git: c33509d49a6f - main - gssd: Fix handling of the gssname=<name> NFS mount option

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Sat, 07 Jan 2023 21:50:46 UTC
The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=c33509d49a6fdcf86ef280a78f428d3cb7012c4a

commit c33509d49a6fdcf86ef280a78f428d3cb7012c4a
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-01-07 21:49:25 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-01-07 21:49:25 +0000

    gssd: Fix handling of the gssname=<name> NFS mount option
    
    If an NFS mount using "sec=krb5[ip],gssname=<name>" is
    done, the gssd daemon fails.  There is a long delay
    (several seconds) in the gss_acquire_cred() call and then
    it returns success, but the credentials returned are
    junk.
    
    I have no idea how long this has been broken, due to some
    change in the Heimdal gssapi library call, but I suspect
    it has been quite some time.
    
    Anyhow, it turns out that replacing the "desired_name"
    argument with GSS_C_NO_NAME fixes the problem.
    Replacing the argument should not be a problem, since the
    TGT for the host based initiator credential in the default
    keytab file should be the only TGT in the gssd's credential
    cache (which is not the one for uid 0).
    
    I will try and determine if FreeBSD13 and/or FreeBSD12
    needs this same fix and will MFC if they need the fix.
    
    This problem only affected Kerberized NFS mounts when the
    "gssname" mount option was used.  Other Kerberized NFS
    mount cases already used GSS_C_NO_NAME and work ok.
    A workaround if you do not have this patch is to do a
    "kinit -k host/FQDN" as root on the machine, followed by
    the Kerberized NFS mount without the "gssname" mount
    option.
    
    MFC after:      1 month
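The workaround described in the commit message (a keytab kinit as root, then a Kerberized mount with the gssname option dropped) as an added shell example; this is not part of the FreeBSD commit or of gssd. It assumes, as the message does, that the host-based principal is host/<FQDN> in the default keytab, and that hostname -f prints the FQDN; the option-stripping helper is the only part that runs without a KDC.

```shell
#!/bin/sh
# Added example, not FreeBSD code: apply the workaround from the commit
# message on a host that does not yet carry this gssd fix.

# Drop a gssname=<name> option from a comma-separated NFS option list,
# leaving every other option in place. Handles the option at the start,
# in the middle, or at the end of the list.
strip_gssname() {
    printf '%s\n' "$1" | sed -e 's/,gssname=[^,]*//g' \
                             -e 's/^gssname=[^,]*,\{0,1\}//'
}

# Host-based initiator principal for this machine (assumption: host/<FQDN>
# is what the default keytab holds, per the commit message).
host_principal() {
    printf 'host/%s\n' "$1"
}

# The workaround itself: must run as root. Obtain the TGT for the host
# principal from the keytab, then mount without the gssname option so gssd
# takes its (working) GSS_C_NO_NAME path.
#   workaround_mount nfs.example.org:/export /mnt "sec=krb5p,gssname=host,nfsv4"
workaround_mount() {
    server_path="$1"; mountpoint="$2"; opts="$3"
    fqdn=$(hostname -f)                       # assumption: prints the FQDN
    kinit -k "$(host_principal "$fqdn")" || return 1
    mount -t nfs -o "$(strip_gssname "$opts")" "$server_path" "$mountpoint"
}
```

Only strip_gssname and host_principal are pure; workaround_mount calls kinit(1) and mount(8) and so needs root, a keytab, and a reachable KDC. Once the fix is installed the gssname option can be restored and the kinit step dropped.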
---
 usr.sbin/gssd/gssd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c
index 5589da37c195..ee77471bf05b 100644
--- a/usr.sbin/gssd/gssd.c
+++ b/usr.sbin/gssd/gssd.c
@@ -847,7 +847,7 @@ gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struc
 	}
 
 	result->major_status = gss_acquire_cred(&result->minor_status,
-	    desired_name, argp->time_req, argp->desired_mechs,
+	    GSS_C_NO_NAME, argp->time_req, argp->desired_mechs,
 	    argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
 	gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n",
 	    (unsigned int)result->major_status, (int)result->minor_status);
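Review bot: after this hunk the desired_name argument is never consulted by gss_acquire_cred(), so whatever gssd_acquire_cred_1_svc() does earlier to build desired_name from the gssname=<name> mount option is now unused at this call site, and the option is silently ignored by gssd. A one-line comment above the call recording why GSS_C_NO_NAME is correct here (the host-based initiator credential from the default keytab is the only TGT in gssd's cache, per the commit message) would stop a future reader from "fixing" it back, and the gssd_verbose_out() on the two lines after the call could log the name that was requested so an operator can see it was received but not passed down. If desired_name is still produced by a gss_import_name() earlier in the function, either release it on every path or remove that setup now that it has no consumer.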