[nfs-utils] gssd: force getting tgt if ticket cache was removed

Message ID 20191212160000.22320-1-olga.kornievskaia@gmail.com
State New

Commit Message

Olga Kornievskaia Dec. 12, 2019, 4 p.m. UTC
From: Olga Kornievskaia <kolga@netapp.com>

If ticket cache was removed manually, but gssd thinks it has valid
credentials, it will fail mount creation as it can't get a service
ticket (due to lack of the tgt).

Check if file-based ticket cache is not there and set the "nocache"
to 1 forcing the client to get a new tgt.

Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
---
 utils/gssd/krb5_util.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

Comments

Steve Dickson Dec. 18, 2019, 2:33 p.m. UTC | #1
On 12/12/19 11:00 AM, Olga Kornievskaia wrote:
> From: Olga Kornievskaia <kolga@netapp.com>
> 
> If ticket cache was removed manually, but gssd thinks it has valid
> credentials, it will fail mount creation as it can't get a service
> ticket (due to lack of the tgt).
> 
> Check if file-based ticket cache is not there and set the "nocache"
> to 1 forcing the client to get a new tgt.
> 
> Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Committed... (tag: nfs-utils-2-4-3-rc3)

steved.

> ---
>  utils/gssd/krb5_util.c | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
> 
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 0474783..bff759f 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -121,6 +121,9 @@
>  #include <krb5.h>
>  #include <rpc/auth_gss.h>
>  
> +#include <sys/types.h>
> +#include <fcntl.h>
> +
>  #include "nfslib.h"
>  #include "gssd.h"
>  #include "err_util.h"
> @@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
>  	return err;
>  }
>  
> +/* check if the ticket cache exists, if not set nocache=1 so that new
> + * tgt is gotten
> + */
> +static int
> +gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
> +{
> +	int fd;
> +	char cc_name[BUFSIZ];
> +
> +	snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
> +		ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
> +		GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
> +	fd = open(cc_name, O_RDONLY);
> +	if (fd < 0)
> +		return 1;
> +	close(fd);
> +	return 0;
> +}
> +
>  /*
>   * Obtain credentials via a key in the keytab given
>   * a keytab handle and a gssd_k5_kt_princ structure.
> @@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context,
>  
>  	memset(&my_creds, 0, sizeof(my_creds));
>  
> +	if (!nocache && !use_memcache)
> +		nocache = gssd_check_if_cc_exists(ple);
>  	/*
>  	 * Workaround for clock skew among NFS server, NFS client and KDC
>  	 * 300 because clock skew must be within 300sec for kerberos
>

Patch

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 0474783..bff759f 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -121,6 +121,9 @@ 
 #include <krb5.h>
 #include <rpc/auth_gss.h>
 
+#include <sys/types.h>
+#include <fcntl.h>
+
 #include "nfslib.h"
 #include "gssd.h"
 #include "err_util.h"
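Review bot: the two added includes cover open() but not the close() call in the helper added later in this patch, which is declared in <unistd.h>. If <unistd.h> is not already included further up in krb5_util.c (outside the context shown here), add it alongside <fcntl.h> so close() does not depend on an implicit declaration.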
@@ -314,6 +317,25 @@  gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
 	return err;
 }
 
+/* check if the ticket cache exists, if not set nocache=1 so that new
+ * tgt is gotten
+ */
+static int
+gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
+{
+	int fd;
+	char cc_name[BUFSIZ];
+
+	snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
+		ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
+		GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
+	fd = open(cc_name, O_RDONLY);
+	if (fd < 0)
+		return 1;
+	close(fd);
+	return 0;
+}
+
 /*
  * Obtain credentials via a key in the keytab given
  * a keytab handle and a gssd_k5_kt_princ structure.
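Review bot: in gssd_check_if_cc_exists(), "if (fd < 0) return 1;" treats every open() failure as a missing cache, so a permission error, descriptor exhaustion or a truncated cc_name would also force a new TGT. Checking errno for ENOENT (or using stat()) would limit the override to the case the commit message describes, and the snprintf() return value should be compared against sizeof(cc_name) before the path is used. The name also reads inverted: the function returns 1 when the cache does not exist, and its comment says it sets nocache although it only returns a value. Renaming it for the missing case and updating the comment would fix both. Only ccachesearch[0] is probed; the comment should say why the first search directory is sufficient.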
@@ -348,6 +370,8 @@  gssd_get_single_krb5_cred(krb5_context context,
 
 	memset(&my_creds, 0, sizeof(my_creds));
 
+	if (!nocache && !use_memcache)
+		nocache = gssd_check_if_cc_exists(ple);
 	/*
 	 * Workaround for clock skew among NFS server, NFS client and KDC
 	 * 300 because clock skew must be within 300sec for kerberos
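Review bot: at the call site, "nocache = gssd_check_if_cc_exists(ple);" overrides the caller's value silently. A debug-level log line when the cache file is found missing would let an administrator see why a fresh TGT was requested. The assignment also reads backwards (nocache becomes 1 when a function named "exists" returns true), which follows from the helper's inverted return value. A blank line between the new if statement and the comment block that follows would match the surrounding spacing.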