cifs-utils/allow-dns-resolver-key-to-expire.patch

From paulo@paulo.ac Wed Feb 13 18:09:41 2019
Return-path: <linux-cifs-owner@vger.kernel.org>
Received: from prv1-mx.provo.novell.com (novprvlin0515.provo.novell.com [130.57.1.105])
	by prv-mh.provo.novell.com with ESMTP (NOT encrypted); Wed, 13 Feb 2019 11:09:56 -0700
Received: from vger.kernel.org (209.132.180.67) by prv1-mx.provo.novell.com (130.57.1.11) GWAVA SMTP; Wed, 13 Feb 2019 11:09:57 -0700
X-Spam_ID: str=0001.0A020211.5C645D75.005D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-GWAVADAT: <keymat><rkey>zFPcY7v2brlPt6Q2</rkey><gkey>e5327cab1501d80247f45f4235d8ab62d9cebc212966054348ffdffbdcecc4b3</gkey><objectid>17boib3.17boib3.v6</objectid></keymat>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729522AbfBMSJ4 (ORCPT <rfc822;dmulder@suse.com> + 3 others);
        Wed, 13 Feb 2019 13:09:56 -0500
Received: from mail.paulo.ac ([18.228.144.36]:36484 "EHLO mail.paulo.ac"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727937AbfBMSJz (ORCPT <rfc822;linux-cifs@vger.kernel.org>);
        Wed, 13 Feb 2019 13:09:55 -0500
Received: from localhost (localhost [127.0.0.1])
        by mail.paulo.ac (Postfix) with ESMTP id 908B04823B16;
        Wed, 13 Feb 2019 18:09:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;
        t=1550081392; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;
        h=From:To:Cc:Subject:Date;
        b=T/4Gj7VIMqZKmdsNgp0GA1d/4g7rZD8wHngdPprFv5GJ3kwcM0HAiFs9IY7sqln2m
         +zAQ9B5qbEoeJif9o/LeR7ED+kqAZyn+uGitgiE7DcMJ5wzvGIDZyl/KAGQn/35Auf
         BNdDIwgVMyv0Iba6DiPlLSIXP9QBxBlXHGDD90fE=
Received: from mail.paulo.ac ([127.0.0.1])
        by localhost (ip-172-31-5-70.sa-east-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id ztemnOMlOHdf; Wed, 13 Feb 2019 18:09:51 +0000 (UTC)
Received: from localhost.localdomain (unknown [186.215.53.127])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.paulo.ac (Postfix) with ESMTPSA id CAFF84822E3F;
        Wed, 13 Feb 2019 18:09:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;
        t=1550081391; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;
        h=From:To:Cc:Subject:Date;
        b=iyVAaOItT0Qa5SuPc9LRAoN1qb8VHw5hZNzhOF6NOB178UgZYt2Tt9pzR9/0UbhUF
         GeJP0gK64HWvGmbDz8zRhrVgnZpGgAXfaPa20AuGm3WlrtZpb3Z2s/krSAI2I1tQfx
         82wY8IeZOD9F+709ZZlwlkGHMWiDLaiRH7xTJWIU=
From: Paulo Alcantara <paulo@paulo.ac>
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, aaptel@suse.com, piastryyy@gmail.com,
        Paulo Alcantara <paulo@paulo.ac>,
        Paulo Alcantara <palcantara@suse.de>
Subject: [PATCH] cifs: Allow DNS resolver key to expire
Date: Wed, 13 Feb 2019 16:09:41 -0200
Message-Id: <20190213180941.2587-1-paulo@paulo.ac>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org

This patch introduces a new '--expire' option that allows the user to
set a timeout value for the dns resolver key -- which is typically
useful for hostnames that may get their ip addresses changed under
long running mounts.

The default timeout value is set to 10 minutes.

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
---
 cifs.upcall.c      | 88 +++++++++++++++++++++++++++++++++-------------
 cifs.upcall.rst.in |  5 ++-
 2 files changed, 67 insertions(+), 26 deletions(-)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 89563fd42adc..c92ee62f6764 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -63,6 +63,8 @@
 static krb5_context	context;
 static const char	*prog = "cifs.upcall";
 
+#define DNS_RESOLVER_DEFAULT_TIMEOUT 600 /* 10 minutes */
+
 typedef enum _sectype {
 	NONE = 0,
 	KRB5,
@@ -749,19 +751,48 @@ decode_key_description(const char *desc, struct decoded_args *arg)
 	return retval;
 }
 
-static int cifs_resolver(const key_serial_t key, const char *key_descr)
+static int setup_key(const key_serial_t key, const void *data, size_t datalen)
+{
+	int rc;
+
+	rc = keyctl_instantiate(key, data, datalen, 0);
+	if (rc) {
+		switch (errno) {
+		case ENOMEM:
+		case EDQUOT:
+			rc = keyctl_clear(key);
+			if (rc) {
+				syslog(LOG_ERR, "%s: keyctl_clear: %s",
+				       __func__, strerror(errno));
+				return rc;
+			}
+			rc = keyctl_instantiate(key, data, datalen, 0);
+			break;
+		default:
+			;
+		}
+	}
+	if (rc) {
+		syslog(LOG_ERR, "%s: keyctl_instantiate: %s",
+		       __func__, strerror(errno));
+	}
+	return rc;
+}
+
+static int cifs_resolver(const key_serial_t key, const char *key_descr,
+			 const char *key_buf, unsigned expire_time)
 {
 	int c;
 	struct addrinfo *addr;
 	char ip[INET6_ADDRSTRLEN];
 	void *p;
-	const char *keyend = key_descr;
+	const char *keyend = key_buf;
 	/* skip next 4 ';' delimiters to get to description */
 	for (c = 1; c <= 4; c++) {
 		keyend = index(keyend + 1, ';');
 		if (!keyend) {
 			syslog(LOG_ERR, "invalid key description: %s",
-			       key_descr);
+			       key_buf);
 			return 1;
 		}
 	}
@@ -787,15 +818,21 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr)
 		return 1;
 	}
 
-	/* setup key */
-	c = keyctl_instantiate(key, ip, strlen(ip) + 1, 0);
-	if (c == -1) {
-		syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__,
-		       strerror(errno));
-		freeaddrinfo(addr);
-		return 1;
-	}
+	/* needed for keyctl_set_timeout() */
+	request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING);
 
+	c = setup_key(key, ip, strlen(ip) + 1);
+	if (c) {
+		freeaddrinfo(addr);
+		return 1;
+	}
+	c = keyctl_set_timeout(key, expire_time);
+	if (c) {
+		syslog(LOG_ERR, "%s: keyctl_set_timeout: %s", __func__,
+		       strerror(errno));
+		freeaddrinfo(addr);
+		return 1;
+	}
 	freeaddrinfo(addr);
 	return 0;
 }
@@ -864,7 +901,7 @@ lowercase_string(char *c)
 
 static void usage(void)
 {
-	fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] key_serial\n", prog);
+	fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
 }
 
 static const struct option long_options[] = {
@@ -874,6 +911,7 @@ static const struct option long_options[] = {
 	{"trust-dns", 0, NULL, 't'},
 	{"keytab", 1, NULL, 'K'},
 	{"version", 0, NULL, 'v'},
+	{"expire", 1, NULL, 'e'},
 	{NULL, 0, NULL, 0}
 };
 
@@ -897,13 +935,15 @@ int main(const int argc, char *const argv[])
 	char *env_cachename = NULL;
 	krb5_ccache ccache = NULL;
 	struct passwd *pw;
+	unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT;
+	const char *key_descr = NULL;
 
 	hostbuf[0] = '\0';
 	memset(&arg, 0, sizeof(arg));
 
 	openlog(prog, 0, LOG_DAEMON);
 
-	while ((c = getopt_long(argc, argv, "cEk:K:ltv", long_options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) {
 		switch (c) {
 		case 'c':
 			/* legacy option -- skip it */
@@ -931,6 +971,9 @@ int main(const int argc, char *const argv[])
 			rc = 0;
 			printf("version: %s\n", VERSION);
 			goto out;
+		case 'e':
+			expire_time = strtoul(optarg, NULL, 10);
+			break;
 		default:
 			syslog(LOG_ERR, "unknown option: %c", c);
 			goto out;
@@ -965,9 +1008,12 @@ int main(const int argc, char *const argv[])
 
 	syslog(LOG_DEBUG, "key description: %s", buf);
 
-	if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) ||
-	    (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)) {
-		rc = cifs_resolver(key, buf);
+	if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0)
+		key_descr = ".cifs.resolver";
+	else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)
+		key_descr = ".dns_resolver";
+	if (key_descr) {
+		rc = cifs_resolver(key, key_descr, buf, expire_time);
 		goto out;
 	}
 
@@ -1193,16 +1239,8 @@ retry_new_hostname:
 	memcpy(&(keydata->data) + keydata->sesskey_len,
 	       secblob.data, secblob.length);
 
-	/* setup key */
-	rc = keyctl_instantiate(key, keydata, datalen, 0);
-	if (rc == -1) {
-		syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno));
-		goto out;
-	}
+	rc = setup_key(key, keydata, datalen);
 
