[PATCH 00/12] misc nfs-utils patches

[PATCH 00/12] misc nfs-utils patches

[Kevin Coffman]

Here are a few nfs-utils patches:

- Minor changes to the autotools stuff.
- Add AM_MAINTAINER_MODE (In case you decide to include it)
- Add fslocations (referrals) support to exportfs
- Sent gssapi error codes down to kernel as unsigned.
- Fix memory leak in idmapd.
- Some manpage changes from Steiner that appear to have been
  missed in the preious commit.
- When selecting a Kerberos credentials cache, compare owner
  rather than name.
- Use lucid context support in newer Heimdal release
- Factor out some code in mountd
- Add option to allow svcgssd to set libnfsidmap logging verbosity


K.C.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 01/12] Touch up some of the autotools files

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

this patch touches up the autotool code a bit in nfs-utils:
 - run autogen.sh with -e so if something fails, it'll abort properly
 - set ACLOCAL_AMFLAGS so that when running autoreconf or when
   autotools re-runs itself, the m4 files are found properly
 - make sure we include bsdsignals.m4 in the final tarball
 - add some cross-compiling fallback logic to bsdsignals.m4 so that
   when cross-compiling nfs-utils, the configure is a bit more nice
   than simply:
      checking for BSD signal semantics... configure: error: cannot run test program while cross compiling
---

 Makefile.am           |    3 +++
 aclocal/bsdsignals.m4 |    9 ++++++++-
 autogen.sh            |    2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 8298aa0..c04e9de 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -35,10 +35,13 @@ EXTRA_DIST = \
 	debian/nhfsstone.prerm \
 	debian/rules \
 	\
+	aclocal/bsdsignals.m4 \
 	aclocal/nfs-utils.m4 \
 	aclocal/kerberos5.m4 \
 	aclocal/tcp-wrappers.m4
 
+ACLOCAL_AMFLAGS = -I aclocal
+
 install-data-hook:
 	if [ ! -d $(DESTDIR)$(statedir) ]; then mkdir -p $(DESTDIR)$(statedir); fi
 	touch $(DESTDIR)$(statedir)/xtab; chmod 644 $(DESTDIR)$(statedir)/xtab
diff --git a/aclocal/bsdsignals.m4 b/aclocal/bsdsignals.m4
index e951194..24572aa 100644
--- a/aclocal/bsdsignals.m4
+++ b/aclocal/bsdsignals.m4
@@ -23,7 +23,14 @@ AC_DEFUN([AC_BSD_SIGNALS], [
 		kill(getpid(), SIGHUP); kill(getpid(), SIGHUP);
 		return (counter == 2)? 0 : 1;
 	}
-    ], knfsd_cv_bsd_signals=yes, knfsd_cv_bsd_signals=no)]) dnl
+    ], knfsd_cv_bsd_signals=yes, knfsd_cv_bsd_signals=no,
+    [
+      case "$host_os" in
+        *linux*) knfsd_cv_bsd_signals=no;;
+        *bsd*)   knfsd_cv_bsd_signals=yes;;
+        *)       AC_MSG_ERROR([unable to guess signal semantics for $host_os; please set knfsd_cv_bsd_signals]);;
+      esac
+    ])]) dnl
     AC_MSG_RESULT($knfsd_cv_bsd_signals)
     test $knfsd_cv_bsd_signals = yes && AC_DEFINE(HAVE_BSD_SIGNALS, 1, [Define this if you want to use BSD signal semantics])
 ])dnl
diff --git a/autogen.sh b/autogen.sh
index c89e674..9e8b89b 100644
--- a/autogen.sh
+++ b/autogen.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 
 echo -n cleaning up .
 

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 02/12] Add AM_MAINTAINER_MODE to configure.in

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

As requested by "Steinar H. Gunderson" <sgunderson@bigfoot.com>, add
AM_MAINTAINER_MODE to configure.in.  See the description of this
macro below:

  `AM_MAINTAINER_MODE' disables the so called "rebuild rules" bys
  default. If you have `AM_MAINTAINER_MODE' in `configure.ac', and
  run `./configure && make', then `make' will *never* attempt to
  rebuild `configure', `Makefile.in's, Lex or Yacc outputs, etc.
  I.e., this disables build rules for files which are usually
  distributed and that users should normally not have to update.

     If you run `./configure --enable-maintainer-mode', then these
     rebuild rules will be active.
---

 configure.in |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/configure.in b/configure.in
index 757ebb8..99adee8 100644
--- a/configure.in
+++ b/configure.in
@@ -8,6 +8,7 @@ AC_CONFIG_MACRO_DIR(aclocal)
 AM_INIT_AUTOMAKE
 AC_PREREQ(2.59)
 AC_PREFIX_DEFAULT(/usr)
+AM_MAINTAINER_MODE
 
 dnl *************************************************************
 dnl * Define the set of applicable options

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 03/12] Extend the exportfs interface to pass fslocations info into the kernel.

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Fred Isaman <iisaman@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

Extend exportfs interface to pass fslocations info into the kernel,
using syntax modelled after AIX.  Adds "--refer" and "--replicas"
options to exportfs to enable use of the kernel fslocation code.
---

 support/include/exportfs.h |    7 ++
 support/include/nfslib.h   |    2 
 support/nfs/exports.c      |   37 +++++++++
 utils/exportfs/exportfs.c  |   14 +++
 utils/exportfs/exports.man |   14 +++
 utils/mountd/Makefile.am   |    2 
 utils/mountd/cache.c       |   30 +++++++
 utils/mountd/fsloc.c       |  184 ++++++++++++++++++++++++++++++++++++++++++++
 utils/mountd/fsloc.h       |   50 ++++++++++++
 9 files changed, 336 insertions(+), 4 deletions(-)

diff --git a/support/include/exportfs.h b/support/include/exportfs.h
index 10f38c7..458611b 100644
--- a/support/include/exportfs.h
+++ b/support/include/exportfs.h
@@ -23,6 +23,13 @@ enum {
 	MCL_MAXTYPES
 };
 
+enum {
+	FSLOC_NONE = 0,
+	FSLOC_REFER,
+	FSLOC_REPLICA,
+	FSLOC_STUB
+};
+
 typedef struct mclient {
 	struct mclient *	m_next;
 	char			m_hostname[NFSCLNT_IDMAX+1];
diff --git a/support/include/nfslib.h b/support/include/nfslib.h
index aba37c2..722d47a 100644
--- a/support/include/nfslib.h
+++ b/support/include/nfslib.h
@@ -80,6 +80,8 @@ struct exportent {
 	int		e_nsqgids;
 	int		e_fsid;
 	char *		e_mountpoint;
+	int             e_fslocmethod;
+	char *          e_fslocdata;
 };
 
 struct rmtabent {
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index 9b010dc..3a07ebc 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -100,6 +100,8 @@ getexportent(int fromkernel, int fromexp
 		def_ee.e_squids = NULL;
 		def_ee.e_sqgids = NULL;
 		def_ee.e_mountpoint = NULL;
+		def_ee.e_fslocmethod = FSLOC_NONE;
+		def_ee.e_fslocdata = NULL;
 		def_ee.e_nsquids = 0;
 		def_ee.e_nsqgids = 0;
 
@@ -223,7 +225,22 @@ putexportent(struct exportent *ep)
 	if (ep->e_mountpoint)
 		fprintf(fp, "mountpoint%s%s,",
 			ep->e_mountpoint[0]?"=":"", ep->e_mountpoint);
-
+	switch (ep->e_fslocmethod) {
+	case FSLOC_NONE:
+		break;
+	case FSLOC_REFER:
+		fprintf(fp, "refer=%s,", ep->e_fslocdata);
+		break;
+	case FSLOC_REPLICA:
+		fprintf(fp, "replicas=%s,", ep->e_fslocdata);
+		break;
+	case FSLOC_STUB:
+		fprintf(fp, "fsloc=stub,");
+		break;
+	default:
+		xlog(L_ERROR, "unknown fsloc method for %s:%s",
+		     ep->e_hostname, ep->e_path);
+	}
 	fprintf(fp, "mapping=");
 	switch (ep->e_maptype) {
 	case CLE_MAP_IDENT:
@@ -286,6 +303,8 @@ dupexportent(struct exportent *dst, stru
 	}
 	if (src->e_mountpoint)
 		dst->e_mountpoint = strdup(src->e_mountpoint);
+	if (src->e_fslocdata)
+		dst->e_fslocdata = strdup(src->e_fslocdata);
 }
 
 struct exportent *
@@ -300,6 +319,8 @@ mkexportent(char *hname, char *path, cha
 	ee.e_squids = NULL;
 	ee.e_sqgids = NULL;
 	ee.e_mountpoint = NULL;
+	ee.e_fslocmethod = FSLOC_NONE;
+	ee.e_fslocdata = NULL;
 	ee.e_nsquids = 0;
 	ee.e_nsqgids = 0;
 
@@ -461,6 +482,20 @@ bad_option:
 				ep->e_mountpoint = strdup(mp+1);
 			else
 				ep->e_mountpoint = strdup("");
+		} else if (strncmp(opt, "fsloc=", 6) == 0) {
+			if (strcmp(opt+6, "stub") == 0)
+				ep->e_fslocmethod = FSLOC_STUB;
+			else {
+				xlog(L_ERROR, "%s:%d: bad option %s\n",
+				     flname, flline, opt);
+				goto bad_option;
+			}
+		} else if (strncmp(opt, "refer=", 6) == 0) {
+			ep->e_fslocmethod = FSLOC_REFER;
+			ep->e_fslocdata = strdup(opt+6);
+		} else if (strncmp(opt, "replicas=", 9) == 0) {
+			ep->e_fslocmethod = FSLOC_REPLICA;
+			ep->e_fslocdata = strdup(opt+9);
 		} else {
 			xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n",
 					flname, flline, opt);
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index cd49a3b..1a8817d 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -416,7 +416,19 @@ dump(int verbose)
 				c = dumpopt(c, "anonuid=%d", ep->e_anonuid);
 			if (ep->e_anongid != 65534)
 				c = dumpopt(c, "anongid=%d", ep->e_anongid);
-
+			switch(ep->e_fslocmethod) {
+			case FSLOC_NONE:
+				break;
+			case FSLOC_REFER:
+				c = dumpopt(c, "refer=%s", ep->e_fslocdata);
+				break;
+			case FSLOC_REPLICA:
+				c = dumpopt(c, "replicas=%s", ep->e_fslocdata);
+				break;
+			case FSLOC_STUB:
+				c = dumpopt(c, "fsloc=stub");
+				break;
+			}
 			printf("%c\n", (c != '(')? ')' : ' ');
 		}
 	}
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 892533b..eb645fc 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -327,6 +327,20 @@ The value  0 has a special meaning when 
 concept of a root of the overall exported filesystem. The export point
 exported with fsid=0 will be used as this root.
 
+.TP
+.IR refer= path@host[+host][:path@host[+host]]
+A client referencing the export point will be directed to choose from
+the given list an alternative location for the filesystem.
+(Note that the server must have a mountpoint here, though a different
+filesystem is not required; so, for example,
+.IR "mount --bind" " /path /path"
+is sufficient.)
+.TP
+.IR replicas= path@host[+host][:path@host[+host]]
+If the client asks for alternative locations for the export point, it
+will be given this list of alternatives. (Note that actual replication
+of the filesystem must be handled elsewhere.)
+
 .SS User ID Mapping
 .PP
 .I nfsd
diff --git a/utils/mountd/Makefile.am b/utils/mountd/Makefile.am
index dd400fd..1465114 100644
--- a/utils/mountd/Makefile.am
+++ b/utils/mountd/Makefile.am
@@ -8,7 +8,7 @@ KPREFIX		= @kprefix@
 sbin_PROGRAMS	= mountd
 
 mountd_SOURCES = mountd.c mount_dispatch.c auth.c rmtab.c cache.c \
-		 svc_run.c mountd.h
+		 svc_run.c fsloc.c mountd.h
 mountd_LDADD = ../../support/export/libexport.a \
 	       ../../support/nfs/libnfs.a \
 	       ../../support/misc/libmisc.a \
diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c
index e8d42ae..89dc642 100644
--- a/utils/mountd/cache.c
+++ b/utils/mountd/cache.c
@@ -26,6 +26,7 @@ #include "nfslib.h"
 #include "exportfs.h"
 #include "mountd.h"
 #include "xmalloc.h"
+#include "fsloc.h"
 
 /*
  * Support routines for text-based upcalls.
@@ -236,6 +237,29 @@ void nfsd_fh(FILE *f)
 	return;		
 }
 
+static void write_fsloc(FILE *f, struct exportent *ep, char *path)
+{
+	struct servers *servers;
+
+	if (ep->e_fslocmethod == FSLOC_NONE)
+		return;
+
+	servers = replicas_lookup(ep->e_fslocmethod, ep->e_fslocdata, path);
+	if (!servers)
+		return;
+	qword_print(f, "fsloc");
+	qword_printint(f, servers->h_num);
+	if (servers->h_num >= 0) {
+		int i;
+		for (i=0; i<servers->h_num; i++) {
+			qword_print(f, servers->h_mp[i]->h_host);
+			qword_print(f, servers->h_mp[i]->h_path);
+		}
+	}
+	qword_printint(f, servers->h_referral);
+	release_replicas(servers);
+}
+
 void nfsd_export(FILE *f)
 {
 	/* requests are:
@@ -292,6 +316,8 @@ void nfsd_export(FILE *f)
 		qword_printint(f, found->m_export.e_anonuid);
 		qword_printint(f, found->m_export.e_anongid);
 		qword_printint(f, found->m_export.e_fsid);
+		write_fsloc(f, &found->m_export, path);
+		mountlist_add(dom, path);
 	}
 	qword_eol(f);
  out:
@@ -366,7 +392,9 @@ int cache_export_ent(char *domain, struc
 	qword_printint(f, exp->e_anonuid);
 	qword_printint(f, exp->e_anongid);
 	qword_printint(f, exp->e_fsid);
-	err = qword_eol(f);
+	write_fsloc(f, exp, exp->e_path);
+	mountlist_add(domain, exp->e_path);
+	qword_eol(f);
 
