git.ipfire.org Git - people/arne

author	J. Bruce Fields <bfields@redhat.com>
	Fri, 20 Nov 2015 15:48:02 +0000 (10:48 -0500)
committer	J. Bruce Fields <bfields@redhat.com>
	Tue, 24 Nov 2015 18:36:31 +0000 (11:36 -0700)
commit	414ca017a54d26c3a58ed1504884e51448d22ae1
tree	e76eb79e0573b50eed71b8fe5a20696f702fde82	tree \| snapshot
parent	920dd9bb7d7cf9ae339e15240326a28a22f08a74	commit \| diff

nfsd4: fix gss-proxy 4.1 mounts for some AD principals

The principal name on a gss cred is used to setup the NFSv4.0 callback,
which has to have a client principal name to authenticate to.

That code wants the name to be in the form servicetype@hostname.
rpc.svcgssd passes down such names (and passes down no principal name at
all in the case the principal isn't a service principal).

gss-proxy always passes down the principal name, and passes it down in
the form servicetype/hostname@REALM. So we've been munging the name
gss-proxy passes down into the format the NFSv4.0 callback code expects,
or throwing away the name if we can't.

Since the introduction of the MACH_CRED enforcement in NFSv4.1, we've
also been using the principal name to verify that certain operations are
done as the same principal as was used on the original EXCHANGE_ID call.

For that application, the original name passed down by gss-proxy is also
useful.

Lack of that name in some cases was causing some kerberized NFSv4.1
mount failures in an Active Directory environment.

This fix only works in the gss-proxy case. The fix for legacy
rpc.svcgssd would be more involved, and rpc.svcgssd already has other
problems in the AD case.

Reported-and-tested-by: James Ralston <ralston@pobox.com>
Acked-by: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

fs/nfsd/nfs4state.c		diff \| blob \| blame \| history
include/linux/sunrpc/svcauth.h		diff \| blob \| blame \| history
net/sunrpc/auth_gss/gss_rpc_upcall.c		diff \| blob \| blame \| history