-	/* BB: maybe we need use timeout for key: for example no more then
-	 * ticket lifietime? */
-	/* keyctl_set_timeout( key, 60); */
 out:
 	/*
 	 * on error, negatively instantiate the key ourselves so that we can
diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
index 1b8df3f31d94..08ce324fc5f6 100644
--- a/cifs.upcall.rst.in
+++ b/cifs.upcall.rst.in
@@ -13,7 +13,7 @@ SYNOPSIS
 
   cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
               [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
-              [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
+              [--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid}
 
 ***********
 DESCRIPTION
@@ -85,6 +85,9 @@ OPTIONS
   user. Set this option if you want cifs.upcall to use the older uid=
   parameter instead of the creduid= parameter.
 
+--expire|-e
+  Override default timeout value (600 seconds) for ``dns_resolver`` key.
+
 --version|-v
   Print version number and exit.
 
-- 
2.20.1
Accepting request 676042 from home:aaptel:cifs-utils-6.8 - Allow cached DNS entry to expire * add allow-dns-resolver-key-to-expire.patch OBS-URL: https://build.opensuse.org/request/show/676042 OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/cifs-utils?expand=0&rev=160 2019-02-14 14:47:38 +01:00			`From paulo@paulo.ac Wed Feb 13 18:09:41 2019`
			`Return-path: <linux-cifs-owner@vger.kernel.org>`
			`Received: from prv1-mx.provo.novell.com (novprvlin0515.provo.novell.com [130.57.1.105])`
			`by prv-mh.provo.novell.com with ESMTP (NOT encrypted); Wed, 13 Feb 2019 11:09:56 -0700`
			`Received: from vger.kernel.org (209.132.180.67) by prv1-mx.provo.novell.com (130.57.1.11) GWAVA SMTP; Wed, 13 Feb 2019 11:09:57 -0700`
			`X-Spam_ID: str=0001.0A020211.5C645D75.005D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0`
			`X-GWAVADAT: <keymat><rkey>zFPcY7v2brlPt6Q2</rkey><gkey>e5327cab1501d80247f45f4235d8ab62d9cebc212966054348ffdffbdcecc4b3</gkey><objectid>17boib3.17boib3.v6</objectid></keymat>`
			`Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand`
			`id S1729522AbfBMSJ4 (ORCPT <rfc822;dmulder@suse.com> + 3 others);`
			`Wed, 13 Feb 2019 13:09:56 -0500`
			`Received: from mail.paulo.ac ([18.228.144.36]:36484 "EHLO mail.paulo.ac"`
			`rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP`
			`id S1727937AbfBMSJz (ORCPT <rfc822;linux-cifs@vger.kernel.org>);`
			`Wed, 13 Feb 2019 13:09:55 -0500`
			`Received: from localhost (localhost [127.0.0.1])`
			`by mail.paulo.ac (Postfix) with ESMTP id 908B04823B16;`
			`Wed, 13 Feb 2019 18:09:52 +0000 (UTC)`
			`DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;`
			`t=1550081392; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;`
			`h=From:To:Cc:Subject:Date;`
			`b=T/4Gj7VIMqZKmdsNgp0GA1d/4g7rZD8wHngdPprFv5GJ3kwcM0HAiFs9IY7sqln2m`
			`+zAQ9B5qbEoeJif9o/LeR7ED+kqAZyn+uGitgiE7DcMJ5wzvGIDZyl/KAGQn/35Auf`
			`BNdDIwgVMyv0Iba6DiPlLSIXP9QBxBlXHGDD90fE=`
			`Received: from mail.paulo.ac ([127.0.0.1])`
			`by localhost (ip-172-31-5-70.sa-east-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)`
			`with ESMTP id ztemnOMlOHdf; Wed, 13 Feb 2019 18:09:51 +0000 (UTC)`
			`Received: from localhost.localdomain (unknown [186.215.53.127])`
			`(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))`
			`(No client certificate requested)`
			`by mail.paulo.ac (Postfix) with ESMTPSA id CAFF84822E3F;`
			`Wed, 13 Feb 2019 18:09:50 +0000 (UTC)`
			`DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;`
			`t=1550081391; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;`
			`h=From:To:Cc:Subject:Date;`
			`b=iyVAaOItT0Qa5SuPc9LRAoN1qb8VHw5hZNzhOF6NOB178UgZYt2Tt9pzR9/0UbhUF`
			`GeJP0gK64HWvGmbDz8zRhrVgnZpGgAXfaPa20AuGm3WlrtZpb3Z2s/krSAI2I1tQfx`
			`82wY8IeZOD9F+709ZZlwlkGHMWiDLaiRH7xTJWIU=`
			`From: Paulo Alcantara <paulo@paulo.ac>`
			`To: linux-cifs@vger.kernel.org`
			`Cc: smfrench@gmail.com, aaptel@suse.com, piastryyy@gmail.com,`
			`Paulo Alcantara <paulo@paulo.ac>,`
			`Paulo Alcantara <palcantara@suse.de>`
			`Subject: [PATCH] cifs: Allow DNS resolver key to expire`
			`Date: Wed, 13 Feb 2019 16:09:41 -0200`
			`Message-Id: <20190213180941.2587-1-paulo@paulo.ac>`
			`X-Mailer: git-send-email 2.20.1`
			`MIME-Version: 1.0`
			`Content-Transfer-Encoding: 8bit`
			`Sender: linux-cifs-owner@vger.kernel.org`
			`Precedence: bulk`
			`List-ID: <linux-cifs.vger.kernel.org>`
			`X-Mailing-List: linux-cifs@vger.kernel.org`