 	fclose(f);
 	return err;
diff --git a/utils/mountd/fsloc.c b/utils/mountd/fsloc.c
new file mode 100644
index 0000000..44b5b97
--- /dev/null
+++ b/utils/mountd/fsloc.c
@@ -0,0 +1,184 @@
+/*
+ * COPYRIGHT (c) 2006
+ * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization.  If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
+#include "fsloc.h"
+#include "exportfs.h"
+
+/* Debugging tool: prints out @servers info to syslog */
+static void replicas_print(struct servers *sp)
+{
+	int i;
+	if (!sp) {
+		syslog(LOG_INFO, "NULL replicas pointer");
+		return;
+	}
+	syslog(LOG_INFO, "replicas listsize=%i", sp->h_num);
+	for (i=0; i<sp->h_num; i++) {
+		syslog(LOG_INFO, "%s:%s",
+		       sp->h_mp[i]->h_host, sp->h_mp[i]->h_path);
+	}
+}
+
+/* Called by setting 'Method = stub' in config file.  Just returns
+ * some syntactically correct gibberish for testing purposes.
+ */
+static struct servers *method_stub(char *key)
+{
+	struct servers *sp;
+	struct mount_point *mp;
+
+	syslog(LOG_INFO, "called method_stub");
+	sp = malloc(sizeof(struct servers));
+	if (!sp)
+		return NULL;
+	mp = calloc(1, sizeof(struct mount_point));
+	if (!mp) {
+		free(sp);
+		return NULL;
+	}
+	sp->h_num = 1;
+	sp->h_mp[0] = mp;
+	mp->h_host = strdup("stub_server");
+	mp->h_path = strdup("/my/test/path");
+	sp->h_referral = 1;
+	return sp;
+}
+
+/* Scan @list, which is a NULL-terminated array of strings of the
+ * form path@host[+host], and return corresponding servers structure.
+ */
+static struct servers *parse_list(char **list)
+{
+	int i;
+	struct servers *res;
+	struct mount_point *mp;
+	char *cp;
+
+	res = malloc(sizeof(struct servers));
+	if (!res)
+		return NULL;
+	res->h_num = 0;
+
+	/* parse each of the answers in sucession. */
+	for (i=0; list[i] && i<FSLOC_MAX_LIST; i++) {
+		mp = calloc(1, sizeof(struct mount_point));
+		if (!mp) {
+			release_replicas(res);
+			return NULL;
+		}
+		cp = strchr(list[i], '@');
+		if ((!cp) || list[i][0] != '/') {
+			syslog(LOG_WARNING, "invalid entry '%s'", list[i]);
+			continue; /* XXX Need better error handling */
+		}
+		res->h_mp[i] = mp;
+		res->h_num++;
+		mp->h_path = strndup(list[i], cp - list[i]);
+		cp++;
+		mp->h_host = strdup(cp);
+		/* hosts are '+' separated, kernel expects ':' separated */
+		while ( (cp = strchr(mp->h_host, '+')) )
+		       *cp = ':';
+	}
+	return res;
+}
+
+/* @data is a string of form path@host[+host][:path@host[+host]]
+ */
+static struct servers *method_list(char *data)
+{
+	char *copy, *ptr=data;
+	char **list;
+	int i, listsize;
+	struct servers *rv=NULL;
+
+	syslog(LOG_INFO, "method_list(%s)\n", data);
+	for (ptr--, listsize=1; ptr; ptr=index(ptr, ':'), listsize++)
+		ptr++;
+	list = malloc(listsize * sizeof(char *));
+	copy = strdup(data);
+	if (copy)
+		syslog(LOG_INFO, "converted to %s\n", copy);
+	if (list && copy) {
+		ptr = copy;
+		for (i=0; i<listsize; i++) {
+			list[i] = strsep(&ptr, ":");
+		}
+		rv = parse_list(list);
+	}
+	free(copy);
+	free(list);
+	replicas_print(rv);
+	return rv;
+}
+
+/* Returns appropriately filled struct servers, or NULL if had a problem */
+struct servers *replicas_lookup(int method, char *data, char *key)
+{
+	struct servers *sp=NULL;
+	switch(method) {
+	case FSLOC_NONE:
+		break;
+	case FSLOC_REFER:
+		sp = method_list(data);
+		if (sp)
+			sp->h_referral = 1;
+		break;
+	case FSLOC_REPLICA:
+		sp = method_list(data);
+		if (sp)
+			sp->h_referral = 0;
+		break;
+	case FSLOC_STUB:
+		sp = method_stub(data);
+		break;
+	default:
+		syslog(LOG_WARNING, "Unknown method = %i", method);
+	}
+	replicas_print(sp);
+	return sp;
+}
+
+void release_replicas(struct servers *server)
+{
+	int i;
+
+	if (!server) return;
+	for (i = 0; i < server->h_num; i++) {
+		free(server->h_mp[i]->h_host);
+		free(server->h_mp[i]->h_path);
+		free(server->h_mp[i]);
+	}
+	free(server);
+}
diff --git a/utils/mountd/fsloc.h b/utils/mountd/fsloc.h
new file mode 100644
index 0000000..8296d1c
--- /dev/null
+++ b/utils/mountd/fsloc.h
@@ -0,0 +1,50 @@
+/*
+ * COPYRIGHT (c) 2006
+ * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization.  If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+
+#ifndef FSLOC_H
+#define FSLOC_H
+
+#define FSLOC_MAX_LIST 40
+
+struct mount_point {
+	char *h_host;
+	char *h_path;
+};
+
+struct servers {
+	int h_num;
+	struct mount_point *h_mp[FSLOC_MAX_LIST];
+	int h_referral;		/* 0=replica, 1=referral */
+};
+
+struct servers *replicas_lookup(int method, char *data, char *key);
+void release_replicas(struct servers *server);
+
+#endif /* FSLOC_H */

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 04/12] Treat GSSAPI error codes as unsigned.

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

GSSAPI error codes (major and minor) are defined as unsigned values.
However, we treat them as signed while passing them down to the
kernel where conversion fails if they include the minus sign.
Convert them as unsigned.
---

 utils/gssd/cacheio.c      |   11 +++++++++++
 utils/gssd/cacheio.h      |    1 +
 utils/gssd/svcgssd_proc.c |    4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/utils/gssd/cacheio.c b/utils/gssd/cacheio.c
index f2f2960..e24ef56 100644
--- a/utils/gssd/cacheio.c
+++ b/utils/gssd/cacheio.c
@@ -132,6 +132,17 @@ void qword_addint(char **bpp, int *lp, i
 	*lp -= len;
 }
 
+void qword_adduint(char **bpp, int *lp, unsigned int n)
+{
+	int len;
+
+	len = snprintf(*bpp, *lp, "%u ", n);
+	if (len > *lp)
+		len = *lp;
+	*bpp += len;
+	*lp -= len;
+}
+
 void qword_addeol(char **bpp, int *lp)
 {
 	if (*lp <= 0)
diff --git a/utils/gssd/cacheio.h b/utils/gssd/cacheio.h
index dfff258..6585fc7 100644
--- a/utils/gssd/cacheio.h
+++ b/utils/gssd/cacheio.h
@@ -36,6 +36,7 @@ #include <stdio.h>
 void qword_add(char **bpp, int *lp, char *str);
 void qword_addhex(char **bpp, int *lp, char *buf, int blen);
 void qword_addint(char **bpp, int *lp, int n);
+void qword_adduint(char **bpp, int *lp, unsigned int n);
 void qword_addeol(char **bpp, int *lp);
 void qword_print(FILE *f, char *str);
 void qword_printhex(FILE *f, char *str, int slen);
diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 4037159..7c58f7b 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -125,8 +125,8 @@ send_response(FILE *f, gss_buffer_desc *
 	qword_addhex(&bp, &blen, in_handle->value, in_handle->length);
 	qword_addhex(&bp, &blen, in_token->value, in_token->length);
 	qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */
-	qword_addint(&bp, &blen, maj_stat);
-	qword_addint(&bp, &blen, min_stat);
+	qword_adduint(&bp, &blen, maj_stat);
+	qword_adduint(&bp, &blen, min_stat);
 	qword_addhex(&bp, &blen, out_handle->value, out_handle->length);
 	qword_addhex(&bp, &blen, out_token->value, out_token->length);
 	qword_addeol(&bp, &blen);

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 05/12] Fix memory leak in idmapd.

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

There is a pretty nasty memory leak in idmapd in dirscancb(). Some of
our customers have reported that idmapd can eat gigabytes of memory on
machines with a large number of mounts and unmounts and a long uptime.

