pool/nfs-utils
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
devel
nfs-utils/0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch
Neil Brown 7325ccd1b0 - Update to version 2.8.1 
- https://lore.kernel.org/linux-nfs/4a86eea3-973e-4535-8aa5-f3b8b5f7934d@redhat.com/
  - https://kernel.org/pub/linux/utils/nfs-utils/2.8.1/2.8.1-Changelog
  - Add new binary nfsdctl
  - The default number of nfsd threads is now 16 instead of 8
- Removed patchs from previous releases
  - 0001-exportfs-remove-warning-if-neither-subtree_check-or-.patch
  - 0002-conffile-don-t-report-error-from-conf_init_file.patch
  - 0003-conffile-allow-usr-etc-to-provide-any-config-files-e.patch
  - 0004-fsidd-call-anonymous-sockets-by-their-name-only-don-.patch
  - 0001-gssd-revert-commit-a5f3b7ccb01c.patch
  - 0002-gssd-revert-commit-513630d720bd.patch
  - 0003-gssd-switch-to-using-rpc_gss_seccreate.patch
  - 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch
  - 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch
  - 0006-configure-check-for-rpc_gss_seccreate.patch
- Turn nfs-utils-1.0.7-bind-syntax.patch to git patch (bug reference,
  easier to refresh via git, likely it can be now removed)
- Add BuildRequires libnl-3.0, readline

OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=287
2024-11-04 02:35:38 +00:00

63 lines
1.9 KiB
Diff
Raw Permalink Blame History

From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001
From: Olga Kornievskaia <kolga@netapp.com>
Date: Mon, 11 Dec 2023 08:55:35 -0500
Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine
credentials
During context establishment, when the client received
KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server
updating its key material. To handle such error, get a new
service ticket and re-try the AP_REQ.
This functionality relies on the new API in libtirpc that
exposes the gss errors.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 99761157..29600a3f 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp,
auth = authgss_create_default(rpc_clnt, tgtname, &sec);
#endif
if (!auth) {
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+ if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ printerr(2, "WARNING: server=%s failed context "
+ "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
+ clp->servername);
+ if (cred == GSS_C_NO_CREDENTIAL)
+ retval = gssd_refresh_krb5_machine_credential(clp->servername,
+ "*", NULL, 1);
+ if (!retval) {
+ auth = rpc_gss_seccreate(rpc_clnt, tgtname,
+ mechanism, rpcsec_gss_svc_none,
+ NULL, &req, &ret);
+ if (auth)
+ goto success;
+ }
+ }
+#endif
/* Our caller should print appropriate message */
printerr(2, "WARNING: Failed to create krb5 context for "
"user with uid %d for server %s\n",
uid, tgtname);
goto out_fail;
}
-
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+success:
+#endif
/* Success !!! */
rpc_clnt->cl_auth = auth;
*clnt_return = rpc_clnt;
--
2.46.0
Reference in New Issue View Git Blame Copy Permalink