Date: Sat, 7 Jan 2023 21:50:46 GMT
Message-Id: <202301072150.307LokNm093592@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: c33509d49a6f - main - gssd: Fix handling of the gssname= NFS mount option
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c33509d49a6fdcf86ef280a78f428d3cb7012c4a
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=c33509d49a6fdcf86ef280a78f428d3cb7012c4a

commit c33509d49a6fdcf86ef280a78f428d3cb7012c4a
Author:     Rick Macklem
AuthorDate: 2023-01-07 21:49:25 +0000
Commit:     Rick Macklem
CommitDate: 2023-01-07 21:49:25 +0000

    gssd: Fix handling of the gssname= NFS mount option

    If an NFS mount using "sec=krb5[ip],gssname=" is done, the gssd
    daemon fails. There is a long delay (several seconds) in the
    gss_acquire_cred() call and then it returns success, but the
    credentials returned are junk.

    I have no idea how long this has been broken, due to some change
    in the Heimdal gssapi library call, but I suspect it has been
    quite some time.

    Anyhow, it turns out that replacing the "desired_name" argument
    with GSS_C_NO_NAME fixes the problem. Replacing the argument
    should not be a problem, since the TGT for the host based
    initiator credential in the default keytab file should be the
    only TGT in the gssd's credential cache (which is not the one
    for uid 0).

    I will try and determine if FreeBSD13 and/or FreeBSD12 needs
    this same fix and will MFC if they need the fix.

    This problem only affected Kerberized NFS mounts when the
    "gssname" mount option was used.
    Other Kerberized NFS mount cases already used GSS_C_NO_NAME and
    work ok.

    A workaround if you do not have this patch is to do a
    "kinit -k host/FQDN" as root on the machine, followed by the
    Kerberized NFS mount without the "gssname" mount option.

    MFC after:      1 month
---
 usr.sbin/gssd/gssd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c index 5589da37c195..ee77471bf05b 100644 --- a/usr.sbin/gssd/gssd.c +++ b/usr.sbin/gssd/gssd.c @@ -847,7 +847,7 @@ gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struc } result->major_status = gss_acquire_cred(&result->minor_status, - desired_name, argp->time_req, argp->desired_mechs, + GSS_C_NO_NAME, argp->time_req, argp->desired_mechs, argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec); gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n", (unsigned int)result->major_status, (int)result->minor_status);
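Review bot: the hunk removes the only visible consumer of `desired_name` in this call, so whatever imports it from the RPC arguments earlier in gssd_acquire_cred_1_svc (outside the hunk) now does work that gss_acquire_cred() ignores, and the compiler may report the variable as set but unused. Either drop that import (and its matching release) in the same change, or put a comment above the call recording why GSS_C_NO_NAME is passed, e.g. `/* Use the default credential: the host-based TGT is the only one in gssd's cache. */`, so a later cleanup does not put `desired_name` back. The commit message's justification ("should be the only TGT in the gssd's credential cache") is an assumption about cache contents rather than something the code verifies, which is another reason to record it next to the call rather than only in the log.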