That function uses scandir(), which malloc's an array of strings, but
dirscancb() never frees the strings or the array. The following patch
should correct this, but I've not yet tested it on 1.0.10 (only on the
RHEL4 1.0.6 version). Still, the code is very similar and I'm fairly
certain the problem exists in both versions.
---

 utils/idmapd/idmapd.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index 19bf7a6..cbb0b6a 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -464,7 +464,7 @@ dirscancb(int fd, short which, void *dat
 				goto next;
 
 			if ((ic = calloc(1, sizeof(*ic))) == NULL)
-				return;
+				goto out;
 			strlcpy(ic->ic_clid, ents[i]->d_name + 4,
 			    sizeof(ic->ic_clid));
 			path[0] = '\0';
@@ -474,7 +474,7 @@ dirscancb(int fd, short which, void *dat
 			if ((ic->ic_dirfd = open(path, O_RDONLY, 0)) == -1) {
 				idmapd_warn("dirscancb: open(%s)", path);
 				free(ic);
-				return;
+				goto out;
 			}
 
 			strlcat(path, "/idmap", sizeof(path));
@@ -486,7 +486,7 @@ dirscancb(int fd, short which, void *dat
 			if (nfsopen(ic) == -1) {
 				close(ic->ic_dirfd);
 				free(ic);
-				return;
+				goto out;
 			}
 
 			ic->ic_id = "Client";
@@ -512,6 +512,11 @@ dirscancb(int fd, short which, void *dat
 		} else
 			ic->ic_scanned = 0;
 	}
+
+out:
+	for (i = 0;  i < nent; i++)
+		free(ents[i]);
+	free(ents);
 	return;
 }
 

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 06/12] Stop using storage after free

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

The previous patch seems to expose a use after free bug in dirscancb. At
least, I could reliably reproduce a segfault by doing a bunch of mounts
and then unmounting them all. The code uses the following list macro:

      TAILQ_FOREACH(ic, icq, ic_next) {

...to iterate over all of the ic entries and clean up any that no longer
have a corresponding directory in rpc_pipefs. This macro unrolls into:

      for(ic=icq->tqh_first; ic != NULL; ic=ic->ic_next.tqe_next) {

...but within this loop, we can free ic, and then the for loop can trip
over that when it tries to do the iteration. The attached patch works
around this by not using the TAILQ_FOREACH macro and saving off the
tqe_next pointer prior to the free.

Again, this was tested on a patched 1.0.6, but the 1.0.10 code is very
similar, and I think the problem exists there as well.
---

 utils/idmapd/idmapd.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index cbb0b6a..b30b69e 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -444,7 +444,7 @@ dirscancb(int fd, short which, void *dat
 {
 	int nent, i;
 	struct dirent **ents;
-	struct idmap_client *ic;
+	struct idmap_client *ic, *nextic;
 	char path[PATH_MAX];
 	struct idmap_clientq *icq = data;
 
@@ -498,7 +498,9 @@ dirscancb(int fd, short which, void *dat
 		}
 	}
 
-	TAILQ_FOREACH(ic, icq, ic_next) {
+	ic = TAILQ_FIRST(icq);
+	while(ic != NULL) {
+		nextic=TAILQ_NEXT(ic, ic_next);
 		if (!ic->ic_scanned) {
 			event_del(&ic->ic_event);
 			close(ic->ic_fd);
@@ -511,6 +513,7 @@ dirscancb(int fd, short which, void *dat
 			free(ic);
 		} else
 			ic->ic_scanned = 0;
+		ic = nextic;
 	}
 
 out:

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 07/12] Use the gssglue version of gssapi.h for svcgssd_mech2file.c

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

Remove Kerberos implementation dependency from svcgssd_mech2file.c
---

 utils/gssd/svcgssd_mech2file.c |    6 +-----
 1 files changed, 1 insertions(+), 5 deletions(-)

diff --git a/utils/gssd/svcgssd_mech2file.c b/utils/gssd/svcgssd_mech2file.c
index f44f7c6..22c3ed8 100644
--- a/utils/gssd/svcgssd_mech2file.c
+++ b/utils/gssd/svcgssd_mech2file.c
@@ -36,11 +36,7 @@
 
 #include "config.h"
 
-#ifdef HAVE_KRB5
-#include <gssapi/gssapi_generic.h>
-#elif HAVE_HEIMDAL
-#include <gssapi.h>
-#endif
+#include <gssapi/gssapi.h>
 #include <string.h>
 
 

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 08/12] Various minor manpage fixes.

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Steinar H. Gunderson <sgunderson@bigfoot.com>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

  This mostly takes care of the difference between - and \-; in
  man pages, the former is hyphen (which indicates, among others,
  that a line might be split at that point), while the latter is a
  dash. For options, the latter is correct.

  There's also one minor grammatical fix.
---

 utils/nfsstat/nfsstat.man |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/utils/nfsstat/nfsstat.man b/utils/nfsstat/nfsstat.man
index ed7f69c..895c36b 100644
--- a/utils/nfsstat/nfsstat.man
+++ b/utils/nfsstat/nfsstat.man
@@ -113,9 +113,9 @@ interface to the mounted filesystems.
 .SH BUGS
 The default output has been changed.  To get the old default output you must run \fBnfsstat \-\-auto \-2\fR.
 .P
-The function of the \fB-v\fR and \fB-a\fR options have changed. The \fB-a\fR option
-is now reserved for future use. The \fB-v\fR does what the \fB-a\fR option used to do,
-and the new \fB-[234]\fR options replace the \fB-v\fR option.
+The function of the \fB\-v\fR and \fB\-a\fR options have changed. The \fB\-a\fR option
+is now reserved for future use. The \fB\-v\fR does what the \fB\-a\fR option used to do,
+and the new \fB\-[234]\fR options replace the \fB\-v\fR option.
 .P
 The \fBDisplay\fR section should be more complete.
 .P

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 09/12] Use owner rather than filename format in choosing cred cache files

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Glenn Machin <gmachin@sandia.gov>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

Some installations use different name formats for their credentials
caches.  Instead of checking that the uid is part of the name, just
make sure that uid is the owner of the file.
This is a modification of the original patch from Glenn.
---

 utils/gssd/krb5_util.c |  106 +++++++++++++++++++++++-------------------------
 1 files changed, 50 insertions(+), 56 deletions(-)

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index c43eb36..096f6cf 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -185,72 +185,66 @@ gssd_find_existing_krb5_ccache(uid_t uid
 		perror("scandir looking for krb5 credentials caches");
 	}
 	else if (n > 0) {
-		char substring[128];
-		char fullstring[128];
 		char statname[1024];
-		snprintf(substring, sizeof(substring), "_%d_", uid);
-		snprintf(fullstring, sizeof(fullstring), "_%d", uid);
 		for (i = 0; i < n; i++) {
 			printerr(3, "CC file '%s' being considered\n",
 				 namelist[i]->d_name);
-			if (strstr(namelist[i]->d_name, substring) ||
-			    !strcmp(namelist[i]->d_name, fullstring)) {
-				snprintf(statname, sizeof(statname),
-					 "%s/%s", ccachedir,
-					 namelist[i]->d_name);
-				if (stat(statname, &tmp_stat)) {
-					printerr(0, "Error doing stat "
-						    "on file '%s'\n",
-						 statname);
-					continue;
-				}
-				if (!S_ISREG(tmp_stat.st_mode)) {
-					printerr(3, "File '%s' is not "
-						    "a regular file\n",
-						 statname);
-					continue;
-				}
-				printerr(3, "CC file '%s' matches "
-					    "name check and has "
-					    "mtime of %u\n",
-					 namelist[i]->d_name,
-					 tmp_stat.st_mtime);
-				/* if more than one match is found,
-				 * return the most recent (the one
-				 * with the latest mtime),
-				 * and don't free the dirent */
-				if (!found) {
+			snprintf(statname, sizeof(statname),
+				 "%s/%s", ccachedir, namelist[i]->d_name);
+			if (stat(statname, &tmp_stat)) {
+				printerr(0, "Error doing stat on file '%s'\n",
+					 statname);
+				free(namelist[i]);
+				continue;
+			}
+			/* Only pick caches owned by the user (uid) */
+			if (tmp_stat.st_uid != uid) {
+				printerr(3, "'%s' owned by %u, not %u\n",
+					 statname, tmp_stat.st_uid, uid);
+				free(namelist[i]);
+				continue;
+			}
+			if (!S_ISREG(tmp_stat.st_mode)) {
+				printerr(3, "'%s' is not a regular file\n",
+					 statname);
+				free(namelist[i]);
+				continue;
+			}
+			printerr(3, "CC file '%s' matches owner check and has "
+				 "mtime of %u\n",
+				 namelist[i]->d_name, tmp_stat.st_mtime);
+			/*
+			 * if more than one match is found, return the most
+			 * recent (the one with the latest mtime), and
+			 * don't free the dirent
+			 */
+			if (!found) {
+				best_match_dir = namelist[i];
+				best_match_stat = tmp_stat;
+				found++;
+			}
+			else {
+				/*
+				 * If the current match has an mtime later
+				 * than the one we are looking at, then use
+				 * the current match.  Otherwise, we still
+				 * have the best match.
+				 */
+				if (tmp_stat.st_mtime >
+					    best_match_stat.st_mtime) {
+					free(best_match_dir);
 					best_match_dir = namelist[i];
 					best_match_stat = tmp_stat;
-					found++;
 				}
 				else {
-					/*
-					 * If the current match has
-					 * an mtime later than the
-					 * one we are looking at,
-					 * then use the current match.
-					 * Otherwise, we still have
-					 * the best match.
-					 */
-					if (tmp_stat.st_mtime >
-						    best_match_stat.st_mtime) {
-						free(best_match_dir);
-						best_match_dir = namelist[i];
-						best_match_stat = tmp_stat;
-					}
-					else {
-						free(namelist[i]);
-					}
-					printerr(3, "CC file '%s' is our "
-						    "current best match "
-						    "with mtime of %u\n",
-						 best_match_dir->d_name,
-						 best_match_stat.st_mtime);
+					free(namelist[i]);
 				}
+				printerr(3, "CC file '%s' is our "
+					    "current best match "
+					    "with mtime of %u\n",
+					 best_match_dir->d_name,
+					 best_match_stat.st_mtime);
 			}
-			else
-				free(namelist[i]);
 		}
 		free(namelist);
 	}

