Commit a5250def authored by Weston Andros Adamson's avatar Weston Andros Adamson Committed by Trond Myklebust

NFSv4: use the mach cred for SECINFO w/ integrity

Commit 5ec16a85 introduced a regression
that causes SECINFO to fail without actualy sending an RPC if:

 1) the nfs_client's rpc_client was using KRB5i/p (now tried by default)
 2) the current user doesn't have valid kerberos credentials

This situation is quite common - as of now a sec=sys mount would use
krb5i for the nfs_client's rpc_client and a user would hardly be faulted
for not having run kinit.

The solution is to use the machine cred when trying to use an integrity
protected auth flavor for SECINFO.

Older servers may not support using the machine cred or an integrity
protected auth flavor for SECINFO in every circumstance, so we fall back
to using the user's cred and the filesystem's auth flavor in this case.

We run into another problem when running against linux nfs servers -
they return NFS4ERR_WRONGSEC when using integrity auth flavor (unless the
mount is also that flavor) even though that is not a valid error for
SECINFO*.  Even though it's against spec, handle WRONGSEC errors on SECINFO
by falling back to using the user cred and the filesystem's auth flavor.
Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 35fa5f7b
...@@ -435,6 +435,20 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc ...@@ -435,6 +435,20 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc
return ret; return ret;
} }
/*
* Return 'true' if 'clp' is using an rpc_client that is integrity protected
* or 'false' otherwise.
*/
static bool _nfs4_is_integrity_protected(struct nfs_client *clp)
{
rpc_authflavor_t flavor = clp->cl_rpcclient->cl_auth->au_flavor;
if (flavor == RPC_AUTH_GSS_KRB5I ||
flavor == RPC_AUTH_GSS_KRB5P)
return true;
return false;
}
static void do_renew_lease(struct nfs_client *clp, unsigned long timestamp) static void do_renew_lease(struct nfs_client *clp, unsigned long timestamp)
{ {
...@@ -5842,10 +5856,13 @@ int nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, ...@@ -5842,10 +5856,13 @@ int nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir,
} }
/** /**
* Use the state managment nfs_client cl_rpcclient, which uses krb5i (if * If 'use_integrity' is true and the state managment nfs_client
* possible) as per RFC3530bis and RFC5661 Security Considerations sections * cl_rpcclient is using krb5i/p, use the integrity protected cl_rpcclient
* and the machine credential as per RFC3530bis and RFC5661 Security
* Considerations sections. Otherwise, just use the user cred with the
* filesystem's rpc_client.
*/ */
static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct nfs4_secinfo_flavors *flavors) static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct nfs4_secinfo_flavors *flavors, bool use_integrity)
{ {
int status; int status;
struct nfs4_secinfo_arg args = { struct nfs4_secinfo_arg args = {
...@@ -5860,11 +5877,21 @@ static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct ...@@ -5860,11 +5877,21 @@ static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct
.rpc_argp = &args, .rpc_argp = &args,
.rpc_resp = &res, .rpc_resp = &res,
}; };
struct rpc_clnt *clnt = NFS_SERVER(dir)->nfs_client->cl_rpcclient; struct rpc_clnt *clnt = NFS_SERVER(dir)->client;
if (use_integrity) {
clnt = NFS_SERVER(dir)->nfs_client->cl_rpcclient;
msg.rpc_cred = nfs4_get_clid_cred(NFS_SERVER(dir)->nfs_client);
}
dprintk("NFS call secinfo %s\n", name->name); dprintk("NFS call secinfo %s\n", name->name);
status = nfs4_call_sync(clnt, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0); status = nfs4_call_sync(clnt, NFS_SERVER(dir), &msg, &args.seq_args,
&res.seq_res, 0);
dprintk("NFS reply secinfo: %d\n", status); dprintk("NFS reply secinfo: %d\n", status);
if (msg.rpc_cred)
put_rpccred(msg.rpc_cred);
return status; return status;
} }
...@@ -5874,7 +5901,21 @@ int nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, ...@@ -5874,7 +5901,21 @@ int nfs4_proc_secinfo(struct inode *dir, const struct qstr *name,
struct nfs4_exception exception = { }; struct nfs4_exception exception = { };
int err; int err;
do { do {
err = _nfs4_proc_secinfo(dir, name, flavors); err = -NFS4ERR_WRONGSEC;
/* try to use integrity protection with machine cred */
if (_nfs4_is_integrity_protected(NFS_SERVER(dir)->nfs_client))
err = _nfs4_proc_secinfo(dir, name, flavors, true);
/*
* if unable to use integrity protection, or SECINFO with
* integrity protection returns NFS4ERR_WRONGSEC (which is
* disallowed by spec, but exists in deployed servers) use
* the current filesystem's rpc_client and the user cred.
*/
if (err == -NFS4ERR_WRONGSEC)
err = _nfs4_proc_secinfo(dir, name, flavors, false);
trace_nfs4_secinfo(dir, name, err); trace_nfs4_secinfo(dir, name, err);
err = nfs4_handle_exception(NFS_SERVER(dir), err, err = nfs4_handle_exception(NFS_SERVER(dir), err,
&exception); &exception);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment