nfs-utils/0003-gssd-switch-to-using-rpc_gss_seccreate.patch

From 3abf6b5223af0ccf07d217d71978ee7987acce88 Mon Sep 17 00:00:00 2001
From: Olga Kornievskaia <kolga@netapp.com>
Date: Mon, 11 Dec 2023 08:52:47 -0500
Subject: [PATCH 3/6] gssd: switch to using rpc_gss_seccreate()

If available from the libtirpc library, switch to using
rpc_gss_seccreate() instead of authgss_create_default() which does not
expose gss error codes.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/gssd/gssd_proc.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 4fb6b72d..99761157 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -70,6 +70,9 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <syscall.h>
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+#include <rpc/rpcsec_gss.h>
+#endif
 
 #include "gssd.h"
 #include "err_util.h"
@@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp,
 	struct timeval	timeout;
 	struct sockaddr		*addr = (struct sockaddr *) &clp->addr;
 	socklen_t		salen;
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+	rpc_gss_options_req_t	req;
+	rpc_gss_options_ret_t	ret;
+	char			mechanism[] = "kerberos_v5";
+#endif
 	pthread_t tid = pthread_self();
 
 	sec.qop = GSS_C_QOP_DEFAULT;
@@ -410,7 +418,14 @@ create_auth_rpc_client(struct clnt_info *clp,
 
 	printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n", 
 		tid, tgtname);
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+	memset(&req, 0, sizeof(req));
+	req.my_cred = sec.cred;
+	auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism,
+			rpcsec_gss_svc_none, NULL, &req, &ret);
+#else
 	auth = authgss_create_default(rpc_clnt, tgtname, &sec);
+#endif
 	if (!auth) {
 		/* Our caller should print appropriate message */
 		printerr(2, "WARNING: Failed to create krb5 context for "
-- 
2.46.0
- Update to version 2.8.1 - https://lore.kernel.org/linux-nfs/4a86eea3-973e-4535-8aa5-f3b8b5f7934d@redhat.com/ - https://kernel.org/pub/linux/utils/nfs-utils/2.8.1/2.8.1-Changelog - Add new binary nfsdctl - The default number of nfsd threads is now 16 instead of 8 - Removed patchs from previous releases - 0001-exportfs-remove-warning-if-neither-subtree_check-or-.patch - 0002-conffile-don-t-report-error-from-conf_init_file.patch - 0003-conffile-allow-usr-etc-to-provide-any-config-files-e.patch - 0004-fsidd-call-anonymous-sockets-by-their-name-only-don-.patch - 0001-gssd-revert-commit-a5f3b7ccb01c.patch - 0002-gssd-revert-commit-513630d720bd.patch - 0003-gssd-switch-to-using-rpc_gss_seccreate.patch - 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch - 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch - 0006-configure-check-for-rpc_gss_seccreate.patch - Turn nfs-utils-1.0.7-bind-syntax.patch to git patch (bug reference, easier to refresh via git, likely it can be now removed) - Add BuildRequires libnl-3.0, readline OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=287 2024-11-04 03:35:38 +01:00			`From 3abf6b5223af0ccf07d217d71978ee7987acce88 Mon Sep 17 00:00:00 2001`
			`From: Olga Kornievskaia <kolga@netapp.com>`
			`Date: Mon, 11 Dec 2023 08:52:47 -0500`
			`Subject: [PATCH 3/6] gssd: switch to using rpc_gss_seccreate()`

			`If available from the libtirpc library, switch to using`
			`rpc_gss_seccreate() instead of authgss_create_default() which does not`
			`expose gss error codes.`

			`Reviewed-by: Chuck Lever <chuck.lever@oracle.com>`
			`Signed-off-by: Olga Kornievskaia <kolga@netapp.com>`
			`Signed-off-by: Steve Dickson <steved@redhat.com>`
			`---`
			`utils/gssd/gssd_proc.c \| 15 +++++++++++++++`
			`1 file changed, 15 insertions(+)`

			`diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c`
			`index 4fb6b72d..99761157 100644`
			`--- a/utils/gssd/gssd_proc.c`
			`+++ b/utils/gssd/gssd_proc.c`
			`@@ -70,6 +70,9 @@`
			`#include <sys/types.h>`
			`#include <sys/wait.h>`
			`#include <syscall.h>`
			`+#ifdef HAVE_TIRPC_GSS_SECCREATE`
			`+#include <rpc/rpcsec_gss.h>`
			`+#endif`

			`#include "gssd.h"`
			`#include "err_util.h"`
			`@@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp,`
			`struct timeval timeout;`
			`struct sockaddr addr = (struct sockaddr ) &clp->addr;`
			`socklen_t salen;`
			`+#ifdef HAVE_TIRPC_GSS_SECCREATE`
			`+ rpc_gss_options_req_t req;`
			`+ rpc_gss_options_ret_t ret;`
			`+ char mechanism[] = "kerberos_v5";`
			`+#endif`
			`pthread_t tid = pthread_self();`

			`sec.qop = GSS_C_QOP_DEFAULT;`
			`@@ -410,7 +418,14 @@ create_auth_rpc_client(struct clnt_info *clp,`

			`printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n",`
			`tid, tgtname);`
			`+#ifdef HAVE_TIRPC_GSS_SECCREATE`
			`+ memset(&req, 0, sizeof(req));`
			`+ req.my_cred = sec.cred;`
			`+ auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism,`
			`+ rpcsec_gss_svc_none, NULL, &req, &ret);`
			`+#else`
			`auth = authgss_create_default(rpc_clnt, tgtname, &sec);`
			`+#endif`
			`if (!auth) {`
			`/* Our caller should print appropriate message */`
			`printerr(2, "WARNING: Failed to create krb5 context for "`
			`--`
			`2.46.0`