			`This patch introduces a new '--expire' option that allows the user to`
			`set a timeout value for the dns resolver key -- which is typically`
			`useful for hostnames that may get their ip addresses changed under`
			`long running mounts.`

			`The default timeout value is set to 10 minutes.`

			`Signed-off-by: Paulo Alcantara <palcantara@suse.de>`
			`---`
			`cifs.upcall.c \| 88 +++++++++++++++++++++++++++++++++-------------`
			`cifs.upcall.rst.in \| 5 ++-`
			`2 files changed, 67 insertions(+), 26 deletions(-)`

			`diff --git a/cifs.upcall.c b/cifs.upcall.c`
			`index 89563fd42adc..c92ee62f6764 100644`
			`--- a/cifs.upcall.c`
			`+++ b/cifs.upcall.c`
			`@@ -63,6 +63,8 @@`
			`static krb5_context context;`
			`static const char *prog = "cifs.upcall";`

			`+#define DNS_RESOLVER_DEFAULT_TIMEOUT 600 /* 10 minutes */`
			`+`
			`typedef enum _sectype {`
			`NONE = 0,`
			`KRB5,`
			`@@ -749,19 +751,48 @@ decode_key_description(const char desc, struct decoded_args arg)`
			`return retval;`
			`}`

			`-static int cifs_resolver(const key_serial_t key, const char *key_descr)`
			`+static int setup_key(const key_serial_t key, const void *data, size_t datalen)`
			`+{`
			`+ int rc;`
			`+`
			`+ rc = keyctl_instantiate(key, data, datalen, 0);`
			`+ if (rc) {`
			`+ switch (errno) {`
			`+ case ENOMEM:`
			`+ case EDQUOT:`
			`+ rc = keyctl_clear(key);`
			`+ if (rc) {`
			`+ syslog(LOG_ERR, "%s: keyctl_clear: %s",`
			`+ __func__, strerror(errno));`
			`+ return rc;`
			`+ }`
			`+ rc = keyctl_instantiate(key, data, datalen, 0);`
			`+ break;`
			`+ default:`
			`+ ;`
			`+ }`
			`+ }`
			`+ if (rc) {`
			`+ syslog(LOG_ERR, "%s: keyctl_instantiate: %s",`
			`+ __func__, strerror(errno));`
			`+ }`
			`+ return rc;`
			`+}`
			`+`
			`+static int cifs_resolver(const key_serial_t key, const char *key_descr,`
			`+ const char *key_buf, unsigned expire_time)`
			`{`
			`int c;`
			`struct addrinfo *addr;`
			`char ip[INET6_ADDRSTRLEN];`
			`void *p;`
			`- const char *keyend = key_descr;`
			`+ const char *keyend = key_buf;`
			`/* skip next 4 ';' delimiters to get to description */`
			`for (c = 1; c <= 4; c++) {`
			`keyend = index(keyend + 1, ';');`
			`if (!keyend) {`
			`syslog(LOG_ERR, "invalid key description: %s",`
			`- key_descr);`
			`+ key_buf);`
			`return 1;`
			`}`
			`}`
			`@@ -787,15 +818,21 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr)`
			`return 1;`
			`}`

			`- /* setup key */`
			`- c = keyctl_instantiate(key, ip, strlen(ip) + 1, 0);`
			`- if (c == -1) {`
			`- syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__,`
			`- strerror(errno));`
			`- freeaddrinfo(addr);`
			`- return 1;`
			`- }`
			`+ /* needed for keyctl_set_timeout() */`
			`+ request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING);`

