* [nfs-utils PATCH] gssd: force getting tgt if ticket cache was removed
@ 2019-12-12 16:00 Olga Kornievskaia
2019-12-18 14:33 ` Steve Dickson
From: Olga Kornievskaia @ 2019-12-12 16:00 UTC (permalink / raw)
To: steved; +Cc: linux-nfs
From: Olga Kornievskaia <kolga@netapp.com>
If the ticket cache was removed manually but gssd thinks it has valid
credentials, it will fail mount creation because it can't get a service
ticket (due to the lack of a tgt).
Check whether the file-based ticket cache is missing and, if so, set "nocache"
to 1, forcing the client to get a new tgt.
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
---
utils/gssd/krb5_util.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 0474783..bff759f 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -121,6 +121,9 @@
#include <krb5.h>
#include <rpc/auth_gss.h>
+#include <sys/types.h>
+#include <fcntl.h>
+
#include "nfslib.h"
#include "gssd.h"
#include "err_util.h"
@@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
return err;
}
+/* check if the ticket cache exists, if not set nocache=1 so that new
+ * tgt is gotten
+ */
+static int
+gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
+{
+ int fd;
+ char cc_name[BUFSIZ];
+
+ snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
+ ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
+ GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
+ fd = open(cc_name, O_RDONLY);
+ if (fd < 0)
+ return 1;
+ close(fd);
+ return 0;
+}
+
/*
* Obtain credentials via a key in the keytab given
* a keytab handle and a gssd_k5_kt_princ structure.
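Review bot: In gssd_check_if_cc_exists every open() failure is reported as "cache missing", so EACCES, EMFILE or any transient error would also force a new TGT, although only ENOENT means the file is gone. The snprintf() result is not checked either, so a truncated cc_name would test a path other than the one intended. Since only existence matters, a metadata check avoids opening the file at all (open(O_RDONLY) can also block on a non-regular file if the cache directory is writable by other users, which is not visible from this hunk): `struct stat st; if (stat(cc_name, &st) < 0) return errno == ENOENT;` followed by `return 0;`, assuming `<sys/stat.h>` and `<errno.h>` are included. The header comment should state that the function returns 1 when the cache file is absent, because it is the caller, not this function, that sets nocache.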
@@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context,
memset(&my_creds, 0, sizeof(my_creds));
+ if (!nocache && !use_memcache)
+ nocache = gssd_check_if_cc_exists(ple);
/*
* Workaround for clock skew among NFS server, NFS client and KDC
* 300 because clock skew must be within 300sec for kerberos
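Review bot: The override of `nocache` in gssd_get_single_krb5_cred is silent, so nothing in the gssd log explains why a new TGT was requested after the cache file disappeared, which is the event an operator investigating a removed credential cache would want to see. Consider logging it right after the assignment, e.g. `if (nocache) printerr(2, "%s: ticket cache for realm %s not found, forcing new tgt\n", __func__, ple->realm);`. The existence check and the later use of the cache are separate steps, so the result is advisory only; a one-line comment saying so would help the next reader. The function body starts and ends outside this hunk.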
--
1.8.3.1
* Re: [nfs-utils PATCH] gssd: force getting tgt if ticket cache was removed
2019-12-12 16:00 [nfs-utils PATCH] gssd: force getting tgt if ticket cache was removed Olga Kornievskaia
@ 2019-12-18 14:33 ` Steve Dickson
From: Steve Dickson @ 2019-12-18 14:33 UTC (permalink / raw)
To: Olga Kornievskaia; +Cc: linux-nfs
On 12/12/19 11:00 AM, Olga Kornievskaia wrote:
> From: Olga Kornievskaia <kolga@netapp.com>
>
> If ticket cache was removed manually, but gssd thinks it has a valid
> credentials it will fail mount creation as it can't get a service
> ticket (due to lack of the tgt).
>
> Check if file-based ticket cache is not there and set the "nocache"
> to 1 forcing the client to get a new tgt.
>
> Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Committed... (tag: nfs-utils-2-4-3-rc3)
steved.
> ---
> utils/gssd/krb5_util.c | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 0474783..bff759f 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -121,6 +121,9 @@
> #include <krb5.h>
> #include <rpc/auth_gss.h>
>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +
> #include "nfslib.h"
> #include "gssd.h"
> #include "err_util.h"
> @@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
> return err;
> }
>
> +/* check if the ticket cache exists, if not set nocache=1 so that new
> + * tgt is gotten
> + */
> +static int
> +gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
> +{
> + int fd;
> + char cc_name[BUFSIZ];
> +
> + snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
> + ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
> + GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
> + fd = open(cc_name, O_RDONLY);
> + if (fd < 0)
> + return 1;
> + close(fd);
> + return 0;
> +}
> +
> /*
> * Obtain credentials via a key in the keytab given
> * a keytab handle and a gssd_k5_kt_princ structure.
> @@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context,
>
> memset(&my_creds, 0, sizeof(my_creds));
>
> + if (!nocache && !use_memcache)
> + nocache = gssd_check_if_cc_exists(ple);
> /*
> * Workaround for clock skew among NFS server, NFS client and KDC
> * 300 because clock skew must be within 300sec for kerberos
>