Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / shift / mainline / 414ca017a54d26c3a58ed1504884e51448d22ae1^! / . / fs / nfsd / nfs4state.c
commit414ca017a54d26c3a58ed1504884e51448d22ae1[log] [tgz]
authorJ. Bruce Fields <bfields@redhat.com>Fri Nov 20 10:48:02 2015 -0500
committerJ. Bruce Fields <bfields@redhat.com>Tue Nov 24 11:36:31 2015 -0700
treee76eb79e0573b50eed71b8fe5a20696f702fde82
parent920dd9bb7d7cf9ae339e15240326a28a22f08a74 [diff] [blame]
nfsd4: fix gss-proxy 4.1 mounts for some AD principals

The principal name on a gss cred is used to setup the NFSv4.0 callback,
which has to have a client principal name to authenticate to.

That code wants the name to be in the form servicetype@hostname.
rpc.svcgssd passes down such names (and passes down no principal name at
all in the case the principal isn't a service principal).

gss-proxy always passes down the principal name, and passes it down in
the form servicetype/hostname@REALM.  So we've been munging the name
gss-proxy passes down into the format the NFSv4.0 callback code expects,
or throwing away the name if we can't.

Since the introduction of the MACH_CRED enforcement in NFSv4.1, we've
also been using the principal name to verify that certain operations are
done as the same principal as was used on the original EXCHANGE_ID call.

For that application, the original name passed down by gss-proxy is also
useful.

Lack of that name in some cases was causing some kerberized NFSv4.1
mount failures in an Active Directory environment.

This fix only works in the gss-proxy case.  The fix for legacy
rpc.svcgssd would be more involved, and rpc.svcgssd already has other
problems in the AD case.

Reported-and-tested-by: James Ralston <ralston@pobox.com>
Acked-by: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index ed58ced..113ecbf 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c

@@ -1875,6 +1875,10 @@
 	ret = strdup_if_nonnull(&target->cr_principal, source->cr_principal);
 	if (ret)
 		return ret;
+	ret = strdup_if_nonnull(&target->cr_raw_principal,
+					source->cr_raw_principal);
+	if (ret)
+		return ret;
 	target->cr_flavor = source->cr_flavor;
 	target->cr_uid = source->cr_uid;
 	target->cr_gid = source->cr_gid;
@@ -1978,6 +1982,9 @@
 		return false;
 	if (!svc_rqst_integrity_protected(rqstp))
 		return false;
+	if (cl->cl_cred.cr_raw_principal)
+		return 0 == strcmp(cl->cl_cred.cr_raw_principal,
+						cr->cr_raw_principal);
 	if (!cr->cr_principal)
 		return false;
 	return 0 == strcmp(cl->cl_cred.cr_principal, cr->cr_principal);
@@ -2390,7 +2397,8 @@
 		 * Which is a bug, really.  Anyway, we can't enforce
 		 * MACH_CRED in that case, better to give up now:
 		 */
-		if (!new->cl_cred.cr_principal) {
+		if (!new->cl_cred.cr_principal &&
+					!new->cl_cred.cr_raw_principal) {
 			status = nfserr_serverfault;
 			goto out_nolock;
 		}