* [PATCH 0/7] nfs-utils: add support for authenticated callbacks
@ 2009-04-29 21:56 Kevin Coffman
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

This series adds support to gssd and svcgssd to support
authenticated callbacks.

1) adds the name the client used when authenticating to the
svcgssd downcall information.  This is used by nfsd to determine
the target name when initiating the callback.

2) splits out the processing of update_client_list() to accommodate
a new upcall pipe added in the next patch.

3) adds support in gssd to process the new nfsd4_cb pipe for callbacks

4) a debugging aid to distinquish "normal" upcalls and "callback" upcalls

5) adds support for the new text-based upcall format added in 2.6.29

6) adds support for handling the "target=" attribute in the new upcall

7) adds support for handling the "service=" attribute in the new upcall

NOTE:  For authenticated callbacks to work, an NFS client or an
NFS server must be running both rpcgssd _and_ rpcsvcgssd.
This will require a configuration change.

A future patch is planned to combine gssd and svcgssd into
a single daemon to make configuration easier.  However, there
are some architectural issues that must be resolved first.

---

Olga Kornievskaia (7):
      gssd: process service= attribute in new upcall
      gssd: process target= attribute in new upcall
      gssd: handle new client upcall
      gssd: print full client directory being handled
      gssd: add support for callback authentication
      gssd: refactor update_client_list()
      svcgssd: add client's principal name to downcall information


 utils/gssd/gssd.c           |    5 +
 utils/gssd/gssd.h           |    5 +
 utils/gssd/gssd_main_loop.c |   32 ++++
 utils/gssd/gssd_proc.c      |  351 ++++++++++++++++++++++++++++++++++++-------
 utils/gssd/krb5_util.c      |   21 ++-
 utils/gssd/krb5_util.h      |    3 
 utils/gssd/svcgssd_proc.c   |   94 +++++++++++-
 7 files changed, 436 insertions(+), 75 deletions(-)



* [PATCH 1/7] svcgssd: add client's principal name to downcall information
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

This patch adds the krb5 hostbased principal name, which the
nfs client used to authenticate, to the svcgssd downcall
information.  This information is needed for the callback
authentication.

When estabishing the callback, nfsd will pass the principal
name in the upcall to the gssd.  gssd will acquire a service
ticket for the specified principal name.

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/svcgssd_proc.c |   94 ++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 87 insertions(+), 7 deletions(-)

diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 6f2ba61..f1bfbef 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -56,6 +56,7 @@
 #include "gss_util.h"
 #include "err_util.h"
 #include "context.h"
+#include "gss_oids.h"
 
 extern char * mech2file(gss_OID mech);
 #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel"
@@ -73,7 +74,7 @@ struct svc_cred {
 static int
 do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
 		gss_OID mech, gss_buffer_desc *context_token,
-		int32_t endtime)
+		int32_t endtime, char *client_name)
 {
 	FILE *f;
 	int i;
@@ -98,9 +99,10 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
 	qword_printint(f, cred->cr_gid);
 	qword_printint(f, cred->cr_ngroups);
 	printerr(2, "mech: %s, hndl len: %d, ctx len %d, timeout: %d (%d from now), "
-		 "uid: %d, gid: %d, num aux grps: %d:\n",
+		 "clnt: %s, uid: %d, gid: %d, num aux grps: %d:\n",
 		 fname, out_handle->length, context_token->length,
 		 endtime, endtime - time(0),
+		 client_name ? client_name : "<null>",
 		 cred->cr_uid, cred->cr_gid, cred->cr_ngroups);
 	for (i=0; i < cred->cr_ngroups; i++) {
 		qword_printint(f, cred->cr_groups[i]);
@@ -108,6 +110,8 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
 	}
 	qword_print(f, fname);
 	qword_printhex(f, context_token->value, context_token->length);
+	if (client_name)
+		qword_print(f, client_name);
 	err = qword_eol(f);
 	if (err) {
 		printerr(1, "WARNING: error writing to downcall channel "
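Review bot: The appended principal makes the downcall record variable-length, since `qword_print(f, client_name)` is emitted only when the name is non-NULL, so the kernel-side reader has to treat the trailing field as optional; that is worth stating at the call, e.g. `/* optional trailing field: client principal (callback target); absent for non-krb5 or non-hostbased names */`. The string originates from the peer's authenticated principal, so keeping it from splitting or terminating the record relies on qword_print() escaping whitespace and non-printable bytes — presumably it does, but confirm before merging. do_svc_downcall's body continues outside the hunk.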
@@ -307,6 +311,75 @@ print_hexl(const char *description, unsigned char *cp, int length)
 }
 #endif
 
+static int
+get_krb5_hostbased_name (gss_buffer_desc *name, char **hostbased_name)
+{
+	char *p, *sname = NULL;
+	if (strchr(name->value, '@') && strchr(name->value, '/')) {
+		if ((sname = calloc(name->length, 1)) == NULL) {
+			printerr(0, "ERROR: get_krb5_hostbased_name failed "
+				 "to allocate %d bytes\n", name->length);
+			return -1;
+		}
+		/* read in name and instance and replace '/' with '@' */
+		sscanf(name->value, "%[^@]", sname);
+		p = strrchr(sname, '/');
+		if (p == NULL) {    /* The '@' preceeded the '/' */
+			free(sname);
+			return -1;
+		}
+		*p = '@';
+	}
+	*hostbased_name = sname;
+	return 0;
+}
+
+static int
+get_hostbased_client_name(gss_name_t client_name, gss_OID mech,
+			  char **hostbased_name)
+{
+	u_int32_t	maj_stat, min_stat;
+	gss_buffer_desc	name;
+	gss_OID		name_type = GSS_C_NO_OID;
+	char		*cname;
+	int		res = -1;
+
+	*hostbased_name = NULL;	    /* preset in case we fail */
+
+	/* Get the client's gss authenticated name */
+	maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("get_hostbased_client_name: gss_display_name",
+			maj_stat, min_stat, mech);
+		goto out_err;
+	}
+	if (name.length >= 0xffff) {	    /* don't overflow */
+		printerr(0, "ERROR: get_hostbased_client_name: "
+			 "received gss_name is too long (%d bytes)\n",
+			 name.length);
+		goto out_rel_buf;
+	}
+
+	/* For Kerberos, transform the NT_KRB5_PRINCIPAL name to
+	 * an NT_HOSTBASED_SERVICE name */
+	if (g_OID_equal(&krb5oid, mech)) {
+		if (get_krb5_hostbased_name(&name, &cname) == 0)
+			*hostbased_name = cname;
+	}
+
+	/* No support for SPKM3, just print a warning (for now) */
+	if (g_OID_equal(&spkm3oid, mech)) {
+		printerr(1, "WARNING: get_hostbased_client_name: "
+			 "no hostbased_name support for SPKM3\n");
+	}
+
+	res = 0;
+out_rel_buf:
+	gss_release_buffer(&min_stat, &name);
+out_err:
+	return res;
+}
+
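Review bot: get_krb5_hostbased_name runs `strchr()` and `sscanf()` over `name->value`, but a gss_buffer_desc carries an explicit length and the GSS-API does not promise a terminating NUL; common implementations append one, so this works in practice, but the helper should bound its scans by `name->length` rather than depend on it. The caller also discards the helper's return value at `if (get_krb5_hostbased_name(&name, &cname) == 0)`, so an allocation failure or a malformed name (the `'@'`-before-`'/'` case) silently reports success with no hostbased name; if that is intended it deserves a comment, otherwise propagate the -1. Minor: `name->length` is a size_t printed with `%d` in the ERROR message. A bounded version of the helper follows.
```c
static int
get_krb5_hostbased_name (gss_buffer_desc *name, char **hostbased_name)
{
	const char *v = name->value;
	const char *at;
	char *p, *sname = NULL;
	size_t n;

	/* Bounded scans: a gss_buffer_desc is not guaranteed to be
	 * NUL-terminated, so never run strchr()/sscanf() over it. */
	at = memchr(v, '@', name->length);
	if (at != NULL && memchr(v, '/', name->length) != NULL) {
		n = (size_t)(at - v);	/* bytes before the realm's '@' */
		if ((sname = calloc(n + 1, 1)) == NULL) {
			printerr(0, "ERROR: get_krb5_hostbased_name failed "
				 "to allocate %zu bytes\n", n + 1);
			return -1;
		}
		memcpy(sname, v, n);	/* NUL-terminated by calloc */
		p = strrchr(sname, '/');
		if (p == NULL) {	/* the '@' preceded the '/' */
			free(sname);
			return -1;
		}
		*p = '@';	/* service/host -> service@host */
	}
	*hostbased_name = sname;
	return 0;
}
```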
 void
 handle_nullreq(FILE *f) {
 	/* XXX initialize to a random integer to reduce chances of unnecessary
@@ -325,7 +398,7 @@ handle_nullreq(FILE *f) {
 				null_token = {.value = NULL};
 	u_int32_t		ret_flags;
 	gss_ctx_id_t		ctx = GSS_C_NO_CONTEXT;
-	gss_name_t		client_name;
+	gss_name_t		client_name = NULL;
 	gss_OID			mech = GSS_C_NO_OID;
 	u_int32_t		maj_stat = GSS_S_FAILURE, min_stat = 0;
 	u_int32_t		ignore_min_stat;
@@ -334,6 +407,7 @@ handle_nullreq(FILE *f) {
 	static int		lbuflen = 0;
 	static char		*cp;
 	int32_t			ctx_endtime;
+	char			*hostbased_name = NULL;
 
 	printerr(1, "handling null request\n");
 
@@ -396,11 +470,13 @@ handle_nullreq(FILE *f) {
 	if (get_ids(client_name, mech, &cred)) {
 		/* get_ids() prints error msg */
 		maj_stat = GSS_S_BAD_NAME; /* XXX ? */
-		gss_release_name(&ignore_min_stat, &client_name);
 		goto out_err;
 	}
-	gss_release_name(&ignore_min_stat, &client_name);
-
+	if (get_hostbased_client_name(client_name, mech, &hostbased_name)) {
+		/* get_hostbased_client_name() prints error msg */
+		maj_stat = GSS_S_BAD_NAME; /* XXX ? */
+		goto out_err;
+	}
 
 	/* Context complete. Pass handle_seq in out_handle to use
 	 * for context lookup in the kernel. */
@@ -419,7 +495,8 @@ handle_nullreq(FILE *f) {
 	/* We no longer need the gss context */
 	gss_delete_sec_context(&ignore_min_stat, &ctx, &ignore_out_tok);
 
-	do_svc_downcall(&out_handle, &cred, mech, &ctx_token, ctx_endtime);
+	do_svc_downcall(&out_handle, &cred, mech, &ctx_token, ctx_endtime,
+			hostbased_name);
 continue_needed:
 	send_response(f, &in_handle, &in_tok, maj_stat, min_stat,
 			&out_handle, &out_tok);
@@ -428,6 +505,9 @@ out:
 		free(ctx_token.value);
 	if (out_tok.value != NULL)
 		gss_release_buffer(&ignore_min_stat, &out_tok);
+	if (client_name)
+		gss_release_name(&ignore_min_stat, &client_name);
+	free(hostbased_name);
 	printerr(1, "finished handling null request\n");
 	return;
 



* [PATCH 2/7] gssd: refactor update_client_list()
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

Split out the processing for a pipe to a separate routine.  The next
patch adds a new pipe to be processed.

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/gssd_main_loop.c |    3 +--
 utils/gssd/gssd_proc.c      |   28 +++++++++++++++++++++-------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/utils/gssd/gssd_main_loop.c b/utils/gssd/gssd_main_loop.c
index 917b662..397fd14 100644
--- a/utils/gssd/gssd_main_loop.c
+++ b/utils/gssd/gssd_main_loop.c
@@ -132,8 +132,7 @@ gssd_run()
 		while (dir_changed) {
 			dir_changed = 0;
 			if (update_client_list()) {
-				printerr(0, "ERROR: couldn't update "
-					 "client list\n");
+				/* Error msg is already printed */
 				exit(1);
 			}
 		}
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 02239d2..0fc0c42 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -478,25 +478,25 @@ find_client(char *dirname)
 	return 0;
 }
 
-/* Used to read (and re-read) list of clients, set up poll array. */
-int
-update_client_list(void)
+static int
+process_pipedir(char *pipe_name)
 {
 	struct dirent **namelist;
 	int i, j;
 
-	if (chdir(pipefs_nfsdir) < 0) {
+	if (chdir(pipe_name) < 0) {
 		printerr(0, "ERROR: can't chdir to %s: %s\n",
-			 pipefs_nfsdir, strerror(errno));
+			 pipe_name, strerror(errno));
 		return -1;
 	}
 
-	j = scandir(pipefs_nfsdir, &namelist, NULL, alphasort);
+	j = scandir(pipe_name, &namelist, NULL, alphasort);
 	if (j < 0) {
 		printerr(0, "ERROR: can't scandir %s: %s\n",
-			 pipefs_nfsdir, strerror(errno));
+			 pipe_name, strerror(errno));
 		return -1;
 	}
+
 	update_old_clients(namelist, j);
 	for (i=0; i < j; i++) {
 		if (i < FD_ALLOC_BLOCK
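Review bot: process_pipedir ends up with no header comment — the `/* Used to read (and re-read) list of clients ... */` line stays with update_client_list — so add one above `static int process_pipedir(char *pipe_name)`, e.g. `/* Scan one pipefs directory: drop clients whose dir is gone, add new clnt* dirs. */`. The `chdir(pipe_name)` also changes the process-wide working directory, which matters once more than one directory is scanned per call; a one-line comment saying that later relative opens depend on it would help the next reader. The function body continues outside the hunk.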
@@ -507,9 +507,23 @@ update_client_list(void)
 	}
 
 	free(namelist);
+
 	return 0;
 }
 
+/* Used to read (and re-read) list of clients, set up poll array. */
+int
+update_client_list(void)
+{
+	int retval = -1;
+
+	retval = process_pipedir(pipefs_nfsdir);
+	if (retval)
+		printerr(0, "ERROR: processing %s\n", pipefs_nfsdir);
+
+	return retval;
+}
+
 static int
 do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd,
 	    gss_buffer_desc *context_token)
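Review bot: `int retval = -1;` in update_client_list is dead — the next statement overwrites it — so initialise at the call: `int retval = process_pipedir(pipefs_nfsdir);`. The `ERROR: processing %s` message also duplicates the more specific chdir/scandir errors process_pipedir already prints, so the log shows two ERROR lines for one failure; either drop this one or word it as a summary.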



* [PATCH 3/7] gssd: add support for callback authentication
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

Add support for handling upcalls on the new "nfsd4_cb" directory pipes.
Only new kernels (2.6.29) have support for this new pipe directory.
(The need for this new pipe directory will go away with NFSv4.1 where
the callback can be done on the same connection as the fore-channel.)

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/gssd.c           |    5 +++
 utils/gssd/gssd.h           |    2 +
 utils/gssd/gssd_main_loop.c |   18 ++++++++++-
 utils/gssd/gssd_proc.c      |   73 +++++++++++++++++++++++++++++--------------
 4 files changed, 74 insertions(+), 24 deletions(-)

diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index f6949db..7a23362 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -57,6 +57,7 @@
 
 char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR;
 char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR;
+char pipefs_nfscbdir[PATH_MAX] = GSSD_PIPEFS_DIR;
 char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
 char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
 char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
@@ -163,6 +164,10 @@ main(int argc, char *argv[])
 		 pipefs_dir, GSSD_SERVICE_NAME);
 	if (pipefs_nfsdir[sizeof(pipefs_nfsdir)-1] != '\0')
 		errx(1, "pipefs_nfsdir path name too long");
+	snprintf(pipefs_nfscbdir, sizeof(pipefs_nfscbdir), "%s/%s",
+		 pipefs_dir, GSSD_NFSCB_NAME);
+	if (pipefs_nfscbdir[sizeof(pipefs_nfscbdir)-1] != '\0')
+		errx(1, "pipefs_nfscbdir path name too long");
 
 	if ((progname = strrchr(argv[0], '/')))
 		progname++;
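Review bot: The truncation check `if (pipefs_nfscbdir[sizeof(pipefs_nfscbdir)-1] != '\0')` can never fire, because snprintf() always writes the terminating NUL (at index size-1 when it truncates), so an over-long pipefs_dir silently yields a truncated callback path; the same pre-existing pattern for pipefs_nfsdir on the context line above has the same problem. Check the return value instead: `if (snprintf(pipefs_nfscbdir, sizeof(pipefs_nfscbdir), "%s/%s", pipefs_dir, GSSD_NFSCB_NAME) >= (int)sizeof(pipefs_nfscbdir))` then `errx(1, "pipefs_nfscbdir path name too long");`. main continues outside the hunk.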
diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index 3c52f46..ef2ac54 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -49,6 +49,7 @@
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX	"machine"
 #define GSSD_DEFAULT_KEYTAB_FILE		"/etc/krb5.keytab"
 #define GSSD_SERVICE_NAME			"nfs"
+#define GSSD_NFSCB_NAME				"nfsd4_cb"
 #define GSSD_SERVICE_NAME_LEN			3
 #define GSSD_MAX_CCACHE_SEARCH			16
 
@@ -61,6 +62,7 @@ enum {AUTHTYPE_KRB5, AUTHTYPE_SPKM3, AUTHTYPE_LIPKEY};
 
 extern char			pipefs_dir[PATH_MAX];
 extern char			pipefs_nfsdir[PATH_MAX];
+extern char			pipefs_nfscbdir[PATH_MAX];
 extern char			keytabfile[PATH_MAX];
 extern char			*ccachesearch[];
 extern int			use_memcache;
diff --git a/utils/gssd/gssd_main_loop.c b/utils/gssd/gssd_main_loop.c
index 397fd14..1c1ff4f 100644
--- a/utils/gssd/gssd_main_loop.c
+++ b/utils/gssd/gssd_main_loop.c
@@ -103,7 +103,7 @@ gssd_run()
 {
 	int			ret;
 	struct sigaction	dn_act;
-	int			fd;
+	int			fd, fd_cb;
 	sigset_t		set;
 
 	/* Taken from linux/Documentation/dnotify.txt: */
@@ -125,6 +125,20 @@ gssd_run()
 	fcntl(fd, F_SETSIG, DNOTIFY_SIGNAL);
 	fcntl(fd, F_NOTIFY, DN_CREATE|DN_DELETE|DN_MODIFY|DN_MULTISHOT);
 
+	/* Attempt to open new callback pipe.  If the open fails,
+	 * don't try to process it. */
+	if ((fd_cb = open(pipefs_nfscbdir, O_RDONLY)) == -1) {
+		/* could be an older kernel or a newer one doing NFS 4.1 */
+		if (errno != ENOENT)
+			printerr(0, "WARNING: failed to open %s: %s\n",
+				 pipefs_nfscbdir, strerror(errno));
+		memset(pipefs_nfscbdir, '\0', sizeof(pipefs_nfscbdir));
+	} else {
+		fcntl(fd_cb, F_SETSIG, DNOTIFY_SIGNAL);
+		fcntl(fd_cb, F_NOTIFY,
+			DN_CREATE|DN_DELETE|DN_MODIFY|DN_MULTISHOT);
+	}
+
 	init_client_list();
 
 	printerr(1, "beginning poll\n");
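Review bot: Blanking pipefs_nfscbdir with `memset` doubles as the "no callback directory" flag that update_client_list later tests with `pipefs_nfscbdir[0] != '\0'`, which is not obvious from this hunk; add `/* empty path disables callback-dir processing in update_client_list() */` next to the memset. Also note that any open() error other than ENOENT (for example a permission problem) is only a WARNING and the daemon carries on without callback authentication; if that is the intended degradation it should be stated, since operators may otherwise not notice. gssd_run continues outside the hunk.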
@@ -151,5 +165,7 @@ gssd_run()
 		}
 	}
 	close(fd);
+	if (fd_cb != -1)
+		close(fd_cb);
 	return;
 }
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 0fc0c42..969d113 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -232,11 +232,19 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
 		sscanf(p, "port: %127s\n", cb_port);
 
 	/* check service, program, and version */
-	if(memcmp(service, "nfs", 3)) return -1;
+	if (memcmp(service, "nfs", 3) != 0)
+		return -1;
 	*prog = atoi(program + 1); /* skip open paren */
 	*vers = atoi(version);
-	if((*prog != 100003) || ((*vers != 2) && (*vers != 3) && (*vers != 4)))
-		goto fail;
+
+	if (strlen(service) == 3 ) {
+		if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) &&
+		    (*vers != 4)))
+			goto fail;
+	} else if (memcmp(service, "nfs4_cb", 7) == 0) {
+		if (*vers != 1)
+			goto fail;
+	}
 
 	if (cb_port[0] != '\0') {
 		port = atoi(cb_port);
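Review bot: A service name that is neither exactly "nfs" nor begins with "nfs4_cb" now passes with no program/version validation, because `memcmp(service, "nfs", 3)` only looks at the first three bytes and the new if/else-if chain has no final else — before this change every such name reached the prog/vers check. Add `} else { goto fail; }` after the nfs4_cb branch, and prefer `strcmp(service, "nfs4_cb") == 0` over a 7-byte memcmp so longer names are not accepted as nfs4_cb either. read_service_info starts before the hunk.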
@@ -315,19 +323,18 @@ out:
 static int
 process_clnt_dir_files(struct clnt_info * clp)
 {
-	char	kname[32];
-	char	sname[32];
-	char	info_file_name[32];
+	char	name[PATH_MAX];
+	char	info_file_name[PATH_MAX];
 
 	if (clp->krb5_fd == -1) {
-		snprintf(kname, sizeof(kname), "%s/krb5", clp->dirname);
-		clp->krb5_fd = open(kname, O_RDWR);
+		snprintf(name, sizeof(name), "%s/krb5", clp->dirname);
+		clp->krb5_fd = open(name, O_RDWR);
 	}
 	if (clp->spkm3_fd == -1) {
-		snprintf(sname, sizeof(sname), "%s/spkm3", clp->dirname);
-		clp->spkm3_fd = open(sname, O_RDWR);
+		snprintf(name, sizeof(name), "%s/spkm3", clp->dirname);
+		clp->spkm3_fd = open(name, O_RDWR);
 	}
-	if((clp->krb5_fd == -1) && (clp->spkm3_fd == -1))
+	if ((clp->krb5_fd == -1) && (clp->spkm3_fd == -1))
 		return -1;
 	snprintf(info_file_name, sizeof(info_file_name), "%s/info",
 			clp->dirname);
@@ -384,17 +391,18 @@ insert_clnt_poll(struct clnt_info *clp)
 }
 
 static void
-process_clnt_dir(char *dir)
+process_clnt_dir(char *dir, char *pdir)
 {
 	struct clnt_info *	clp;
 
 	if (!(clp = insert_new_clnt()))
 		goto fail_destroy_client;
 
-	if (!(clp->dirname = calloc(strlen(dir) + 1, 1))) {
+	/* An extra for the '/', and an extra for the null */
+	if (!(clp->dirname = calloc(strlen(dir) + strlen(pdir) + 2, 1))) {
 		goto fail_destroy_client;
 	}
-	memcpy(clp->dirname, dir, strlen(dir));
+	sprintf(clp->dirname, "%s/%s", pdir, dir);
 	if ((clp->dir_fd = open(clp->dirname, O_RDONLY)) == -1) {
 		printerr(0, "ERROR: can't open %s: %s\n",
 			 clp->dirname, strerror(errno));
@@ -438,16 +446,24 @@ init_client_list(void)
  * directories, since the DNOTIFY could have been in there.
  */
 static void
-update_old_clients(struct dirent **namelist, int size)
+update_old_clients(struct dirent **namelist, int size, char *pdir)
 {
 	struct clnt_info *clp;
 	void *saveprev;
 	int i, stillhere;
+	char fname[PATH_MAX];
 
 	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
+		/* only compare entries in the global list that are from the
+		 * same pipefs parent directory as "pdir"
+		 */
+		if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue;
+
 		stillhere = 0;
 		for (i=0; i < size; i++) {
-			if (!strcmp(clp->dirname, namelist[i]->d_name)) {
+			snprintf(fname, sizeof(fname), "%s/%s",
+				 pdir, namelist[i]->d_name);
+			if (strcmp(clp->dirname, fname) == 0) {
 				stillhere = 1;
 				break;
 			}
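Review bot: The prefix test `strncmp(clp->dirname, pdir, strlen(pdir)) != 0` also matches entries from a sibling directory whose name merely starts with pdir; with the paths built in gssd.c, "<pipefs>/nfs" is a prefix of "<pipefs>/nfsd4_cb/clntX", so while the nfs directory is scanned every callback client is compared against the wrong namelist and never found, and if the loop's tail (outside the hunk) destroys clients with `stillhere == 0` they are dropped on each rescan. Require the separator after the prefix: `size_t plen = strlen(pdir);` before the loop and `if (strncmp(clp->dirname, pdir, plen) != 0 || clp->dirname[plen] != '/') continue;` in place of the current test. update_old_clients continues outside the hunk.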
@@ -468,13 +484,16 @@ update_old_clients(struct dirent **namelist, int size)
 
 /* Search for a client by directory name, return 1 if found, 0 otherwise */
 static int
-find_client(char *dirname)
+find_client(char *dirname, char *pdir)
 {
 	struct clnt_info	*clp;
+	char fname[PATH_MAX];
 
-	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next)
-		if (!strcmp(clp->dirname, dirname))
+	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
+		snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname);
+		if (strcmp(clp->dirname, fname) == 0)
 			return 1;
+	}
 	return 0;
 }
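Review bot: The `snprintf(fname, ...)` in find_client is loop-invariant — it rebuilds the same "pdir/dirname" string on every iteration — so format once before the loop and keep only the compare inside: `snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname);` followed by `for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next)` and `if (strcmp(clp->dirname, fname) == 0) return 1;`. Both `dirname` and `pdir` are read-only here and could be `const char *`.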
 
@@ -497,12 +516,12 @@ process_pipedir(char *pipe_name)
 		return -1;
 	}
 
-	update_old_clients(namelist, j);
+	update_old_clients(namelist, j, pipe_name);
 	for (i=0; i < j; i++) {
 		if (i < FD_ALLOC_BLOCK
 				&& !strncmp(namelist[i]->d_name, "clnt", 4)
-				&& !find_client(namelist[i]->d_name))
-			process_clnt_dir(namelist[i]->d_name);
+				&& !find_client(namelist[i]->d_name, pipe_name))
+			process_clnt_dir(namelist[i]->d_name, pipe_name);
 		free(namelist[i]);
 	}
 
@@ -510,7 +529,6 @@ process_pipedir(char *pipe_name)
 
 	return 0;
 }
-
 /* Used to read (and re-read) list of clients, set up poll array. */
 int
 update_client_list(void)
@@ -521,6 +539,15 @@ update_client_list(void)
 	if (retval)
 		printerr(0, "ERROR: processing %s\n", pipefs_nfsdir);
 
+	/* If we successfully processed nfsdir and callback directory exists
+	 * process any events in the callback directory
+	 */
+	if (retval == 0 && pipefs_nfscbdir[0] != '\0') {
+		retval = process_pipedir(pipefs_nfscbdir);
+		if (retval)
+			printerr(0, "ERROR: processing %s\n", pipefs_nfscbdir);
+	}
+
 	return retval;
 }
 



* [PATCH 4/7] gssd: print full client directory being handled
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

For convenience, add the full name of the upcall pipe being processed.
(Distinguishes between "normal" upcall, and a callback upcall.)

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/gssd_proc.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 969d113..c1f0350 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -857,7 +857,7 @@ handle_krb5_upcall(struct clnt_info *clp)
 	char			**dirname;
 	int			create_resp = -1;
 
-	printerr(1, "handling krb5 upcall\n");
+	printerr(1, "handling krb5 upcall (%s)\n", clp->dirname);
 
 	token.length = 0;
 	token.value = NULL;
@@ -972,7 +972,7 @@ handle_spkm3_upcall(struct clnt_info *clp)
 	struct authgss_private_data pd;
 	gss_buffer_desc		token;
 
-	printerr(2, "handling spkm3 upcall\n");
+	printerr(2, "handling spkm3 upcall (%s)\n", clp->dirname);
 
 	token.length = 0;
 	token.value = NULL;



* [PATCH 5/7] gssd: handle new client upcall
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

Add support for handling the new client-side upcall.  The kernel,
beginning with 2.6.29, will attempt to use a new pipe, "gssd",
which can be used for upcalls for all gss mechanisms.

The new upcall is text-based with an <attribute>=<value> format.
Attribute/value pairs are separated by a space, and terminated
with a new-line character.

The initial version has two required attributes,
mech=<gss_mechanism_name> and uid=<user's_UID_number>, and two
optional attributes, target=<gss_target_name> and service=<value>.

Future kernels may add new attribute/value pairs.

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/gssd.h           |    3 +
 utils/gssd/gssd_main_loop.c |   11 +++
 utils/gssd/gssd_proc.c      |  181 ++++++++++++++++++++++++++++++++++++-------
 3 files changed, 165 insertions(+), 30 deletions(-)

diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index ef2ac54..35da4cf 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -85,6 +85,8 @@ struct clnt_info {
 	int			krb5_poll_index;
 	int			spkm3_fd;
 	int			spkm3_poll_index;
+	int                     gssd_fd;
+	int                     gssd_poll_index;
 	struct sockaddr_storage addr;
 };
 
@@ -92,6 +94,7 @@ void init_client_list(void);
 int update_client_list(void);
 void handle_krb5_upcall(struct clnt_info *clp);
 void handle_spkm3_upcall(struct clnt_info *clp);
+void handle_gssd_upcall(struct clnt_info *clp);
 int gssd_acquire_cred(char *server_name);
 void gssd_run(void);
 
diff --git a/utils/gssd/gssd_main_loop.c b/utils/gssd/gssd_main_loop.c
index 1c1ff4f..5a0dda9 100644
--- a/utils/gssd/gssd_main_loop.c
+++ b/utils/gssd/gssd_main_loop.c
@@ -73,6 +73,17 @@ scan_poll_results(int ret)
 
 	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next)
 	{
+		i = clp->gssd_poll_index;
+		if (i >= 0 && pollarray[i].revents) {
+			if (pollarray[i].revents & POLLHUP)
+				dir_changed = 1;
+			if (pollarray[i].revents & POLLIN)
+				handle_gssd_upcall(clp);
+			pollarray[clp->gssd_poll_index].revents = 0;
+			ret--;
+			if (!ret)
+				break;
+		}
 		i = clp->krb5_poll_index;
 		if (i >= 0 && pollarray[i].revents) {
 			if (pollarray[i].revents & POLLHUP)
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index c1f0350..2fc26b4 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -73,6 +73,7 @@
 #include "krb5_util.h"
 #include "context.h"
 #include "nfsrpc.h"
+#include "nfslib.h"
 
 /*
  * pollarray:
@@ -289,9 +290,13 @@ destroy_client(struct clnt_info *clp)
 	if (clp->spkm3_poll_index != -1)
 		memset(&pollarray[clp->spkm3_poll_index], 0,
 					sizeof(struct pollfd));
+	if (clp->gssd_poll_index != -1)
+		memset(&pollarray[clp->gssd_poll_index], 0,
+					sizeof(struct pollfd));
 	if (clp->dir_fd != -1) close(clp->dir_fd);
 	if (clp->krb5_fd != -1) close(clp->krb5_fd);
 	if (clp->spkm3_fd != -1) close(clp->spkm3_fd);
+	if (clp->gssd_fd != -1) close(clp->gssd_fd);
 	free(clp->dirname);
 	free(clp->servicename);
 	free(clp->servername);
@@ -311,8 +316,10 @@ insert_new_clnt(void)
 	}
 	clp->krb5_poll_index = -1;
 	clp->spkm3_poll_index = -1;
+	clp->gssd_poll_index = -1;
 	clp->krb5_fd = -1;
 	clp->spkm3_fd = -1;
+	clp->gssd_fd = -1;
 	clp->dir_fd = -1;
 
 	TAILQ_INSERT_HEAD(&clnt_list, clp, list);
@@ -324,17 +331,42 @@ static int
 process_clnt_dir_files(struct clnt_info * clp)
 {
 	char	name[PATH_MAX];
+	char	gname[PATH_MAX];
 	char	info_file_name[PATH_MAX];
 
-	if (clp->krb5_fd == -1) {
-		snprintf(name, sizeof(name), "%s/krb5", clp->dirname);
-		clp->krb5_fd = open(name, O_RDWR);
+	if (clp->gssd_fd == -1) {
+		snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname);
+		clp->gssd_fd = open(gname, O_RDWR);
 	}
-	if (clp->spkm3_fd == -1) {
-		snprintf(name, sizeof(name), "%s/spkm3", clp->dirname);
-		clp->spkm3_fd = open(name, O_RDWR);
+	if (clp->gssd_fd == -1) {
+		if (clp->krb5_fd == -1) {
+			snprintf(name, sizeof(name), "%s/krb5", clp->dirname);
+			clp->krb5_fd = open(name, O_RDWR);
+		}
+		if (clp->spkm3_fd == -1) {
+			snprintf(name, sizeof(name), "%s/spkm3", clp->dirname);
+			clp->spkm3_fd = open(name, O_RDWR);
+		}
+
+		/* If we opened a gss-specific pipe, let's try opening
+		 * the new upcall pipe again. If we succeed, close
+		 * gss-specific pipe(s).
+		 */
+		if (clp->krb5_fd != -1 || clp->spkm3_fd != -1) {
+			clp->gssd_fd = open(gname, O_RDWR);
+			if (clp->gssd_fd != -1) {
+				if (clp->krb5_fd != -1)
+					close(clp->krb5_fd);
+				clp->krb5_fd = -1;
+				if (clp->spkm3_fd != -1)
+					close(clp->spkm3_fd);
+				clp->spkm3_fd = -1;
+			}
+		}
 	}
-	if ((clp->krb5_fd == -1) && (clp->spkm3_fd == -1))
+
+	if ((clp->krb5_fd == -1) && (clp->spkm3_fd == -1) &&
+			(clp->gssd_fd == -1))
 		return -1;
 	snprintf(info_file_name, sizeof(info_file_name), "%s/info",
 			clp->dirname);
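Review bot: `gname` is formatted only inside the first `if (clp->gssd_fd == -1)` block yet re-used by the retry `open(gname, O_RDWR)` in the second; that is safe today only because both blocks share the same guard, and a later edit to either one would hand an uninitialised path to open(). Format both names unconditionally at the top of the function, `snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname);` before the first `if`. The comment explains what the retry does but not why the gssd pipe might appear after a mech-specific pipe opened — presumably a kernel ordering detail; naming it would keep the next maintainer from "simplifying" the retry away. process_clnt_dir_files continues outside the hunk.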
@@ -369,6 +401,15 @@ get_poll_index(int *ind)
 static int
 insert_clnt_poll(struct clnt_info *clp)
 {
+	if ((clp->gssd_fd != -1) && (clp->gssd_poll_index == -1)) {
+		if (get_poll_index(&clp->gssd_poll_index)) {
+			printerr(0, "ERROR: Too many gssd clients\n");
+			return -1;
+		}
+		pollarray[clp->gssd_poll_index].fd = clp->gssd_fd;
+		pollarray[clp->gssd_poll_index].events |= POLLIN;
+	}
+
 	if ((clp->krb5_fd != -1) && (clp->krb5_poll_index == -1)) {
 		if (get_poll_index(&clp->krb5_poll_index)) {
 			printerr(0, "ERROR: Too many krb5 clients\n");
@@ -839,15 +880,13 @@ int create_auth_rpc_client(struct clnt_info *clp,
 	goto out;
 }
 
-
 /*
  * this code uses the userland rpcsec gss library to create a krb5
  * context on behalf of the kernel
  */
-void
-handle_krb5_upcall(struct clnt_info *clp)
+static void
+process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd)
 {
-	uid_t			uid;
 	CLIENT			*rpc_clnt = NULL;
 	AUTH			*auth = NULL;
 	struct authgss_private_data pd;
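Review bot: The new parameters of process_krb5_upcall are undocumented; extend the header comment above it to say that `uid` is the requesting user already read from the upcall and `fd` is the pipe the downcall (or error downcall) is written to, now that the function no longer reads clp->krb5_fd itself. The same applies to process_spkm3_upcall in the later hunk of this file. The function body continues outside the hunk.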
@@ -863,12 +902,6 @@ handle_krb5_upcall(struct clnt_info *clp)
 	token.value = NULL;
 	memset(&pd, 0, sizeof(struct authgss_private_data));
 
-	if (read(clp->krb5_fd, &uid, sizeof(uid)) < sizeof(uid)) {
-		printerr(0, "WARNING: failed reading uid from krb5 "
-			    "upcall pipe: %s\n", strerror(errno));
-		goto out;
-	}
-
 	if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
 		/* Tell krb5 gss which credentials cache to use */
 		for (dirname = ccachesearch; *dirname != NULL; dirname++) {
@@ -939,7 +972,7 @@ handle_krb5_upcall(struct clnt_info *clp)
 		goto out_return_error;
 	}
 
-	do_downcall(clp->krb5_fd, uid, &pd, &token);
+	do_downcall(fd, uid, &pd, &token);
 
 out:
 	if (token.value)
@@ -955,7 +988,7 @@ out:
 	return;
 
 out_return_error:
-	do_error_downcall(clp->krb5_fd, uid, -1);
+	do_error_downcall(fd, uid, -1);
 	goto out;
 }
 
@@ -963,10 +996,9 @@ out_return_error:
  * this code uses the userland rpcsec gss library to create an spkm3
  * context on behalf of the kernel
  */
-void
-handle_spkm3_upcall(struct clnt_info *clp)
+static void
+process_spkm3_upcall(struct clnt_info *clp, uid_t uid, int fd)
 {
-	uid_t			uid;
 	CLIENT			*rpc_clnt = NULL;
 	AUTH			*auth = NULL;
 	struct authgss_private_data pd;
@@ -977,12 +1009,6 @@ handle_spkm3_upcall(struct clnt_info *clp)
 	token.length = 0;
 	token.value = NULL;
 
-	if (read(clp->spkm3_fd, &uid, sizeof(uid)) < sizeof(uid)) {
-		printerr(0, "WARNING: failed reading uid from spkm3 "
-			 "upcall pipe: %s\n", strerror(errno));
-		goto out;
-	}
-
 	if (create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, AUTHTYPE_SPKM3)) {
 		printerr(0, "WARNING: Failed to create spkm3 context for "
 			    "user with uid %d\n", uid);
@@ -1003,7 +1029,7 @@ handle_spkm3_upcall(struct clnt_info *clp)
 		goto out_return_error;
 	}
 
-	do_downcall(clp->spkm3_fd, uid, &pd, &token);
+	do_downcall(fd, uid, &pd, &token);
 
 out:
 	if (token.value)
@@ -1015,6 +1041,101 @@ out:
 	return;
 
 out_return_error:
-	do_error_downcall(clp->spkm3_fd, uid, -1);
+	do_error_downcall(fd, uid, -1);
 	goto out;
 }
+
+void
+handle_krb5_upcall(struct clnt_info *clp)
+{
+	uid_t			uid;
+
+	if (read(clp->krb5_fd, &uid, sizeof(uid)) < sizeof(uid)) {
+		printerr(0, "WARNING: failed reading uid from krb5 "
+			    "upcall pipe: %s\n", strerror(errno));
+		return;
+	}
+
+	return process_krb5_upcall(clp, uid, clp->krb5_fd);
+}
+
+void
+handle_spkm3_upcall(struct clnt_info *clp)
+{
+	uid_t			uid;
+
+	if (read(clp->spkm3_fd, &uid, sizeof(uid)) < sizeof(uid)) {
+		printerr(0, "WARNING: failed reading uid from spkm3 "
+			 "upcall pipe: %s\n", strerror(errno));
+		return;
+	}
+
+	return process_spkm3_upcall(clp, uid, clp->spkm3_fd);
+}
+
+void
+handle_gssd_upcall(struct clnt_info *clp)
+{
+	uid_t			uid;
+	char			*lbuf = NULL;
+	int			lbuflen = 0;
+	char			*p;
+	char			*mech = NULL;
+
+	printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
+
+	if (readline(clp->gssd_fd, &lbuf, &lbuflen) != 1) {
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			    "failed reading request\n");
+		return;
+	}
+	printerr(2, "%s: '%s'\n", __func__, lbuf);
+
+	/* find the mechanism name */
+	if ((p = strstr(lbuf, "mech=")) != NULL) {
+		mech = malloc(lbuflen);
+		if (!mech)
+			goto out;
+		if (sscanf(p, "mech=%s", mech) != 1) {
+			printerr(0, "WARNING: handle_gssd_upcall: "
+				    "failed to parse gss mechanism name "
+				    "in upcall string '%s'\n", lbuf);
+			goto out;
+		}
+	} else {
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			    "failed to find gss mechanism name "
+			    "in upcall string '%s'\n", lbuf);
+		goto out;
+	}
+
+	/* read uid */
+	if ((p = strstr(lbuf, "uid=")) != NULL) {
+		if (sscanf(p, "uid=%d", &uid) != 1) {
+			printerr(0, "WARNING: handle_gssd_upcall: "
+				    "failed to parse uid "
+				    "in upcall string '%s'\n", lbuf);
+			goto out;
+		}
+	} else {
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			    "failed to find uid "
+			    "in upcall string '%s'\n", lbuf);
+		goto out;
+	}
+
+
+	if (strcmp(mech, "krb5") == 0)
+		process_krb5_upcall(clp, uid, clp->gssd_fd);
+	else if (strcmp(mech, "spkm3") == 0)
+		process_spkm3_upcall(clp, uid, clp->gssd_fd);
+	else
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			    "received unknown gss mech '%s'\n", mech);
+
+out:
+	free(lbuf);
+	free(mech);
+	return;	
+}
+
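Review bot: `sscanf(p, "uid=%d", &uid)` in handle_gssd_upcall scans with `%d` into a `uid_t`, which is typically an unsigned type, so a token such as `uid=-1` is accepted and wraps instead of being rejected; scanning into a `long` with `%ld`, rejecting negative values, and then assigning `uid = (uid_t)v` keeps the conversion well-defined and the range check explicit. The `return process_krb5_upcall(...)` and `return process_spkm3_upcall(...)` lines in handle_krb5_upcall and handle_spkm3_upcall return a void expression from a void function, which standard C does not allow (compilers accept it only as an extension), so the `return` keyword should be dropped from both. The unbounded `%s` conversion into `mech` is safe only because the destination is `malloc(lbuflen)` and `p` points inside `lbuf`; that presumably holds if `readline()` reports the buffer length in `lbuflen`, and a one-line comment at the `malloc` stating that invariant would help the next reader.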



* [PATCH 6/7] gssd: process target= attribute in new upcall
       [not found] ` <20090429214300.25811.81332.stgit-zTNJhAanYLVZN1qrTdtDg5Vzexx5G7lz@public.gmane.org>
                     ` (4 preceding siblings ...)
  2009-04-29 21:56   ` [PATCH 5/7] gssd: handle new client upcall Kevin Coffman
@ 2009-04-29 21:56   ` Kevin Coffman
  2009-04-29 21:56   ` [PATCH 7/7] gssd: process service= " Kevin Coffman
  6 siblings, 0 replies; 13+ messages in thread
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

Add processing of the "target=" attribute in the new gssd upcall.
Information in this field is used to construct the gss service name
of the server for which gssd will create a context.

This, along with the next patch handling "service=", is needed
for callback security.

For Kerberos, the NFS client will use a service principal present
in its keytab during authentication of the SETCLIENT_ID operation.
When establishing the context for the callback, the gssd on the
NFS server will attempt to authenticate the callback against the
principal name used by the client.

Note: An NFS client machine must have a keytab for the callback
authentication to succeed.

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/gssd_proc.c |   26 +++++++++++++++++++++++---
 1 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 2fc26b4..12eb5b3 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -885,7 +885,7 @@ int create_auth_rpc_client(struct clnt_info *clp,
  * context on behalf of the kernel
  */
 static void
-process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd)
+process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname)
 {
 	CLIENT			*rpc_clnt = NULL;
 	AUTH			*auth = NULL;
@@ -898,6 +898,12 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd)
 
 	printerr(1, "handling krb5 upcall (%s)\n", clp->dirname);
 
+	if (tgtname) {
+		if (clp->servicename) {
+			free(clp->servicename);
+			clp->servicename = strdup(tgtname);
+		}
+	}
 	token.length = 0;
 	token.value = NULL;
 	memset(&pd, 0, sizeof(struct authgss_private_data));
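Review bot: `clp->servicename = strdup(tgtname)` is not checked, so on allocation failure the client's service name is left NULL and the rest of process_krb5_upcall (its body continues outside the hunk) runs with no target name. The natural guard, `if (!clp->servicename) goto out_return_error;`, is only safe if the block is moved below the `token.value = NULL` / `memset(&pd, ...)` lines, because `out:` releases `token.value` and the block currently sits before `token` is initialised. Also, the replacement happens only when `clp->servicename` is already non-NULL; if an explicit `target=` from the upcall is meant to always win, the inner `if (clp->servicename)` can be dropped since `free(NULL)` is a no-op, and a one-line comment saying why the upcall target overrides the name read from the info file would document the intent either way.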
@@ -1056,7 +1062,7 @@ handle_krb5_upcall(struct clnt_info *clp)
 		return;
 	}
 
-	return process_krb5_upcall(clp, uid, clp->krb5_fd);
+	return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL);
 }
 
 void
@@ -1081,6 +1087,7 @@ handle_gssd_upcall(struct clnt_info *clp)
 	int			lbuflen = 0;
 	char			*p;
 	char			*mech = NULL;
+	char			*target = NULL;
 
 	printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
 
@@ -1124,9 +1131,21 @@ handle_gssd_upcall(struct clnt_info *clp)
 		goto out;
 	}
 
+	/* read target name */
+	if ((p = strstr(lbuf, "target=")) != NULL) {
+		target = malloc(lbuflen);
+		if (!target)
+			goto out;
+		if (sscanf(p, "target=%s", target) != 1) {
+			printerr(0, "WARNING: handle_gssd_upcall: "
+				    "failed to parse target name "
+				    "in upcall string '%s'\n", lbuf);
+			goto out;
+		}
+	}
 
 	if (strcmp(mech, "krb5") == 0)
-		process_krb5_upcall(clp, uid, clp->gssd_fd);
+		process_krb5_upcall(clp, uid, clp->gssd_fd, target);
 	else if (strcmp(mech, "spkm3") == 0)
 		process_spkm3_upcall(clp, uid, clp->gssd_fd);
 	else
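Review bot: The `strstr`/`malloc(lbuflen)`/`sscanf("key=%s")` sequence added for `target=` is the third copy of the same parsing pattern in handle_gssd_upcall (after `mech=` and `uid=`), and the follow-up patch adds a fourth for `service=`; a small helper that returns the attribute value, distinguishes "absent" from "unparsable", and lets the caller log the failure would keep the function readable and the error messages consistent. Note that `strstr` matches the key anywhere in the line, so an attribute name that ends in another key's name would be picked up too; this is hedged, since the kernel is the only writer of this pipe, but anchoring the match on the start of the line or a preceding space is cheap. handle_gssd_upcall's body begins before this hunk.

```c
/* Look up "key" in the upcall line.  Returns 1 and stores a malloc'd copy
 * of the value in *val, 0 if the key is absent, -1 on parse/alloc failure. */
static int
get_upcall_attr(const char *lbuf, int lbuflen, const char *key, char **val)
{
	const char *p = strstr(lbuf, key);

	*val = NULL;
	if (p == NULL)
		return 0;
	if ((*val = malloc(lbuflen)) == NULL)
		return -1;
	/* %s is bounded here: the token is part of lbuf, which fits in lbuflen */
	if (sscanf(p + strlen(key), "%s", *val) != 1) {
		free(*val);
		*val = NULL;
		return -1;
	}
	return 1;
}

/* … in handle_gssd_upcall, the target= block becomes: … */
	if (get_upcall_attr(lbuf, lbuflen, "target=", &target) < 0) {
		printerr(0, "WARNING: handle_gssd_upcall: "
			    "failed to parse target name "
			    "in upcall string '%s'\n", lbuf);
		goto out;
	}
```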
@@ -1136,6 +1155,7 @@ handle_gssd_upcall(struct clnt_info *clp)
 out:
 	free(lbuf);
 	free(mech);
+	free(target);
 	return;	
 }
 



* [PATCH 7/7] gssd: process service= attribute in new upcall
       [not found] ` <20090429214300.25811.81332.stgit-zTNJhAanYLVZN1qrTdtDg5Vzexx5G7lz@public.gmane.org>
                     ` (5 preceding siblings ...)
  2009-04-29 21:56   ` [PATCH 6/7] gssd: process target= attribute in new upcall Kevin Coffman
@ 2009-04-29 21:56   ` Kevin Coffman
  6 siblings, 0 replies; 13+ messages in thread
From: Kevin Coffman @ 2009-04-29 21:56 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

From: Olga Kornievskaia <aglo@citi.umich.edu>

Add processing of the "service=" attribute in the new gssd upcall.

If "service" is specified, then the kernel is indicating that
we must use machine credentials for this request.  (Regardless
of the uid value or the setting of root_uses_machine_creds.)
If the service value is "*", then any service name can be used.
Otherwise, it specifies the service name that should be used.
(For now, the values of service will only be "*" or "nfs".)

Restricting gssd to the "nfs" service name is needed when
the NFS server is doing a callback to the NFS client.  In this
case, the NFS server has to authenticate itself as "nfs" --
even if there are other service keys such as "host" or "root"
in the keytab.

Another case when the kernel may specify the service attribute
is when gssd is being asked to create the context for a
SETCLIENT_ID operation.  In this case, machine credentials
must be used for the authentication.  However, the service name
used for this case is not important.

Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
---

 utils/gssd/gssd_proc.c |   63 +++++++++++++++++++++++++++++++++++++++++++-----
 utils/gssd/krb5_util.c |   21 ++++++++++++----
 utils/gssd/krb5_util.h |    3 ++
 3 files changed, 75 insertions(+), 12 deletions(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 12eb5b3..b48fd38 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -885,7 +885,8 @@ int create_auth_rpc_client(struct clnt_info *clp,
  * context on behalf of the kernel
  */
 static void
-process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname)
+process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
+		    char *service)
 {
 	CLIENT			*rpc_clnt = NULL;
 	AUTH			*auth = NULL;
@@ -908,7 +909,31 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname)
 	token.value = NULL;
 	memset(&pd, 0, sizeof(struct authgss_private_data));
 
-	if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
+	/*
+	 * If "service" is specified, then the kernel is indicating that
+	 * we must use machine credentials for this request.  (Regardless
+	 * of the uid value or the setting of root_uses_machine_creds.)
+	 * If the service value is "*", then any service name can be used.
+	 * Otherwise, it specifies the service name that should be used.
+	 * (For now, the values of service will only be "*" or "nfs".)
+	 *
+	 * Restricting gssd to use "nfs" service name is needed for when
+	 * the NFS server is doing a callback to the NFS client.  In this
+	 * case, the NFS server has to authenticate itself as "nfs" --
+	 * even if there are other service keys such as "host" or "root"
+	 * in the keytab.
+	 *
+	 * Another case when the kernel may specify the service attribute
+	 * is when gssd is being asked to create the context for a
+	 * SETCLIENT_ID operation.  In this case, machine credentials
+	 * must be used for the authentication.  However, the service name
+	 * used for this case is not important.
+	 *
+	 */
+	printerr(2, "%s: service is '%s'\n", __func__,
+		 service ? service : "<null>");
+	if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 &&
+				service == NULL)) {
 		/* Tell krb5 gss which credentials cache to use */
 		for (dirname = ccachesearch; *dirname != NULL; dirname++) {
 			if (gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname) == 0)
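Review bot: The new comment says machine credentials must be used whenever `service` is present "regardless of the uid value", but the condition below it honours `service` only when `uid == 0`: for a non-zero uid the first clause `uid != 0` is true and the request still goes through the user credential-cache search, and the machine-credential fallback in the next hunk (`uid == 0 && (root_uses_machine_creds == 1 || service != NULL)`) is likewise gated on `uid == 0`. Either the comment should state that `service` is only expected together with uid 0, or the two conditions should become `if (service == NULL && (uid != 0 || root_uses_machine_creds == 0))` here and `if (service != NULL || (uid == 0 && root_uses_machine_creds == 1))` in the next hunk. Within the current expression the `uid == 0 &&` inside the parenthesised clause is redundant, because that clause is only evaluated when `uid != 0` is false. process_krb5_upcall's body continues outside the hunk.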
@@ -919,11 +944,13 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname)
 		}
 	}
 	if (create_resp != 0) {
-		if (uid == 0 && root_uses_machine_creds == 1) {
+
+		if (uid == 0 && (root_uses_machine_creds == 1 ||
+				service != NULL)) {
 			int success = 0;
 
 			gssd_refresh_krb5_machine_credential(clp->servername,
-							     NULL);
+							     NULL, service);
 			/*
 			 * Get a list of credential cache names and try each
 			 * of them until one works or we've tried them all
@@ -1062,7 +1089,7 @@ handle_krb5_upcall(struct clnt_info *clp)
 		return;
 	}
 
-	return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL);
+	return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL);
 }
 
 void
@@ -1088,6 +1115,7 @@ handle_gssd_upcall(struct clnt_info *clp)
 	char			*p;
 	char			*mech = NULL;
 	char			*target = NULL;
+	char			*service = NULL;
 
 	printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
 
@@ -1144,8 +1172,30 @@ handle_gssd_upcall(struct clnt_info *clp)
 		}
 	}
 
+	/*
+	 * read the service name
+	 *
+	 * The presence of attribute "service=" indicates that machine
+	 * credentials should be used for this request.  If the value
+	 * is "*", then any machine credentials available can be used.
+	 * If the value is anything else, then machine credentials for
+	 * the specified service name (always "nfs" for now) should be
+	 * used.
+	 */
+	if ((p = strstr(lbuf, "service=")) != NULL) {
+		service = malloc(lbuflen);
+		if (!service)
+			goto out;
+		if (sscanf(p, "service=%s", service) != 1) {
+			printerr(0, "WARNING: handle_gssd_upcall: "
+				    "failed to parse service type "
+				    "in upcall string '%s'\n", lbuf);
+			goto out;
+		}
+	}
+
 	if (strcmp(mech, "krb5") == 0)
-		process_krb5_upcall(clp, uid, clp->gssd_fd, target);
+		process_krb5_upcall(clp, uid, clp->gssd_fd, target, service);
 	else if (strcmp(mech, "spkm3") == 0)
 		process_spkm3_upcall(clp, uid, clp->gssd_fd);
 	else
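Review bot: The `service=` value is forwarded unchecked even though the comment above it states that only `"*"` and `"nfs"` are expected; since the string becomes the sole keytab service name searched by `gssd_refresh_krb5_machine_credential`, an unexpected value surfaces later as a generic "no usable keytab entry" error that never mentions the upcall. A `printerr(1, "%s: unexpected service '%s'\n", __func__, service);` when the value is neither `"*"` nor `"nfs"` would make that failure attributable. Separately, `target` and `service` are only passed to the krb5 path; for `mech=spkm3` they are silently dropped at the `process_spkm3_upcall` call, which deserves at least a comment or a debug message. handle_gssd_upcall's body begins before this hunk.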
@@ -1156,6 +1206,7 @@ out:
 	free(lbuf);
 	free(mech);
 	free(target);
+	free(service);
 	return;	
 }
 
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 3009cc5..ef12ec5 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -796,10 +796,9 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
  */
 static int
 find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
-		  krb5_keytab_entry *kte)
+		  krb5_keytab_entry *kte, const char **svcnames)
 {
 	krb5_error_code code;
-	const char *svcnames[] = { "root", "nfs", "host", NULL };
 	char **realmnames = NULL;
 	char myhostname[NI_MAXHOST], targethostname[NI_MAXHOST];
 	int i, j, retval;
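Review bot: `find_keytab_entry` now takes `svcnames` from the caller, but its header comment (it ends at the ` */` context line at the top of the hunk) does not say that the array must be NULL-terminated, which the removed local initializer used to make obvious; a line such as ` * svcnames: NULL-terminated list of service names to try (presumably in the order given)` would capture that contract. The parameter could also be `const char *const *svcnames`, since nothing here needs to modify the pointers. The body of find_keytab_entry continues outside the hunk.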
@@ -1095,7 +1094,8 @@ gssd_get_krb5_machine_cred_list(char ***list)
 	for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) {
 		if (ple->ccname) {
 			/* Make sure cred is up-to-date before returning it */
-			retval = gssd_refresh_krb5_machine_credential(NULL, ple);
+			retval = gssd_refresh_krb5_machine_credential(NULL, ple,
+					NULL);
 			if (retval)
 				continue;
 			if (i + 1 > listsize) {
@@ -1185,13 +1185,24 @@ gssd_destroy_krb5_machine_creds(void)
  */
 int
 gssd_refresh_krb5_machine_credential(char *hostname,
-				     struct gssd_k5_kt_princ *ple)
+				     struct gssd_k5_kt_princ *ple,
+				     char *service)
 {
 	krb5_error_code code = 0;
 	krb5_context context;
 	krb5_keytab kt = NULL;;
 	int retval = 0;
 	char *k5err = NULL;
+	const char *svcnames[4] = { "root", "nfs", "host", NULL };
+
+	/*
+	 * If a specific service name was specified, use it.
+	 * Otherwise, use the default list.
+	 */
+	if (service != NULL && strcmp(service, "*") != 0) {
+		svcnames[0] = service;
+		svcnames[1] = NULL;
+	}
 
 	if (hostname == NULL && ple == NULL)
 		return EINVAL;
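Review bot: The new `service` parameter of `gssd_refresh_krb5_machine_credential` is not described in the function's header comment (which ends at the ` */` context line at the top of the hunk); a line such as ` * service: NULL or "*" to try the default root/nfs/host list, otherwise the only service name looked up in the keytab` would document the rule the code below implements. `svcnames[4]` ties a magic size to the initializer; `const char *svcnames[] = { ... }` lets the compiler count. One caveat to confirm, since the caller sits outside this chunk: `gssd_get_krb5_machine_cred_list` still refreshes every cached principal with `service == NULL`, so a caller that asked for `"nfs"` may presumably still be handed credential caches obtained for other services — worth a comment on whether that is intended.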
@@ -1215,7 +1226,7 @@ gssd_refresh_krb5_machine_credential(char *hostname,
 	if (ple == NULL) {
 		krb5_keytab_entry kte;
 
-		code = find_keytab_entry(context, kt, hostname, &kte);
+		code = find_keytab_entry(context, kt, hostname, &kte, svcnames);
 		if (code) {
 			printerr(0, "ERROR: %s: no usable keytab entry found "
 				 "in keytab %s for connection with host %s\n",
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index 3d39300..b696ea4 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -30,7 +30,8 @@ void gssd_free_krb5_machine_cred_list(char **list);
 void gssd_setup_krb5_machine_gss_ccache(char *servername);
 void gssd_destroy_krb5_machine_creds(void);
 int  gssd_refresh_krb5_machine_credential(char *hostname,
-					  struct gssd_k5_kt_princ *ple);
+					  struct gssd_k5_kt_princ *ple,
+					  char *service);
 char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
 void gssd_k5_get_default_realm(char **def_realm);
 



* Re: [PATCH 0/7] nfs-utils: add support for authenticated callbacks
  2009-04-29 21:56 [PATCH 0/7] nfs-utils: add support for authenticated callbacks Kevin Coffman
       [not found] ` <20090429214300.25811.81332.stgit-zTNJhAanYLVZN1qrTdtDg5Vzexx5G7lz@public.gmane.org>
@ 2009-04-30 14:52 ` Kevin Coffman
  1 sibling, 0 replies; 13+ messages in thread
From: Kevin Coffman @ 2009-04-30 14:52 UTC (permalink / raw)
  To: steved; +Cc: linux-nfs

On Wed, Apr 29, 2009 at 5:56 PM, Kevin Coffman <kwc@citi.umich.edu> wrote:
> This series adds support to gssd and svcgssd to support
> authenticated callbacks.
>
> [...]
>
> NOTE:  For authenticated callbacks to work, an NFS client or an
> NFS server must be running both rpcgssd _and_ rpcsvcgssd.
> This will require a configuration change.

Also note that when running svcgssd on an NFS client which does not
have an "nfs" key in its keytab, it must be run with the "-n" flag or
it will fail to start.


* Re: [PATCH 3/7] gssd: add support for callback authentication
       [not found]     ` <20090429215626.25811.13927.stgit-zTNJhAanYLVZN1qrTdtDg5Vzexx5G7lz@public.gmane.org>
@ 2009-04-30 21:24       ` J. Bruce Fields
  2009-05-06 21:22         ` Kevin Coffman
  0 siblings, 1 reply; 13+ messages in thread
From: J. Bruce Fields @ 2009-04-30 21:24 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: steved, linux-nfs

On Wed, Apr 29, 2009 at 05:56:26PM -0400, Kevin Coffman wrote:
> From: Olga Kornievskaia <aglo@citi.umich.edu>
> 
> Add support for handling upcalls on the new "nfsd4_cb" directory pipes.
> Only new kernels (2.6.29) have support for this new pipe directory.
> (The need for this new pipe directory will go away with NFSv4.1 where
> the callback can be done on the same connection as the fore-channel.)

My only complaint is that the code would be robust (and more
future-proof) if instead of specifically looking for "nfs" and
"nfsd4_cb", we just look at all top-level rpc_pipefs directories and
handle directories under any of them in the same way.

--b.

> 
> Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
> ---
> 
>  utils/gssd/gssd.c           |    5 +++
>  utils/gssd/gssd.h           |    2 +
>  utils/gssd/gssd_main_loop.c |   18 ++++++++++-
>  utils/gssd/gssd_proc.c      |   73 +++++++++++++++++++++++++++++--------------
>  4 files changed, 74 insertions(+), 24 deletions(-)
> 
> diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
> index f6949db..7a23362 100644
> --- a/utils/gssd/gssd.c
> +++ b/utils/gssd/gssd.c
> @@ -57,6 +57,7 @@
>  
>  char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR;
>  char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR;
> +char pipefs_nfscbdir[PATH_MAX] = GSSD_PIPEFS_DIR;
>  char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
>  char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
>  char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
> @@ -163,6 +164,10 @@ main(int argc, char *argv[])
>  		 pipefs_dir, GSSD_SERVICE_NAME);
>  	if (pipefs_nfsdir[sizeof(pipefs_nfsdir)-1] != '\0')
>  		errx(1, "pipefs_nfsdir path name too long");
> +	snprintf(pipefs_nfscbdir, sizeof(pipefs_nfscbdir), "%s/%s",
> +		 pipefs_dir, GSSD_NFSCB_NAME);
> +	if (pipefs_nfscbdir[sizeof(pipefs_nfscbdir)-1] != '\0')
> +		errx(1, "pipefs_nfscbdir path name too long");
>  
>  	if ((progname = strrchr(argv[0], '/')))
>  		progname++;
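Review bot: The added truncation check `if (pipefs_nfscbdir[sizeof(pipefs_nfscbdir)-1] != '\0')` cannot fire, because `snprintf` always NUL-terminates within the size it is given, so an over-long path is silently truncated instead of reaching the intended `errx`; the same is true of the pre-existing `pipefs_nfsdir` check it copies. Testing the return value is the reliable form: `if (snprintf(pipefs_nfscbdir, sizeof(pipefs_nfscbdir), "%s/%s", pipefs_dir, GSSD_NFSCB_NAME) >= (int)sizeof(pipefs_nfscbdir)) errx(1, "pipefs_nfscbdir path name too long");`. main's body continues outside the hunk.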
> diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
> index 3c52f46..ef2ac54 100644
> --- a/utils/gssd/gssd.h
> +++ b/utils/gssd/gssd.h
> @@ -49,6 +49,7 @@
>  #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX	"machine"
>  #define GSSD_DEFAULT_KEYTAB_FILE		"/etc/krb5.keytab"
>  #define GSSD_SERVICE_NAME			"nfs"
> +#define GSSD_NFSCB_NAME				"nfsd4_cb"
>  #define GSSD_SERVICE_NAME_LEN			3
>  #define GSSD_MAX_CCACHE_SEARCH			16
>  
> @@ -61,6 +62,7 @@ enum {AUTHTYPE_KRB5, AUTHTYPE_SPKM3, AUTHTYPE_LIPKEY};
>  
>  extern char			pipefs_dir[PATH_MAX];
>  extern char			pipefs_nfsdir[PATH_MAX];
> +extern char			pipefs_nfscbdir[PATH_MAX];
>  extern char			keytabfile[PATH_MAX];
>  extern char			*ccachesearch[];
>  extern int			use_memcache;
> diff --git a/utils/gssd/gssd_main_loop.c b/utils/gssd/gssd_main_loop.c
> index 397fd14..1c1ff4f 100644
> --- a/utils/gssd/gssd_main_loop.c
> +++ b/utils/gssd/gssd_main_loop.c
> @@ -103,7 +103,7 @@ gssd_run()
>  {
>  	int			ret;
>  	struct sigaction	dn_act;
> -	int			fd;
> +	int			fd, fd_cb;
>  	sigset_t		set;
>  
>  	/* Taken from linux/Documentation/dnotify.txt: */
> @@ -125,6 +125,20 @@ gssd_run()
>  	fcntl(fd, F_SETSIG, DNOTIFY_SIGNAL);
>  	fcntl(fd, F_NOTIFY, DN_CREATE|DN_DELETE|DN_MODIFY|DN_MULTISHOT);
>  
> +	/* Attempt to open new callback pipe.  If the open fails,
> +	 * don't try to process it. */
> +	if ((fd_cb = open(pipefs_nfscbdir, O_RDONLY)) == -1) {
> +		/* could be an older kernel or a newer one doing NFS 4.1 */
> +		if (errno != ENOENT)
> +			printerr(0, "WARNING: failed to open %s: %s\n",
> +				 pipefs_nfscbdir, strerror(errno));
> +		memset(pipefs_nfscbdir, '\0', sizeof(pipefs_nfscbdir));
> +	} else {
> +		fcntl(fd_cb, F_SETSIG, DNOTIFY_SIGNAL);
> +		fcntl(fd_cb, F_NOTIFY,
> +			DN_CREATE|DN_DELETE|DN_MODIFY|DN_MULTISHOT);
> +	}
> +
>  	init_client_list();
>  
>  	printerr(1, "beginning poll\n");
> @@ -151,5 +165,7 @@ gssd_run()
>  		}
>  	}
>  	close(fd);
> +	if (fd_cb != -1)
> +		close(fd_cb);
>  	return;
>  }
> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
> index 0fc0c42..969d113 100644
> --- a/utils/gssd/gssd_proc.c
> +++ b/utils/gssd/gssd_proc.c
> @@ -232,11 +232,19 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
>  		sscanf(p, "port: %127s\n", cb_port);
>  
>  	/* check service, program, and version */
> -	if(memcmp(service, "nfs", 3)) return -1;
> +	if (memcmp(service, "nfs", 3) != 0)
> +		return -1;
>  	*prog = atoi(program + 1); /* skip open paren */
>  	*vers = atoi(version);
> -	if((*prog != 100003) || ((*vers != 2) && (*vers != 3) && (*vers != 4)))
> -		goto fail;
> +
> +	if (strlen(service) == 3 ) {
> +		if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) &&
> +		    (*vers != 4)))
> +			goto fail;
> +	} else if (memcmp(service, "nfs4_cb", 7) == 0) {
> +		if (*vers != 1)
> +			goto fail;
> +	}
>  
>  	if (cb_port[0] != '\0') {
>  		port = atoi(cb_port);
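Review bot: The new version check is skipped for any service string that is neither exactly three characters long nor starts with `nfs4_cb`: after the `memcmp(service, "nfs", 3)` prefix test, a value such as `nfsX` passes through with no program or version validation at all, and `memcmp(service, "nfs4_cb", 7)` reads seven bytes regardless of where the string ends. Comparing whole strings and rejecting everything else is clearer and closes the gap: `if (strcmp(service, "nfs") == 0) { …existing 2/3/4 version check… } else if (strcmp(service, "nfs4_cb") == 0) { …version 1 check… } else goto fail;`. The declaration of `service` and the start of read_service_info are outside the hunk, so whether its buffer always covers the seven-byte read cannot be confirmed here.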
> @@ -315,19 +323,18 @@ out:
>  static int
>  process_clnt_dir_files(struct clnt_info * clp)
>  {
> -	char	kname[32];
> -	char	sname[32];
> -	char	info_file_name[32];
> +	char	name[PATH_MAX];
> +	char	info_file_name[PATH_MAX];
>  
>  	if (clp->krb5_fd == -1) {
> -		snprintf(kname, sizeof(kname), "%s/krb5", clp->dirname);
> -		clp->krb5_fd = open(kname, O_RDWR);
> +		snprintf(name, sizeof(name), "%s/krb5", clp->dirname);
> +		clp->krb5_fd = open(name, O_RDWR);
>  	}
>  	if (clp->spkm3_fd == -1) {
> -		snprintf(sname, sizeof(sname), "%s/spkm3", clp->dirname);
> -		clp->spkm3_fd = open(sname, O_RDWR);
> +		snprintf(name, sizeof(name), "%s/spkm3", clp->dirname);
> +		clp->spkm3_fd = open(name, O_RDWR);
>  	}
> -	if((clp->krb5_fd == -1) && (clp->spkm3_fd == -1))
> +	if ((clp->krb5_fd == -1) && (clp->spkm3_fd == -1))
>  		return -1;
>  	snprintf(info_file_name, sizeof(info_file_name), "%s/info",
>  			clp->dirname);
> @@ -384,17 +391,18 @@ insert_clnt_poll(struct clnt_info *clp)
>  }
>  
>  static void
> -process_clnt_dir(char *dir)
> +process_clnt_dir(char *dir, char *pdir)
>  {
>  	struct clnt_info *	clp;
>  
>  	if (!(clp = insert_new_clnt()))
>  		goto fail_destroy_client;
>  
> -	if (!(clp->dirname = calloc(strlen(dir) + 1, 1))) {
> +	/* An extra for the '/', and an extra for the null */
> +	if (!(clp->dirname = calloc(strlen(dir) + strlen(pdir) + 2, 1))) {
>  		goto fail_destroy_client;
>  	}
> -	memcpy(clp->dirname, dir, strlen(dir));
> +	sprintf(clp->dirname, "%s/%s", pdir, dir);
>  	if ((clp->dir_fd = open(clp->dirname, O_RDONLY)) == -1) {
>  		printerr(0, "ERROR: can't open %s: %s\n",
>  			 clp->dirname, strerror(errno));
> @@ -438,16 +446,24 @@ init_client_list(void)
>   * directories, since the DNOTIFY could have been in there.
>   */
>  static void
> -update_old_clients(struct dirent **namelist, int size)
> +update_old_clients(struct dirent **namelist, int size, char *pdir)
>  {
>  	struct clnt_info *clp;
>  	void *saveprev;
>  	int i, stillhere;
> +	char fname[PATH_MAX];
>  
>  	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
> +		/* only compare entries in the global list that are from the
> +		 * same pipefs parent directory as "pdir"
> +		 */
> +		if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue;
> +
>  		stillhere = 0;
>  		for (i=0; i < size; i++) {
> -			if (!strcmp(clp->dirname, namelist[i]->d_name)) {
> +			snprintf(fname, sizeof(fname), "%s/%s",
> +				 pdir, namelist[i]->d_name);
> +			if (strcmp(clp->dirname, fname) == 0) {
>  				stillhere = 1;
>  				break;
>  			}
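Review bot: The new filter `strncmp(clp->dirname, pdir, strlen(pdir)) != 0` is a bare prefix match, and the two parent directories this series handles, `pipefs_nfsdir` (`…/nfs`) and `pipefs_nfscbdir` (`…/nfsd4_cb`), share the prefix `…/nfs`; so when update_old_clients runs for the `nfs` directory, every `nfsd4_cb/clnt*` entry passes the filter, is never found in that directory's `namelist`, and ends up with `stillhere == 0`. Requiring the separator fixes it: `if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0 || clp->dirname[strlen(pdir)] != '/') continue;`. What the function does with a client whose `stillhere` is 0 is outside the hunk, but presumably it is removed. The comment above the check should mention that the trailing '/' is what keeps sibling directories with a common prefix apart.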
> @@ -468,13 +484,16 @@ update_old_clients(struct dirent **namelist, int size)
>  
>  /* Search for a client by directory name, return 1 if found, 0 otherwise */
>  static int
> -find_client(char *dirname)
> +find_client(char *dirname, char *pdir)
>  {
>  	struct clnt_info	*clp;
> +	char fname[PATH_MAX];
>  
> -	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next)
> -		if (!strcmp(clp->dirname, dirname))
> +	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
> +		snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname);
> +		if (strcmp(clp->dirname, fname) == 0)
>  			return 1;
> +	}
>  	return 0;
>  }
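Review bot: The `snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname)` in find_client does not depend on `clp`, yet it is re-run for every list entry; building `fname` once before the `for` loop is cheaper and leaves a single comparison in the loop body. A one-line comment saying that `clp->dirname` holds the full `parent/clnt` path, as process_clnt_dir now constructs it, would also explain why the join is needed at all.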
>  
> @@ -497,12 +516,12 @@ process_pipedir(char *pipe_name)
>  		return -1;
>  	}
>  
> -	update_old_clients(namelist, j);
> +	update_old_clients(namelist, j, pipe_name);
>  	for (i=0; i < j; i++) {
>  		if (i < FD_ALLOC_BLOCK
>  				&& !strncmp(namelist[i]->d_name, "clnt", 4)
> -				&& !find_client(namelist[i]->d_name))
> -			process_clnt_dir(namelist[i]->d_name);
> +				&& !find_client(namelist[i]->d_name, pipe_name))
> +			process_clnt_dir(namelist[i]->d_name, pipe_name);
>  		free(namelist[i]);
>  	}
>  
> @@ -510,7 +529,6 @@ process_pipedir(char *pipe_name)
>  
>  	return 0;
>  }
> -
>  /* Used to read (and re-read) list of clients, set up poll array. */
>  int
>  update_client_list(void)
> @@ -521,6 +539,15 @@ update_client_list(void)
>  	if (retval)
>  		printerr(0, "ERROR: processing %s\n", pipefs_nfsdir);
>  
> +	/* If we successfully processed nfsdir and callback directory exists
> +	 * process any events in the callback directory
> +	 */
> +	if (retval == 0 && pipefs_nfscbdir[0] != '\0') {
> +		retval = process_pipedir(pipefs_nfscbdir);
> +		if (retval)
> +			printerr(0, "ERROR: processing %s\n", pipefs_nfscbdir);
> +	}
> +
>  	return retval;
>  }
>  
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [PATCH 3/7] gssd: add support for callback authentication
  2009-04-30 21:24       ` J. Bruce Fields
@ 2009-05-06 21:22         ` Kevin Coffman
       [not found]           ` <4d569c330905061422t53d4a96as712678f2805c81ac-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 13+ messages in thread
From: Kevin Coffman @ 2009-05-06 21:22 UTC (permalink / raw)
  To: steved; +Cc: J. Bruce Fields, linux-nfs

On Thu, Apr 30, 2009 at 5:24 PM, J. Bruce Fields <bfields@fieldses.org> wrote:
> On Wed, Apr 29, 2009 at 05:56:26PM -0400, Kevin Coffman wrote:
>> From: Olga Kornievskaia <aglo@citi.umich.edu>
>>
>> Add support for handling upcalls on the new "nfsd4_cb" directory pipes.
>> Only new kernels (2.6.29) have support for this new pipe directory.
>> (The need for this new pipe directory will go away with NFSv4.1 where
>> the callback can be done on the same connection as the fore-channel.)
>
> My only complaint is that the code would be robust (and more
> future-proof) if instead of specifically looking for "nfs" and
> "nfsd4_cb", we just look at all top-level rpc_pipefs directories and
> handed directories under any of them in the same way.
>
> --b.

In our offline discussion, Bruce convinced me that we should just
treat all the directories under the rpc_pipefs directory as equal, and
process any clnt directories that show up within them.  (This
currently includes, "lockd  mount  nfs  nfsd4_cb  portmap  statd".)
Any new directories appearing in the future will automatically get the
same treatment.

Steve, I don't know what you might have already done with these
patches.  Would you prefer a replacement for this patch, or patch on
top of this?

K.C.


* Re: [PATCH 3/7] gssd: add support for callback authentication
       [not found]           ` <4d569c330905061422t53d4a96as712678f2805c81ac-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2009-05-18 15:18             ` Steve Dickson
       [not found]               ` <4A117C61.9000504-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 13+ messages in thread
From: Steve Dickson @ 2009-05-18 15:18 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: J. Bruce Fields, linux-nfs

Since I'm just getting around to this now... just
replace this patch please....

tia,

steved

Kevin Coffman wrote:
> On Thu, Apr 30, 2009 at 5:24 PM, J. Bruce Fields <bfields@fieldses.org> wrote:
>> On Wed, Apr 29, 2009 at 05:56:26PM -0400, Kevin Coffman wrote:
>>> From: Olga Kornievskaia <aglo@citi.umich.edu>
>>>
>>> Add support for handling upcalls on the new "nfsd4_cb" directory pipes.
>>> Only new kernels (2.6.29) have support for this new pipe directory.
>>> (The need for this new pipe directory will go away with NFSv4.1 where
>>> the callback can be done on the same connection as the fore-channel.)
>> My only complaint is that the code would be robust (and more
>> future-proof) if instead of specifically looking for "nfs" and
>> "nfsd4_cb", we just look at all top-level rpc_pipefs directories and
>> handed directories under any of them in the same way.
>>
>> --b.
> 
> In our offline discussion, Bruce convinced me that we should just
> treat all the directories under the rpc_pipefs directory as equal, and
> process any clnt directories that show up within them.  (This
> currently includes, "lockd  mount  nfs  nfsd4_cb  portmap  statd".)
> Any new directories appearing in the future will automatically get the
> same treatment.
> 
> Steve, I don't know what you might have already done with these
> patches.  Would you prefer a replacement for this patch, or patch on
> top of this?
> 
> K.C.


* Re: [PATCH 3/7] gssd: add support for callback authentication
       [not found]               ` <4A117C61.9000504-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
@ 2009-05-18 15:40                 ` Kevin Coffman
  0 siblings, 0 replies; 13+ messages in thread
From: Kevin Coffman @ 2009-05-18 15:40 UTC (permalink / raw)
  To: Steve Dickson; +Cc: J. Bruce Fields, linux-nfs

OK.  I'll squash this in and re-submit the series on Wednesday.

On Mon, May 18, 2009 at 11:18 AM, Steve Dickson <SteveD@redhat.com> wrote:
> Since I'm just getting around to this now... just
> replace this patch please....
>
> tia,
>
> steved
>
> Kevin Coffman wrote:
>> On Thu, Apr 30, 2009 at 5:24 PM, J. Bruce Fields <bfields@fieldses.org> wrote:
>>> On Wed, Apr 29, 2009 at 05:56:26PM -0400, Kevin Coffman wrote:
>>>> From: Olga Kornievskaia <aglo@citi.umich.edu>
>>>>
>>>> Add support for handling upcalls on the new "nfsd4_cb" directory pipes.
>>>> Only new kernels (2.6.29) have support for this new pipe directory.
>>>> (The need for this new pipe directory will go away with NFSv4.1 where
>>>> the callback can be done on the same connection as the fore-channel.)
>>> My only complaint is that the code would be robust (and more
>>> future-proof) if instead of specifically looking for "nfs" and
>>> "nfsd4_cb", we just look at all top-level rpc_pipefs directories and
>>> handled directories under any of them in the same way.
>>>
>>> --b.
>>
>> In our offline discussion, Bruce convinced me that we should just
>> treat all the directories under the rpc_pipefs directory as equal, and
>> process any clnt directories that show up within them.  (This
>> currently includes, "lockd  mount  nfs  nfsd4_cb  portmap  statd".)
>> Any new directories appearing in the future will automatically get the
>> same treatment.
>>
>> Steve, I don't know what you might have already done with these
>> patches.  Would you prefer a replacement for this patch, or patch on
>> top of this?
>>
>> K.C.
>
>