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 10/12] Share handling of lucid_sec_context for Heimdal and MIT

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

The 0.8 release of Heimdal has (will have) support for the lucid context.
The handling of lucid_sec_context can be shared between builds with MIT
or Heimdal Kerberos.

Split out the lucid_sec_context code from context_mit.c
and make a new common file, context_lucid.c.
---

 utils/gssd/Makefile.am       |    1 
 utils/gssd/context.h         |    4 +
 utils/gssd/context_heimdal.c |    6 +
 utils/gssd/context_lucid.c   |  220 ++++++++++++++++++++++++++++++++++++++++++
 utils/gssd/context_mit.c     |  173 +--------------------------------
 5 files changed, 234 insertions(+), 170 deletions(-)

diff --git a/utils/gssd/Makefile.am b/utils/gssd/Makefile.am
index 7009d8d..7c32597 100644
--- a/utils/gssd/Makefile.am
+++ b/utils/gssd/Makefile.am
@@ -16,6 +16,7 @@ COMMON_SRCS = \
 	context.c \
 	context_mit.c \
 	context_heimdal.c \
+	context_lucid.c \
 	context_spkm3.c \
 	gss_util.c \
 	gss_oids.c \
diff --git a/utils/gssd/context.h b/utils/gssd/context.h
index 2c9396a..67ed3bb 100644
--- a/utils/gssd/context.h
+++ b/utils/gssd/context.h
@@ -33,6 +33,10 @@ #define _CONTEXT_H_
 
 #include <rpc/rpc.h>
 
+/* Hopefully big enough to hold any serialized context */
+#define MAX_CTX_LEN 4096
+
+
 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
 				 gss_OID mech);
 int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c
index edd4dfc..5520cbc 100644
--- a/utils/gssd/context_heimdal.c
+++ b/utils/gssd/context_heimdal.c
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2004 The Regents of the University of Michigan.
+  Copyright (c) 2004-2006 The Regents of the University of Michigan.
   All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
@@ -30,6 +30,7 @@
 
 #include "config.h"
 
+#ifndef HAVE_LUCID_CONTEXT_SUPPORT
 #ifdef HAVE_HEIMDAL
 
 #include <stdio.h>
@@ -46,8 +47,6 @@ #include "err_util.h"
 #include "gss_oids.h"
 #include "write_bytes.h"
 
-#define MAX_CTX_LEN 4096
-
 int write_heimdal_keyblock(char **p, char *end, krb5_keyblock *key)
 {
 	gss_buffer_desc tmp;
@@ -265,3 +264,4 @@ out_err:
 }
 
 #endif	/* HAVE_HEIMDAL */
+#endif	/* HAVE_LUCID_CONTEXT_SUPPORT */
diff --git a/utils/gssd/context_lucid.c b/utils/gssd/context_lucid.c
new file mode 100644
index 0000000..3550762
--- /dev/null
+++ b/utils/gssd/context_lucid.c
@@ -0,0 +1,220 @@
+/*
+ * COPYRIGHT (c) 2006
+ * The Regents of the University of Michigan
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization.  If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+
+#include "config.h"
+
+#ifdef HAVE_LUCID_CONTEXT_SUPPORT
+
+/*
+ * Newer versions of MIT and Heimdal have lucid context support.
+ * We can use common code if it is supported.
+ */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include "gss_util.h"
+#include "gss_oids.h"
+#include "err_util.h"
+#include "context.h"
+
+#include <krb5.h>
+#include <gssapi/gssapi.h>
+#ifndef OM_uint64
+typedef uint64_t OM_uint64;
+#endif
+#include <gssapi/gssapi_krb5.h>
+
+static int
+write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
+{
+	gss_buffer_desc tmp;
+
+	if (WRITE_BYTES(p, end, key->type)) return -1;
+	tmp.length = key->length;
+	tmp.value = key->data;
+	if (write_buffer(p, end, &tmp)) return -1;
+	return 0;
+}
+
+static int
+prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
+	gss_buffer_desc *buf)
+{
+	char *p, *end;
+	static int constant_zero = 0;
+	unsigned char fakeseed[16];
+	uint32_t word_send_seq;
+	gss_krb5_lucid_key_t enc_key;
+	int i;
+	char *skd, *dkd;
+	gss_buffer_desc fakeoid;
+
+	/*
+	 * The new Kerberos interface to get the gss context
+	 * does not include the seed or seed_init fields
+	 * because we never really use them.  But for now,
+	 * send down a fake buffer so we can use the same
+	 * interface to the kernel.
+	 */
+	memset(&enc_key, 0, sizeof(enc_key));
+	memset(&fakeoid, 0, sizeof(fakeoid));
+
+	if (!(buf->value = calloc(1, MAX_CTX_LEN)))
+		goto out_err;
+	p = buf->value;
+	end = buf->value + MAX_CTX_LEN;
+
+	if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
+
+	/* seed_init and seed not used by kernel anyway */
+	if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
+	if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
+
+	if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
+	if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
+	if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
+	word_send_seq = lctx->send_seq;	/* XXX send_seq is 64-bit */
+	if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
+	if (write_oid(&p, end, &krb5oid)) goto out_err;
+
+#ifdef HAVE_HEIMDAL
+	/*
+	 * The kernel gss code expects des-cbc-raw for all flavors of des.
+	 * The keytype from MIT has this type, but Heimdal does not.
+	 * Force the Heimdal keytype to 4 (des-cbc-raw).
+	 * Note that the rfc1964 version only supports DES enctypes.
+	 */
+	if (lctx->rfc1964_kd.ctx_key.type != 4) {
+		printerr(1, "prepare_krb5_rfc1964_buffer: "
+			    "overriding heimdal keytype (%d => %d)\n",
+			    lctx->rfc1964_kd.ctx_key.type, 4);
+		lctx->rfc1964_kd.ctx_key.type = 4;
+	}
+#endif
+	printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
+		 "enctype %d and length %d\n",
+		 lctx->rfc1964_kd.ctx_key.type,
+		 lctx->rfc1964_kd.ctx_key.length);
+
+	/* derive the encryption key and copy it into buffer */
+	enc_key.type = lctx->rfc1964_kd.ctx_key.type;
+	enc_key.length = lctx->rfc1964_kd.ctx_key.length;
+	if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
+		goto out_err;
+	skd = (char *) lctx->rfc1964_kd.ctx_key.data;
+	dkd = (char *) enc_key.data;
+	for (i = 0; i < enc_key.length; i++)
+		dkd[i] = skd[i] ^ 0xf0;
+	if (write_lucid_keyblock(&p, end, &enc_key)) {
+		free(enc_key.data);
+		goto out_err;
+	}
+	free(enc_key.data);
+
+	if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
+		goto out_err;
+
+	buf->length = p - (char *)buf->value;
+	return 0;
+out_err:
+	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
+	if (buf->value) free(buf->value);
+	buf->length = 0;
+	if (enc_key.data) free(enc_key.data);
+	return -1;
+}
+
+static int
+prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
+	gss_buffer_desc *buf)
+{
+	printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
+	return -1;
+}
+
+
+int
+serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
+{
+	OM_uint32 maj_stat, min_stat;
+	void *return_ctx = 0;
+	OM_uint32 vers;
+	gss_krb5_lucid_context_v1_t *lctx = 0;
+	int retcode = 0;
+
+	printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
+	maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
+						1, &return_ctx);
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("gss_export_lucid_sec_context",
+			maj_stat, min_stat, &krb5oid);
+		goto out_err;
+	}
+
+	/* Check the version returned, we only support v1 right now */
+	vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
+	switch (vers) {
+	case 1:
+		lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
+		break;
+	default:
+		printerr(0, "ERROR: unsupported lucid sec context version %d\n",
+			vers);
+		goto out_err;
+		break;
+	}
+
+	/* Now lctx points to a lucid context that we can send down to kernel */
+	if (lctx->protocol == 0)
+		retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
+	else
+		retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
+
+	maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("gss_export_lucid_sec_context",
+			maj_stat, min_stat, &krb5oid);
+		printerr(0, "WARN: failed to free lucid sec context\n");
+	}
+
+	if (retcode) {
+		printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
+			 "failed (retcode = %d)\n", retcode);
+		goto out_err;
+	}
+
+	return 0;
+
+out_err:
+	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
+	return -1;
+}
+#endif /* HAVE_LUCID_CONTEXT_SUPPORT */
diff --git a/utils/gssd/context_mit.c b/utils/gssd/context_mit.c
index 5eb900f..94b2266 100644
--- a/utils/gssd/context_mit.c
+++ b/utils/gssd/context_mit.c
@@ -29,6 +29,10 @@
 */
 
 #include "config.h"
+
+#ifndef HAVE_LUCID_CONTEXT_SUPPORT
+#ifdef HAVE_KRB5
+
 #include <stdio.h>
 #include <syslog.h>
 #include <string.h>
@@ -40,18 +44,9 @@ #include "gss_oids.h"
 #include "err_util.h"
 #include "context.h"
 
-#ifdef HAVE_KRB5
 #include <krb5.h>
 
-/* XXX spkm3 seems to actually want it this big, yipes. */
-#define MAX_CTX_LEN 4096
-
-#ifdef HAVE_LUCID_CONTEXT_SUPPORT
-
-/* Don't use the private structure, use the exported lucid structure */
-#include <gssapi/gssapi_krb5.h>
-
-#elif (KRB5_VERSION > 131)
+#if (KRB5_VERSION > 131)
 /* XXX argggg, there's gotta be a better way than just duplicating this
  * whole struct.  Unfortunately, this is in a "private" header file,
  * so this is our best choice at this point :-/
@@ -131,162 +126,6 @@ typedef struct _krb5_gss_ctx_id_rec {
 #endif /* KRB5_VERSION */
 
 
-#ifdef HAVE_LUCID_CONTEXT_SUPPORT /* Lucid context support */
-static int
-write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
-{
-	gss_buffer_desc tmp;
-
-	if (WRITE_BYTES(p, end, key->type)) return -1;
-	tmp.length = key->length;
-	tmp.value = key->data;
-	if (write_buffer(p, end, &tmp)) return -1;
-	return 0;
-}
-
-static int
-prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
-	gss_buffer_desc *buf)
-{
-	char *p, *end;
-	static int constant_zero = 0;
-	unsigned char fakeseed[16];
-	uint32_t word_send_seq;
-	gss_krb5_lucid_key_t enc_key;
-	int i;
-	char *skd, *dkd;
-	gss_buffer_desc fakeoid;
-
-	/*
-	 * The new Kerberos interface to get the gss context
-	 * does not include the seed or seed_init fields
-	 * because we never really use them.  But for now,
-	 * send down a fake buffer so we can use the same
-	 * interface to the kernel.
-	 */
-	memset(&enc_key, 0, sizeof(enc_key));
-	memset(&fakeoid, 0, sizeof(fakeoid));
-
-	if (!(buf->value = calloc(1, MAX_CTX_LEN)))
-		goto out_err;
-	p = buf->value;
-	end = buf->value + MAX_CTX_LEN;
-
-	if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
-
-	/* seed_init and seed not used by kernel anyway */
-	if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-	if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
-
-	if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
-	if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
-	if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
-	word_send_seq = lctx->send_seq;	/* XXX send_seq is 64-bit */
-	if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
-	if (write_oid(&p, end, &krb5oid)) goto out_err;
-
-	printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
-		 "enctype %d and length %d\n",
-		 lctx->rfc1964_kd.ctx_key.type,
-		 lctx->rfc1964_kd.ctx_key.length);
-
-	/* derive the encryption key and copy it into buffer */
-	enc_key.type = lctx->rfc1964_kd.ctx_key.type;
-	enc_key.length = lctx->rfc1964_kd.ctx_key.length;
-	if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
-		goto out_err;
-	skd = (char *) lctx->rfc1964_kd.ctx_key.data;
-	dkd = (char *) enc_key.data;
-	for (i = 0; i < enc_key.length; i++)
-		dkd[i] = skd[i] ^ 0xf0;
-	if (write_lucid_keyblock(&p, end, &enc_key)) {
-		free(enc_key.data);
-		goto out_err;
-	}
-	free(enc_key.data);
-
-	if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
-		goto out_err;
-
-	buf->length = p - (char *)buf->value;
-	return 0;
-out_err:
-	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
-	if (buf->value) free(buf->value);
-	buf->length = 0;
-	if (enc_key.data) free(enc_key.data);
-	return -1;
-}
-
-static int
-prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
-	gss_buffer_desc *buf)
-{
-	printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
-	return -1;
-}
-
-
-int
-serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
-{
-	OM_uint32 maj_stat, min_stat;
-	void *return_ctx = 0;
-	OM_uint32 vers;
-	gss_krb5_lucid_context_v1_t *lctx = 0;
-	int retcode = 0;
-
-	printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
-	maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
-						1, &return_ctx);
-	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_export_lucid_sec_context",
-			maj_stat, min_stat, &krb5oid);
-		goto out_err;
-	}
-
-	/* Check the version returned, we only support v1 right now */
-	vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
-	switch (vers) {
-	case 1:
-		lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
-		break;
-	default:
-		printerr(0, "ERROR: unsupported lucid sec context version %d\n",
-			vers);
-		goto out_err;
-		break;
-	}
-
-	/* Now lctx points to a lucid context that we can send down to kernel */
-	if (lctx->protocol == 0)
-		retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
-	else
-		retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
-
-	maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
-	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_export_lucid_sec_context",
-			maj_stat, min_stat, &krb5oid);
-		printerr(0, "WARN: failed to free lucid sec context\n");
-	}
-
-	if (retcode) {
-		printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
-			 "failed (retcode = %d)\n", retcode);
-		goto out_err;
-	}
-
-	return 0;
-
-out_err:
-	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
-	return -1;
-}
-
-
-#else /* HAVE_LUCID_CONTEXT_SUPPORT */
-
 static int
 write_keyblock(char **p, char *end, struct _krb5_keyblock *arg)
 {
@@ -360,6 +199,6 @@ out_err:
 	buf->length = 0;
 	return -1;
 }
-#endif /* HAVE_LUCID_CONTEXT_SUPPORT */
 
 #endif /* HAVE_KRB5 */
+#endif /* HAVE_LUCID_CONTEXT_SUPPORT */

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 11/12] Remove duplicated code.