			`+ c = setup_key(key, ip, strlen(ip) + 1);`
			`+ if (c) {`
			`+ freeaddrinfo(addr);`
			`+ return 1;`
			`+ }`
			`+ c = keyctl_set_timeout(key, expire_time);`
			`+ if (c) {`
			`+ syslog(LOG_ERR, "%s: keyctl_set_timeout: %s", __func__,`
			`+ strerror(errno));`
			`+ freeaddrinfo(addr);`
			`+ return 1;`
			`+ }`
			`freeaddrinfo(addr);`
			`return 0;`
			`}`
			`@@ -864,7 +901,7 @@ lowercase_string(char *c)`

			`static void usage(void)`
			`{`
			`- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] key_serial\n", prog);`
			`+ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);`
			`}`

			`static const struct option long_options[] = {`
			`@@ -874,6 +911,7 @@ static const struct option long_options[] = {`
			`{"trust-dns", 0, NULL, 't'},`
			`{"keytab", 1, NULL, 'K'},`
			`{"version", 0, NULL, 'v'},`
			`+ {"expire", 1, NULL, 'e'},`
			`{NULL, 0, NULL, 0}`
			`};`

			`@@ -897,13 +935,15 @@ int main(const int argc, char *const argv[])`
			`char *env_cachename = NULL;`
			`krb5_ccache ccache = NULL;`
			`struct passwd *pw;`
			`+ unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT;`
			`+ const char *key_descr = NULL;`

			`hostbuf[0] = '\0';`
			`memset(&arg, 0, sizeof(arg));`

			`openlog(prog, 0, LOG_DAEMON);`

			`- while ((c = getopt_long(argc, argv, "cEk:K:ltv", long_options, NULL)) != -1) {`
			`+ while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) {`
			`switch (c) {`
			`case 'c':`
			`/* legacy option -- skip it */`
			`@@ -931,6 +971,9 @@ int main(const int argc, char *const argv[])`
			`rc = 0;`
			`printf("version: %s\n", VERSION);`
			`goto out;`
			`+ case 'e':`
			`+ expire_time = strtoul(optarg, NULL, 10);`
			`+ break;`
			`default:`
			`syslog(LOG_ERR, "unknown option: %c", c);`
			`goto out;`
			`@@ -965,9 +1008,12 @@ int main(const int argc, char *const argv[])`

			`syslog(LOG_DEBUG, "key description: %s", buf);`

			`- if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) \|\|`
			`- (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)) {`
			`- rc = cifs_resolver(key, buf);`
			`+ if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0)`
			`+ key_descr = ".cifs.resolver";`
			`+ else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)`
			`+ key_descr = ".dns_resolver";`
			`+ if (key_descr) {`
			`+ rc = cifs_resolver(key, key_descr, buf, expire_time);`
			`goto out;`
			`}`

			`@@ -1193,16 +1239,8 @@ retry_new_hostname:`
			`memcpy(&(keydata->data) + keydata->sesskey_len,`
			`secblob.data, secblob.length);`

			`- /* setup key */`
			`- rc = keyctl_instantiate(key, keydata, datalen, 0);`
			`- if (rc == -1) {`
			`- syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno));`
			`- goto out;`
			`- }`
			`+ rc = setup_key(key, keydata, datalen);`

			`- /* BB: maybe we need use timeout for key: for example no more then`
			`- * ticket lifietime? */`
			`- /* keyctl_set_timeout( key, 60); */`
			`out:`
			`/*`
			`* on error, negatively instantiate the key ourselves so that we can`
			`diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in`
			`index 1b8df3f31d94..08ce324fc5f6 100644`
			`--- a/cifs.upcall.rst.in`
			`+++ b/cifs.upcall.rst.in`
			`@@ -13,7 +13,7 @@ SYNOPSIS`

			`cifs.upcall [--trust-dns\|-t] [--version\|-v] [--legacy-uid\|-l]`
			`[--krb5conf=/path/to/krb5.conf\|-k /path/to/krb5.conf]`
			`- [--keytab=/path/to/keytab\|-K /path/to/keytab] {keyid}`
			`+ [--keytab=/path/to/keytab\|-K /path/to/keytab] [--expire\|-e nsecs] {keyid}`

			`***********`
			`DESCRIPTION`
			`@@ -85,6 +85,9 @@ OPTIONS`
			`user. Set this option if you want cifs.upcall to use the older uid=`
			`parameter instead of the creduid= parameter.`

			`+--expire\|-e`
			+ Override default timeout value (600 seconds) for ``dns_resolver`` key.
			`+`
			`--version\|-v`
			`Print version number and exit.`

			`--`
			`2.20.1`