Commit a1a23777 authored by Chuck Lever, committed by J. Bruce Fields

sunrpc: Enable the kernel to specify the hostname part of service principals

A multi-homed NFS server may have more than one "nfs" key in its
keytab. Enable the kernel to pick the key it wants as a machine
credential when establishing a GSS context.

This is useful for GSS-protected NFSv4.0 callbacks, which are
required by RFC 7530 S3.3.3 to use the same principal as the service
principal the client used when establishing its lease.

A complementary modification to rpc.gssd is required to fully enable
this feature.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
parent 44090cc8
...@@ -284,7 +284,12 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct ...@@ -284,7 +284,12 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct
return p; return p;
} }
#define UPCALL_BUF_LEN 128 /* XXX: Need some documentation about why UPCALL_BUF_LEN is so small.
* Is user space expecting no more than UPCALL_BUF_LEN bytes?
* Note that there are now _two_ NI_MAXHOST sized data items
* being passed in this string.
*/
#define UPCALL_BUF_LEN 256
struct gss_upcall_msg { struct gss_upcall_msg {
refcount_t count; refcount_t count;
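Review bot: the new comment above UPCALL_BUF_LEN records an open question ("XXX: Need some documentation about why UPCALL_BUF_LEN is so small") instead of answering it, and the same comment concedes that the string now carries two NI_MAXHOST sized items, so doubling the buffer to 256 is a guess rather than a bound. Either derive the size from the fields actually encoded (the two host names plus the fixed "service=" / "srchost=" tokens and the other fields emitted by gss_encode_v1_msg) or document the limit that rpc.gssd actually imposes on the upcall, and drop the XXX once that is known; as it stands, an oversize principal is silently truncated by scnprintf and the upcall reaches user space malformed.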
...@@ -462,8 +467,17 @@ static int gss_encode_v1_msg(struct gss_upcall_msg *gss_msg, ...@@ -462,8 +467,17 @@ static int gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
p += len; p += len;
gss_msg->msg.len += len; gss_msg->msg.len += len;
} }
if (service_name != NULL) { if (service_name) {
len = scnprintf(p, buflen, "service=%s ", service_name); char *c = strchr(service_name, '@');
if (!c)
len = scnprintf(p, buflen, "service=%s ",
service_name);
else
len = scnprintf(p, buflen,
"service=%.*s srchost=%s ",
(int)(c - service_name),
service_name, c + 1);
buflen -= len; buflen -= len;
p += len; p += len;
gss_msg->msg.len += len; gss_msg->msg.len += len;
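Review bot: in the new `else` branch, `strchr(service_name, '@')` followed by `c + 1` does not guard against a principal that ends in '@': that yields "srchost= " with an empty host name, which rpc.gssd will have to special-case. Treat a trailing '@' like the no-host case, e.g. `if (!c || c[1] == '\0')` before the plain "service=%s " encoding. Separately, the branch now writes two variable-length names into the same fixed buffer but still only advances by the scnprintf return value; check `len` against `buflen` (or assert on the remaining space) so a truncated srchost is detected rather than passed to user space as a shortened principal.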