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Fred Isaman <iisaman@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

Remove duplicated code.
---

 utils/mountd/cache.c |   41 +++++++++++++++++++++--------------------
 1 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c
index 89dc642..1da13db 100644
--- a/utils/mountd/cache.c
+++ b/utils/mountd/cache.c
@@ -260,6 +260,21 @@ static void write_fsloc(FILE *f, struct 
 	release_replicas(servers);
 }
 
+static int dump_to_cache(FILE *f, char *domain, char *path, struct exportent *exp)
+{
+	qword_print(f, domain);
+	qword_print(f, path);
+	qword_printint(f, time(0)+30*60);
+	if (exp) {
+		qword_printint(f, exp->e_flags);
+		qword_printint(f, exp->e_anonuid);
+		qword_printint(f, exp->e_anongid);
+		qword_printint(f, exp->e_fsid);
+		write_fsloc(f, exp, exp->e_path);
+	}
+	return qword_eol(f);
+}
+
 void nfsd_export(FILE *f)
 {
 	/* requests are:
@@ -308,18 +323,13 @@ void nfsd_export(FILE *f)
 		}
 	}
 
-	qword_print(f, dom);
-	qword_print(f, path);
-	qword_printint(f, time(0)+30*60);
 	if (found) {
-		qword_printint(f, found->m_export.e_flags);
-		qword_printint(f, found->m_export.e_anonuid);
-		qword_printint(f, found->m_export.e_anongid);
-		qword_printint(f, found->m_export.e_fsid);
-		write_fsloc(f, &found->m_export, path);
+		dump_to_cache(f, dom, path, &found->m_export);
 		mountlist_add(dom, path);
 	}
-	qword_eol(f);
+	else {
+		dump_to_cache(f, dom, path, NULL);
+	}
  out:
 	if (dom) free(dom);
 	if (path) free(path);
@@ -385,18 +395,9 @@ int cache_export_ent(char *domain, struc
 	if (!f)
 		return -1;
 
-	qword_print(f, domain);
-	qword_print(f, exp->e_path);
-	qword_printint(f, time(0)+30*60);
-	qword_printint(f, exp->e_flags);
-	qword_printint(f, exp->e_anonuid);
-	qword_printint(f, exp->e_anongid);
-	qword_printint(f, exp->e_fsid);
-	write_fsloc(f, exp, exp->e_path);
-	mountlist_add(domain, exp->e_path);
-	qword_eol(f);
-
+	err = dump_to_cache(f, domain, exp->e_path, exp);
 	fclose(f);
+	mountlist_add(domain, exp->e_path);
 	return err;
 }
 

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

[PATCH 12/12] Add option to svcgssd to enable libnfsidmap debugging.

[Kevin Coffman]

From: Kevin Coffman <kwc@citi.umich.edu>

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>

As suggested by Glenn Machin <GMachin@sandia.gov>.  Allow svcgssd
to turn on libnfsidmap debugging.  This uses a new command-line
parameter so that it can be enabled independently from other
debugging.
---

 utils/gssd/svcgssd.c   |   16 ++++++++++++++--
 utils/gssd/svcgssd.man |    8 ++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
index 0db3762..37e0407 100644
--- a/utils/gssd/svcgssd.c
+++ b/utils/gssd/svcgssd.c
@@ -54,6 +54,7 @@ #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <signal.h>
+#include <nfsidmap.h>
 #include "nfslib.h"
 #include "svcgssd.h"
 #include "gss_util.h"
@@ -154,7 +155,7 @@ sig_hup(int signal)
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n",
+	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
 		progname);
 	exit(1);
 }
@@ -166,15 +167,19 @@ main(int argc, char *argv[])
 	int fg = 0;
 	int verbosity = 0;
 	int rpc_verbosity = 0;
+	int idmap_verbosity = 0;
 	int opt;
 	extern char *optarg;
 	char *progname;
 
-	while ((opt = getopt(argc, argv, "fvrnp:")) != -1) {
+	while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
 		switch (opt) {
 			case 'f':
 				fg = 1;
 				break;
+			case 'i':
+				idmap_verbosity++;
+				break;
 			case 'n':
 				get_creds = 0;
 				break;
@@ -203,6 +208,13 @@ #else
 		printerr(0, "Warning: rpcsec_gss library does not "
 			    "support setting debug level\n");
 #endif
+#ifdef HAVE_NFS4_SET_DEBUG
+        nfs4_set_debug(idmap_verbosity, NULL);
+#else
+	if (idmap_verbosity > 0)
+		printerr(0, "Warning: your nfsidmap library does not "
+			    "support setting debug level\n");
+#endif
 
 	if (gssd_check_mechs() != 0) {
 		printerr(0, "ERROR: Problem with gssapi library\n");
diff --git a/utils/gssd/svcgssd.man b/utils/gssd/svcgssd.man
index a770662..1a015e1 100644
--- a/utils/gssd/svcgssd.man
+++ b/utils/gssd/svcgssd.man
@@ -2,11 +2,11 @@
 .\" rpc.svcgssd(8)
 .\"
 .\" Copyright (C) 2003 J. Bruce Fields <bfields@umich.edu>
-.TH rpc.svcgssd 8 "17 Mar 2003"
+.TH rpc.svcgssd 8 "12 Jan 2007"
 .SH NAME
 rpc.svcgssd \- server-side rpcsec_gss daemon
 .SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
 .SH DESCRIPTION
 The rpcsec_gss protocol gives a means of using the gss-api generic security
 api to provide security for protocols using rpc (in particular, nfs).  Before
@@ -31,6 +31,10 @@ Increases the verbosity of the output (c
 .B -r
 If the rpcsec_gss library supports setting debug level,
 increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -i
+If the nfsidmap library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).
 
 .SH SEE ALSO
 .BR rpc.gssd(8),

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

NFSv3 + krb5 home directory problem

[Jim Davis]

I've been trying to get NFSv3 home directory mounts with sec=krb5
working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
client with the latest nfs-* RPMs installed and kernel version
2.6.18-1.2869.fc6.  Our KDCs run FreeBSD 6.1 with the MIT Kerberos
port installed.  Authentication seems to work okay,

Script started on Thu Feb  8 15:31:23 2007
bsod$ /bin/su - testacct
Password:

but the home directory isn't usable.

/bin/su: warning: cannot change directory to /home/testacct: Permission 
denied
-bash: /home/testacct/.bash_profile: Permission denied

The mount though did succeed:

-bash-3.1$ mount | grep testacct
sinagua:/vol/vol0/home/testacct on /home/testacct type nfs 
(rw,nfsvers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5,addr=172.16.1.252)
-bash-3.1$ grep testacct /etc/auto.home
testacct 
-rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr,sec=krb5 
sinagua:/vol/vol0/home/testacct

But

-bash-3.1$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500_vZWPDb)


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Okay, I thought the PAM stack would provide the credentials.  But even 
after running kinit...

-bash-3.1$ kinit
Password for testacct@CS.ARIZONA.EDU:
-bash-3.1$ cd
-bash: cd: /home/testacct: Permission denied
-bash-3.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500_vZWPDb
Default principal: testacct@CS.ARIZONA.EDU

Valid starting     Expires            Service principal
02/08/07 15:32:03  02/09/07 15:32:03  krbtgt/CS.ARIZONA.EDU@CS.ARIZONA.EDU
         renew until 02/08/07 15:32:03, Etype (skey, tkt): Triple DES 
cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-bash-3.1$ exit
logout

...the directory isn't usable

-bash: /home/testacct/.bash_logout: Permission denied
bsod$ exit
exit

Script done on Thu Feb  8 15:32:39 2007

Running rpc.gssd in verbose mode produced

Script started on Thu Feb  8 15:30:29 2007
bsod$ /sbin/lsmod | grep sunrpc
sunrpc                158333  6 
nfs,lockd,nfs_acl,rpcsec_gss_krb5,auth_rpcgss
bsod$ mount | grep rpc_pipe
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
bsod$ sudo strace -o /tmp/rpc.gssd -f /usr/sbin/rpc.gssd -f -vvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 
'nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU'
We will use this entry (nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU)
Using (machine) credentials cache: 
'MEMORY:/tmp/krb5cc_machine_CS.ARIZONA.EDU'

That's the extent of output while the commands above ran.

