NFS + Kerberos

Momchil Ivanov momchil at xaxo.eu
Sat Feb 23 12:00:20 UTC 2013


At Fri, 22 Feb 2013 19:04:23 -0500 (EST),
Rick Macklem wrote:
> You can run "gssd -d -d" and it will run in foreground and print
> out messages related to resource allocation. This isn't much use,
> except to tell you that it is doing something. (Adding a "verbose"
> option is on my "to do" list, but I don't have any code at this time.
> If someone wants to do this, I think it would be great.)
> 
> If you do this, don't have it started at boot (gssd_enable="NO" in
> /etc/rc.conf) and then do the above command as root in a window
> before attempting the mount command.
> 
> Beyond that, you could add printfs to gssd.c. The main client side
> function is gssd_init_sec_context(), which should get the Kerberos
> ticket for a user via their TGT.

Well, the server doesn't seem to start gssd at boot even with
gssd_enable="YES" in /etc/rc.conf — I don't know why — and I cannot
stop/restart nfsd until I start gssd manually :) The client does start
it at boot, though.

Note: I can ssh into the server even when gssd is not running; I don't
know whether that is expected.

"gssd -d -d" prints things like this on the client and the server:

1 resources allocated
2 resources allocated
1 resources allocated
0 resources allocated
1 resources allocated
2 resources allocated
1 resources allocated
0 resources allocated
1 resources allocated
2 resources allocated
1 resources allocated
0 resources allocated

which doesn't tell me anything :) So here is what happens on the
client without a Kerberos ticket:

1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid:       1001
cred:      0
ctx:       0
name:      5848115787646107649
req_flags: 5848115787646107650
> gss_resources
i=0
gr_id  :5848115787646107649
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid:       1001
cred:      0
ctx:       0
name:      5848115787646107650
req_flags: 5848115787646107650
> gss_resources
i=0
gr_id  :5848115787646107650
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid:       1001
cred:      0
ctx:       0
name:      5848115787646107651
req_flags: 5848115787646107650
> gss_resources
i=0
gr_id  :5848115787646107651
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated

And here is what happens with a Kerberos ticket:

1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid:       1001
cred:      0
ctx:       0
name:      5848116041049178113
req_flags: 5848116041049178114
> gss_resources
i=0
gr_id  :5848116041049178113
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid:       1001
cred:      0
ctx:       0
name:      5848116041049178115
req_flags: 5848116041049178114
> gss_resources
i=0
gr_id  :5848116041049178115
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid:       1001
cred:      0
ctx:       0
name:      5848116041049178117
req_flags: 5848116041049178114
> gss_resources
i=0
gr_id  :5848116041049178117
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated

here is what I have changed:

--- gssd.c.orig	2013-02-23 11:13:20.000000000 +0100
+++ gssd.c	2013-02-23 12:34:33.000000000 +0100
@@ -238,6 +238,33 @@
 	return (TRUE);
 }
 
+static void
+dump_resources(FILE *s)
+{
+	struct gss_resource *gr;
+	int i;
+
+	fprintf(s, "> gss_resources\n");
+
+	i = 0;
+	LIST_FOREACH(gr, &gss_resources, gr_link) {
+	  fprintf(s, "i=%d\n", i);
+	  fprintf(s, "gr_id  :%llu\n", gr->gr_id);
+	  fprintf(s, "gr_res :%p\n", gr->gr_res);
+	}
+}
+
+void
+dump_init_sec_context_args(FILE *s, init_sec_context_args *p)
+{
+	fprintf(s, "> init_sec_context_args\n");
+	fprintf(s, "uid:       %d\n", p->uid);
+	fprintf(s, "cred:      %llu\n", p->cred);
+	fprintf(s, "ctx:       %llu\n", p->ctx);
+	fprintf(s, "name:      %llu\n", p->name);
+	fprintf(s, "req_flags: %llu\n", p->req_flags);
+}
+
 bool_t
 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp)
 {
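Review bot: The `i` counter in dump_resources is never advanced, so every entry prints `i=0` regardless of its position in the list (the traces above show exactly that); add `i++;` after the `gr_res` fprintf inside the LIST_FOREACH body. dump_init_sec_context_args is file-local like dump_resources but is not declared `static`, so it leaks into the global namespace; make it `static void dump_init_sec_context_args(FILE *s, init_sec_context_args *p)`. The `%llu` conversions assume `gr_id`, `cred`, `ctx`, `name` and `req_flags` are `unsigned long long`; if they are `uint64_t` (the 64-bit values in the trace suggest so) that only holds on ILP32 targets, and `"%" PRIu64` from `<inttypes.h>` is the portable spelling — confirm against the field types in gssd.x.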
@@ -248,27 +275,42 @@
 
 	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
 	    (int) argp->uid);
+
+	printf("%s:%d %s\n", __FILE__, __LINE__, ccname);
+	dump_init_sec_context_args(stdout, argp);
+	dump_resources(stdout);
+
 	setenv("KRB5CCNAME", ccname, TRUE);
 
 	memset(result, 0, sizeof(*result));
 	if (argp->cred) {
+                printf("%s:%d argp->cred\n", __FILE__, __LINE__);
 		cred = gssd_find_resource(argp->cred);
+		printf("%s:%d cred=%llu\n", __FILE__, __LINE__, cred);
 		if (!cred) {
 			result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+			printf("%s:%d GSS_S_CREDENTIALS_EXPIRED\n", __FILE__, __LINE__);
 			return (TRUE);
 		}
 	}
 	if (argp->ctx) {
+	        printf("%s:%d argp->ctx\n", __FILE__, __LINE__);
 		ctx = gssd_find_resource(argp->ctx);
+		printf("%s:%d ctx=%llu\n", __FILE__, __LINE__, ctx);
 		if (!ctx) {
 			result->major_status = GSS_S_CONTEXT_EXPIRED;
+			printf("%s:%d GSS_S_CONTEXT_EXPIRED\n", __FILE__, __LINE__);
 			return (TRUE);
 		}
 	}
 	if (argp->name) {
+	        printf("%s:%d argp->name\n", __FILE__, __LINE__);
 		name = gssd_find_resource(argp->name);
+		printf("%s:%d name=%llu\n", __FILE__, __LINE__, name);
+		printf("%s:%d name=%p\n", __FILE__, __LINE__, name);
 		if (!name) {
 			result->major_status = GSS_S_BAD_NAME;
+			printf("%s:%d GSS_S_BAD_NAME\n", __FILE__, __LINE__);
 			return (TRUE);
 		}
 	}
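Review bot: The values printed with `%llu` at lines 310, 320 and 330 of the new code (`cred`, `ctx`, `name`) are pointers returned by gssd_find_resource — the `%p` print on the very next line and the `gr_res :0x28203060` output confirm that — so passing them to `%llu` is a format/argument type mismatch, i.e. undefined behaviour that only happens to print the pointer value on this 32-bit box (`673198176` is `0x28203060`) and will read garbage or crash on amd64. Print each with `%p` and drop the duplicate line, e.g. `printf("%s:%d name=%p\n", __FILE__, __LINE__, (void *)name);` and likewise for `cred` and `ctx`. The three `argp->…` printfs are also indented with spaces where the rest of the file uses tabs. gssd_init_sec_context_1_svc continues past the end of this hunk.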
@@ -286,6 +328,11 @@
 			result->ctx = argp->ctx;
 		else
 			result->ctx = gssd_make_resource(ctx);
+
+		if (result->major_status == GSS_S_COMPLETE)
+			printf("%s:%d GSS_S_COMPLETE\n", __FILE__, __LINE__);
+		else
+			printf("%s:%d GSS_S_CONTINUE_NEEDED\n", __FILE__, __LINE__);
 	}
 
 	return (TRUE);
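Review bot: The else branch labels any major status other than GSS_S_COMPLETE as `GSS_S_CONTINUE_NEEDED`, and because both printfs sit inside the block that assigns `result->ctx` (its opening condition is above the hunk, so it is not visible here), a failing gss_init_sec_context that skips that block is never reported at all — which is consistent with the no-ticket trace above, where no status line appears. Print the real values unconditionally after the call, e.g. `printf("%s:%d major=0x%x minor=%u\n", __FILE__, __LINE__, (unsigned)result->major_status, (unsigned)result->minor_status);`, since the minor status is what carries the underlying Kerberos error; if gss_display_status() is available in this daemon it can render both as text. The start of gssd_init_sec_context_1_svc and the gss_init_sec_context call itself are outside this hunk.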

Ideas?

Thank you,
Momchil

