Dirk Mueller
99d3e0d9fa
0002-gssd-revert-commit-513630d720bd.patch, 0003-gssd-switch-to-using-rpc_gss_seccreate.patch, 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch, 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch, 0006-configure-check-for-rpc_gss_seccreate.patch: fixes for libtirpc 1.3.5 - drop reenable-nfsv2.patch (poo#106679) Fix crash when rpc-gssd run with -v. - Replace references to /var/adm/fillup-templates with new options. - do not strip the binaries - mkinitrd-boot.sh: allow other mkinitrd-setup - nfs-utils-eperm-fallback.patch: mount.nfs Includes new config file: /etc/nfsmount.conf and - Kill processes on NFS mounts when unmounting bnc#442490 * fix typo in handling of "init.d/nfs status" - nfs.init: * unmount rpc_pipefs - fix sysconfig filename for changed fillup call services (gssd and idmpad have been rolled in to nfs/nfsserver). - remove svcinfo.d dir as it is provided now by filesystem - update to version 1.1.2 - uses libgssglue instead of libgssapi - add rpcbind support [fate#300607] - added gssapi to buildrequires (#116355) showmount has been removed there (#309782) - added README.NFSv4 (#182775) OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=285
63 lines
1.9 KiB
Diff
63 lines
1.9 KiB
Diff
From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001
|
|
From: Olga Kornievskaia <kolga@netapp.com>
|
|
Date: Mon, 11 Dec 2023 08:55:35 -0500
|
|
Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine
|
|
credentials
|
|
|
|
During context establishment, when the client received
|
|
KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server
|
|
updating its key material. To handle such error, get a new
|
|
service ticket and re-try the AP_REQ.
|
|
|
|
This functionality relies on the new API in libtirpc that
|
|
exposes the gss errors.
|
|
|
|
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
|
|
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
---
|
|
utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++-
|
|
1 file changed, 20 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
|
|
index 99761157..29600a3f 100644
|
|
--- a/utils/gssd/gssd_proc.c
|
|
+++ b/utils/gssd/gssd_proc.c
|
|
@@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp,
|
|
auth = authgss_create_default(rpc_clnt, tgtname, &sec);
|
|
#endif
|
|
if (!auth) {
|
|
+#ifdef HAVE_TIRPC_GSS_SECCREATE
|
|
+ if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
|
|
+ printerr(2, "WARNING: server=%s failed context "
|
|
+ "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
|
|
+ clp->servername);
|
|
+ if (cred == GSS_C_NO_CREDENTIAL)
|
|
+ retval = gssd_refresh_krb5_machine_credential(clp->servername,
|
|
+ "*", NULL, 1);
|
|
+ if (!retval) {
|
|
+ auth = rpc_gss_seccreate(rpc_clnt, tgtname,
|
|
+ mechanism, rpcsec_gss_svc_none,
|
|
+ NULL, &req, &ret);
|
|
+ if (auth)
|
|
+ goto success;
|
|
+ }
|
|
+ }
|
|
+#endif
|
|
/* Our caller should print appropriate message */
|
|
printerr(2, "WARNING: Failed to create krb5 context for "
|
|
"user with uid %d for server %s\n",
|
|
uid, tgtname);
|
|
goto out_fail;
|
|
}
|
|
-
|
|
+#ifdef HAVE_TIRPC_GSS_SECCREATE
|
|
+success:
|
|
+#endif
|
|
/* Success !!! */
|
|
rpc_clnt->cl_auth = auth;
|
|
*clnt_return = rpc_clnt;
|
|
--
|
|
2.46.0
|
|
|