From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia Date: Mon, 11 Dec 2023 08:55:35 -0500 Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials During context establishment, when the client received KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server updating its key material. To handle such error, get a new service ticket and re-try the AP_REQ. This functionality relies on the new API in libtirpc that exposes the gss errors. Reviewed-by: Chuck Lever Signed-off-by: Olga Kornievskaia Signed-off-by: Steve Dickson --- utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 99761157..29600a3f 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp, auth = authgss_create_default(rpc_clnt, tgtname, &sec); #endif if (!auth) { +#ifdef HAVE_TIRPC_GSS_SECCREATE + if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + printerr(2, "WARNING: server=%s failed context " + "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", + clp->servername); + if (cred == GSS_C_NO_CREDENTIAL) + retval = gssd_refresh_krb5_machine_credential(clp->servername, + "*", NULL, 1); + if (!retval) { + auth = rpc_gss_seccreate(rpc_clnt, tgtname, + mechanism, rpcsec_gss_svc_none, + NULL, &req, &ret); + if (auth) + goto success; + } + } +#endif /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } - +#ifdef HAVE_TIRPC_GSS_SECCREATE +success: +#endif /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; -- 2.46.0