diff --git a/allow-dns-resolver-key-to-expire.patch b/allow-dns-resolver-key-to-expire.patch
new file mode 100644
index 0000000..1f4b00b
--- /dev/null
+++ b/allow-dns-resolver-key-to-expire.patch
@@ -0,0 +1,268 @@
+From paulo@paulo.ac Wed Feb 13 18:09:41 2019
+Return-path:
+Received: from prv1-mx.provo.novell.com (novprvlin0515.provo.novell.com [130.57.1.105])
+ by prv-mh.provo.novell.com with ESMTP (NOT encrypted); Wed, 13 Feb 2019 11:09:56 -0700
+Received: from vger.kernel.org (209.132.180.67) by prv1-mx.provo.novell.com (130.57.1.11) GWAVA SMTP; Wed, 13 Feb 2019 11:09:57 -0700
+X-Spam_ID: str=0001.0A020211.5C645D75.005D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
+X-GWAVADAT: zFPcY7v2brlPt6Q2e5327cab1501d80247f45f4235d8ab62d9cebc212966054348ffdffbdcecc4b317boib3.17boib3.v6
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1729522AbfBMSJ4 (ORCPT + 3 others);
+ Wed, 13 Feb 2019 13:09:56 -0500
+Received: from mail.paulo.ac ([18.228.144.36]:36484 "EHLO mail.paulo.ac"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1727937AbfBMSJz (ORCPT );
+ Wed, 13 Feb 2019 13:09:55 -0500
+Received: from localhost (localhost [127.0.0.1])
+ by mail.paulo.ac (Postfix) with ESMTP id 908B04823B16;
+ Wed, 13 Feb 2019 18:09:52 +0000 (UTC)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;
+ t=1550081392; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;
+ h=From:To:Cc:Subject:Date;
+ b=T/4Gj7VIMqZKmdsNgp0GA1d/4g7rZD8wHngdPprFv5GJ3kwcM0HAiFs9IY7sqln2m
+ +zAQ9B5qbEoeJif9o/LeR7ED+kqAZyn+uGitgiE7DcMJ5wzvGIDZyl/KAGQn/35Auf
+ BNdDIwgVMyv0Iba6DiPlLSIXP9QBxBlXHGDD90fE=
+Received: from mail.paulo.ac ([127.0.0.1])
+ by localhost (ip-172-31-5-70.sa-east-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id ztemnOMlOHdf; Wed, 13 Feb 2019 18:09:51 +0000 (UTC)
+Received: from localhost.localdomain (unknown [186.215.53.127])
+ (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+ (No client certificate requested)
+ by mail.paulo.ac (Postfix) with ESMTPSA id CAFF84822E3F;
+ Wed, 13 Feb 2019 18:09:50 +0000 (UTC)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;
+ t=1550081391; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;
+ h=From:To:Cc:Subject:Date;
+ b=iyVAaOItT0Qa5SuPc9LRAoN1qb8VHw5hZNzhOF6NOB178UgZYt2Tt9pzR9/0UbhUF
+ GeJP0gK64HWvGmbDz8zRhrVgnZpGgAXfaPa20AuGm3WlrtZpb3Z2s/krSAI2I1tQfx
+ 82wY8IeZOD9F+709ZZlwlkGHMWiDLaiRH7xTJWIU=
+From: Paulo Alcantara
+To: linux-cifs@vger.kernel.org
+Cc: smfrench@gmail.com, aaptel@suse.com, piastryyy@gmail.com,
+ Paulo Alcantara ,
+ Paulo Alcantara
+Subject: [PATCH] cifs: Allow DNS resolver key to expire
+Date: Wed, 13 Feb 2019 16:09:41 -0200
+Message-Id: <20190213180941.2587-1-paulo@paulo.ac>
+X-Mailer: git-send-email 2.20.1
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Sender: linux-cifs-owner@vger.kernel.org
+Precedence: bulk
+List-ID:
+X-Mailing-List: linux-cifs@vger.kernel.org
+
+This patch introduces a new '--expire' option that allows the user to
+set a timeout value for the dns resolver key -- which is typically
+useful for hostnames that may get their ip addresses changed under
+long running mounts.
+
+The default timeout value is set to 10 minutes.
+
+Signed-off-by: Paulo Alcantara
+---
+ cifs.upcall.c | 88 +++++++++++++++++++++++++++++++++-------------
+ cifs.upcall.rst.in | 5 ++-
+ 2 files changed, 67 insertions(+), 26 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 89563fd42adc..c92ee62f6764 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -63,6 +63,8 @@
+ static krb5_context context;
+ static const char *prog = "cifs.upcall";
+
++#define DNS_RESOLVER_DEFAULT_TIMEOUT 600 /* 10 minutes */
++
+ typedef enum _sectype {
+ NONE = 0,
+ KRB5,
+@@ -749,19 +751,48 @@ decode_key_description(const char *desc, struct decoded_args *arg)
+ return retval;
+ }
+
+-static int cifs_resolver(const key_serial_t key, const char *key_descr)
++static int setup_key(const key_serial_t key, const void *data, size_t datalen)
++{
++ int rc;
++
++ rc = keyctl_instantiate(key, data, datalen, 0);
++ if (rc) {
++ switch (errno) {
++ case ENOMEM:
++ case EDQUOT:
++ rc = keyctl_clear(key);
++ if (rc) {
++ syslog(LOG_ERR, "%s: keyctl_clear: %s",
++ __func__, strerror(errno));
++ return rc;
++ }
++ rc = keyctl_instantiate(key, data, datalen, 0);
++ break;
++ default:
++ ;
++ }
++ }
++ if (rc) {
++ syslog(LOG_ERR, "%s: keyctl_instantiate: %s",
++ __func__, strerror(errno));
++ }
++ return rc;
++}
++
++static int cifs_resolver(const key_serial_t key, const char *key_descr,
++ const char *key_buf, unsigned expire_time)
+ {
+ int c;
+ struct addrinfo *addr;
+ char ip[INET6_ADDRSTRLEN];
+ void *p;
+- const char *keyend = key_descr;
++ const char *keyend = key_buf;
+ /* skip next 4 ';' delimiters to get to description */
+ for (c = 1; c <= 4; c++) {
+ keyend = index(keyend + 1, ';');
+ if (!keyend) {
+ syslog(LOG_ERR, "invalid key description: %s",
+- key_descr);
++ key_buf);
+ return 1;
+ }
+ }
+@@ -787,15 +818,21 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr)
+ return 1;
+ }
+
+- /* setup key */
+- c = keyctl_instantiate(key, ip, strlen(ip) + 1, 0);
+- if (c == -1) {
+- syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__,
+- strerror(errno));
+- freeaddrinfo(addr);
+- return 1;
+- }
++ /* needed for keyctl_set_timeout() */
++ request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING);
+
++ c = setup_key(key, ip, strlen(ip) + 1);
++ if (c) {
++ freeaddrinfo(addr);
++ return 1;
++ }
++ c = keyctl_set_timeout(key, expire_time);
++ if (c) {
++ syslog(LOG_ERR, "%s: keyctl_set_timeout: %s", __func__,
++ strerror(errno));
++ freeaddrinfo(addr);
++ return 1;
++ }
+ freeaddrinfo(addr);
+ return 0;
+ }
+@@ -864,7 +901,7 @@ lowercase_string(char *c)
+
+ static void usage(void)
+ {
+- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] key_serial\n", prog);
++ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
+ }
+
+ static const struct option long_options[] = {
+@@ -874,6 +911,7 @@ static const struct option long_options[] = {
+ {"trust-dns", 0, NULL, 't'},
+ {"keytab", 1, NULL, 'K'},
+ {"version", 0, NULL, 'v'},
++ {"expire", 1, NULL, 'e'},
+ {NULL, 0, NULL, 0}
+ };
+
+@@ -897,13 +935,15 @@ int main(const int argc, char *const argv[])
+ char *env_cachename = NULL;
+ krb5_ccache ccache = NULL;
+ struct passwd *pw;
++ unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT;
++ const char *key_descr = NULL;
+
+ hostbuf[0] = '\0';
+ memset(&arg, 0, sizeof(arg));
+
+ openlog(prog, 0, LOG_DAEMON);
+
+- while ((c = getopt_long(argc, argv, "cEk:K:ltv", long_options, NULL)) != -1) {
++ while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) {
+ switch (c) {
+ case 'c':
+ /* legacy option -- skip it */
+@@ -931,6 +971,9 @@ int main(const int argc, char *const argv[])
+ rc = 0;
+ printf("version: %s\n", VERSION);
+ goto out;
++ case 'e':
++ expire_time = strtoul(optarg, NULL, 10);
++ break;
+ default:
+ syslog(LOG_ERR, "unknown option: %c", c);
+ goto out;
+@@ -965,9 +1008,12 @@ int main(const int argc, char *const argv[])
+
+ syslog(LOG_DEBUG, "key description: %s", buf);
+
+- if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) ||
+- (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)) {
+- rc = cifs_resolver(key, buf);
++ if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0)
++ key_descr = ".cifs.resolver";
++ else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)
++ key_descr = ".dns_resolver";
++ if (key_descr) {
++ rc = cifs_resolver(key, key_descr, buf, expire_time);
+ goto out;
+ }
+
+@@ -1193,16 +1239,8 @@ retry_new_hostname:
+ memcpy(&(keydata->data) + keydata->sesskey_len,
+ secblob.data, secblob.length);
+
+- /* setup key */
+- rc = keyctl_instantiate(key, keydata, datalen, 0);
+- if (rc == -1) {
+- syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno));
+- goto out;
+- }
++ rc = setup_key(key, keydata, datalen);
+
+- /* BB: maybe we need use timeout for key: for example no more then
+- * ticket lifietime? */
+- /* keyctl_set_timeout( key, 60); */
+ out:
+ /*
+ * on error, negatively instantiate the key ourselves so that we can
+diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
+index 1b8df3f31d94..08ce324fc5f6 100644
+--- a/cifs.upcall.rst.in
++++ b/cifs.upcall.rst.in
+@@ -13,7 +13,7 @@ SYNOPSIS
+
+ cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
+ [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
+- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
++ [--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid}
+
+ ***********
+ DESCRIPTION
+@@ -85,6 +85,9 @@ OPTIONS
+ user. Set this option if you want cifs.upcall to use the older uid=
+ parameter instead of the creduid= parameter.
+
++--expire|-e
++ Override default timeout value (600 seconds) for ``dns_resolver`` key.
++
+ --version|-v
+ Print version number and exit.
+
+--
+2.20.1
+
+
+
+
diff --git a/cifs-utils.changes b/cifs-utils.changes
index fc39475..4d88810 100644
--- a/cifs-utils.changes
+++ b/cifs-utils.changes
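Review bot: The new `case 'e':` in main() assigns `strtoul(optarg, NULL, 10)` with no validation, so a mistyped value such as `-e 10m` or `-e abc` silently becomes 0, and keyctl_set_timeout() with a timeout of 0 cancels the expiry instead of setting one — the opposite of what the option promises — while values above UINT_MAX are silently truncated into `unsigned expire_time`. Parse with an end pointer and errno, reject leftovers and out-of-range values, and leave through the existing `out:` label as the unknown-option case already does (`UINT_MAX` needs `<limits.h>` if the file does not already include it). The return value of the added `request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING)` in cifs_resolver() is also discarded; since the comment says the call is needed for keyctl_set_timeout(), a failure there is worth logging so a later set_timeout error can be traced. Both main() and cifs_resolver() continue outside the hunk.
```c
		case 'e': {
			char *end = NULL;
			unsigned long v;

			errno = 0;
			v = strtoul(optarg, &end, 10);
			/* reject empty input, trailing junk, overflow, or a value that does not fit unsigned */
			if (errno || end == optarg || *end != '\0' || v > UINT_MAX) {
				syslog(LOG_ERR, "invalid expire value: %s", optarg);
				goto out;
			}
			expire_time = (unsigned)v;
			break;
		}
		/* … unchanged: default case … */
```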
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Feb 14 11:27:09 UTC 2019 - aaptel@suse.com
+
+- Allow cached DNS entry to expire
+ * add allow-dns-resolver-key-to-expire.patch
+
+-------------------------------------------------------------------
+Tue Feb 12 17:34:00 UTC 2019 - aaptel@suse.com
+
+- Document new SMB2.1+ defaults
+ * be more verbose on mount errors, especially with EHOSTDOWN which
+ is often returned on SMB version issues.
+ * add suse-document-new-vers-default-SMB2.1.patch
+
+-------------------------------------------------------------------
+Mon Feb 11 08:33:10 UTC 2019 - dmulder@suse.com
+
+- Fix python dependency stalemate by requiring python3 version of
+ samba-libs.
+
 -------------------------------------------------------------------
 Mon Sep 10 12:29:37 UTC 2018 - aaptel@suse.com
diff --git a/cifs-utils.spec b/cifs-utils.spec
index 6a96d11..3fc9ef5 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package cifs-utils
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -42,6 +42,8 @@ Patch6: 0007-checkopts-report-duplicated-options-in-man-page.patch
 Patch7: 0008-mount.cifs.rst-more-cleanups.patch
 Patch8: 0009-mount.cifs.rst-document-vers-3-mount-option.patch
 Patch9: 0010-mount.cifs.rst-document-vers-3.02-mount-option.patch
+Patch10: suse-document-new-vers-default-SMB2.1.patch
+Patch11: allow-dns-resolver-key-to-expire.patch
 # cifs-utils 6.8 switched to python for man page generation
 # we need to require either py2 or py3 package
@@ -83,6 +85,7 @@ BuildRequires: fdupes
 BuildRequires: libwbclient-devel
 BuildRequires: pam-devel
 BuildRequires: pkg-config
+BuildRequires: samba-libs-python3
 Requires: keyutils
 %if ! %{defined _rundir}
 %define _rundir %{_localstatedir}/run
@@ -128,6 +131,8 @@ cp -a ${RPM_SOURCE_DIR}/README.cifstab.migration .
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %build
 export CFLAGS="%{optflags} -D_GNU_SOURCE -fpie"
diff --git a/suse-document-new-vers-default-SMB2.1.patch b/suse-document-new-vers-default-SMB2.1.patch
new file mode 100644
index 0000000..51ed1b0
--- /dev/null
+++ b/suse-document-new-vers-default-SMB2.1.patch
@@ -0,0 +1,37 @@
+Index: cifs-utils-6.8/mount.cifs.c
+===================================================================
+--- cifs-utils-6.8.orig/mount.cifs.c
++++ cifs-utils-6.8/mount.cifs.c
+@@ -2099,6 +2099,10 @@ mount_retry:
+ switch (errno) {
+ case ECONNREFUSED:
+ case EHOSTUNREACH:
++ if (currentaddress) {
++ fprintf(stderr, "mount error(%d): could not connect to %s",
++ errno, currentaddress);
++ }
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ nextaddress = strchr(currentaddress, ',');
+@@ -2110,6 +2114,12 @@ mount_retry:
+ fprintf(stderr,
+ "mount error: %s filesystem not supported by the system\n", cifs_fstype);
+ break;
++ case EHOSTDOWN:
++ fprintf(stderr,
++ "mount error: Server abruptly closed the connection.\n"
++ "This can happen if the server does not support the SMB version you are trying to use.\n"
++ "The default SMB version recently changed from SMB1 to SMB2.1 and above. Try mounting with vers=1.0.\n");
++ break;
+ case ENXIO:
+ if (!already_uppercased &&
+ uppercase_string(parsed_info->host) &&
+@@ -2126,7 +2136,7 @@ mount_retry:
+ strerror(errno));
+ fprintf(stderr,
+ "Refer to the %s(8) manual page (e.g. man "
+- "%s)\n", thisprogram, thisprogram);
++ "%s) and kernel log messages (dmesg)\n", thisprogram, thisprogram);
+ rc = EX_FAIL;
+ goto mount_exit;
+ }
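Review bot: The new message `"mount error(%d): could not connect to %s"` in the ECONNREFUSED/EHOSTUNREACH case of the nested mount.cifs.c hunk has no trailing newline, so whatever is written to stderr next (the EHOSTDOWN text, the final strerror line, or the user's shell prompt) is glued onto the same line; change it to `"mount error(%d): could not connect to %s\n"`. This line also appears to be printed for every address that fails even when a later address in the comma-separated list is then tried, so labelling it "mount error" may alarm users of a multi-address mount that ultimately succeeds — wording such as `"mount: could not connect to %s (%d), trying next address\n"` would be clearer. The enclosing switch and the mount_retry loop continue outside the hunk.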