• Weston Andros Adamson's avatar
    NFSv4: use mach cred for SECINFO_NO_NAME w/ integrity · b1b3e136
    Weston Andros Adamson authored
    Commit 97431204 introduced a regression
    that causes SECINFO_NO_NAME to fail without sending an RPC if:
    
     1) the nfs_client's rpc_client is using krb5i/p (now tried by default)
     2) the current user doesn't have valid kerberos credentials
    
    This situation is quite common - as of now a sec=sys mount would use
    krb5i for the nfs_client's rpc_client and a user would hardly be faulted
    for not having run kinit.
    
    The solution is to use the machine cred when trying to use an integrity
    protected auth flavor for SECINFO_NO_NAME.
    
    Older servers may not support using the machine cred or an integrity
    protected auth flavor for SECINFO_NO_NAME in every circumstance, so we fall
    back to using the user's cred and the filesystem's auth flavor in this case.
    
    We run into another problem when running against linux nfs servers -
    they return NFS4ERR_WRONGSEC when using integrity auth flavor (unless the
    mount is also that flavor) even though that is not a valid error for
    SECINFO*.  Even though it's against spec, handle WRONGSEC errors on
    SECINFO_NO_NAME by falling back to using the user cred and the
    filesystem's auth flavor.
    Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
    Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
    b1b3e136
nfs4proc.c 215 KB