Commit 414ca017 authored by J. Bruce Fields's avatar J. Bruce Fields

nfsd4: fix gss-proxy 4.1 mounts for some AD principals

The principal name on a gss cred is used to setup the NFSv4.0 callback,
which has to have a client principal name to authenticate to.

That code wants the name to be in the form servicetype@hostname.
rpc.svcgssd passes down such names (and passes down no principal name at
all in the case the principal isn't a service principal).

gss-proxy always passes down the principal name, and passes it down in
the form servicetype/hostname@REALM.  So we've been munging the name
gss-proxy passes down into the format the NFSv4.0 callback code expects,
or throwing away the name if we can't.

Since the introduction of the MACH_CRED enforcement in NFSv4.1, we've
also been using the principal name to verify that certain operations are
done as the same principal as was used on the original EXCHANGE_ID call.

For that application, the original name passed down by gss-proxy is also
useful.

Lack of that name in some cases was causing some kerberized NFSv4.1
mount failures in an Active Directory environment.

This fix only works in the gss-proxy case.  The fix for legacy
rpc.svcgssd would be more involved, and rpc.svcgssd already has other
problems in the AD case.
Reported-and-tested-by: default avatarJames Ralston <ralston@pobox.com>
Acked-by: default avatarSimo Sorce <simo@redhat.com>
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
parent 920dd9bb
...@@ -1873,6 +1873,10 @@ static int copy_cred(struct svc_cred *target, struct svc_cred *source) ...@@ -1873,6 +1873,10 @@ static int copy_cred(struct svc_cred *target, struct svc_cred *source)
int ret; int ret;
ret = strdup_if_nonnull(&target->cr_principal, source->cr_principal); ret = strdup_if_nonnull(&target->cr_principal, source->cr_principal);
if (ret)
return ret;
ret = strdup_if_nonnull(&target->cr_raw_principal,
source->cr_raw_principal);
if (ret) if (ret)
return ret; return ret;
target->cr_flavor = source->cr_flavor; target->cr_flavor = source->cr_flavor;
...@@ -1978,6 +1982,9 @@ static bool mach_creds_match(struct nfs4_client *cl, struct svc_rqst *rqstp) ...@@ -1978,6 +1982,9 @@ static bool mach_creds_match(struct nfs4_client *cl, struct svc_rqst *rqstp)
return false; return false;
if (!svc_rqst_integrity_protected(rqstp)) if (!svc_rqst_integrity_protected(rqstp))
return false; return false;
if (cl->cl_cred.cr_raw_principal)
return 0 == strcmp(cl->cl_cred.cr_raw_principal,
cr->cr_raw_principal);
if (!cr->cr_principal) if (!cr->cr_principal)
return false; return false;
return 0 == strcmp(cl->cl_cred.cr_principal, cr->cr_principal); return 0 == strcmp(cl->cl_cred.cr_principal, cr->cr_principal);
...@@ -2390,7 +2397,8 @@ nfsd4_exchange_id(struct svc_rqst *rqstp, ...@@ -2390,7 +2397,8 @@ nfsd4_exchange_id(struct svc_rqst *rqstp,
* Which is a bug, really. Anyway, we can't enforce * Which is a bug, really. Anyway, we can't enforce
* MACH_CRED in that case, better to give up now: * MACH_CRED in that case, better to give up now:
*/ */
if (!new->cl_cred.cr_principal) { if (!new->cl_cred.cr_principal &&
!new->cl_cred.cr_raw_principal) {
status = nfserr_serverfault; status = nfserr_serverfault;
goto out_nolock; goto out_nolock;
} }
......
...@@ -23,13 +23,19 @@ struct svc_cred { ...@@ -23,13 +23,19 @@ struct svc_cred {
kgid_t cr_gid; kgid_t cr_gid;
struct group_info *cr_group_info; struct group_info *cr_group_info;
u32 cr_flavor; /* pseudoflavor */ u32 cr_flavor; /* pseudoflavor */
char *cr_principal; /* for gss */ /* name of form servicetype/hostname@REALM, passed down by
* gss-proxy: */
char *cr_raw_principal;
/* name of form servicetype@hostname, passed down by
* rpc.svcgssd, or computed from the above: */
char *cr_principal;
struct gss_api_mech *cr_gss_mech; struct gss_api_mech *cr_gss_mech;
}; };
static inline void init_svc_cred(struct svc_cred *cred) static inline void init_svc_cred(struct svc_cred *cred)
{ {
cred->cr_group_info = NULL; cred->cr_group_info = NULL;
cred->cr_raw_principal = NULL;
cred->cr_principal = NULL; cred->cr_principal = NULL;
cred->cr_gss_mech = NULL; cred->cr_gss_mech = NULL;
} }
...@@ -38,6 +44,7 @@ static inline void free_svc_cred(struct svc_cred *cred) ...@@ -38,6 +44,7 @@ static inline void free_svc_cred(struct svc_cred *cred)
{ {
if (cred->cr_group_info) if (cred->cr_group_info)
put_group_info(cred->cr_group_info); put_group_info(cred->cr_group_info);
kfree(cred->cr_raw_principal);
kfree(cred->cr_principal); kfree(cred->cr_principal);
gss_mech_put(cred->cr_gss_mech); gss_mech_put(cred->cr_gss_mech);
init_svc_cred(cred); init_svc_cred(cred);
......
...@@ -326,6 +326,9 @@ int gssp_accept_sec_context_upcall(struct net *net, ...@@ -326,6 +326,9 @@ int gssp_accept_sec_context_upcall(struct net *net,
if (data->found_creds && client_name.data != NULL) { if (data->found_creds && client_name.data != NULL) {
char *c; char *c;
data->creds.cr_raw_principal = kstrndup(client_name.data,
client_name.len, GFP_KERNEL);
data->creds.cr_principal = kstrndup(client_name.data, data->creds.cr_principal = kstrndup(client_name.data,
client_name.len, GFP_KERNEL); client_name.len, GFP_KERNEL);
if (data->creds.cr_principal) { if (data->creds.cr_principal) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment