NFS + Kerberos

Rick Macklem rmacklem at uoguelph.ca
Sat Feb 23 15:57:16 UTC 2013


Momchil Ivanov wrote:
> At Fri, 22 Feb 2013 19:04:23 -0500 (EST),
> Rick Macklem wrote:
> > You can run "gssd -d -d" and it will run in foreground and print
> > out messages related to resource allocation. This isn't much use,
> > except to tell you that it is doing something. (Adding a "verbose"
> > option is on my "to do" list, but I don't have any code at this
> > time.
> > If someone wants to do this, I think it would be great.)
> >
> > If you do this, don't have it started at boot (gssd_enable="NO" in
> > /etc/rc.conf) and then do the above command as root in a window
> > before attempting the mount command.
> >
> > Beyond that, you could add printfs to gssd.c. The main client side
> > function is gssd_init_sec_context(), which should get the Kerberos
> > ticket for a user via their TGT.
> 
> well, the server doesn't seem to start it at boot even with
> gssd_enable="YES" in /etc/rc.conf, I don't know why, and I cannot
> stop/restart nfsd until I manually start gssd :) the client does start
> it at boot, though
> 
> note: I can ssh into the server (Kerberos-authenticated) even when
> gssd is not running; I don't know whether this is expected.
> 
> "gssd -d -d" prints things like this on the client and the server:
> 
> 1 resources allocated
> 2 resources allocated
> 1 resources allocated
> 0 resources allocated
> 1 resources allocated
> 2 resources allocated
> 1 resources allocated
> 0 resources allocated
> 1 resources allocated
> 2 resources allocated
> 1 resources allocated
> 0 resources allocated
> 
> which doesn't tell me anything :) so here is what happens on the
> client when the user has no Kerberos ticket:
> 
> 1 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> > init_sec_context_args
> uid: 1001
> cred: 0
> ctx: 0
> name: 5848115787646107649
> req_flags: 5848115787646107650
> > gss_resources
> i=0
> gr_id :5848115787646107649
> gr_res :0x28203060
> /usr/src/usr.sbin/gssd/gssd.c:307 argp->name
> /usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
> /usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
> 0 resources allocated
> 1 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> > init_sec_context_args
> uid: 1001
> cred: 0
> ctx: 0
> name: 5848115787646107650
> req_flags: 5848115787646107650
> > gss_resources
> i=0
> gr_id :5848115787646107650
> gr_res :0x28203060
> /usr/src/usr.sbin/gssd/gssd.c:307 argp->name
> /usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
> /usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
> 0 resources allocated
> 1 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> > init_sec_context_args
> uid: 1001
> cred: 0
> ctx: 0
> name: 5848115787646107651
> req_flags: 5848115787646107650
> > gss_resources
> i=0
> gr_id :5848115787646107651
> gr_res :0x28203060
> /usr/src/usr.sbin/gssd/gssd.c:307 argp->name
> /usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
> /usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
> 0 resources allocated
> 
> here is what happens with a kerberos ticket:
> 
> 1 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> > init_sec_context_args
> uid: 1001
> cred: 0
> ctx: 0
> name: 5848116041049178113
> req_flags: 5848116041049178114
> > gss_resources
> i=0
> gr_id :5848116041049178113
> gr_res :0x28203060
> /usr/src/usr.sbin/gssd/gssd.c:307 argp->name
> /usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
> /usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
> 2 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
> 1 resources allocated
> 0 resources allocated
> 1 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> > init_sec_context_args
> uid: 1001
> cred: 0
> ctx: 0
> name: 5848116041049178115
> req_flags: 5848116041049178114
> > gss_resources
> i=0
> gr_id :5848116041049178115
> gr_res :0x28203060
> /usr/src/usr.sbin/gssd/gssd.c:307 argp->name
> /usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
> /usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
> 2 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
> 1 resources allocated
> 0 resources allocated
> 1 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> > init_sec_context_args
> uid: 1001
> cred: 0
> ctx: 0
> name: 5848116041049178117
> req_flags: 5848116041049178114
> > gss_resources
> i=0
> gr_id :5848116041049178117
> gr_res :0x28203060
> /usr/src/usr.sbin/gssd/gssd.c:307 argp->name
> /usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
> /usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
> 2 resources allocated
> /usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
> 1 resources allocated
> 0 resources allocated
> 
In the last post, I forgot to mention...

RFC 2203 (RPCSEC_GSS) describes what the contents of the NULL RPCs
exchanged during context setup look like, and it isn't a particularly
large or hard-to-read RFC, so you might want to take a look at it.

rick

> here is what I have changed:
> 
> --- gssd.c.orig 2013-02-23 11:13:20.000000000 +0100
> +++ gssd.c 2013-02-23 12:34:33.000000000 +0100
> @@ -238,6 +238,33 @@
> return (TRUE);
> }
> 
> +static void
> +dump_resources(FILE *s)
> +{
> + struct gss_resource *gr;
> + int i;
> +
> + fprintf(s, "> gss_resources\n");
> +
> + i = 0;
> + LIST_FOREACH(gr, &gss_resources, gr_link) {
> + fprintf(s, "i=%d\n", i);
> + fprintf(s, "gr_id :%llu\n", gr->gr_id);
> + fprintf(s, "gr_res :%p\n", gr->gr_res);
> + }
> +}
> +
> +void
> +dump_init_sec_context_args(FILE *s, init_sec_context_args *p)
> +{
> + fprintf(s, "> init_sec_context_args\n");
> + fprintf(s, "uid: %d\n", p->uid);
> + fprintf(s, "cred: %llu\n", p->cred);
> + fprintf(s, "ctx: %llu\n", p->ctx);
> + fprintf(s, "name: %llu\n", p->name);
> + fprintf(s, "req_flags: %llu\n", p->req_flags);
> +}
> +
> bool_t
> gssd_init_sec_context_1_svc(init_sec_context_args *argp,
> init_sec_context_res *result, struct svc_req *rqstp)
> {
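Review bot: In dump_resources() the index `i` is never incremented inside LIST_FOREACH, so every entry prints `i=0` (the log above shows exactly that), and a multi-entry list would be impossible to read; change the first fprintf to `fprintf(s, "i=%d\n", i++);`. The `%llu` used for gr_id only matches if gr_id is declared `unsigned long long`; if it is a uint64_t, as the id values suggest, use `"%" PRIu64` from <inttypes.h> so the format is correct on both 32- and 64-bit builds. The same applies to cred/ctx/name in dump_init_sec_context_args(), and uid is printed with `%d` although uid_t is unsigned (`%u`). dump_init_sec_context_args() is also not `static` and has no prototype, which the rest of this file's helpers avoid; mark it `static` like dump_resources().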
> @@ -248,27 +275,42 @@
> 
> snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
> (int) argp->uid);
> +
> + printf("%s:%d %s\n", __FILE__, __LINE__, ccname);
> + dump_init_sec_context_args(stdout, argp);
> + dump_resources(stdout);
> +
> setenv("KRB5CCNAME", ccname, TRUE);
> 
> memset(result, 0, sizeof(*result));
> if (argp->cred) {
> + printf("%s:%d argp->cred\n", __FILE__, __LINE__);
> cred = gssd_find_resource(argp->cred);
> + printf("%s:%d cred=%llu\n", __FILE__, __LINE__, cred);
> if (!cred) {
> result->major_status = GSS_S_CREDENTIALS_EXPIRED;
> + printf("%s:%d GSS_S_CREDENTIALS_EXPIRED\n", __FILE__, __LINE__);
> return (TRUE);
> }
> }
> if (argp->ctx) {
> + printf("%s:%d argp->ctx\n", __FILE__, __LINE__);
> ctx = gssd_find_resource(argp->ctx);
> + printf("%s:%d ctx=%llu\n", __FILE__, __LINE__, ctx);
> if (!ctx) {
> result->major_status = GSS_S_CONTEXT_EXPIRED;
> + printf("%s:%d GSS_S_CONTEXT_EXPIRED\n", __FILE__, __LINE__);
> return (TRUE);
> }
> }
> if (argp->name) {
> + printf("%s:%d argp->name\n", __FILE__, __LINE__);
> name = gssd_find_resource(argp->name);
> + printf("%s:%d name=%llu\n", __FILE__, __LINE__, name);
> + printf("%s:%d name=%p\n", __FILE__, __LINE__, name);
> if (!name) {
> result->major_status = GSS_S_BAD_NAME;
> + printf("%s:%d GSS_S_BAD_NAME\n", __FILE__, __LINE__);
> return (TRUE);
> }
> }
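Review bot: The `printf("%s:%d cred=%llu\n", ..., cred)` lines (and the ctx/name counterparts) pass a pointer for a `%llu` conversion, which is undefined behavior; on this 32-bit build it happens to print the same value as the `%p` line only because the adjacent stack slot was zero. Keep only the `%p` form, e.g. `printf("%s:%d name=%p\n", __FILE__, __LINE__, (void *)name);`, and drop the `%llu` duplicate. These printfs are also unconditional, so a build with this patch would write the per-user credential-cache path and every handle to stdout even when gssd is not run with `-d`; gate them on whatever counter `-d` increments (the daemon already has a debug mode, per the parent post) so they only fire in foreground debug runs. gssd_init_sec_context_1_svc() starts before this hunk, so the declarations of cred/ctx/name are not visible here.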
> @@ -286,6 +328,11 @@
> result->ctx = argp->ctx;
> else
> result->ctx = gssd_make_resource(ctx);
> +
> + if (result->major_status == GSS_S_COMPLETE)
> + printf("%s:%d GSS_S_COMPLETE\n", __FILE__, __LINE__);
> + else
> + printf("%s:%d GSS_S_CONTINUE_NEEDED\n", __FILE__, __LINE__);
> }
> 
> return (TRUE);
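Review bot: The new else branch labels every non-GSS_S_COMPLETE outcome as GSS_S_CONTINUE_NEEDED, and neither branch reports a failure, which is exactly the case under investigation: in the no-ticket run above the line-335 message never appears, so the actual error is lost. Print the raw status pair instead so both the success and the failure paths are visible, e.g. `printf("%s:%d major=0x%x minor=0x%x\n", __FILE__, __LINE__, (unsigned)result->major_status, (unsigned)result->minor_status);`, placed after the gss_init_sec_context() call rather than inside the success-only block. The enclosing `if` that this hunk sits in, and the call itself, begin before this hunk, so whether the else is reachable for error statuses cannot be confirmed from here.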
> 
> Ideas?
> 
> Thank you,
> Momchil

