
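Review bot: the removed block read `sec.minor_status` after `authgss_create_default()` failed, yet 3/6 justifies the switch by saying `authgss_create_default()` "does not expose gss error codes"; the two should be reconciled in the commit message (for example, if `sec.minor_status` is not reliably populated by every libtirpc version), because a reader of this hunk sees a working-looking check being deleted without a stated reason. Replacing the `success:` label with the `/* Success !!! */` comment is fine on its own, but 4/6 brings the label back under `#ifdef`, so keeping the label here would avoid the churn.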
From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com Subject: [PATCH 3/6] gssd: switch to using rpc_gss_seccreate() Date: Wed, 6 Dec 2023 16:33:29 -0500 Message-Id: <20231206213332.55565-4-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231206213332.55565-1-olga.kornievskaia@gmail.com> References: <20231206213332.55565-1-olga.kornievskaia@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Olga Kornievskaia If available from the libtirpc library, switch to using rpc_gss_seccreate() instead of authgss_create_default() which does not expose gss error codes. Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 4fb6b72d..99761157 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -70,6 +70,9 @@ #include #include #include +#ifdef HAVE_TIRPC_GSS_SECCREATE +#include +#endif #include "gssd.h" #include "err_util.h" @@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp, struct timeval timeout; struct sockaddr *addr = (struct sockaddr *) &clp->addr; socklen_t salen; +#ifdef HAVE_TIRPC_GSS_SECCREATE + rpc_gss_options_req_t req; + rpc_gss_options_ret_t ret; + char mechanism[] = "kerberos_v5"; +#endif pthread_t tid = pthread_self(); sec.qop = GSS_C_QOP_DEFAULT; 
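Review bot: in the second hunk `rpc_gss_options_ret_t ret` is declared but never zeroed, and the call site in the following hunk only does `memset(&req, 0, sizeof(req))`; if `rpc_gss_seccreate()` returns NULL before it fills in `ret` (allocation failure, unknown mechanism name), `ret.minor_status` is stack garbage, which matters once 4/6 starts branching on it. Suggest `memset(&ret, 0, sizeof(ret));` next to the existing memset of `req`. Naming the struct `ret` alongside the existing `retval` int also invites confusion in the error paths; `gss_ret` or similar would read better.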
@@ -410,7 +418,14 @@ create_auth_rpc_client(struct clnt_info *clp, printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n", tid, tgtname); +#ifdef HAVE_TIRPC_GSS_SECCREATE + memset(&req, 0, sizeof(req)); + req.my_cred = sec.cred; + auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism, + rpcsec_gss_svc_none, NULL, &req, &ret); +#else auth = authgss_create_default(rpc_clnt, tgtname, &sec); +#endif if (!auth) { /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " From patchwork Wed Dec 6 21:33:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13482308 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="WTwqu/BQ" Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1100718D for ; Wed, 6 Dec 2023 13:33:41 -0800 (PST) Received: by mail-qv1-xf31.google.com with SMTP id 6a1803df08f44-67a9a51663fso446486d6.1 for ; Wed, 06 Dec 2023 13:33:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701898420; x=1702503220; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=MqoSXgMUeBsvluQmJvVDbjL5heCUMNwImuhygB9ZAbk=; b=WTwqu/BQOym/hxujgGodZxI1bn/PQgyFsIZtuWSVvh97ofRgM/mW9Kz7G+YknksJI4 i2wdQIc7oZgWay8FeF7KIFmcWqLJaDLNgH2eB7oZnF+ns+a2XrsojwjGsKUFwCPnVcP4 RvD6aSKXNfgpmALEUkgfn7yoQjmuxj0QoCzpOwZ4ygLOlmdma1nrbFE+Dj2O8GdGM93p r+1oE4i1FjEbn9775UZwNO9y/pEaWHJODrQVyZc5ecyA78F1VEdECAjkW2XuQVE/YC3h T6sSNogdpHovdhIC2ssTdlySSH4zHBJK+wDdbQVP0F8ZSitcixomQzjcLjUSlY+ycsM5 2f0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701898420; 
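Review bot: the new path copies only `sec.cred` into `req.my_cred` and hard-codes `rpcsec_gss_svc_none` with a NULL QOP, while the `#else` branch still hands the whole `sec` (whose `qop` is set to `GSS_C_QOP_DEFAULT` above, plus whatever `svc`/`req_flags` are set in the lines not shown) to `authgss_create_default()`. Because `req` was zeroed, `req.req_flags` is 0; please confirm that matches what `sec.req_flags` requested (mutual authentication in particular), or set `req.req_flags = sec.req_flags;` so the two builds negotiate the same context properties. A one-line comment that gssd only needs `svc_none` here because per-message protection is done by the kernel would help the next reader.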
x=1702503220; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MqoSXgMUeBsvluQmJvVDbjL5heCUMNwImuhygB9ZAbk=; b=iwaW4nKY6OsTBdLmErf99xybUByOqsJW1OLd6SVx/pelyZihqHgNPYyIjPallcW+VX rZ/X0+gua40J/n+U76kwN6imQHQWn4tcfFBID1zAyzgWv+Voz7+ql/fY8M5xRw3uYQtq 5e897Ts87F5zANsp/nPuprXU3wnZtELCxvyzLSZRvituAUbg/e1QK7PNj88YVHcTiUIa 8FV7Lk0NamLb3QuJEhs/4gXByvvQHhZ41mJuhuafiKnVEUTQLIdkuRZrfDK3qLkbXQwN WjA+xUr/jUXyL5ChLNbRx1J9ampFyb1nYa/Z/2QyPFLApt2GeQpoYbZjFhvUt/wHR2ne wBFg== X-Gm-Message-State: AOJu0YwGdDmCy4BCg7OvETBVpqy9M0zxC8oSVbXW9F9m0AGsXfMjlUfK ymgYD9axuPIyNY8bd4hEdSc= X-Google-Smtp-Source: AGHT+IFQMCUpK/rWCuZt7zkfVRgqTiwGN0gINiDplupHoXwXLD7yS/ooa4s6ziiZthtsRgfWQ2FM7w== X-Received: by 2002:a05:620a:4485:b0:774:17d6:31dc with SMTP id x5-20020a05620a448500b0077417d631dcmr3033638qkp.4.1701898420013; Wed, 06 Dec 2023 13:33:40 -0800 (PST) Received: from kolga-mac-1.attlocal.net ([2600:1700:6a10:2e90:b4ac:108b:be40:79b]) by smtp.gmail.com with ESMTPSA id ro3-20020a05620a398300b0077da601f06csm256435qkn.10.2023.12.06.13.33.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 13:33:38 -0800 (PST) From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials Date: Wed, 6 Dec 2023 16:33:30 -0500 Message-Id: <20231206213332.55565-5-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231206213332.55565-1-olga.kornievskaia@gmail.com> References: <20231206213332.55565-1-olga.kornievskaia@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 
From: Olga Kornievskaia During context establishment, when the client receives a KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server updating its key material. To handle such an error, get a new service ticket and retry the AP_REQ. This functionality relies on the new API in libtirpc that exposes the gss errors. Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 99761157..29600a3f 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c 
@@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp, auth = authgss_create_default(rpc_clnt, tgtname, &sec); #endif if (!auth) { +#ifdef HAVE_TIRPC_GSS_SECCREATE + if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + printerr(2, "WARNING: server=%s failed context " + "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", + clp->servername); + if (cred == GSS_C_NO_CREDENTIAL) + retval = gssd_refresh_krb5_machine_credential(clp->servername, + "*", NULL, 1); + if (!retval) { + auth = rpc_gss_seccreate(rpc_clnt, tgtname, + mechanism, rpcsec_gss_svc_none, + NULL, &req, &ret); + if (auth) + goto success; + } + } +#endif /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } - +#ifdef HAVE_TIRPC_GSS_SECCREATE +success: +#endif /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; From patchwork Wed Dec 6 21:33:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13482309 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Use2PMQu" Received: from mail-qv1-xf32.google.com (mail-qv1-xf32.google.com [IPv6:2607:f8b0:4864:20::f32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A23DBD4B for ; Wed, 6 Dec 2023 13:33:42 -0800 (PST) Received: by mail-qv1-xf32.google.com with SMTP id 6a1803df08f44-67a9a51663fso446586d6.1 for ; Wed, 06 Dec 2023 13:33:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701898422; x=1702503222; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KQXA9vl98I9LBhtCOa0q1mlMwf+h5U4kRSy7ybOBDhw=; b=Use2PMQuCR0KE1iJlK1X0dCU+RgbC2vQS8lVxdTIgWBRk7o+0jcJXCWiG+yFUAHx5u 
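Review bot: on the `cred != GSS_C_NO_CREDENTIAL` path this hunk never assigns `retval`, so `if (!retval)` reads a stale value and may re-run `rpc_gss_seccreate()` with the same cached ticket; 5/6 adds the missing `else`, so either squash those two lines in here or initialise `retval` to a non-zero value before the `if`. The retry being bounded to a single attempt is the right shape (a loop here would let a server that keeps answering BAD_INTEGRITY pin gssd in refresh/retry), and it is worth saying so in a comment. The `#ifdef` around `success:` exists only to avoid an unused-label warning in the non-tirpc build; a short comment would stop someone from "cleaning it up" later.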
From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com Subject: [PATCH 5/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials Date: Wed, 6 Dec 2023 16:33:31 -0500 Message-Id: <20231206213332.55565-6-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231206213332.55565-1-olga.kornievskaia@gmail.com> References: <20231206213332.55565-1-olga.kornievskaia@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Olga Kornievskaia Unlike the machine credential case, we can't throw away the ticket cache and use the keytab to renew the credentials. Instead, we need to remove the service ticket for the server that returned KRB5_AP_ERR_BAD_INTEGRITY and try again. Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 2 ++ utils/gssd/krb5_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++ utils/gssd/krb5_util.h | 1 + 3 files changed, 45 insertions(+) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 29600a3f..7629de0b 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -435,6 +435,8 @@ create_auth_rpc_client(struct clnt_info *clp, if (cred == GSS_C_NO_CREDENTIAL) retval = gssd_refresh_krb5_machine_credential(clp->servername, "*", NULL, 1); + else + retval = gssd_k5_remove_bad_service_cred(clp->servername); if (!retval) { auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism, rpcsec_gss_svc_none, diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index f6ce1fec..6f66ef4f 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c 
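Review bot: `gssd_k5_remove_bad_service_cred()` returns the raw `krb5_error_code`, so when the `nfs/%s` ticket is not in the cache at all (`krb5_cc_retrieve_cred()` failing with KRB5_CC_NOTFOUND) `retval` is non-zero and the retry is skipped, even though a retry in that state would simply fetch a fresh service ticket. Consider treating not-found as success (in the caller or in the helper) and, when removal fails for any other reason, logging the krb5 error via `printerr(2, ...)` so an operator can see why no retry was attempted.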
@@ -1553,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) return ret; } +/* Removed a service ticket for nfs/ from the ticket cache + */ +int +gssd_k5_remove_bad_service_cred(char *name) +{ + krb5_creds in_creds, out_creds; + krb5_error_code ret; + krb5_context context; + krb5_ccache cache; + krb5_principal principal; + int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; + char srvname[1024]; + + ret = krb5_init_context(&context); + if (ret) + goto out_cred; + ret = krb5_cc_default(context, &cache); + if (ret) + goto out_free_context; + ret = krb5_cc_get_principal(context, cache, &principal); + if (ret) + goto out_close_cache; + memset(&in_creds, 0, sizeof(in_creds)); + in_creds.client = principal; + sprintf(srvname, "nfs/%s", name); + ret = krb5_parse_name(context, srvname, &in_creds.server); + if (ret) + goto out_free_principal; + ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); + if (ret) + goto out_free_principal; + ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); +out_free_principal: + krb5_free_principal(context, principal); +out_close_cache: + krb5_cc_close(context, cache); +out_free_context: + krb5_free_context(context); +out_cred: + return ret; +} + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 62c91a0e..7ef87018 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h 
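Review bot: `sprintf(srvname, "nfs/%s", name)` writes into a fixed `char srvname[1024]` with no bound on `name` (it arrives from `clp->servername`); use `snprintf(srvname, sizeof(srvname), "nfs/%s", name)` and treat truncation as an error, or build the principal with `krb5_sname_to_principal()` and drop the buffer entirely. Two leaks on the success path: `in_creds.server` from `krb5_parse_name()` is never released with `krb5_free_principal()`, and `out_creds` filled by `krb5_cc_retrieve_cred()` is never released with `krb5_free_cred_contents()`; both need to happen before jumping to `out_free_principal`. Minor: the comment should read "Remove a service ticket", the parameter could be `const char *name` (the header declares it as `srvname`, so the names should also agree), and a `printerr()` of `gssd_k5_err_msg()` on the failing step would make a failed removal diagnosable from the logs.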
@@ -22,6 +22,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); +int gssd_k5_remove_bad_service_cred(char *srvname); #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes; From patchwork Wed Dec 6 21:33:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13482310 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="WVY9/Iwd" Received: from mail-oo1-xc34.google.com (mail-oo1-xc34.google.com [IPv6:2607:f8b0:4864:20::c34]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85F02F7 for ; Wed, 6 Dec 2023 13:33:43 -0800 (PST) Received: by mail-oo1-xc34.google.com with SMTP id 006d021491bc7-590638ff680so41537eaf.1 for ; Wed, 06 Dec 2023 13:33:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701898423; x=1702503223; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=5USLAotu/Ir6n/IBLfon1cOlR9qpajMvoZiPWq4vufA=; b=WVY9/IwdIDEiKGByu2Yy09RfTLnFiJeIBvXDj7u4HhGTGYhOYdxhaSOCWWcro/GKUj 6BXtFJ5Ij3fzGFqGAXBVp3CQMfPWjAHKH0AH9r0Oltvd0ZSp0U3KCFc1ULscGpPsDkMK PwNF8sjX8lhj6D9QdO0gxJBBMgVTFW/JfX9Ni+uCd4I7jzOjklNsv4qPsvyrmV5hXS2G tn6GjAURWXG2w3BkJkjubfKHxJEbX7Dv1HwR9z8BePbsoSQUXiT0yZoRH4b+aL6gdX1a 7uYZML+uuCuV+ZQYVOh5HBu4OtdAVt0Qf1hNbEw8pnZES0kg6Ga83JW/+K72e221Fm1X xXhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701898423; x=1702503223; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5USLAotu/Ir6n/IBLfon1cOlR9qpajMvoZiPWq4vufA=; 
b=dMum13R32fQiuM8kMnnjCgn4TanZg1CIRRaG+bqj7pbgsY/PNYBWxrHUjGRBMiotww oLbdaF7Ob7NdD7PvbYdnPenfgMtU2d9QRH758EtCaiQ5JLRQCb2yIwDAOQnvx1BEniI4 thDJ9f5+J85p87HsmUkhQrKBTsSS+byxU1cKB8LLLQUF6SHHXyfXkudgFoaRPgrXRUXc FgnxCJvtUqvmYRYitWKHd4gHi1irtLtaiVReUquERDfYWSbjYDF+cw+70wpQMtbUb72P oxfQZOpd1YS5iogZ4GmxMPu030lcYjF0f/9bxzmYtDucsFYn1hjG9bCfPLIhPJNvvrd3 OF6w== X-Gm-Message-State: AOJu0YyW0si1iobS8O1yhN2XTNQC+HTOatDfIwlpT4wUBrCbeP1ix9ZO rGybcrgi6SeatmcW11opLD7ehEb4WJU= X-Google-Smtp-Source: AGHT+IFSrCEeFIBQ69y9NDr1HcQMDcjKzr6wnEy2EvbPQsg3s+KWldWYMJJWSfYiRjq5tzs6FIN3HQ== X-Received: by 2002:a4a:dc43:0:b0:58d:5302:5b18 with SMTP id q3-20020a4adc43000000b0058d53025b18mr2908281oov.1.1701898422814; Wed, 06 Dec 2023 13:33:42 -0800 (PST) Received: from kolga-mac-1.attlocal.net ([2600:1700:6a10:2e90:b4ac:108b:be40:79b]) by smtp.gmail.com with ESMTPSA id ro3-20020a05620a398300b0077da601f06csm256435qkn.10.2023.12.06.13.33.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 13:33:42 -0800 (PST) From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com Subject: [PATCH 6/6] configure: check for rpc_gss_seccreate Date: Wed, 6 Dec 2023 16:33:32 -0500 Message-Id: <20231206213332.55565-7-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231206213332.55565-1-olga.kornievskaia@gmail.com> References: <20231206213332.55565-1-olga.kornievskaia@gmail.com> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Olga Kornievskaia If we have rpc_gss_sccreate in tirpc library define HAVE_TIRPC_GSS_SECCREATE, which would allow us to handle bad_integrity errors. Signed-off-by: Olga Kornievskaia --- aclocal/libtirpc.m4 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4 index bddae022..ef48a2ae 100644 --- a/aclocal/libtirpc.m4 +++ b/aclocal/libtirpc.m4 
@@ -26,6 +26,11 @@ AC_DEFUN([AC_LIBTIRPC], [ [Define to 1 if your tirpc library provides libtirpc_set_debug])],, [${LIBS}])]) + AS_IF([test -n "${LIBTIRPC}"], + [AC_CHECK_LIB([tirpc], [rpc_gss_seccreate], + [AC_DEFINE([HAVE_TIRPC_GSS_SECCREATE], [1], + [Define to 1 if your tirpc library provides rpc_gss_seccreate])],, + [${LIBS}])]) AC_SUBST([AM_CPPFLAGS]) AC_SUBST(LIBTIRPC)
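Review bot: `AC_CHECK_LIB([tirpc], [rpc_gss_seccreate], ...)` only proves the symbol links; 3/6 also includes a libtirpc header and uses `rpc_gss_options_req_t`/`rpc_gss_options_ret_t`, so a system whose tirpc library exports the function but whose installed headers predate it would define HAVE_TIRPC_GSS_SECCREATE and then fail to compile. Add an `AC_CHECK_HEADERS` (or `AC_CHECK_DECL` of `rpc_gss_seccreate` with the appropriate include) chained on the library result, matching how the `libtirpc_set_debug` block above is guarded. The commit message also has a typo: `rpc_gss_sccreate` should read `rpc_gss_seccreate`.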