And the (enormous) strace output file seems mostly to consist of polling
loops something like

2720  poll([{fd=6, events=POLLIN, revents=POLLERR|POLLHUP}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, events=0}, {fd=0, 
events=0}, {fd=0, events=0}, {fd=0, events=0}], 32, 500) = 1
2720  chdir("/var/lib/nfs/rpc_pipefs/nfs") = 0
2720  open("/var/lib/nfs/rpc_pipefs/nfs", 
O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 7
2720  fstat64(7, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
2720  fcntl64(7, F_SETFD, FD_CLOEXEC)   = 0
2720  getdents64(7, /* 3 entries */, 4096) = 80
2720  getdents64(7, /* 0 entries */, 4096) = 0
2720  close(7)                          = 0

Any ideas?




-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: [PATCH 03/12] Extend the exportfs interface to pass fslocations info into the kernel.

[Neil Brown]

On Thursday February 8, kwc@citi.umich.edu wrote:
> From: Kevin Coffman <kwc@citi.umich.edu>
> 
> Signed-off-by: Fred Isaman <iisaman@citi.umich.edu>
> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
> 
> Extend exportfs interface to pass fslocations info into the kernel,
> using syntax modelled after AIX.  Adds "--refer" and "--replicas"
> options to exportfs to enable use of the kernel fslocation code.

I cannot see the "--refer" and "--replicas" implemented or documented
in the patch.  I think the changelog entry must be out of date, and
when we remove that sentence, there isn't much left....

> +/* Called by setting 'Method = stub' in config file.  Just returns
> + * some syntactically correct gibberish for testing purposes.
> + */
> +static struct servers *method_stub(char *key)
> +{
> +	struct servers *sp;
> +	struct mount_point *mp;
> +
> +	syslog(LOG_INFO, "called method_stub");
> +	sp = malloc(sizeof(struct servers));
> +	if (!sp)
> +		return NULL;
> +	mp = calloc(1, sizeof(struct mount_point));
> +	if (!mp) {
> +		free(sp);
> +		return NULL;
> +	}
> +	sp->h_num = 1;
> +	sp->h_mp[0] = mp;
> +	mp->h_host = strdup("stub_server");
> +	mp->h_path = strdup("/my/test/path");
> +	sp->h_referral = 1;
> +	return sp;
> +}


This makes perfect sense for testing during development, but do you
really want it in the released version?
If so, should there be "#ifdef DEBUG" or something around it ??


And I'm a little confused by the replicas_lookup, method_list stuff.
I think it is just parsing the format from /etc/exports so that it can
be written in the different format to the kernel.
It would seem more appropriate to do this when parsing the
/etc/exports (to /etab) file rather than every time we talk to the
kernel.  Is there are reason for the way it is?
(Just trying to make sure I understand).


Thanks,
NeilBrown

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: NFSv3 + krb5 home directory problem

[Kevin Coffman]

On 2/8/07, Jim Davis <jdavis@cs.arizona.edu> wrote:
> I've been trying to get NFSv3 home directory mounts with sec=krb5
> working between a Netapp filer running OnTap 7.0.5 and a Fedora Core 6
> client with the latest nfs-* RPMs installed and kernel version
> 2.6.18-1.2869.fc6.  Our KDCs run FreeBSD 6.1 with the MIT Kerberos
> port installed.  Authentication seems to work okay,
>

> Running rpc.gssd in verbose mode produced
>
> Script started on Thu Feb  8 15:30:29 2007
> bsod$ /sbin/lsmod | grep sunrpc
> sunrpc                158333  6
> nfs,lockd,nfs_acl,rpcsec_gss_krb5,auth_rpcgss
> bsod$ mount | grep rpc_pipe
> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> bsod$ sudo strace -o /tmp/rpc.gssd -f /usr/sbin/rpc.gssd -f -vvv
> Using keytab file '/etc/krb5.keytab'
> Processing keytab entry for principal
> 'nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU'
> We will use this entry (nfs/bsod.cs.arizona.edu@CS.ARIZONA.EDU)
> Using (machine) credentials cache:
> 'MEMORY:/tmp/krb5cc_machine_CS.ARIZONA.EDU'
>
> That's the extent of output while the commands above ran.

So there is never an upcall to request a context for testacct.  That
seems like a kernel issue.  Any chance you have a different kernel
still on that machine you could try?

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: [PATCH 03/12] Extend the exportfs interface to pass fslocations info into the kernel.

[Kevin Coffman]

On 2/8/07, Neil Brown <neilb@suse.de> wrote:
> On Thursday February 8, kwc@citi.umich.edu wrote:
> > From: Kevin Coffman <kwc@citi.umich.edu>
> >
> > Signed-off-by: Fred Isaman <iisaman@citi.umich.edu>
> > Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
> >
> > Extend exportfs interface to pass fslocations info into the kernel,
> > using syntax modelled after AIX.  Adds "--refer" and "--replicas"
> > options to exportfs to enable use of the kernel fslocation code.
>
> I cannot see the "--refer" and "--replicas" implemented or documented
> in the patch.  I think the changelog entry must be out of date, and
> when we remove that sentence, there isn't much left....

I guess that should read "refer=" and "replicas=".

> > +/* Called by setting 'Method = stub' in config file.  Just returns
> > + * some syntactically correct gibberish for testing purposes.
> > + */
> > +static struct servers *method_stub(char *key)
> > +{
> > +     struct servers *sp;
> > +     struct mount_point *mp;
> > +
> > +     syslog(LOG_INFO, "called method_stub");
> > +     sp = malloc(sizeof(struct servers));
> > +     if (!sp)
> > +             return NULL;
> > +     mp = calloc(1, sizeof(struct mount_point));
> > +     if (!mp) {
> > +             free(sp);
> > +             return NULL;
> > +     }
> > +     sp->h_num = 1;
> > +     sp->h_mp[0] = mp;
> > +     mp->h_host = strdup("stub_server");
> > +     mp->h_path = strdup("/my/test/path");
> > +     sp->h_referral = 1;
> > +     return sp;
> > +}
>
>
> This makes perfect sense for testing during development, but do you
> really want it in the released version?
> If so, should there be "#ifdef DEBUG" or something around it ??

Sounds reasonable.

> And I'm a little confused by the replicas_lookup, method_list stuff.
> I think it is just parsing the format from /etc/exports so that it can
> be written in the different format to the kernel.
> It would seem more appropriate to do this when parsing the
> /etc/exports (to /etab) file rather than every time we talk to the
> kernel.  Is there are reason for the way it is?
> (Just trying to make sure I understand).

I'll have to defer to Fred on this.  I think he is going to be out for a week.

K.C.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

Re: [PATCH 03/12] Extend the exportfs interface to pass fslocations info into the kernel.

[Neil Brown]

On Friday February 9, kwc@citi.umich.edu wrote:
> 
> > And I'm a little confused by the replicas_lookup, method_list stuff.
> > I think it is just parsing the format from /etc/exports so that it can
> > be written in the different format to the kernel.
> > It would seem more appropriate to do this when parsing the
> > /etc/exports (to /etab) file rather than every time we talk to the
> > kernel.  Is there are reason for the way it is?
> > (Just trying to make sure I understand).
> 
> I'll have to defer to Fred on this.  I think he is going to be out for a week.

I wanted to push out 1.0.11 so I had another look at this patch and
decided I was happy with it after all, so it is now in, and 1.0.11
is out there.

Thanks,
NeilBrown

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs