Merge lp:~stgraber/ubuntu/saucy/nfs-utils/debian-merge into lp:debian/nfs-utils
Status: | Superseded |
---|---|
Proposed branch: | lp:~stgraber/ubuntu/saucy/nfs-utils/debian-merge |
Merge into: | lp:debian/nfs-utils |
Diff against target: | 3941 lines (+2798/-366), 33 files modified |
To merge this branch: | bzr merge lp:~stgraber/ubuntu/saucy/nfs-utils/debian-merge |
Related bugs: | |

Files modified:

- .pc/19-iscsiadm-path.patch/utils/osd_login/osd_login (+0/-118)
- .pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man (+0/-211)
- .pc/20-ticket-expired-error.patch/utils/gssd/gssd.c (+200/-0)
- .pc/20-ticket-expired-error.patch/utils/gssd/gssd.h (+106/-0)
- .pc/20-ticket-expired-error.patch/utils/gssd/gssd.man (+288/-0)
- .pc/20-ticket-expired-error.patch/utils/gssd/gssd_proc.c (+1261/-0)
- .pc/applied-patches (+1/-0)
- debian/changelog (+463/-0)
- debian/control (+4/-3)
- debian/idmapd.conf (+1/-1)
- debian/nfs-common.default (+0/-3)
- debian/nfs-common.dirs (+0/-1)
- debian/nfs-common.gssd-mounting.upstart (+57/-0)
- debian/nfs-common.gssd.upstart (+86/-0)
- debian/nfs-common.idmapd-mounting.upstart (+27/-0)
- debian/nfs-common.idmapd.upstart (+46/-0)
- debian/nfs-common.init (+2/-1)
- debian/nfs-common.postinst (+38/-10)
- debian/nfs-common.postrm (+0/-1)
- debian/nfs-common.preinst (+33/-0)
- debian/nfs-common.prerm (+0/-7)
- debian/nfs-common.statd-mounting.upstart (+30/-0)
- debian/nfs-common.statd.upstart (+43/-0)
- debian/nfs-kernel-server.default (+4/-1)
- debian/nfs-kernel-server.init (+5/-3)
- debian/nfs-kernel-server.postinst (+0/-1)
- debian/patches/20-ticket-expired-error.patch (+79/-0)
- debian/patches/series (+1/-0)
- debian/rules (+9/-2)
- utils/gssd/gssd.c (+6/-2)
- utils/gssd/gssd.h (+1/-0)
- utils/gssd/gssd.man (+6/-0)
- utils/gssd/gssd_proc.c (+1/-1)

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Langasek | | | Pending |

Review via email: mp+165699@code.launchpad.net
This proposal has been superseded by a proposal from 2013-05-24.
Commit message
Description of the change
Merge for nfs-utils, confirmed to build properly on amd64.
Unmerged revisions
- 72. By Stéphane Graber

  Merge from Debian

- 71. By Steve Langasek

  restore bug reference

- 70. By Stéphane Graber

  [ Steve Langasek ]
  * Adjust upstart jobs to treat TYPE=nfs and TYPE=nfs4 mounts identically,
    since TYPE=nfs4 is considered deprecated.
  * Fix various boot-time race conditions between mountall and nfs-utils by
    moving handling of the 'mounting' events to separate gssd-mounting and
    idmapd-mounting jobs. Requires mountall 2.41 or better to avoid deadlock
    on boot. LP: #643289, LP: #611397.
  * Fix the stop conditions: never stop on 'runlevel [06]' since that gives
    the system no time to cleanly unmount nfs mounts; instead, stop only on
    the unmounted-remote-filesystems event.
  * Newer versions of gssd don't talk to portmap, so don't make the upstart
    job depend on it.
  * Add an instance to statd-mounting, and change it to just wait for statd
    instead of trying to trigger it potentially out of order. This also means
    we don't need to try to force portmap to start from statd.

  [ Matthew L. Dailey ]
  * Add "-e" (ticket expiry is error) option to rpc.gssd to prevent hangs due
    to EKEYEXPIRED error from kernel on ticket expiry. LP: #794112

- 69. By Steve Langasek

  document bug closure

- 68. By Steve Langasek

  document bug closures

- 67. By Steve Langasek

  Since the -mounting jobs no longer try to start gssd/statd, anything that would
  make these services exit without respawning must also cause our -mounting job
  to exit.

- 66. By Steve Langasek

  Add an instance to statd-mounting, and change it to just wait for statd
  instead of trying to trigger it potentially out of order. This also means
  we don't need to try to force portmap to start from statd.

- 65. By Steve Langasek

  Newer versions of gssd don't talk to portmap, so don't make the upstart
  job depend on it.

- 64. By Steve Langasek

  Put the mountall dep on the right package

- 63. By Steve Langasek

  Fix the stop conditions: never stop on 'runlevel [06]' since that gives
  the system no time to cleanly unmount nfs mounts; instead, stop only on
  the unmounted-remote-filesystems event.
Preview Diff
1 | === added directory '.pc/19-iscsiadm-path.patch' |
2 | === removed directory '.pc/19-iscsiadm-path.patch' |
3 | === added directory '.pc/19-iscsiadm-path.patch/utils' |
4 | === removed directory '.pc/19-iscsiadm-path.patch/utils' |
5 | === added directory '.pc/19-iscsiadm-path.patch/utils/osd_login' |
6 | === removed directory '.pc/19-iscsiadm-path.patch/utils/osd_login' |
7 | === added file '.pc/19-iscsiadm-path.patch/utils/osd_login/osd_login' |
8 | --- .pc/19-iscsiadm-path.patch/utils/osd_login/osd_login 1970-01-01 00:00:00 +0000 |
9 | +++ .pc/19-iscsiadm-path.patch/utils/osd_login/osd_login 2013-05-24 21:14:25 +0000 |
10 | @@ -0,0 +1,118 @@ |
11 | +#!/bin/bash |
12 | +# |
13 | +# osd_login : This script is part of the autologin feature |
14 | +# mandated by the pnfs-objects standard. |
15 | +# It is called from objlayoutdriver.ko in the kernel. |
16 | + |
17 | +# Copyright (C) 2012, Sachin Bhamare <sbhamare@panasas.com> |
18 | +# Copyright (C) 2012, Boaz Harrosh <bharrosh@panasas.com> |
19 | +# |
20 | +# This program is free software; you can redistribute it and/or modify |
21 | +# it under the terms of the GNU General Public License version 2 as |
22 | +# published by the Free Software Foundation. |
23 | +# |
24 | +# This program is distributed in the hope that it will be useful, |
25 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of |
26 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
27 | +# GNU General Public License for more details. |
28 | +# |
29 | +# You should have received a copy of the GNU General Public License |
30 | +# along with this program; if not, write to the Free Software |
31 | +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, |
32 | +# MA 02110-1301 USA |
33 | + |
34 | +umask 022 |
35 | + |
36 | +PATH="/sbin:/usr/sbin:/bin:/usr/bin" |
37 | + |
38 | +iscsiadm=/sbin/iscsiadm |
39 | + |
40 | +PARENT_PID=$BASHPID |
41 | +WATCHDOG_TIMEOUT=15 |
42 | + |
43 | +protocol="" |
44 | +portal="" |
45 | +uri="" |
46 | +osdname="" |
47 | +systemid="" |
48 | + |
49 | +usage() |
50 | +{ |
51 | + echo "Usage: $0 -u <URI> -o <OSDNAME> -s <SYSTEMID>" |
52 | + echo "Options:" |
53 | + echo "-u target uri e.g. iscsi://<ip>:<port>" |
54 | + echo "-o osdname of the target OSD" |
55 | + echo "-s systemid of the target OSD" |
56 | +} |
57 | + |
58 | +parse_cmdline() |
59 | +{ |
60 | + argc=$# |
61 | + if [ $# -lt 3 ]; then |
62 | + usage |
63 | + exit 1 |
64 | + fi |
65 | + |
66 | + # parse the input arguments |
67 | + while getopts "u:o:s:" options; do |
68 | + case $options in |
69 | + u ) uri=$OPTARG;; |
70 | + o ) osdname=$OPTARG;; |
71 | + s ) systemid=$OPTARG;; |
72 | + \? ) usage |
73 | + exit 1;; |
74 | + * ) usage |
75 | + exit 1;; |
76 | + esac |
77 | + done |
78 | + |
79 | + echo "-u : $uri" |
80 | + echo "-o : $osdname" |
81 | + echo "-s : $systemid" |
82 | + |
83 | + protocol=`echo $uri | awk -F ':' '{print $1}'` |
84 | + portal=`echo $uri | awk -F '//' '{print $2}'` |
85 | +} |
86 | + |
87 | +watchdog() |
88 | +{ |
89 | + timeout=$1 |
90 | + portal=$2 |
91 | + |
92 | + sleep $timeout |
93 | + if kill -9 $PARENT_PID; then |
94 | + echo "watchdog : Timed out (>$timeout seconds) while login into $portal" | logger -t "osd_login" |
95 | + fi |
96 | + echo "watchdog: exiting .." |
97 | + exit 2 |
98 | +} |
99 | + |
100 | +login_iscsi_osd() |
101 | +{ |
102 | + echo "login into: $1" |
103 | + if ! $iscsiadm -m discovery -o nonpersistent -t sendtargets -p $1 --login; then |
104 | + echo "$iscsiadm -m discovery -t sendtargets -p $1 --login returned error $? !" |
105 | + sleep 1; |
106 | + fi |
107 | +} |
108 | + |
109 | +echo "============= osd_login =========" |
110 | +echo "progname : $0" |
111 | +parse_cmdline "$@" |
112 | +echo "protocol: $protocol" |
113 | +echo "portal: $portal" |
114 | + |
115 | +watchdog $WATCHDOG_TIMEOUT $portal & |
116 | +watchdog_pid=$! |
117 | + |
118 | +case $protocol in |
119 | +iscsi) |
120 | + login_iscsi_osd $portal |& logger -t "osd_login" |
121 | + ;; |
122 | +*) |
123 | + echo "Error: protocol $protocol not supported !" | logger -t "osd_login" |
124 | + ;; |
125 | +esac |
126 | + |
127 | +kill -9 $watchdog_pid |
128 | +exit 0 |
129 | |
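Review bot: In login_iscsi_osd the error message expands $? inside the 'if ! $iscsiadm ...; then' branch, where it holds the status of the negated test (always 0) rather than iscsiadm's exit code, so the logged error number is never the real one. Run the command first, save its status in a variable, and test and print that variable. In the same function '-p $1' is unquoted, and parse_cmdline derives protocol and portal from an unquoted 'echo $uri'; the header comment says the script is called from objlayoutdriver.ko with the URI as an argument, so quote "$1", "$uri" and "$portal" to keep the value from word-splitting into extra iscsiadm arguments. The script also finishes with 'exit 0' on every path, including the 'protocol not supported' branch, so the caller cannot tell a failed login from a successful one.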
130 | === removed file '.pc/19-iscsiadm-path.patch/utils/osd_login/osd_login' |
131 | --- .pc/19-iscsiadm-path.patch/utils/osd_login/osd_login 2012-05-25 20:41:58 +0000 |
132 | +++ .pc/19-iscsiadm-path.patch/utils/osd_login/osd_login 1970-01-01 00:00:00 +0000 |
133 | @@ -1,118 +0,0 @@ |
134 | -#!/bin/bash |
135 | -# |
136 | -# osd_login : This script is part of the autologin feature |
137 | -# mandated by the pnfs-objects standard. |
138 | -# It is called from objlayoutdriver.ko in the kernel. |
139 | - |
140 | -# Copyright (C) 2012, Sachin Bhamare <sbhamare@panasas.com> |
141 | -# Copyright (C) 2012, Boaz Harrosh <bharrosh@panasas.com> |
142 | -# |
143 | -# This program is free software; you can redistribute it and/or modify |
144 | -# it under the terms of the GNU General Public License version 2 as |
145 | -# published by the Free Software Foundation. |
146 | -# |
147 | -# This program is distributed in the hope that it will be useful, |
148 | -# but WITHOUT ANY WARRANTY; without even the implied warranty of |
149 | -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
150 | -# GNU General Public License for more details. |
151 | -# |
152 | -# You should have received a copy of the GNU General Public License |
153 | -# along with this program; if not, write to the Free Software |
154 | -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, |
155 | -# MA 02110-1301 USA |
156 | - |
157 | -umask 022 |
158 | - |
159 | -PATH="/sbin:/usr/sbin:/bin:/usr/bin" |
160 | - |
161 | -iscsiadm=/sbin/iscsiadm |
162 | - |
163 | -PARENT_PID=$BASHPID |
164 | -WATCHDOG_TIMEOUT=15 |
165 | - |
166 | -protocol="" |
167 | -portal="" |
168 | -uri="" |
169 | -osdname="" |
170 | -systemid="" |
171 | - |
172 | -usage() |
173 | -{ |
174 | - echo "Usage: $0 -u <URI> -o <OSDNAME> -s <SYSTEMID>" |
175 | - echo "Options:" |
176 | - echo "-u target uri e.g. iscsi://<ip>:<port>" |
177 | - echo "-o osdname of the target OSD" |
178 | - echo "-s systemid of the target OSD" |
179 | -} |
180 | - |
181 | -parse_cmdline() |
182 | -{ |
183 | - argc=$# |
184 | - if [ $# -lt 3 ]; then |
185 | - usage |
186 | - exit 1 |
187 | - fi |
188 | - |
189 | - # parse the input arguments |
190 | - while getopts "u:o:s:" options; do |
191 | - case $options in |
192 | - u ) uri=$OPTARG;; |
193 | - o ) osdname=$OPTARG;; |
194 | - s ) systemid=$OPTARG;; |
195 | - \? ) usage |
196 | - exit 1;; |
197 | - * ) usage |
198 | - exit 1;; |
199 | - esac |
200 | - done |
201 | - |
202 | - echo "-u : $uri" |
203 | - echo "-o : $osdname" |
204 | - echo "-s : $systemid" |
205 | - |
206 | - protocol=`echo $uri | awk -F ':' '{print $1}'` |
207 | - portal=`echo $uri | awk -F '//' '{print $2}'` |
208 | -} |
209 | - |
210 | -watchdog() |
211 | -{ |
212 | - timeout=$1 |
213 | - portal=$2 |
214 | - |
215 | - sleep $timeout |
216 | - if kill -9 $PARENT_PID; then |
217 | - echo "watchdog : Timed out (>$timeout seconds) while login into $portal" | logger -t "osd_login" |
218 | - fi |
219 | - echo "watchdog: exiting .." |
220 | - exit 2 |
221 | -} |
222 | - |
223 | -login_iscsi_osd() |
224 | -{ |
225 | - echo "login into: $1" |
226 | - if ! $iscsiadm -m discovery -o nonpersistent -t sendtargets -p $1 --login; then |
227 | - echo "$iscsiadm -m discovery -t sendtargets -p $1 --login returned error $? !" |
228 | - sleep 1; |
229 | - fi |
230 | -} |
231 | - |
232 | -echo "============= osd_login =========" |
233 | -echo "progname : $0" |
234 | -parse_cmdline "$@" |
235 | -echo "protocol: $protocol" |
236 | -echo "portal: $portal" |
237 | - |
238 | -watchdog $WATCHDOG_TIMEOUT $portal & |
239 | -watchdog_pid=$! |
240 | - |
241 | -case $protocol in |
242 | -iscsi) |
243 | - login_iscsi_osd $portal |& logger -t "osd_login" |
244 | - ;; |
245 | -*) |
246 | - echo "Error: protocol $protocol not supported !" | logger -t "osd_login" |
247 | - ;; |
248 | -esac |
249 | - |
250 | -kill -9 $watchdog_pid |
251 | -exit 0 |
252 | |
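Review bot: The same path, .pc/19-iscsiadm-path.patch/utils/osd_login/osd_login, appears as an added file in the previous hunk and as a removed file here with the same 118 lines of content, while the file list counts it as (+0/-118). Please confirm whether the 19-iscsiadm-path.patch state is meant to stay or go after the merge. If .pc/ is only quilt's working state, consider leaving it out of the branch so the diff shows the actual packaging changes and not add/remove pairs like this one.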
253 | === added directory '.pc/20-remove-autogenerated-man.patch' |
254 | === removed directory '.pc/20-remove-autogenerated-man.patch' |
255 | === added directory '.pc/20-remove-autogenerated-man.patch/utils' |
256 | === removed directory '.pc/20-remove-autogenerated-man.patch/utils' |
257 | === added directory '.pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack' |
258 | === removed directory '.pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack' |
259 | === added file '.pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man' |
260 | --- .pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man 1970-01-01 00:00:00 +0000 |
261 | +++ .pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man 2013-05-24 21:14:25 +0000 |
262 | @@ -0,0 +1,211 @@ |
263 | +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) |
264 | +.\" |
265 | +.\" Standard preamble: |
266 | +.\" ======================================================================== |
267 | +.de Sp \" Vertical space (when we can't use .PP) |
268 | +.if t .sp .5v |
269 | +.if n .sp |
270 | +.. |
271 | +.de Vb \" Begin verbatim text |
272 | +.ft CW |
273 | +.nf |
274 | +.ne \\$1 |
275 | +.. |
276 | +.de Ve \" End verbatim text |
277 | +.ft R |
278 | +.fi |
279 | +.. |
280 | +.\" Set up some character translations and predefined strings. \*(-- will |
281 | +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
282 | +.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
283 | +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
284 | +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
285 | +.\" nothing in troff, for use with C<>. |
286 | +.tr \(*W- |
287 | +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
288 | +.ie n \{\ |
289 | +. ds -- \(*W- |
290 | +. ds PI pi |
291 | +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
292 | +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
293 | +. ds L" "" |
294 | +. ds R" "" |
295 | +. ds C` "" |
296 | +. ds C' "" |
297 | +'br\} |
298 | +.el\{\ |
299 | +. ds -- \|\(em\| |
300 | +. ds PI \(*p |
301 | +. ds L" `` |
302 | +. ds R" '' |
303 | +'br\} |
304 | +.\" |
305 | +.\" Escape single quotes in literal strings from groff's Unicode transform. |
306 | +.ie \n(.g .ds Aq \(aq |
307 | +.el .ds Aq ' |
308 | +.\" |
309 | +.\" If the F register is turned on, we'll generate index entries on stderr for |
310 | +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
311 | +.\" entries marked with X<> in POD. Of course, you'll have to process the |
312 | +.\" output yourself in some meaningful fashion. |
313 | +.ie \nF \{\ |
314 | +. de IX |
315 | +. tm Index:\\$1\t\\n%\t"\\$2" |
316 | +.. |
317 | +. nr % 0 |
318 | +. rr F |
319 | +.\} |
320 | +.el \{\ |
321 | +. de IX |
322 | +.. |
323 | +.\} |
324 | +.\" |
325 | +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
326 | +.\" Fear. Run. Save yourself. No user-serviceable parts. |
327 | +. \" fudge factors for nroff and troff |
328 | +.if n \{\ |
329 | +. ds #H 0 |
330 | +. ds #V .8m |
331 | +. ds #F .3m |
332 | +. ds #[ \f1 |
333 | +. ds #] \fP |
334 | +.\} |
335 | +.if t \{\ |
336 | +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
337 | +. ds #V .6m |
338 | +. ds #F 0 |
339 | +. ds #[ \& |
340 | +. ds #] \& |
341 | +.\} |
342 | +. \" simple accents for nroff and troff |
343 | +.if n \{\ |
344 | +. ds ' \& |
345 | +. ds ` \& |
346 | +. ds ^ \& |
347 | +. ds , \& |
348 | +. ds ~ ~ |
349 | +. ds / |
350 | +.\} |
351 | +.if t \{\ |
352 | +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
353 | +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
354 | +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
355 | +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
356 | +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
357 | +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
358 | +.\} |
359 | +. \" troff and (daisy-wheel) nroff accents |
360 | +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
361 | +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
362 | +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
363 | +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
364 | +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
365 | +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
366 | +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
367 | +.ds ae a\h'-(\w'a'u*4/10)'e |
368 | +.ds Ae A\h'-(\w'A'u*4/10)'E |
369 | +. \" corrections for vroff |
370 | +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
371 | +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
372 | +. \" for low resolution devices (crt and lpr) |
373 | +.if \n(.H>23 .if \n(.V>19 \ |
374 | +\{\ |
375 | +. ds : e |
376 | +. ds 8 ss |
377 | +. ds o a |
378 | +. ds d- d\h'-1'\(ga |
379 | +. ds D- D\h'-1'\(hy |
380 | +. ds th \o'bp' |
381 | +. ds Th \o'LP' |
382 | +. ds ae ae |
383 | +. ds Ae AE |
384 | +.\} |
385 | +.rm #[ #] #H #V #F C |
386 | +.\" ======================================================================== |
387 | +.\" |
388 | +.IX Title "NFSDCLTRACK 8" |
389 | +.TH NFSDCLTRACK 8 "2012-10-24" "" "" |
390 | +.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
391 | +.\" way too many mistakes in technical documents. |
392 | +.if n .ad l |
393 | +.nh |
394 | +.SH "NAME" |
395 | +nfsdcltrack \- NFSv4 Client Tracking Callout Program |
396 | +.SH "SYNOPSIS" |
397 | +.IX Header "SYNOPSIS" |
398 | +nfsdcltrack [\-d] [\-f] [\-s stable storage dir] <command> <args...> |
399 | +.SH "DESCRIPTION" |
400 | +.IX Header "DESCRIPTION" |
401 | +nfsdcltack is the NFSv4 client tracking callout program. It is not necessary |
402 | +to install this daemon on machines that are not acting as NFSv4 servers. |
403 | +.PP |
404 | +When a network partition is combined with a server reboot, there are |
405 | +edge conditions that can cause the server to grant lock reclaims when |
406 | +other clients have taken conflicting locks in the interim. A more detailed |
407 | +explanation of this issue is described in \s-1RFC\s0 3530, section 8.6.3. |
408 | +.PP |
409 | +In order to prevent these problems, the server must track a small amount |
410 | +of per-client information on stable storage. This program provides the |
411 | +userspace piece of that functionality. When the kernel needs to manipulate |
412 | +the database that stores this info, it will execute this program to handle |
413 | +it. |
414 | +.SH "OPTIONS" |
415 | +.IX Header "OPTIONS" |
416 | +.IP "\fB\-d\fR, \fB\-\-debug\fR" 4 |
417 | +.IX Item "-d, --debug" |
418 | +Enable debug level logging. |
419 | +.IP "\fB\-f\fR, \fB\-\-foreground\fR" 4 |
420 | +.IX Item "-f, --foreground" |
421 | +Log to stderr instead of syslog. |
422 | +.IP "\fB\-s\fR \fIstoragedir\fR, \fB\-\-storagedir\fR=\fIstorage_dir\fR" 4 |
423 | +.IX Item "-s storagedir, --storagedir=storage_dir" |
424 | +Directory where stable storage information should be kept. The default |
425 | +value is \fI/var/lib/nfs/nfsdcltrack\fR. |
426 | +.SH "COMMANDS" |
427 | +.IX Header "COMMANDS" |
428 | +nfsdcltrack requires a command for each invocation. Supported commands |
429 | +are: |
430 | +.IP "\fBinit\fR" 4 |
431 | +.IX Item "init" |
432 | +Initialize the database. This command requires no argument. |
433 | +.IP "\fBcreate\fR" 4 |
434 | +.IX Item "create" |
435 | +Create a new client record (or update the timestamp on an existing one). This command requires a hex-encoded nfs_client_id4 as an argument. |
436 | +.IP "\fBremove\fR" 4 |
437 | +.IX Item "remove" |
438 | +Remove a client record from the database. This command requires a hex-encoded nfs_client_id4 as an argument. |
439 | +.IP "\fBcheck\fR" 4 |
440 | +.IX Item "check" |
441 | +Check to see if a nfs_client_id4 is allowed to reclaim. This command requires a hex-encoded nfs_client_id4 as an argument. |
442 | +.IP "\fBgracedone\fR" 4 |
443 | +.IX Item "gracedone" |
444 | +Remove any unreclaimed client records from the database. This command requires a epoch boot time as an argument. |
445 | +.SH "LEGACY TRANSITION MECHANISM" |
446 | +.IX Header "LEGACY TRANSITION MECHANISM" |
447 | +The Linux kernel NFSv4 server has historically tracked this information |
448 | +on stable storage by manipulating information on the filesystem |
449 | +directly, in the directory to which \fI/proc/fs/nfsd/nfsv4recoverydir\fR |
450 | +points. If the kernel passes the correct information, then nfsdcltrack |
451 | +can use it to allow a seamless transition from the old client tracking |
452 | +scheme to the new one. |
453 | +.PP |
454 | +On a \fBcheck\fR operation, if there is no record of the client in the |
455 | +database, nfsdcltrack will look to see if the \fB\s-1NFSDCLTRACK_LEGACY_RECDIR\s0\fR |
456 | +environment variable is set. If it is, then it will fetch that value and |
457 | +see if a directory exists by that name. If it does, then the check |
458 | +operation will succeed and the directory will be removed. |
459 | +.PP |
460 | +On a \fBgracedone\fR operation, nfsdcltrack will look to see if the |
461 | +\&\fB\s-1NFSDCLTRACK_LEGACY_TOPDIR\s0\fR environment variable is set. If it is, then |
462 | +it will attempt to clean out that directory prior to exiting. |
463 | +.PP |
464 | +Note that this transition is one-way. If the machine subsequently reboots |
465 | +back into an older kernel that does not support the nfsdcltrack upcall |
466 | +then the clients will not be able to recover their state. |
467 | +.SH "NOTES" |
468 | +.IX Header "NOTES" |
469 | +This program requires a kernel that supports the nfsdcltrack usermodehelper |
470 | +upcall. This support was first added to mainline kernels in 3.8. |
471 | +.SH "AUTHORS" |
472 | +.IX Header "AUTHORS" |
473 | +nfsdcltrack was developed by Jeff Layton <jlayton@redhat.com>. |
474 | |
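Review bot: The DESCRIPTION section misspells the program name as 'nfsdcltack' (it is 'nfsdcltrack' everywhere else in the page), and the gracedone entry under COMMANDS reads 'requires a epoch boot time', which should be 'an epoch boot time'. The first line says the page is automatically generated by Pod::Man, so both fixes belong in the POD source it was generated from, not in this file.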
475 | === removed file '.pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man' |
476 | --- .pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man 2013-05-14 00:46:42 +0000 |
477 | +++ .pc/20-remove-autogenerated-man.patch/utils/nfsdcltrack/nfsdcltrack.man 1970-01-01 00:00:00 +0000 |
478 | @@ -1,211 +0,0 @@ |
479 | -.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) |
480 | -.\" |
481 | -.\" Standard preamble: |
482 | -.\" ======================================================================== |
483 | -.de Sp \" Vertical space (when we can't use .PP) |
484 | -.if t .sp .5v |
485 | -.if n .sp |
486 | -.. |
487 | -.de Vb \" Begin verbatim text |
488 | -.ft CW |
489 | -.nf |
490 | -.ne \\$1 |
491 | -.. |
492 | -.de Ve \" End verbatim text |
493 | -.ft R |
494 | -.fi |
495 | -.. |
496 | -.\" Set up some character translations and predefined strings. \*(-- will |
497 | -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
498 | -.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
499 | -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
500 | -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
501 | -.\" nothing in troff, for use with C<>. |
502 | -.tr \(*W- |
503 | -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
504 | -.ie n \{\ |
505 | -. ds -- \(*W- |
506 | -. ds PI pi |
507 | -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
508 | -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
509 | -. ds L" "" |
510 | -. ds R" "" |
511 | -. ds C` "" |
512 | -. ds C' "" |
513 | -'br\} |
514 | -.el\{\ |
515 | -. ds -- \|\(em\| |
516 | -. ds PI \(*p |
517 | -. ds L" `` |
518 | -. ds R" '' |
519 | -'br\} |
520 | -.\" |
521 | -.\" Escape single quotes in literal strings from groff's Unicode transform. |
522 | -.ie \n(.g .ds Aq \(aq |
523 | -.el .ds Aq ' |
524 | -.\" |
525 | -.\" If the F register is turned on, we'll generate index entries on stderr for |
526 | -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
527 | -.\" entries marked with X<> in POD. Of course, you'll have to process the |
528 | -.\" output yourself in some meaningful fashion. |
529 | -.ie \nF \{\ |
530 | -. de IX |
531 | -. tm Index:\\$1\t\\n%\t"\\$2" |
532 | -.. |
533 | -. nr % 0 |
534 | -. rr F |
535 | -.\} |
536 | -.el \{\ |
537 | -. de IX |
538 | -.. |
539 | -.\} |
540 | -.\" |
541 | -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
542 | -.\" Fear. Run. Save yourself. No user-serviceable parts. |
543 | -. \" fudge factors for nroff and troff |
544 | -.if n \{\ |
545 | -. ds #H 0 |
546 | -. ds #V .8m |
547 | -. ds #F .3m |
548 | -. ds #[ \f1 |
549 | -. ds #] \fP |
550 | -.\} |
551 | -.if t \{\ |
552 | -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
553 | -. ds #V .6m |
554 | -. ds #F 0 |
555 | -. ds #[ \& |
556 | -. ds #] \& |
557 | -.\} |
558 | -. \" simple accents for nroff and troff |
559 | -.if n \{\ |
560 | -. ds ' \& |
561 | -. ds ` \& |
562 | -. ds ^ \& |
563 | -. ds , \& |
564 | -. ds ~ ~ |
565 | -. ds / |
566 | -.\} |
567 | -.if t \{\ |
568 | -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
569 | -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
570 | -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
571 | -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
572 | -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
573 | -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
574 | -.\} |
575 | -. \" troff and (daisy-wheel) nroff accents |
576 | -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
577 | -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
578 | -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
579 | -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
580 | -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
581 | -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
582 | -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
583 | -.ds ae a\h'-(\w'a'u*4/10)'e |
584 | -.ds Ae A\h'-(\w'A'u*4/10)'E |
585 | -. \" corrections for vroff |
586 | -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
587 | -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
588 | -. \" for low resolution devices (crt and lpr) |
589 | -.if \n(.H>23 .if \n(.V>19 \ |
590 | -\{\ |
591 | -. ds : e |
592 | -. ds 8 ss |
593 | -. ds o a |
594 | -. ds d- d\h'-1'\(ga |
595 | -. ds D- D\h'-1'\(hy |
596 | -. ds th \o'bp' |
597 | -. ds Th \o'LP' |
598 | -. ds ae ae |
599 | -. ds Ae AE |
600 | -.\} |
601 | -.rm #[ #] #H #V #F C |
602 | -.\" ======================================================================== |
603 | -.\" |
604 | -.IX Title "NFSDCLTRACK 8" |
605 | -.TH NFSDCLTRACK 8 "2012-10-24" "" "" |
606 | -.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
607 | -.\" way too many mistakes in technical documents. |
608 | -.if n .ad l |
609 | -.nh |
610 | -.SH "NAME" |
611 | -nfsdcltrack \- NFSv4 Client Tracking Callout Program |
612 | -.SH "SYNOPSIS" |
613 | -.IX Header "SYNOPSIS" |
614 | -nfsdcltrack [\-d] [\-f] [\-s stable storage dir] <command> <args...> |
615 | -.SH "DESCRIPTION" |
616 | -.IX Header "DESCRIPTION" |
617 | -nfsdcltack is the NFSv4 client tracking callout program. It is not necessary |
618 | -to install this daemon on machines that are not acting as NFSv4 servers. |
619 | -.PP |
620 | -When a network partition is combined with a server reboot, there are |
621 | -edge conditions that can cause the server to grant lock reclaims when |
622 | -other clients have taken conflicting locks in the interim. A more detailed |
623 | -explanation of this issue is described in \s-1RFC\s0 3530, section 8.6.3. |
624 | -.PP |
625 | -In order to prevent these problems, the server must track a small amount |
626 | -of per-client information on stable storage. This program provides the |
627 | -userspace piece of that functionality. When the kernel needs to manipulate |
628 | -the database that stores this info, it will execute this program to handle |
629 | -it. |
630 | -.SH "OPTIONS" |
631 | -.IX Header "OPTIONS" |
632 | -.IP "\fB\-d\fR, \fB\-\-debug\fR" 4 |
633 | -.IX Item "-d, --debug" |
634 | -Enable debug level logging. |
635 | -.IP "\fB\-f\fR, \fB\-\-foreground\fR" 4 |
636 | -.IX Item "-f, --foreground" |
637 | -Log to stderr instead of syslog. |
638 | -.IP "\fB\-s\fR \fIstoragedir\fR, \fB\-\-storagedir\fR=\fIstorage_dir\fR" 4 |
639 | -.IX Item "-s storagedir, --storagedir=storage_dir" |
640 | -Directory where stable storage information should be kept. The default |
641 | -value is \fI/var/lib/nfs/nfsdcltrack\fR. |
642 | -.SH "COMMANDS" |
643 | -.IX Header "COMMANDS" |
644 | -nfsdcltrack requires a command for each invocation. Supported commands |
645 | -are: |
646 | -.IP "\fBinit\fR" 4 |
647 | -.IX Item "init" |
648 | -Initialize the database. This command requires no argument. |
649 | -.IP "\fBcreate\fR" 4 |
650 | -.IX Item "create" |
651 | -Create a new client record (or update the timestamp on an existing one). This command requires a hex-encoded nfs_client_id4 as an argument. |
652 | -.IP "\fBremove\fR" 4 |
653 | -.IX Item "remove" |
654 | -Remove a client record from the database. This command requires a hex-encoded nfs_client_id4 as an argument. |
655 | -.IP "\fBcheck\fR" 4 |
656 | -.IX Item "check" |
657 | -Check to see if a nfs_client_id4 is allowed to reclaim. This command requires a hex-encoded nfs_client_id4 as an argument. |
658 | -.IP "\fBgracedone\fR" 4 |
659 | -.IX Item "gracedone" |
660 | -Remove any unreclaimed client records from the database. This command requires a epoch boot time as an argument. |
661 | -.SH "LEGACY TRANSITION MECHANISM" |
662 | -.IX Header "LEGACY TRANSITION MECHANISM" |
663 | -The Linux kernel NFSv4 server has historically tracked this information |
664 | -on stable storage by manipulating information on the filesystem |
665 | -directly, in the directory to which \fI/proc/fs/nfsd/nfsv4recoverydir\fR |
666 | -points. If the kernel passes the correct information, then nfsdcltrack |
667 | -can use it to allow a seamless transition from the old client tracking |
668 | -scheme to the new one. |
669 | -.PP |
670 | -On a \fBcheck\fR operation, if there is no record of the client in the |
671 | -database, nfsdcltrack will look to see if the \fB\s-1NFSDCLTRACK_LEGACY_RECDIR\s0\fR |
672 | -environment variable is set. If it is, then it will fetch that value and |
673 | -see if a directory exists by that name. If it does, then the check |
674 | -operation will succeed and the directory will be removed. |
675 | -.PP |
676 | -On a \fBgracedone\fR operation, nfsdcltrack will look to see if the |
677 | -\&\fB\s-1NFSDCLTRACK_LEGACY_TOPDIR\s0\fR environment variable is set. If it is, then |
678 | -it will attempt to clean out that directory prior to exiting. |
679 | -.PP |
680 | -Note that this transition is one-way. If the machine subsequently reboots |
681 | -back into an older kernel that does not support the nfsdcltrack upcall |
682 | -then the clients will not be able to recover their state. |
683 | -.SH "NOTES" |
684 | -.IX Header "NOTES" |
685 | -This program requires a kernel that supports the nfsdcltrack usermodehelper |
686 | -upcall. This support was first added to mainline kernels in 3.8. |
687 | -.SH "AUTHORS" |
688 | -.IX Header "AUTHORS" |
689 | -nfsdcltrack was developed by Jeff Layton <jlayton@redhat.com>. |
690 | |
691 | === added directory '.pc/20-ticket-expired-error.patch' |
692 | === added directory '.pc/20-ticket-expired-error.patch/utils' |
693 | === added directory '.pc/20-ticket-expired-error.patch/utils/gssd' |
694 | === added file '.pc/20-ticket-expired-error.patch/utils/gssd/gssd.c' |
695 | --- .pc/20-ticket-expired-error.patch/utils/gssd/gssd.c 1970-01-01 00:00:00 +0000 |
696 | +++ .pc/20-ticket-expired-error.patch/utils/gssd/gssd.c 2013-05-24 21:14:25 +0000 |
697 | @@ -0,0 +1,200 @@ |
698 | +/* |
699 | + gssd.c |
700 | + |
701 | + Copyright (c) 2000 The Regents of the University of Michigan. |
702 | + All rights reserved. |
703 | + |
704 | + Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>. |
705 | + Copyright (c) 2002 Andy Adamson <andros@UMICH.EDU>. |
706 | + Copyright (c) 2002 Marius Aamodt Eriksen <marius@UMICH.EDU>. |
707 | + All rights reserved, all wrongs reversed. |
708 | + |
709 | + Redistribution and use in source and binary forms, with or without |
710 | + modification, are permitted provided that the following conditions |
711 | + are met: |
712 | + |
713 | + 1. Redistributions of source code must retain the above copyright |
714 | + notice, this list of conditions and the following disclaimer. |
715 | + 2. Redistributions in binary form must reproduce the above copyright |
716 | + notice, this list of conditions and the following disclaimer in the |
717 | + documentation and/or other materials provided with the distribution. |
718 | + 3. Neither the name of the University nor the names of its |
719 | + contributors may be used to endorse or promote products derived |
720 | + from this software without specific prior written permission. |
721 | + |
722 | + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
723 | + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
724 | + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
725 | + DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
726 | + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
727 | + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
728 | + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
729 | + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
730 | + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
731 | + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
732 | + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
733 | + |
734 | +*/ |
735 | + |
736 | +#ifdef HAVE_CONFIG_H |
737 | +#include <config.h> |
738 | +#endif /* HAVE_CONFIG_H */ |
739 | + |
740 | +#include <sys/param.h> |
741 | +#include <sys/socket.h> |
742 | +#include <rpc/rpc.h> |
743 | + |
744 | +#include <unistd.h> |
745 | +#include <err.h> |
746 | +#include <stdio.h> |
747 | +#include <stdlib.h> |
748 | +#include <string.h> |
749 | +#include <signal.h> |
750 | +#include "gssd.h" |
751 | +#include "err_util.h" |
752 | +#include "gss_util.h" |
753 | +#include "krb5_util.h" |
754 | + |
755 | +char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR; |
756 | +char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE; |
757 | +char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR; |
758 | +char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1]; |
759 | +int use_memcache = 0; |
760 | +int root_uses_machine_creds = 1; |
761 | +unsigned int context_timeout = 0; |
762 | +char *preferred_realm = NULL; |
763 | + |
764 | +void |
765 | +sig_die(int signal) |
766 | +{ |
767 | + /* destroy krb5 machine creds */ |
768 | + if (root_uses_machine_creds) |
769 | + gssd_destroy_krb5_machine_creds(); |
770 | + printerr(1, "exiting on signal %d\n", signal); |
771 | + exit(0); |
772 | +} |
773 | + |
774 | +void |
775 | +sig_hup(int signal) |
776 | +{ |
777 | + /* don't exit on SIGHUP */ |
778 | + printerr(1, "Received SIGHUP(%d)... Ignoring.\n", signal); |
779 | + return; |
780 | +} |
781 | + |
782 | +static void |
783 | +usage(char *progname) |
784 | +{ |
785 | + fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n", |
786 | + progname); |
787 | + exit(1); |
788 | +} |
789 | + |
790 | +int |
791 | +main(int argc, char *argv[]) |
792 | +{ |
793 | + int fg = 0; |
794 | + int verbosity = 0; |
795 | + int rpc_verbosity = 0; |
796 | + int opt; |
797 | + int i; |
798 | + extern char *optarg; |
799 | + char *progname; |
800 | + |
801 | + memset(ccachesearch, 0, sizeof(ccachesearch)); |
802 | + while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R:")) != -1) { |
803 | + switch (opt) { |
804 | + case 'f': |
805 | + fg = 1; |
806 | + break; |
807 | + case 'm': |
808 | + /* Accept but ignore this. Now the default. */ |
809 | + break; |
810 | + case 'M': |
811 | + use_memcache = 1; |
812 | + break; |
813 | + case 'n': |
814 | + root_uses_machine_creds = 0; |
815 | + break; |
816 | + case 'v': |
817 | + verbosity++; |
818 | + break; |
819 | + case 'r': |
820 | + rpc_verbosity++; |
821 | + break; |
822 | + case 'p': |
823 | + strncpy(pipefs_dir, optarg, sizeof(pipefs_dir)); |
824 | + if (pipefs_dir[sizeof(pipefs_dir)-1] != '\0') |
825 | + errx(1, "pipefs path name too long"); |
826 | + break; |
827 | + case 'k': |
828 | + strncpy(keytabfile, optarg, sizeof(keytabfile)); |
829 | + if (keytabfile[sizeof(keytabfile)-1] != '\0') |
830 | + errx(1, "keytab path name too long"); |
831 | + break; |
832 | + case 'd': |
833 | + strncpy(ccachedir, optarg, sizeof(ccachedir)); |
834 | + if (ccachedir[sizeof(ccachedir)-1] != '\0') |
835 | + errx(1, "ccachedir path name too long"); |
836 | + break; |
837 | + case 't': |
838 | + context_timeout = atoi(optarg); |
839 | + break; |
840 | + case 'R': |
841 | + preferred_realm = strdup(optarg); |
842 | + break; |
843 | + case 'l': |
844 | +#ifdef HAVE_SET_ALLOWABLE_ENCTYPES |
845 | + limit_to_legacy_enctypes = 1; |
846 | +#else |
847 | + errx(1, "Encryption type limits not supported by Kerberos libraries."); |
848 | +#endif |
849 | + break; |
850 | + case 'D': |
851 | + avoid_dns = 0; |
852 | + break; |
853 | + default: |
854 | + usage(argv[0]); |
855 | + break; |
856 | + } |
857 | + } |
858 | + |
859 | + i = 0; |
860 | + ccachesearch[i++] = strtok(ccachedir, ":"); |
861 | + do { |
862 | + ccachesearch[i++] = strtok(NULL, ":"); |
863 | + } while (ccachesearch[i-1] != NULL && i < GSSD_MAX_CCACHE_SEARCH); |
864 | + |
865 | + if (preferred_realm == NULL) |
866 | + gssd_k5_get_default_realm(&preferred_realm); |
867 | + |
868 | + if ((progname = strrchr(argv[0], '/'))) |
869 | + progname++; |
870 | + else |
871 | + progname = argv[0]; |
872 | + |
873 | + initerr(progname, verbosity, fg); |
874 | +#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL |
875 | + if (verbosity && rpc_verbosity == 0) |
876 | + rpc_verbosity = verbosity; |
877 | + authgss_set_debug_level(rpc_verbosity); |
878 | +#else |
879 | + if (rpc_verbosity > 0) |
880 | + printerr(0, "Warning: rpcsec_gss library does not " |
881 | + "support setting debug level\n"); |
882 | +#endif |
883 | + |
884 | + if (gssd_check_mechs() != 0) |
885 | + errx(1, "Problem with gssapi library"); |
886 | + |
887 | + if (!fg && daemon(0, 0) < 0) |
888 | + errx(1, "fork"); |
889 | + |
890 | + signal(SIGINT, sig_die); |
891 | + signal(SIGTERM, sig_die); |
892 | + signal(SIGHUP, sig_hup); |
893 | + |
894 | + gssd_run(); |
895 | + printerr(0, "gssd_run returned!\n"); |
896 | + abort(); |
897 | +} |
898 | |
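Review bot: In the 't' case of the option switch, "context_timeout = atoi(optarg);" stores an unchecked atoi() result in an unsigned int, so a non-numeric argument silently becomes 0 (no explicit timeout) and a negative one wraps to a very large value. Parse it with strtoul(), check errno and the end pointer, and fail with errx() or usage() on bad input, the way the -p, -k and -d cases already reject over-long paths. Separately, sig_die() calls printerr() and exit() from signal context; neither is async-signal-safe, so setting a flag in the handler and doing the machine-credential cleanup from the main loop would be more robust.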
899 | === added file '.pc/20-ticket-expired-error.patch/utils/gssd/gssd.h' |
900 | --- .pc/20-ticket-expired-error.patch/utils/gssd/gssd.h 1970-01-01 00:00:00 +0000 |
901 | +++ .pc/20-ticket-expired-error.patch/utils/gssd/gssd.h 2013-05-24 21:14:25 +0000 |
902 | @@ -0,0 +1,106 @@ |
903 | +/* |
904 | + Copyright (c) 2004 The Regents of the University of Michigan. |
905 | + All rights reserved. |
906 | + |
907 | + Redistribution and use in source and binary forms, with or without |
908 | + modification, are permitted provided that the following conditions |
909 | + are met: |
910 | + |
911 | + 1. Redistributions of source code must retain the above copyright |
912 | + notice, this list of conditions and the following disclaimer. |
913 | + 2. Redistributions in binary form must reproduce the above copyright |
914 | + notice, this list of conditions and the following disclaimer in the |
915 | + documentation and/or other materials provided with the distribution. |
916 | + 3. Neither the name of the University nor the names of its |
917 | + contributors may be used to endorse or promote products derived |
918 | + from this software without specific prior written permission. |
919 | + |
920 | + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
921 | + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
922 | + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
923 | + DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
924 | + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
925 | + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
926 | + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
927 | + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
928 | + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
929 | + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
930 | + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
931 | +*/ |
932 | + |
933 | +#ifndef _RPC_GSSD_H_ |
934 | +#define _RPC_GSSD_H_ |
935 | + |
936 | +#include <sys/types.h> |
937 | +#include <sys/queue.h> |
938 | +#include <gssapi/gssapi.h> |
939 | + |
940 | +#define MAX_FILE_NAMELEN 32 |
941 | +#define FD_ALLOC_BLOCK 256 |
942 | +#ifndef GSSD_PIPEFS_DIR |
943 | +#define GSSD_PIPEFS_DIR "/var/lib/nfs/rpc_pipefs" |
944 | +#endif |
945 | +#define INFO "info" |
946 | +#define KRB5 "krb5" |
947 | +#define DNOTIFY_SIGNAL (SIGRTMIN + 3) |
948 | + |
949 | +#define GSSD_DEFAULT_CRED_DIR "/tmp" |
950 | +#define GSSD_USER_CRED_DIR "/run/user/%U" |
951 | +#define GSSD_DEFAULT_CRED_PREFIX "krb5cc" |
952 | +#define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine" |
953 | +#define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab" |
954 | +#define GSSD_SERVICE_NAME "nfs" |
955 | +#define GSSD_SERVICE_NAME_LEN 3 |
956 | +#define GSSD_MAX_CCACHE_SEARCH 16 |
957 | + |
958 | +/* |
959 | + * The gss mechanisms that we can handle |
960 | + */ |
961 | +enum {AUTHTYPE_KRB5, AUTHTYPE_LIPKEY}; |
962 | + |
963 | + |
964 | + |
965 | +extern char pipefs_dir[PATH_MAX]; |
966 | +extern char keytabfile[PATH_MAX]; |
967 | +extern char *ccachesearch[]; |
968 | +extern int use_memcache; |
969 | +extern int root_uses_machine_creds; |
970 | +extern unsigned int context_timeout; |
971 | +extern char *preferred_realm; |
972 | + |
973 | +TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list; |
974 | + |
975 | +struct clnt_info { |
976 | + TAILQ_ENTRY(clnt_info) list; |
977 | + char *dirname; |
978 | + int dir_fd; |
979 | + char *servicename; |
980 | + char *servername; |
981 | + int prog; |
982 | + int vers; |
983 | + char *protocol; |
984 | + int krb5_fd; |
985 | + int krb5_poll_index; |
986 | + int krb5_close_me; |
987 | + int gssd_fd; |
988 | + int gssd_poll_index; |
989 | + int gssd_close_me; |
990 | + struct sockaddr_storage addr; |
991 | +}; |
992 | + |
993 | +TAILQ_HEAD(topdirs_list_head, topdirs_info) topdirs_list; |
994 | + |
995 | +struct topdirs_info { |
996 | + TAILQ_ENTRY(topdirs_info) list; |
997 | + char *dirname; |
998 | + int fd; |
999 | +}; |
1000 | + |
1001 | +void init_client_list(void); |
1002 | +int update_client_list(void); |
1003 | +void handle_krb5_upcall(struct clnt_info *clp); |
1004 | +void handle_gssd_upcall(struct clnt_info *clp); |
1005 | +void gssd_run(void); |
1006 | + |
1007 | + |
1008 | +#endif /* _RPC_GSSD_H_ */ |
1009 | |
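Review bot: "TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list;" and "TAILQ_HEAD(topdirs_list_head, topdirs_info) topdirs_list;" define objects in the header instead of declaring them, so every file that includes gssd.h gets its own tentative definition and the link only succeeds where the toolchain merges common symbols (it fails with -fno-common). Declare both extern here, as is already done for pipefs_dir and keytabfile just above, and define each once in a .c file. The header also uses PATH_MAX and struct sockaddr_storage while including only <sys/types.h>, <sys/queue.h> and <gssapi/gssapi.h>, so it relies on whatever the including file pulled in first; adding <limits.h> and <sys/socket.h> here would make it self-contained.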
1010 | === added file '.pc/20-ticket-expired-error.patch/utils/gssd/gssd.man' |
1011 | --- .pc/20-ticket-expired-error.patch/utils/gssd/gssd.man 1970-01-01 00:00:00 +0000 |
1012 | +++ .pc/20-ticket-expired-error.patch/utils/gssd/gssd.man 2013-05-24 21:14:25 +0000 |
1013 | @@ -0,0 +1,288 @@ |
1014 | +.\" |
1015 | +.\" rpc.gssd(8) |
1016 | +.\" |
1017 | +.\" Copyright (C) 2003 J. Bruce Fields <bfields@umich.edu> |
1018 | +.\" |
1019 | +.TH rpc.gssd 8 "20 Feb 2013" |
1020 | +.SH NAME |
1021 | +rpc.gssd \- RPCSEC_GSS daemon |
1022 | +.SH SYNOPSIS |
1023 | +.B rpc.gssd |
1024 | +.RB [ \-DfMnlvr ] |
1025 | +.RB [ \-k |
1026 | +.IR keytab ] |
1027 | +.RB [ \-p |
1028 | +.IR pipefsdir ] |
1029 | +.RB [ \-d |
1030 | +.IR ccachedir ] |
1031 | +.RB [ \-t |
1032 | +.IR timeout ] |
1033 | +.RB [ \-R |
1034 | +.IR realm ] |
1035 | +.SH INTRODUCTION |
1036 | +The RPCSEC_GSS protocol, defined in RFC 5403, is used to provide |
1037 | +strong security for RPC-based protocols such as NFS. |
1038 | +.P |
1039 | +Before exchanging RPC requests using RPCSEC_GSS, an RPC client must |
1040 | +establish a GSS |
1041 | +.IR "security context" . |
1042 | +A security context is shared state on each |
1043 | +end of a network transport that enables GSS-API security services. |
1044 | +.P |
1045 | +Security contexts are established using |
1046 | +.IR "security credentials" . |
1047 | +A credential grants temporary access to a secure network service, |
1048 | +much as a railway ticket grants temporary access to use a rail service. |
1049 | +.P |
1050 | +A user typically obtains a credential by providing a password to the |
1051 | +.BR kinit (1) |
1052 | +command, or via a PAM library at login time. |
1053 | +A credential acquired with a |
1054 | +.I user principal |
1055 | +is known as a |
1056 | +.I user credential |
1057 | +(see |
1058 | +.BR kerberos (1) |
1059 | +for more on principals). |
1060 | +.P |
1061 | +For certain operations, a credential is required |
1062 | +which represents no user, |
1063 | +is otherwise unprivileged, |
1064 | +and is always available. |
1065 | +This is referred to as a |
1066 | +.IR "machine credential" . |
1067 | +.P |
1068 | +Machine credentials are typically established using a |
1069 | +.IR "service principal" , |
1070 | +whose encrypted password, called its |
1071 | +.IR key , |
1072 | +is stored in a file, called a |
1073 | +.IR keytab , |
1074 | +to avoid requiring a user prompt. |
1075 | +A machine credential effectively does not expire because the system |
1076 | +can renew it as needed without user intervention. |
1077 | +.P |
1078 | +Once obtained, credentials are typically stored in local temporary files |
1079 | +with well-known pathnames. |
1080 | +.SH DESCRIPTION |
1081 | +To establish GSS security contexts using these credential files, |
1082 | +the Linux kernel RPC client depends on a userspace daemon called |
1083 | +.BR rpc.gssd . |
1084 | +The |
1085 | +.B rpc.gssd |
1086 | +daemon uses the rpc_pipefs filesystem to communicate with the kernel. |
1087 | +.SS User Credentials |
1088 | +When a user authenticates using a command such as |
1089 | +.BR kinit (1), |
1090 | +the resulting credential is stored in a file with a well-known name |
1091 | +constructed using the user's UID. |
1092 | +.P |
1093 | +To interact with an NFS server |
1094 | +on behalf of a particular Kerberos-authenticated user, |
1095 | +the Linux kernel RPC client requests that |
1096 | +.B rpc.gssd |
1097 | +initialize a security context with the credential |
1098 | +in that user's credential file. |
1099 | +.P |
1100 | +Typically, credential files are placed in |
1101 | +.IR /tmp . |
1102 | +However, |
1103 | +.B rpc.gssd |
1104 | +can search for credential files in more than one directory. |
1105 | +See the description of the |
1106 | +.B -d |
1107 | +option for details. |
1108 | +.SS Machine Credentials |
1109 | +A user credential is established by a user and |
1110 | +is then shared with the kernel and |
1111 | +.BR rpc.gssd . |
1112 | +A machine credential is established by |
1113 | +.B rpc.gssd |
1114 | +for the kernel when there is no user. |
1115 | +Therefore |
1116 | +.B rpc.gssd |
1117 | +must already have the materials on hand to establish this credential |
1118 | +without requiring user intervention. |
1119 | +.P |
1120 | +.B rpc.gssd |
1121 | +searches the local system's keytab for a principal and key to use |
1122 | +to establish the machine credential. |
1123 | +By default, |
1124 | +.B rpc.gssd |
1125 | +assumes the file |
1126 | +.I /etc/krb5.keytab |
1127 | +contains principals and keys that can be used to obtain machine credentials. |
1128 | +.P |
1129 | +.B rpc.gssd |
1130 | +searches in the following order for a principal to use. |
1131 | +The first matching credential is used. |
1132 | +For the search, <hostname> and <REALM> are replaced with the local |
1133 | +system's hostname and Kerberos realm. |
1134 | +.sp |
1135 | + <HOSTNAME>$@<REALM> |
1136 | +.br |
1137 | + root/<hostname>@<REALM> |
1138 | +.br |
1139 | + nfs/<hostname>@<REALM> |
1140 | +.br |
1141 | + host/<hostname>@<REALM> |
1142 | +.br |
1143 | + root/<anyname>@<REALM> |
1144 | +.br |
1145 | + nfs/<anyname>@<REALM> |
1146 | +.br |
1147 | + host/<anyname>@<REALM> |
1148 | +.sp |
1149 | +The <anyname> entries match on the service name and realm, but ignore the hostname. |
1150 | +These can be used if a principal matching the local host's name is not found. |
1151 | +.P |
1152 | +Note that the first principal in the search order is a user principal |
1153 | +that enables Kerberized NFS when the local system is joined |
1154 | +to an Active Directory domain using Samba. |
1155 | +A password for this principal must be provided in the local system's keytab. |
1156 | +.P |
1157 | +You can specify another keytab by using the |
1158 | +.B -k |
1159 | +option if |
1160 | +.I /etc/krb5.keytab |
1161 | +does not exist or does not provide one of these principals. |
1162 | +.SS Credentials for UID 0 |
1163 | +UID 0 is a special case. |
1164 | +By default |
1165 | +.B rpc.gssd |
1166 | +uses the system's machine credentials for UID 0 accesses |
1167 | +that require GSS authentication. |
1168 | +This limits the privileges of the root user |
1169 | +when accessing network resources that require authentication. |
1170 | +.P |
1171 | +Specify the |
1172 | +.B -n |
1173 | +option when starting |
1174 | +.B rpc.gssd |
1175 | +if you'd like to force the root user to obtain a user credential |
1176 | +rather than use the local system's machine credential. |
1177 | +.P |
1178 | +When |
1179 | +.B -n |
1180 | +is specified, |
1181 | +the kernel continues to request a GSS context established |
1182 | +with a machine credential for NFSv4 operations, |
1183 | +such as SETCLIENTID or RENEW, that manage state. |
1184 | +If |
1185 | +.B rpc.gssd |
1186 | +cannot obtain a machine credential (say, the local system has |
1187 | +no keytab), NFSv4 operations that require machine credentials will fail. |
1188 | +.SS Encryption types |
1189 | +A realm administrator can choose to add keys encoded in a number of different |
1190 | +encryption types to the local system's keytab. |
1191 | +For instance, a host/ principal might have keys for the |
1192 | +.BR aes256-cts-hmac-sha1-96 , |
1193 | +.BR aes128-cts-hmac-sha1-96 , |
1194 | +.BR des3-cbc-sha1 ", and" |
1195 | +.BR arcfour-hmac " encryption types." |
1196 | +This permits |
1197 | +.B rpc.gssd |
1198 | +to choose an appropriate encryption type that the target NFS server |
1199 | +supports. |
1200 | +.P |
1201 | +These encryption types are stronger than legacy single-DES encryption types. |
1202 | +To interoperate in environments where servers support |
1203 | +only weak encryption types, |
1204 | +you can restrict your client to use only single-DES encryption types |
1205 | +by specifying the |
1206 | +.B -l |
1207 | +option when starting |
1208 | +.BR rpc.gssd . |
1209 | +.SH OPTIONS |
1210 | +.TP |
1211 | +.B -D |
1212 | +DNS Reverse lookups are not used for determining the |
1213 | +server names pass to GSSAPI. This option will reverses that and forces |
1214 | +the use of DNS Reverse resolution of the server's IP address to |
1215 | +retrieve the server name to use in GSAPI authentication. |
1216 | +.TP |
1217 | +.B -f |
1218 | +Runs |
1219 | +.B rpc.gssd |
1220 | +in the foreground and sends output to stderr (as opposed to syslogd) |
1221 | +.TP |
1222 | +.B -n |
1223 | +When specified, UID 0 is forced to obtain user credentials |
1224 | +which are used instead of the local system's machine credentials. |
1225 | +.TP |
1226 | +.BI "-k " keytab |
1227 | +Tells |
1228 | +.B rpc.gssd |
1229 | +to use the keys found in |
1230 | +.I keytab |
1231 | +to obtain machine credentials. |
1232 | +The default value is |
1233 | +.IR /etc/krb5.keytab . |
1234 | +.TP |
1235 | +.B -l |
1236 | +When specified, restricts |
1237 | +.B rpc.gssd |
1238 | +to sessions to weak encryption types such as |
1239 | +.BR des-cbc-crc . |
1240 | +This option is available only when the local system's Kerberos library |
1241 | +supports settable encryption types. |
1242 | +.TP |
1243 | +.BI "-p " path |
1244 | +Tells |
1245 | +.B rpc.gssd |
1246 | +where to look for the rpc_pipefs filesystem. The default value is |
1247 | +.IR /var/lib/nfs/rpc_pipefs . |
1248 | +.TP |
1249 | +.BI "-d " search-path |
1250 | +This option specifies a colon separated list of directories that |
1251 | +.B rpc.gssd |
1252 | +searches for credential files. The default value is |
1253 | +.IR /tmp:/run/user/%U . |
1254 | +The literal sequence "%U" can be specified to substitue the UID |
1255 | +of the user for whom credentials are being searched. |
1256 | +.TP |
1257 | +.B -M |
1258 | +By default, machine credentials are stored in files in the first |
1259 | +directory in the credential directory search path (see the |
1260 | +.B -d |
1261 | +option). When |
1262 | +.B -M |
1263 | +is set, |
1264 | +.B rpc.gssd |
1265 | +stores machine credentials in memory instead. |
1266 | +.TP |
1267 | +.B -v |
1268 | +Increases the verbosity of the output (can be specified multiple times). |
1269 | +.TP |
1270 | +.B -r |
1271 | +If the RPCSEC_GSS library supports setting debug level, |
1272 | +increases the verbosity of the output (can be specified multiple times). |
1273 | +.TP |
1274 | +.BI "-R " realm |
1275 | +Kerberos tickets from this |
1276 | +.I realm |
1277 | +will be preferred when scanning available credentials cache files to be |
1278 | +used to create a context. By default, the default realm, as configured |
1279 | +in the Kerberos configuration file, is preferred. |
1280 | +.TP |
1281 | +.BI "-t " timeout |
1282 | +Timeout, in seconds, for kernel GSS contexts. This option allows you to force |
1283 | +new kernel contexts to be negotiated after |
1284 | +.I timeout |
1285 | +seconds, which allows changing Kerberos tickets and identities frequently. |
1286 | +The default is no explicit timeout, which means the kernel context will live |
1287 | +the lifetime of the Kerberos service ticket used in its creation. |
1288 | +.SH SEE ALSO |
1289 | +.BR rpc.svcgssd (8), |
1290 | +.BR kerberos (1), |
1291 | +.BR kinit (1), |
1292 | +.BR krb5.conf (5) |
1293 | +.SH AUTHORS |
1294 | +.br |
1295 | +Dug Song <dugsong@umich.edu> |
1296 | +.br |
1297 | +Andy Adamson <andros@umich.edu> |
1298 | +.br |
1299 | +Marius Aamodt Eriksen <marius@umich.edu> |
1300 | +.br |
1301 | +J. Bruce Fields <bfields@umich.edu> |
1302 | |
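Review bot: The -D entry under OPTIONS does not state what the option means for trust, and its wording is hard to follow: "server names pass to GSSAPI", "This option will reverses that" and "GSAPI" should read "passed", "reverses" and "GSSAPI". Since the text says -D makes rpc.gssd take the server name used for GSS authentication from a reverse DNS lookup of the server's IP address, it should also say that the name is then only as trustworthy as that DNS answer, which is why the lookup is off by default. Smaller fixes in the same section: "substitue" under -d, and "restricts rpc.gssd to sessions to weak encryption types" under -l, which has a stray "to".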
1303 | === added file '.pc/20-ticket-expired-error.patch/utils/gssd/gssd_proc.c' |
1304 | --- .pc/20-ticket-expired-error.patch/utils/gssd/gssd_proc.c 1970-01-01 00:00:00 +0000 |
1305 | +++ .pc/20-ticket-expired-error.patch/utils/gssd/gssd_proc.c 2013-05-24 21:14:25 +0000 |
1306 | @@ -0,0 +1,1261 @@ |
1307 | +/* |
1308 | + gssd_proc.c |
1309 | + |
1310 | + Copyright (c) 2000-2004 The Regents of the University of Michigan. |
1311 | + All rights reserved. |
1312 | + |
1313 | + Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>. |
1314 | + Copyright (c) 2001 Andy Adamson <andros@UMICH.EDU>. |
1315 | + Copyright (c) 2002 Marius Aamodt Eriksen <marius@UMICH.EDU>. |
1316 | + Copyright (c) 2002 Bruce Fields <bfields@UMICH.EDU> |
1317 | + Copyright (c) 2004 Kevin Coffman <kwc@umich.edu> |
1318 | + All rights reserved, all wrongs reversed. |
1319 | + |
1320 | + Redistribution and use in source and binary forms, with or without |
1321 | + modification, are permitted provided that the following conditions |
1322 | + are met: |
1323 | + |
1324 | + 1. Redistributions of source code must retain the above copyright |
1325 | + notice, this list of conditions and the following disclaimer. |
1326 | + 2. Redistributions in binary form must reproduce the above copyright |
1327 | + notice, this list of conditions and the following disclaimer in the |
1328 | + documentation and/or other materials provided with the distribution. |
1329 | + 3. Neither the name of the University nor the names of its |
1330 | + contributors may be used to endorse or promote products derived |
1331 | + from this software without specific prior written permission. |
1332 | + |
1333 | + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
1334 | + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
1335 | + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
1336 | + DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
1337 | + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
1338 | + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
1339 | + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
1340 | + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
1341 | + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
1342 | + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
1343 | + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
1344 | + |
1345 | +*/ |
1346 | + |
1347 | +#ifdef HAVE_CONFIG_H |
1348 | +#include <config.h> |
1349 | +#endif /* HAVE_CONFIG_H */ |
1350 | + |
1351 | +#ifndef _GNU_SOURCE |
1352 | +#define _GNU_SOURCE |
1353 | +#endif |
1354 | + |
1355 | +#include <sys/param.h> |
1356 | +#include <rpc/rpc.h> |
1357 | +#include <sys/stat.h> |
1358 | +#include <sys/socket.h> |
1359 | +#include <arpa/inet.h> |
1360 | +#include <sys/fsuid.h> |
1361 | +#include <sys/resource.h> |
1362 | + |
1363 | +#include <stdio.h> |
1364 | +#include <stdlib.h> |
1365 | +#include <pwd.h> |
1366 | +#include <grp.h> |
1367 | +#include <string.h> |
1368 | +#include <dirent.h> |
1369 | +#include <poll.h> |
1370 | +#include <fcntl.h> |
1371 | +#include <signal.h> |
1372 | +#include <unistd.h> |
1373 | +#include <errno.h> |
1374 | +#include <gssapi/gssapi.h> |
1375 | +#include <netdb.h> |
1376 | +#include <ctype.h> |
1377 | + |
1378 | +#include "gssd.h" |
1379 | +#include "err_util.h" |
1380 | +#include "gss_util.h" |
1381 | +#include "krb5_util.h" |
1382 | +#include "context.h" |
1383 | +#include "nfsrpc.h" |
1384 | +#include "nfslib.h" |
1385 | + |
1386 | +/* |
1387 | + * pollarray: |
1388 | + * array of struct pollfd suitable to pass to poll. initialized to |
1389 | + * zero - a zero struct is ignored by poll() because the events mask is 0. |
1390 | + * |
1391 | + * clnt_list: |
1392 | + * linked list of struct clnt_info which associates a clntXXX directory |
1393 | + * with an index into pollarray[], and other basic data about that client. |
1394 | + * |
1395 | + * Directory structure: created by the kernel |
1396 | + * {rpc_pipefs}/{dir}/clntXX : one per rpc_clnt struct in the kernel |
1397 | + * {rpc_pipefs}/{dir}/clntXX/krb5 : read uid for which kernel wants |
1398 | + * a context, write the resulting context |
1399 | + * {rpc_pipefs}/{dir}/clntXX/info : stores info such as server name |
1400 | + * {rpc_pipefs}/{dir}/clntXX/gssd : pipe for all gss mechanisms using |
1401 | + * a text-based string of parameters |
1402 | + * |
1403 | + * Algorithm: |
1404 | + * Poll all {rpc_pipefs}/{dir}/clntXX/YYYY files. When data is ready, |
1405 | + * read and process; performs rpcsec_gss context initialization protocol to |
1406 | + * get a cred for that user. Writes result to corresponding krb5 file |
1407 | + * in a form the kernel code will understand. |
1408 | + * In addition, we make sure we are notified whenever anything is |
1409 | + * created or destroyed in {rpc_pipefs} or in any of the clntXX directories, |
1410 | + * and rescan the whole {rpc_pipefs} when this happens. |
1411 | + */ |
1412 | + |
1413 | +struct pollfd * pollarray; |
1414 | + |
1415 | +unsigned long pollsize; /* the size of pollaray (in pollfd's) */ |
1416 | + |
1417 | +/* Avoid DNS reverse lookups on server names */ |
1418 | +int avoid_dns = 1; |
1419 | + |
1420 | +/* |
1421 | + * convert a presentation address string to a sockaddr_storage struct. Returns |
1422 | + * true on success or false on failure. |
1423 | + * |
1424 | + * Note that we do not populate the sin6_scope_id field here for IPv6 addrs. |
1425 | + * gssd nececessarily relies on hostname resolution and DNS AAAA records |
1426 | + * do not generally contain scope-id's. This means that GSSAPI auth really |
1427 | + * can't work with IPv6 link-local addresses. |
1428 | + * |
1429 | + * We *could* consider changing this if we did something like adopt the |
1430 | + * Microsoft "standard" of using the ipv6-literal.net domainname, but it's |
1431 | + * not really feasible at present. |
1432 | + */ |
1433 | +static int |
1434 | +addrstr_to_sockaddr(struct sockaddr *sa, const char *node, const char *port) |
1435 | +{ |
1436 | + int rc; |
1437 | + struct addrinfo *res; |
1438 | + struct addrinfo hints = { .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV }; |
1439 | + |
1440 | +#ifndef IPV6_SUPPORTED |
1441 | + hints.ai_family = AF_INET; |
1442 | +#endif /* IPV6_SUPPORTED */ |
1443 | + |
1444 | + rc = getaddrinfo(node, port, &hints, &res); |
1445 | + if (rc) { |
1446 | + printerr(0, "ERROR: unable to convert %s|%s to sockaddr: %s\n", |
1447 | + node, port, rc == EAI_SYSTEM ? strerror(errno) : |
1448 | + gai_strerror(rc)); |
1449 | + return 0; |
1450 | + } |
1451 | + |
1452 | +#ifdef IPV6_SUPPORTED |
1453 | + /* |
1454 | + * getnameinfo ignores the scopeid. If the address turns out to have |
1455 | + * a non-zero scopeid, we can't use it -- the resolved host might be |
1456 | + * completely different from the one intended. |
1457 | + */ |
1458 | + if (res->ai_addr->sa_family == AF_INET6) { |
1459 | + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr; |
1460 | + if (sin6->sin6_scope_id) { |
1461 | + printerr(0, "ERROR: address %s has non-zero " |
1462 | + "sin6_scope_id!\n", node); |
1463 | + freeaddrinfo(res); |
1464 | + return 0; |
1465 | + } |
1466 | + } |
1467 | +#endif /* IPV6_SUPPORTED */ |
1468 | + |
1469 | + memcpy(sa, res->ai_addr, res->ai_addrlen); |
1470 | + freeaddrinfo(res); |
1471 | + return 1; |
1472 | +} |
1473 | + |
1474 | +/* |
1475 | + * convert a sockaddr to a hostname |
1476 | + */ |
1477 | +static char * |
1478 | +get_servername(const char *name, const struct sockaddr *sa, const char *addr) |
1479 | +{ |
1480 | + socklen_t addrlen; |
1481 | + int err; |
1482 | + char *hostname; |
1483 | + char hbuf[NI_MAXHOST]; |
1484 | + unsigned char buf[sizeof(struct in6_addr)]; |
1485 | + int servername = 0; |
1486 | + |
1487 | + if (avoid_dns) { |
1488 | + /* |
1489 | + * Determine if this is a server name, or an IP address. |
1490 | + * If it is an IP address, do the DNS lookup otherwise |
1491 | + * skip the DNS lookup. |
1492 | + */ |
1493 | + servername = 0; |
1494 | + if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1) |
1495 | + servername = 1; /* IPv4 */ |
1496 | + else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1) |
1497 | + servername = 1; /* or IPv6 */ |
1498 | + |
1499 | + if (servername) { |
1500 | + return strdup(name); |
1501 | + } |
1502 | + } |
1503 | + |
1504 | + switch (sa->sa_family) { |
1505 | + case AF_INET: |
1506 | + addrlen = sizeof(struct sockaddr_in); |
1507 | + break; |
1508 | +#ifdef IPV6_SUPPORTED |
1509 | + case AF_INET6: |
1510 | + addrlen = sizeof(struct sockaddr_in6); |
1511 | + break; |
1512 | +#endif /* IPV6_SUPPORTED */ |
1513 | + default: |
1514 | + printerr(0, "ERROR: unrecognized addr family %d\n", |
1515 | + sa->sa_family); |
1516 | + return NULL; |
1517 | + } |
1518 | + |
1519 | + err = getnameinfo(sa, addrlen, hbuf, sizeof(hbuf), NULL, 0, |
1520 | + NI_NAMEREQD); |
1521 | + if (err) { |
1522 | + printerr(0, "ERROR: unable to resolve %s to hostname: %s\n", |
1523 | + addr, err == EAI_SYSTEM ? strerror(err) : |
1524 | + gai_strerror(err)); |
1525 | + return NULL; |
1526 | + } |
1527 | + |
1528 | + hostname = strdup(hbuf); |
1529 | + |
1530 | + return hostname; |
1531 | +} |
1532 | + |
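Review bot: In get_servername(), the avoid_dns branch does the opposite of what its comment says. The comment reads "If it is an IP address, do the DNS lookup otherwise skip the DNS lookup", but `servername` is set to 1 exactly when inet_pton() accepts `name` as an IPv4 or IPv6 literal, and that case returns strdup(name) with no lookup, while a real hostname falls through to getnameinfo(). The returned string becomes the host part of the GSS service name built in read_service_info(), so either the flag logic or the comment needs correcting, and the variable deserves a name that matches what it tests. Separately, the error message uses `err == EAI_SYSTEM ? strerror(err)`; when getnameinfo() returns EAI_SYSTEM the system error is in errno, so this should be strerror(errno).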
1533 | +/* XXX buffer problems: */ |
1534 | +static int |
1535 | +read_service_info(char *info_file_name, char **servicename, char **servername, |
1536 | + int *prog, int *vers, char **protocol, |
1537 | + struct sockaddr *addr) { |
1538 | +#define INFOBUFLEN 256 |
1539 | + char buf[INFOBUFLEN + 1]; |
1540 | + static char server[128]; |
1541 | + int nbytes; |
1542 | + static char service[128]; |
1543 | + static char address[128]; |
1544 | + char program[16]; |
1545 | + char version[16]; |
1546 | + char protoname[16]; |
1547 | + char port[128]; |
1548 | + char *p; |
1549 | + int fd = -1; |
1550 | + int numfields; |
1551 | + |
1552 | + *servicename = *servername = *protocol = NULL; |
1553 | + |
1554 | + if ((fd = open(info_file_name, O_RDONLY)) == -1) { |
1555 | + printerr(0, "ERROR: can't open %s: %s\n", info_file_name, |
1556 | + strerror(errno)); |
1557 | + goto fail; |
1558 | + } |
1559 | + if ((nbytes = read(fd, buf, INFOBUFLEN)) == -1) |
1560 | + goto fail; |
1561 | + close(fd); |
1562 | + buf[nbytes] = '\0'; |
1563 | + |
1564 | + numfields = sscanf(buf,"RPC server: %127s\n" |
1565 | + "service: %127s %15s version %15s\n" |
1566 | + "address: %127s\n" |
1567 | + "protocol: %15s\n", |
1568 | + server, |
1569 | + service, program, version, |
1570 | + address, |
1571 | + protoname); |
1572 | + |
1573 | + if (numfields == 5) { |
1574 | + strcpy(protoname, "tcp"); |
1575 | + } else if (numfields != 6) { |
1576 | + goto fail; |
1577 | + } |
1578 | + |
1579 | + port[0] = '\0'; |
1580 | + if ((p = strstr(buf, "port")) != NULL) |
1581 | + sscanf(p, "port: %127s\n", port); |
1582 | + |
1583 | + /* get program, and version numbers */ |
1584 | + *prog = atoi(program + 1); /* skip open paren */ |
1585 | + *vers = atoi(version); |
1586 | + |
1587 | + if (!addrstr_to_sockaddr(addr, address, port)) |
1588 | + goto fail; |
1589 | + |
1590 | + *servername = get_servername(server, addr, address); |
1591 | + if (*servername == NULL) |
1592 | + goto fail; |
1593 | + |
1594 | + nbytes = snprintf(buf, INFOBUFLEN, "%s@%s", service, *servername); |
1595 | + if (nbytes > INFOBUFLEN) |
1596 | + goto fail; |
1597 | + |
1598 | + if (!(*servicename = calloc(strlen(buf) + 1, 1))) |
1599 | + goto fail; |
1600 | + memcpy(*servicename, buf, strlen(buf)); |
1601 | + |
1602 | + if (!(*protocol = strdup(protoname))) |
1603 | + goto fail; |
1604 | + return 0; |
1605 | +fail: |
1606 | + printerr(0, "ERROR: failed to read service info\n"); |
1607 | + if (fd != -1) close(fd); |
1608 | + free(*servername); |
1609 | + free(*servicename); |
1610 | + free(*protocol); |
1611 | + *servicename = *servername = *protocol = NULL; |
1612 | + return -1; |
1613 | +} |
1614 | + |
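Review bot: read_service_info() can close the same descriptor twice. After the successful `close(fd);` that follows read(), fd keeps its old value, so every later `goto fail` (the sscanf field count, addrstr_to_sockaddr(), get_servername(), the snprintf length check, calloc, strdup) reaches `if (fd != -1) close(fd);` and closes that number again; if the number has been reused in the meantime, an unrelated descriptor is closed. Set `fd = -1` immediately after the first close. The truncation test `if (nbytes > INFOBUFLEN)` should also be `>=`, because snprintf() has truncated its output whenever the return value is equal to or greater than the size argument, and a silently truncated "service@server" string would be used as the principal name.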
1615 | +static void |
1616 | +destroy_client(struct clnt_info *clp) |
1617 | +{ |
1618 | + if (clp->krb5_poll_index != -1) |
1619 | + memset(&pollarray[clp->krb5_poll_index], 0, |
1620 | + sizeof(struct pollfd)); |
1621 | + if (clp->gssd_poll_index != -1) |
1622 | + memset(&pollarray[clp->gssd_poll_index], 0, |
1623 | + sizeof(struct pollfd)); |
1624 | + if (clp->dir_fd != -1) close(clp->dir_fd); |
1625 | + if (clp->krb5_fd != -1) close(clp->krb5_fd); |
1626 | + if (clp->gssd_fd != -1) close(clp->gssd_fd); |
1627 | + free(clp->dirname); |
1628 | + free(clp->servicename); |
1629 | + free(clp->servername); |
1630 | + free(clp->protocol); |
1631 | + free(clp); |
1632 | +} |
1633 | + |
1634 | +static struct clnt_info * |
1635 | +insert_new_clnt(void) |
1636 | +{ |
1637 | + struct clnt_info *clp = NULL; |
1638 | + |
1639 | + if (!(clp = (struct clnt_info *)calloc(1,sizeof(struct clnt_info)))) { |
1640 | + printerr(0, "ERROR: can't malloc clnt_info: %s\n", |
1641 | + strerror(errno)); |
1642 | + goto out; |
1643 | + } |
1644 | + clp->krb5_poll_index = -1; |
1645 | + clp->gssd_poll_index = -1; |
1646 | + clp->krb5_fd = -1; |
1647 | + clp->gssd_fd = -1; |
1648 | + clp->dir_fd = -1; |
1649 | + |
1650 | + TAILQ_INSERT_HEAD(&clnt_list, clp, list); |
1651 | +out: |
1652 | + return clp; |
1653 | +} |
1654 | + |
1655 | +static int |
1656 | +process_clnt_dir_files(struct clnt_info * clp) |
1657 | +{ |
1658 | + char name[PATH_MAX]; |
1659 | + char gname[PATH_MAX]; |
1660 | + char info_file_name[PATH_MAX]; |
1661 | + |
1662 | + if (clp->gssd_close_me) { |
1663 | + printerr(2, "Closing 'gssd' pipe for %s\n", clp->dirname); |
1664 | + close(clp->gssd_fd); |
1665 | + memset(&pollarray[clp->gssd_poll_index], 0, |
1666 | + sizeof(struct pollfd)); |
1667 | + clp->gssd_fd = -1; |
1668 | + clp->gssd_poll_index = -1; |
1669 | + clp->gssd_close_me = 0; |
1670 | + } |
1671 | + if (clp->krb5_close_me) { |
1672 | + printerr(2, "Closing 'krb5' pipe for %s\n", clp->dirname); |
1673 | + close(clp->krb5_fd); |
1674 | + memset(&pollarray[clp->krb5_poll_index], 0, |
1675 | + sizeof(struct pollfd)); |
1676 | + clp->krb5_fd = -1; |
1677 | + clp->krb5_poll_index = -1; |
1678 | + clp->krb5_close_me = 0; |
1679 | + } |
1680 | + |
1681 | + if (clp->gssd_fd == -1) { |
1682 | + snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname); |
1683 | + clp->gssd_fd = open(gname, O_RDWR); |
1684 | + } |
1685 | + if (clp->gssd_fd == -1) { |
1686 | + if (clp->krb5_fd == -1) { |
1687 | + snprintf(name, sizeof(name), "%s/krb5", clp->dirname); |
1688 | + clp->krb5_fd = open(name, O_RDWR); |
1689 | + } |
1690 | + |
1691 | + /* If we opened a gss-specific pipe, let's try opening |
1692 | + * the new upcall pipe again. If we succeed, close |
1693 | + * gss-specific pipe(s). |
1694 | + */ |
1695 | + if (clp->krb5_fd != -1) { |
1696 | + clp->gssd_fd = open(gname, O_RDWR); |
1697 | + if (clp->gssd_fd != -1) { |
1698 | + if (clp->krb5_fd != -1) |
1699 | + close(clp->krb5_fd); |
1700 | + clp->krb5_fd = -1; |
1701 | + } |
1702 | + } |
1703 | + } |
1704 | + |
1705 | + if ((clp->krb5_fd == -1) && (clp->gssd_fd == -1)) |
1706 | + return -1; |
1707 | + snprintf(info_file_name, sizeof(info_file_name), "%s/info", |
1708 | + clp->dirname); |
1709 | + if ((clp->servicename == NULL) && |
1710 | + read_service_info(info_file_name, &clp->servicename, |
1711 | + &clp->servername, &clp->prog, &clp->vers, |
1712 | + &clp->protocol, (struct sockaddr *) &clp->addr)) |
1713 | + return -1; |
1714 | + return 0; |
1715 | +} |
1716 | + |
1717 | +static int |
1718 | +get_poll_index(int *ind) |
1719 | +{ |
1720 | + unsigned int i; |
1721 | + |
1722 | + *ind = -1; |
1723 | + for (i=0; i<pollsize; i++) { |
1724 | + if (pollarray[i].events == 0) { |
1725 | + *ind = i; |
1726 | + break; |
1727 | + } |
1728 | + } |
1729 | + if (*ind == -1) { |
1730 | + printerr(0, "ERROR: No pollarray slots open\n"); |
1731 | + return -1; |
1732 | + } |
1733 | + return 0; |
1734 | +} |
1735 | + |
1736 | + |
1737 | +static int |
1738 | +insert_clnt_poll(struct clnt_info *clp) |
1739 | +{ |
1740 | + if ((clp->gssd_fd != -1) && (clp->gssd_poll_index == -1)) { |
1741 | + if (get_poll_index(&clp->gssd_poll_index)) { |
1742 | + printerr(0, "ERROR: Too many gssd clients\n"); |
1743 | + return -1; |
1744 | + } |
1745 | + pollarray[clp->gssd_poll_index].fd = clp->gssd_fd; |
1746 | + pollarray[clp->gssd_poll_index].events |= POLLIN; |
1747 | + } |
1748 | + |
1749 | + if ((clp->krb5_fd != -1) && (clp->krb5_poll_index == -1)) { |
1750 | + if (get_poll_index(&clp->krb5_poll_index)) { |
1751 | + printerr(0, "ERROR: Too many krb5 clients\n"); |
1752 | + return -1; |
1753 | + } |
1754 | + pollarray[clp->krb5_poll_index].fd = clp->krb5_fd; |
1755 | + pollarray[clp->krb5_poll_index].events |= POLLIN; |
1756 | + } |
1757 | + |
1758 | + return 0; |
1759 | +} |
1760 | + |
1761 | +static void |
1762 | +process_clnt_dir(char *dir, char *pdir) |
1763 | +{ |
1764 | + struct clnt_info * clp; |
1765 | + |
1766 | + if (!(clp = insert_new_clnt())) |
1767 | + goto fail_destroy_client; |
1768 | + |
1769 | + /* An extra for the '/', and an extra for the null */ |
1770 | + if (!(clp->dirname = calloc(strlen(dir) + strlen(pdir) + 2, 1))) { |
1771 | + goto fail_destroy_client; |
1772 | + } |
1773 | + sprintf(clp->dirname, "%s/%s", pdir, dir); |
1774 | + if ((clp->dir_fd = open(clp->dirname, O_RDONLY)) == -1) { |
1775 | + printerr(0, "ERROR: can't open %s: %s\n", |
1776 | + clp->dirname, strerror(errno)); |
1777 | + goto fail_destroy_client; |
1778 | + } |
1779 | + fcntl(clp->dir_fd, F_SETSIG, DNOTIFY_SIGNAL); |
1780 | + fcntl(clp->dir_fd, F_NOTIFY, DN_CREATE | DN_DELETE | DN_MULTISHOT); |
1781 | + |
1782 | + if (process_clnt_dir_files(clp)) |
1783 | + goto fail_keep_client; |
1784 | + |
1785 | + if (insert_clnt_poll(clp)) |
1786 | + goto fail_destroy_client; |
1787 | + |
1788 | + return; |
1789 | + |
1790 | +fail_destroy_client: |
1791 | + if (clp) { |
1792 | + TAILQ_REMOVE(&clnt_list, clp, list); |
1793 | + destroy_client(clp); |
1794 | + } |
1795 | +fail_keep_client: |
1796 | + /* We couldn't find some subdirectories, but we keep the client |
1797 | + * around in case we get a notification on the directory when the |
1798 | + * subdirectories are created. */ |
1799 | + return; |
1800 | +} |
1801 | + |
1802 | +void |
1803 | +init_client_list(void) |
1804 | +{ |
1805 | + struct rlimit rlim; |
1806 | + TAILQ_INIT(&clnt_list); |
1807 | + /* Eventually plan to grow/shrink poll array: */ |
1808 | + pollsize = FD_ALLOC_BLOCK; |
1809 | + if (getrlimit(RLIMIT_NOFILE, &rlim) == 0 && |
1810 | + rlim.rlim_cur != RLIM_INFINITY) |
1811 | + pollsize = rlim.rlim_cur; |
1812 | + pollarray = calloc(pollsize, sizeof(struct pollfd)); |
1813 | +} |
1814 | + |
1815 | +/* |
1816 | + * This is run after a DNOTIFY signal, and should clear up any |
1817 | + * directories that are no longer around, and re-scan any existing |
1818 | + * directories, since the DNOTIFY could have been in there. |
1819 | + */ |
1820 | +static void |
1821 | +update_old_clients(struct dirent **namelist, int size, char *pdir) |
1822 | +{ |
1823 | + struct clnt_info *clp; |
1824 | + void *saveprev; |
1825 | + int i, stillhere; |
1826 | + char fname[PATH_MAX]; |
1827 | + |
1828 | + for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) { |
1829 | + /* only compare entries in the global list that are from the |
1830 | + * same pipefs parent directory as "pdir" |
1831 | + */ |
1832 | + if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue; |
1833 | + |
1834 | + stillhere = 0; |
1835 | + for (i=0; i < size; i++) { |
1836 | + snprintf(fname, sizeof(fname), "%s/%s", |
1837 | + pdir, namelist[i]->d_name); |
1838 | + if (strcmp(clp->dirname, fname) == 0) { |
1839 | + stillhere = 1; |
1840 | + break; |
1841 | + } |
1842 | + } |
1843 | + if (!stillhere) { |
1844 | + printerr(2, "destroying client %s\n", clp->dirname); |
1845 | + saveprev = clp->list.tqe_prev; |
1846 | + TAILQ_REMOVE(&clnt_list, clp, list); |
1847 | + destroy_client(clp); |
1848 | + clp = saveprev; |
1849 | + } |
1850 | + } |
1851 | + for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) { |
1852 | + if (!process_clnt_dir_files(clp)) |
1853 | + insert_clnt_poll(clp); |
1854 | + } |
1855 | +} |
1856 | + |
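Review bot: The removal path in update_old_clients() resumes iteration with `saveprev = clp->list.tqe_prev;` and then `clp = saveprev;`, but tqe_prev is the address of the previous element's tqe_next pointer (or of the list head's tqh_first), not a pointer to a struct clnt_info. The loop increment `clp = clp->list.tqe_next` then only reads the correct word if `list` sits at offset 0 of struct clnt_info, which nothing in this file enforces. Saving the next element before TAILQ_REMOVE() and continuing from it would remove the layout dependency. The filter `strncmp(clp->dirname, pdir, strlen(pdir)) != 0` is also a bare prefix match, so a client under a sibling directory whose name merely begins with the same characters as pdir is treated as belonging to pdir; checking that the character after the prefix is '/' would make the match exact.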
1857 | +/* Search for a client by directory name, return 1 if found, 0 otherwise */ |
1858 | +static int |
1859 | +find_client(char *dirname, char *pdir) |
1860 | +{ |
1861 | + struct clnt_info *clp; |
1862 | + char fname[PATH_MAX]; |
1863 | + |
1864 | + for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) { |
1865 | + snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname); |
1866 | + if (strcmp(clp->dirname, fname) == 0) |
1867 | + return 1; |
1868 | + } |
1869 | + return 0; |
1870 | +} |
1871 | + |
1872 | +static int |
1873 | +process_pipedir(char *pipe_name) |
1874 | +{ |
1875 | + struct dirent **namelist; |
1876 | + int i, j; |
1877 | + |
1878 | + if (chdir(pipe_name) < 0) { |
1879 | + printerr(0, "ERROR: can't chdir to %s: %s\n", |
1880 | + pipe_name, strerror(errno)); |
1881 | + return -1; |
1882 | + } |
1883 | + |
1884 | + j = scandir(pipe_name, &namelist, NULL, alphasort); |
1885 | + if (j < 0) { |
1886 | + printerr(0, "ERROR: can't scandir %s: %s\n", |
1887 | + pipe_name, strerror(errno)); |
1888 | + return -1; |
1889 | + } |
1890 | + |
1891 | + update_old_clients(namelist, j, pipe_name); |
1892 | + for (i=0; i < j; i++) { |
1893 | + if (!strncmp(namelist[i]->d_name, "clnt", 4) |
1894 | + && !find_client(namelist[i]->d_name, pipe_name)) |
1895 | + process_clnt_dir(namelist[i]->d_name, pipe_name); |
1896 | + free(namelist[i]); |
1897 | + } |
1898 | + |
1899 | + free(namelist); |
1900 | + |
1901 | + return 0; |
1902 | +} |
1903 | + |
1904 | +/* Used to read (and re-read) list of clients, set up poll array. */ |
1905 | +int |
1906 | +update_client_list(void) |
1907 | +{ |
1908 | + int retval = -1; |
1909 | + struct topdirs_info *tdi; |
1910 | + |
1911 | + TAILQ_FOREACH(tdi, &topdirs_list, list) { |
1912 | + retval = process_pipedir(tdi->dirname); |
1913 | + if (retval) |
1914 | + printerr(1, "WARNING: error processing %s\n", |
1915 | + tdi->dirname); |
1916 | + |
1917 | + } |
1918 | + return retval; |
1919 | +} |
1920 | + |
1921 | +/* Encryption types supported by the kernel rpcsec_gss code */ |
1922 | +int num_krb5_enctypes = 0; |
1923 | +krb5_enctype *krb5_enctypes = NULL; |
1924 | + |
1925 | +/* |
1926 | + * Parse the supported encryption type information |
1927 | + */ |
1928 | +static int |
1929 | +parse_enctypes(char *enctypes) |
1930 | +{ |
1931 | + int n = 0; |
1932 | + char *curr, *comma; |
1933 | + int i; |
1934 | + static char *cached_types; |
1935 | + |
1936 | + if (cached_types && strcmp(cached_types, enctypes) == 0) |
1937 | + return 0; |
1938 | + free(cached_types); |
1939 | + |
1940 | + if (krb5_enctypes != NULL) { |
1941 | + free(krb5_enctypes); |
1942 | + krb5_enctypes = NULL; |
1943 | + num_krb5_enctypes = 0; |
1944 | + } |
1945 | + |
1946 | + /* count the number of commas */ |
1947 | + for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) { |
1948 | + comma = strchr(curr, ','); |
1949 | + if (comma != NULL) |
1950 | + n++; |
1951 | + else |
1952 | + break; |
1953 | + } |
1954 | + /* If no more commas and we're not at the end, there's one more value */ |
1955 | + if (*curr != '\0') |
1956 | + n++; |
1957 | + |
1958 | + /* Empty string, return an error */ |
1959 | + if (n == 0) |
1960 | + return ENOENT; |
1961 | + |
1962 | + /* Allocate space for enctypes array */ |
1963 | + if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) { |
1964 | + return ENOMEM; |
1965 | + } |
1966 | + |
1967 | + /* Now parse each value into the array */ |
1968 | + for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) { |
1969 | + krb5_enctypes[i++] = atoi(curr); |
1970 | + comma = strchr(curr, ','); |
1971 | + if (comma == NULL) |
1972 | + break; |
1973 | + } |
1974 | + |
1975 | + num_krb5_enctypes = n; |
1976 | + if ((cached_types = malloc(strlen(enctypes)+1))) |
1977 | + strcpy(cached_types, enctypes); |
1978 | + |
1979 | + return 0; |
1980 | +} |
1981 | + |
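Review bot: parse_enctypes() leaves `cached_types` dangling. `free(cached_types);` is not followed by `cached_types = NULL`, and both early returns (`return ENOENT` for an empty string, `return ENOMEM` after calloc) exit before the pointer is reassigned, so the next call runs strcmp() on freed memory and then frees it a second time. Clear the pointer right after the free. The values are also parsed with atoi() and no validation, so a non-numeric field silently becomes enctype 0; strtol() with an end-pointer check would let malformed input be rejected.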
1982 | +static int |
1983 | +do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, |
1984 | + gss_buffer_desc *context_token, OM_uint32 lifetime_rec) |
1985 | +{ |
1986 | + char *buf = NULL, *p = NULL, *end = NULL; |
1987 | + unsigned int timeout = context_timeout; |
1988 | + unsigned int buf_size = 0; |
1989 | + |
1990 | + printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); |
1991 | + buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + |
1992 | + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + |
1993 | + sizeof(context_token->length) + context_token->length; |
1994 | + p = buf = malloc(buf_size); |
1995 | + end = buf + buf_size; |
1996 | + |
1997 | + /* context_timeout set by -t option overrides context lifetime */ |
1998 | + if (timeout == 0) |
1999 | + timeout = lifetime_rec; |
2000 | + if (WRITE_BYTES(&p, end, uid)) goto out_err; |
2001 | + if (WRITE_BYTES(&p, end, timeout)) goto out_err; |
2002 | + if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; |
2003 | + if (write_buffer(&p, end, &pd->pd_ctx_hndl)) goto out_err; |
2004 | + if (write_buffer(&p, end, context_token)) goto out_err; |
2005 | + |
2006 | + if (write(k5_fd, buf, p - buf) < p - buf) goto out_err; |
2007 | + if (buf) free(buf); |
2008 | + return 0; |
2009 | +out_err: |
2010 | + if (buf) free(buf); |
2011 | + printerr(1, "Failed to write downcall!\n"); |
2012 | + return -1; |
2013 | +} |
2014 | + |
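Review bot: do_downcall() uses the result of `p = buf = malloc(buf_size);` without a NULL check, so on allocation failure `end = buf + buf_size` and the first WRITE_BYTES() work from a null pointer. Test buf and take the out_err path before computing end. The `if (buf) free(buf);` guards are redundant because free(NULL) is a no-op, and the caller in process_krb5_upcall() ignores the return value, so a failed downcall is only visible in the log at verbosity 1.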
2015 | +static int |
2016 | +do_error_downcall(int k5_fd, uid_t uid, int err) |
2017 | +{ |
2018 | + char buf[1024]; |
2019 | + char *p = buf, *end = buf + 1024; |
2020 | + unsigned int timeout = 0; |
2021 | + int zero = 0; |
2022 | + |
2023 | + printerr(2, "doing error downcall\n"); |
2024 | + |
2025 | + if (WRITE_BYTES(&p, end, uid)) goto out_err; |
2026 | + if (WRITE_BYTES(&p, end, timeout)) goto out_err; |
2027 | + /* use seq_win = 0 to indicate an error: */ |
2028 | + if (WRITE_BYTES(&p, end, zero)) goto out_err; |
2029 | + if (WRITE_BYTES(&p, end, err)) goto out_err; |
2030 | + |
2031 | + if (write(k5_fd, buf, p - buf) < p - buf) goto out_err; |
2032 | + return 0; |
2033 | +out_err: |
2034 | + printerr(1, "Failed to write error downcall!\n"); |
2035 | + return -1; |
2036 | +} |
2037 | + |
2038 | +/* |
2039 | + * If the port isn't already set, do an rpcbind query to the remote server |
2040 | + * using the program and version and get the port. |
2041 | + * |
2042 | + * Newer kernels send the value of the port= mount option in the "info" |
2043 | + * file for the upcall or '0' for NFSv2/3. For NFSv4 it sends the value |
2044 | + * of the port= option or '2049'. The port field in a new sockaddr should |
2045 | + * reflect the value that was sent by the kernel. |
2046 | + */ |
2047 | +static int |
2048 | +populate_port(struct sockaddr *sa, const socklen_t salen, |
2049 | + const rpcprog_t program, const rpcvers_t version, |
2050 | + const unsigned short protocol) |
2051 | +{ |
2052 | + struct sockaddr_in *s4 = (struct sockaddr_in *) sa; |
2053 | +#ifdef IPV6_SUPPORTED |
2054 | + struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) sa; |
2055 | +#endif /* IPV6_SUPPORTED */ |
2056 | + unsigned short port; |
2057 | + |
2058 | + /* |
2059 | + * Newer kernels send the port in the upcall. If we already have |
2060 | + * the port, there's no need to look it up. |
2061 | + */ |
2062 | + switch (sa->sa_family) { |
2063 | + case AF_INET: |
2064 | + if (s4->sin_port != 0) { |
2065 | + printerr(2, "DEBUG: port already set to %d\n", |
2066 | + ntohs(s4->sin_port)); |
2067 | + return 1; |
2068 | + } |
2069 | + break; |
2070 | +#ifdef IPV6_SUPPORTED |
2071 | + case AF_INET6: |
2072 | + if (s6->sin6_port != 0) { |
2073 | + printerr(2, "DEBUG: port already set to %d\n", |
2074 | + ntohs(s6->sin6_port)); |
2075 | + return 1; |
2076 | + } |
2077 | + break; |
2078 | +#endif /* IPV6_SUPPORTED */ |
2079 | + default: |
2080 | + printerr(0, "ERROR: unsupported address family %d\n", |
2081 | + sa->sa_family); |
2082 | + return 0; |
2083 | + } |
2084 | + |
2085 | + /* |
2086 | + * Newer kernels that send the port in the upcall set the value to |
2087 | + * 2049 for NFSv4 mounts when one isn't specified. The check below is |
2088 | + * only for kernels that don't send the port in the upcall. For those |
2089 | + * we either have to do an rpcbind query or set it to the standard |
2090 | + * port. Doing a query could be problematic (firewalls, etc), so take |
2091 | + * the latter approach. |
2092 | + */ |
2093 | + if (program == 100003 && version == 4) { |
2094 | + port = 2049; |
2095 | + goto set_port; |
2096 | + } |
2097 | + |
2098 | + port = nfs_getport(sa, salen, program, version, protocol); |
2099 | + if (!port) { |
2100 | + printerr(0, "ERROR: unable to obtain port for prog %ld " |
2101 | + "vers %ld\n", program, version); |
2102 | + return 0; |
2103 | + } |
2104 | + |
2105 | +set_port: |
2106 | + printerr(2, "DEBUG: setting port to %hu for prog %lu vers %lu\n", port, |
2107 | + program, version); |
2108 | + |
2109 | + switch (sa->sa_family) { |
2110 | + case AF_INET: |
2111 | + s4->sin_port = htons(port); |
2112 | + break; |
2113 | +#ifdef IPV6_SUPPORTED |
2114 | + case AF_INET6: |
2115 | + s6->sin6_port = htons(port); |
2116 | + break; |
2117 | +#endif /* IPV6_SUPPORTED */ |
2118 | + } |
2119 | + |
2120 | + return 1; |
2121 | +} |
2122 | + |
2123 | +/* |
2124 | + * Create an RPC connection and establish an authenticated |
2125 | + * gss context with a server. |
2126 | + */ |
2127 | +static int |
2128 | +create_auth_rpc_client(struct clnt_info *clp, |
2129 | + CLIENT **clnt_return, |
2130 | + AUTH **auth_return, |
2131 | + uid_t uid, |
2132 | + int authtype, |
2133 | + gss_cred_id_t cred) |
2134 | +{ |
2135 | + CLIENT *rpc_clnt = NULL; |
2136 | + struct rpc_gss_sec sec; |
2137 | + AUTH *auth = NULL; |
2138 | + uid_t save_uid = -1; |
2139 | + int retval = -1; |
2140 | + OM_uint32 min_stat; |
2141 | + char rpc_errmsg[1024]; |
2142 | + int protocol; |
2143 | + struct timeval timeout = {5, 0}; |
2144 | + struct sockaddr *addr = (struct sockaddr *) &clp->addr; |
2145 | + socklen_t salen; |
2146 | + |
2147 | + /* Create the context as the user (not as root) */ |
2148 | + save_uid = geteuid(); |
2149 | + if (setfsuid(uid) != 0) { |
2150 | + printerr(0, "WARNING: Failed to setfsuid for " |
2151 | + "user with uid %d\n", uid); |
2152 | + goto out_fail; |
2153 | + } |
2154 | + printerr(2, "creating context using fsuid %d (save_uid %d)\n", |
2155 | + uid, save_uid); |
2156 | + |
2157 | + sec.qop = GSS_C_QOP_DEFAULT; |
2158 | + sec.svc = RPCSEC_GSS_SVC_NONE; |
2159 | + sec.cred = cred; |
2160 | + sec.req_flags = 0; |
2161 | + if (authtype == AUTHTYPE_KRB5) { |
2162 | + sec.mech = (gss_OID)&krb5oid; |
2163 | + sec.req_flags = GSS_C_MUTUAL_FLAG; |
2164 | + } |
2165 | + else { |
2166 | + printerr(0, "ERROR: Invalid authentication type (%d) " |
2167 | + "in create_auth_rpc_client\n", authtype); |
2168 | + goto out_fail; |
2169 | + } |
2170 | + |
2171 | + |
2172 | + if (authtype == AUTHTYPE_KRB5) { |
2173 | +#ifdef HAVE_SET_ALLOWABLE_ENCTYPES |
2174 | + /* |
2175 | + * Do this before creating rpc connection since we won't need |
2176 | + * rpc connection if it fails! |
2177 | + */ |
2178 | + if (limit_krb5_enctypes(&sec)) { |
2179 | + printerr(1, "WARNING: Failed while limiting krb5 " |
2180 | + "encryption types for user with uid %d\n", |
2181 | + uid); |
2182 | + goto out_fail; |
2183 | + } |
2184 | +#endif |
2185 | + } |
2186 | + |
2187 | + /* create an rpc connection to the nfs server */ |
2188 | + |
2189 | + printerr(2, "creating %s client for server %s\n", clp->protocol, |
2190 | + clp->servername); |
2191 | + |
2192 | + if ((strcmp(clp->protocol, "tcp")) == 0) { |
2193 | + protocol = IPPROTO_TCP; |
2194 | + } else if ((strcmp(clp->protocol, "udp")) == 0) { |
2195 | + protocol = IPPROTO_UDP; |
2196 | + } else { |
2197 | + printerr(0, "WARNING: unrecognized protocol, '%s', requested " |
2198 | + "for connection to server %s for user with uid %d\n", |
2199 | + clp->protocol, clp->servername, uid); |
2200 | + goto out_fail; |
2201 | + } |
2202 | + |
2203 | + switch (addr->sa_family) { |
2204 | + case AF_INET: |
2205 | + salen = sizeof(struct sockaddr_in); |
2206 | + break; |
2207 | +#ifdef IPV6_SUPPORTED |
2208 | + case AF_INET6: |
2209 | + salen = sizeof(struct sockaddr_in6); |
2210 | + break; |
2211 | +#endif /* IPV6_SUPPORTED */ |
2212 | + default: |
2213 | + printerr(1, "ERROR: Unknown address family %d\n", |
2214 | + addr->sa_family); |
2215 | + goto out_fail; |
2216 | + } |
2217 | + |
2218 | + if (!populate_port(addr, salen, clp->prog, clp->vers, protocol)) |
2219 | + goto out_fail; |
2220 | + |
2221 | + rpc_clnt = nfs_get_rpcclient(addr, salen, protocol, clp->prog, |
2222 | + clp->vers, &timeout); |
2223 | + if (!rpc_clnt) { |
2224 | + snprintf(rpc_errmsg, sizeof(rpc_errmsg), |
2225 | + "WARNING: can't create %s rpc_clnt to server %s for " |
2226 | + "user with uid %d", |
2227 | + protocol == IPPROTO_TCP ? "tcp" : "udp", |
2228 | + clp->servername, uid); |
2229 | + printerr(0, "%s\n", |
2230 | + clnt_spcreateerror(rpc_errmsg)); |
2231 | + goto out_fail; |
2232 | + } |
2233 | + |
2234 | + printerr(2, "creating context with server %s\n", clp->servicename); |
2235 | + auth = authgss_create_default(rpc_clnt, clp->servicename, &sec); |
2236 | + if (!auth) { |
2237 | + /* Our caller should print appropriate message */ |
2238 | + printerr(2, "WARNING: Failed to create krb5 context for " |
2239 | + "user with uid %d for server %s\n", |
2240 | + uid, clp->servername); |
2241 | + goto out_fail; |
2242 | + } |
2243 | + |
2244 | + /* Success !!! */ |
2245 | + rpc_clnt->cl_auth = auth; |
2246 | + *clnt_return = rpc_clnt; |
2247 | + *auth_return = auth; |
2248 | + retval = 0; |
2249 | + |
2250 | + out: |
2251 | + if (sec.cred != GSS_C_NO_CREDENTIAL) |
2252 | + gss_release_cred(&min_stat, &sec.cred); |
2253 | + /* Restore euid to original value */ |
2254 | + if (((int)save_uid != -1) && (setfsuid(save_uid) != (int)uid)) { |
2255 | + printerr(0, "WARNING: Failed to restore fsuid" |
2256 | + " to uid %d from %d\n", save_uid, uid); |
2257 | + } |
2258 | + return retval; |
2259 | + |
2260 | + out_fail: |
2261 | + /* Only destroy here if failure. Otherwise, caller is responsible */ |
2262 | + if (rpc_clnt) clnt_destroy(rpc_clnt); |
2263 | + |
2264 | + goto out; |
2265 | +} |
2266 | + |
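Review bot: In create_auth_rpc_client(), the first `goto out_fail` (after the setfsuid() check) runs before `sec.cred = cred;`, so the cleanup at `out:` compares an uninitialized sec.cred against GSS_C_NO_CREDENTIAL and may pass it to gss_release_cred(), while the caller's cred is never released on that path. Initialize sec, or at least assign sec.cred, before any jump to out_fail. The check itself, `if (setfsuid(uid) != 0)`, does not detect failure: setfsuid() returns the previous filesystem UID whether or not the change took effect, so this only tests that the old fsuid was 0. Reading the fsuid back with a second call and comparing it with uid would confirm that the context really is created as the user and not as root. The comment "Restore euid to original value" should say fsuid.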
2267 | +/* |
2268 | + * this code uses the userland rpcsec gss library to create a krb5 |
2269 | + * context on behalf of the kernel |
2270 | + */ |
2271 | +static void |
2272 | +process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, |
2273 | + char *service) |
2274 | +{ |
2275 | + CLIENT *rpc_clnt = NULL; |
2276 | + AUTH *auth = NULL; |
2277 | + struct authgss_private_data pd; |
2278 | + gss_buffer_desc token; |
2279 | + char **credlist = NULL; |
2280 | + char **ccname; |
2281 | + char **dirname; |
2282 | + int create_resp = -1; |
2283 | + int err, downcall_err = -EACCES; |
2284 | + gss_cred_id_t gss_cred; |
2285 | + OM_uint32 maj_stat, min_stat, lifetime_rec; |
2286 | + |
2287 | + printerr(2, "handling krb5 upcall (%s)\n", clp->dirname); |
2288 | + |
2289 | + token.length = 0; |
2290 | + token.value = NULL; |
2291 | + memset(&pd, 0, sizeof(struct authgss_private_data)); |
2292 | + |
2293 | + /* |
2294 | + * If "service" is specified, then the kernel is indicating that |
2295 | + * we must use machine credentials for this request. (Regardless |
2296 | + * of the uid value or the setting of root_uses_machine_creds.) |
2297 | + * If the service value is "*", then any service name can be used. |
2298 | + * Otherwise, it specifies the service name that should be used. |
2299 | + * (For now, the values of service will only be "*" or "nfs".) |
2300 | + * |
2301 | + * Restricting gssd to use "nfs" service name is needed for when |
2302 | + * the NFS server is doing a callback to the NFS client. In this |
2303 | + * case, the NFS server has to authenticate itself as "nfs" -- |
2304 | + * even if there are other service keys such as "host" or "root" |
2305 | + * in the keytab. |
2306 | + * |
2307 | + * Another case when the kernel may specify the service attribute |
2308 | + * is when gssd is being asked to create the context for a |
2309 | + * SETCLIENT_ID operation. In this case, machine credentials |
2310 | + * must be used for the authentication. However, the service name |
2311 | + * used for this case is not important. |
2312 | + * |
2313 | + */ |
2314 | + printerr(2, "%s: service is '%s'\n", __func__, |
2315 | + service ? service : "<null>"); |
2316 | + if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 && |
2317 | + service == NULL)) { |
2318 | + /* Tell krb5 gss which credentials cache to use */ |
2319 | + /* Try first to acquire credentials directly via GSSAPI */ |
2320 | + err = gssd_acquire_user_cred(uid, &gss_cred); |
2321 | + if (!err) |
2322 | + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, |
2323 | + AUTHTYPE_KRB5, gss_cred); |
2324 | + /* if create_auth_rplc_client fails try the traditional method of |
2325 | + * trolling for credentials */ |
2326 | + for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) { |
2327 | + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); |
2328 | + if (err == -EKEYEXPIRED) |
2329 | + downcall_err = -EKEYEXPIRED; |
2330 | + else if (!err) |
2331 | + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, |
2332 | + AUTHTYPE_KRB5, GSS_C_NO_CREDENTIAL); |
2333 | + } |
2334 | + } |
2335 | + if (create_resp != 0) { |
2336 | + if (uid == 0 && (root_uses_machine_creds == 1 || |
2337 | + service != NULL)) { |
2338 | + int nocache = 0; |
2339 | + int success = 0; |
2340 | + do { |
2341 | + gssd_refresh_krb5_machine_credential(clp->servername, |
2342 | + NULL, service, |
2343 | + tgtname); |
2344 | + /* |
2345 | + * Get a list of credential cache names and try each |
2346 | + * of them until one works or we've tried them all |
2347 | + */ |
2348 | + if (gssd_get_krb5_machine_cred_list(&credlist)) { |
2349 | + printerr(0, "ERROR: No credentials found " |
2350 | + "for connection to server %s\n", |
2351 | + clp->servername); |
2352 | + goto out_return_error; |
2353 | + } |
2354 | + for (ccname = credlist; ccname && *ccname; ccname++) { |
2355 | + gssd_setup_krb5_machine_gss_ccache(*ccname); |
2356 | + if ((create_auth_rpc_client(clp, &rpc_clnt, |
2357 | + &auth, uid, |
2358 | + AUTHTYPE_KRB5, |
2359 | + GSS_C_NO_CREDENTIAL)) == 0) { |
2360 | + /* Success! */ |
2361 | + success++; |
2362 | + break; |
2363 | + } |
2364 | + printerr(2, "WARNING: Failed to create machine krb5 context " |
2365 | + "with credentials cache %s for server %s\n", |
2366 | + *ccname, clp->servername); |
2367 | + } |
2368 | + gssd_free_krb5_machine_cred_list(credlist); |
2369 | + if (!success) { |
2370 | + if(nocache == 0) { |
2371 | + nocache++; |
2372 | + printerr(2, "WARNING: Machine cache is prematurely expired or corrupted " |
2373 | + "trying to recreate cache for server %s\n", clp->servername); |
2374 | + } else { |
2375 | + printerr(1, "WARNING: Failed to create machine krb5 context " |
2376 | + "with any credentials cache for server %s\n", |
2377 | + clp->servername); |
2378 | + goto out_return_error; |
2379 | + } |
2380 | + } |
2381 | + } while(!success); |
2382 | + } else { |
2383 | + printerr(1, "WARNING: Failed to create krb5 context " |
2384 | + "for user with uid %d for server %s\n", |
2385 | + uid, clp->servername); |
2386 | + goto out_return_error; |
2387 | + } |
2388 | + } |
2389 | + |
2390 | + if (!authgss_get_private_data(auth, &pd)) { |
2391 | + printerr(2, "WARNING: Failed to obtain authentication " |
2392 | + "data for user with uid %d for server %s\n", |
2393 | + uid, clp->servername); |
2394 | + goto out_return_error; |
2395 | + } |
2396 | + |
2397 | + /* Grab the context lifetime to pass to the kernel. lifetime_rec |
2398 | + * is set to zero on error */ |
2399 | + maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, |
2400 | + &lifetime_rec, NULL, NULL, NULL, NULL); |
2401 | + |
2402 | + if (maj_stat) |
2403 | + printerr(1, "WARNING: Failed to inquire context for lifetme " |
2404 | + "maj_stat %u\n", maj_stat); |
2405 | + |
2406 | + if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) { |
2407 | + printerr(0, "WARNING: Failed to serialize krb5 context for " |
2408 | + "user with uid %d for server %s\n", |
2409 | + uid, clp->servername); |
2410 | + goto out_return_error; |
2411 | + } |
2412 | + |
2413 | + do_downcall(fd, uid, &pd, &token, lifetime_rec); |
2414 | + |
2415 | +out: |
2416 | + if (token.value) |
2417 | + free(token.value); |
2418 | +#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA |
2419 | + if (pd.pd_ctx_hndl.length != 0 || pd.pd_ctx != 0) |
2420 | + authgss_free_private_data(&pd); |
2421 | +#endif |
2422 | + if (auth) |
2423 | + AUTH_DESTROY(auth); |
2424 | + if (rpc_clnt) |
2425 | + clnt_destroy(rpc_clnt); |
2426 | + return; |
2427 | + |
2428 | +out_return_error: |
2429 | + do_error_downcall(fd, uid, downcall_err); |
2430 | + goto out; |
2431 | +} |
2432 | + |
2433 | +void |
2434 | +handle_krb5_upcall(struct clnt_info *clp) |
2435 | +{ |
2436 | + uid_t uid; |
2437 | + |
2438 | + if (read(clp->krb5_fd, &uid, sizeof(uid)) < (ssize_t)sizeof(uid)) { |
2439 | + printerr(0, "WARNING: failed reading uid from krb5 " |
2440 | + "upcall pipe: %s\n", strerror(errno)); |
2441 | + return; |
2442 | + } |
2443 | + |
2444 | + process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); |
2445 | +} |
2446 | + |
2447 | +void |
2448 | +handle_gssd_upcall(struct clnt_info *clp) |
2449 | +{ |
2450 | + uid_t uid; |
2451 | + char *lbuf = NULL; |
2452 | + int lbuflen = 0; |
2453 | + char *p; |
2454 | + char *mech = NULL; |
2455 | + char *target = NULL; |
2456 | + char *service = NULL; |
2457 | + char *enctypes = NULL; |
2458 | + |
2459 | + printerr(1, "handling gssd upcall (%s)\n", clp->dirname); |
2460 | + |
2461 | + if (readline(clp->gssd_fd, &lbuf, &lbuflen) != 1) { |
2462 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2463 | + "failed reading request\n"); |
2464 | + return; |
2465 | + } |
2466 | + printerr(2, "%s: '%s'\n", __func__, lbuf); |
2467 | + |
2468 | + /* find the mechanism name */ |
2469 | + if ((p = strstr(lbuf, "mech=")) != NULL) { |
2470 | + mech = malloc(lbuflen); |
2471 | + if (!mech) |
2472 | + goto out; |
2473 | + if (sscanf(p, "mech=%s", mech) != 1) { |
2474 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2475 | + "failed to parse gss mechanism name " |
2476 | + "in upcall string '%s'\n", lbuf); |
2477 | + goto out; |
2478 | + } |
2479 | + } else { |
2480 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2481 | + "failed to find gss mechanism name " |
2482 | + "in upcall string '%s'\n", lbuf); |
2483 | + goto out; |
2484 | + } |
2485 | + |
2486 | + /* read uid */ |
2487 | + if ((p = strstr(lbuf, "uid=")) != NULL) { |
2488 | + if (sscanf(p, "uid=%d", &uid) != 1) { |
2489 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2490 | + "failed to parse uid " |
2491 | + "in upcall string '%s'\n", lbuf); |
2492 | + goto out; |
2493 | + } |
2494 | + } else { |
2495 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2496 | + "failed to find uid " |
2497 | + "in upcall string '%s'\n", lbuf); |
2498 | + goto out; |
2499 | + } |
2500 | + |
2501 | + /* read supported encryption types if supplied */ |
2502 | + if ((p = strstr(lbuf, "enctypes=")) != NULL) { |
2503 | + enctypes = malloc(lbuflen); |
2504 | + if (!enctypes) |
2505 | + goto out; |
2506 | + if (sscanf(p, "enctypes=%s", enctypes) != 1) { |
2507 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2508 | + "failed to parse encryption types " |
2509 | + "in upcall string '%s'\n", lbuf); |
2510 | + goto out; |
2511 | + } |
2512 | + if (parse_enctypes(enctypes) != 0) { |
2513 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2514 | + "parsing encryption types failed: errno %d\n", errno); |
2515 | + } |
2516 | + } |
2517 | + |
2518 | + /* read target name */ |
2519 | + if ((p = strstr(lbuf, "target=")) != NULL) { |
2520 | + target = malloc(lbuflen); |
2521 | + if (!target) |
2522 | + goto out; |
2523 | + if (sscanf(p, "target=%s", target) != 1) { |
2524 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2525 | + "failed to parse target name " |
2526 | + "in upcall string '%s'\n", lbuf); |
2527 | + goto out; |
2528 | + } |
2529 | + } |
2530 | + |
2531 | + /* |
2532 | + * read the service name |
2533 | + * |
2534 | + * The presence of attribute "service=" indicates that machine |
2535 | + * credentials should be used for this request. If the value |
2536 | + * is "*", then any machine credentials available can be used. |
2537 | + * If the value is anything else, then machine credentials for |
2538 | + * the specified service name (always "nfs" for now) should be |
2539 | + * used. |
2540 | + */ |
2541 | + if ((p = strstr(lbuf, "service=")) != NULL) { |
2542 | + service = malloc(lbuflen); |
2543 | + if (!service) |
2544 | + goto out; |
2545 | + if (sscanf(p, "service=%s", service) != 1) { |
2546 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2547 | + "failed to parse service type " |
2548 | + "in upcall string '%s'\n", lbuf); |
2549 | + goto out; |
2550 | + } |
2551 | + } |
2552 | + |
2553 | + if (strcmp(mech, "krb5") == 0) |
2554 | + process_krb5_upcall(clp, uid, clp->gssd_fd, target, service); |
2555 | + else |
2556 | + printerr(0, "WARNING: handle_gssd_upcall: " |
2557 | + "received unknown gss mech '%s'\n", mech); |
2558 | + |
2559 | +out: |
2560 | + free(lbuf); |
2561 | + free(mech); |
2562 | + free(enctypes); |
2563 | + free(target); |
2564 | + free(service); |
2565 | + return; |
2566 | +} |
2567 | + |
2568 | |
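Review bot: In handle_gssd_upcall each key is located with strstr(lbuf, "mech="), strstr(lbuf, "uid=") and so on, so a key name that happens to appear inside another field's value (a target= string, for instance) is parsed as that key. Matching keys only at the start of the line or after a space would make the parse unambiguous. The uid is read with sscanf(p, "uid=%d", &uid) although uid is declared uid_t, so "%u" into an unsigned temporary would match the type. A parse_enctypes() failure is only logged and the upcall is still processed, which deserves a comment saying that is intended. In handle_krb5_upcall the short-read branch prints strerror(errno), which is meaningful only when read() returned -1, and the gss_inquire_context warning spells "lifetme".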
2569 | === modified file '.pc/applied-patches' |
2570 | --- .pc/applied-patches 2013-05-14 00:46:42 +0000 |
2571 | +++ .pc/applied-patches 2013-05-24 21:14:25 +0000 |
2572 | @@ -5,4 +5,5 @@ |
2573 | 16-mount.nfs.man-update-distinction-between-fstype.patch |
2574 | 17-multiarch-kerberos-paths.patch |
2575 | 19-iscsiadm-path.patch |
2576 | +20-ticket-expired-error.patch |
2577 | 20-remove-autogenerated-man.patch |
2578 | |
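Review bot: 20-ticket-expired-error.patch is inserted ahead of 20-remove-autogenerated-man.patch and shares its 20- prefix, so the number no longer tells a reader which of the two applies first. Giving the Ubuntu patch a distinct number, and keeping it in the same position in debian/patches/series, would make the delta easier to follow at the next merge from Debian.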
2579 | === modified file 'debian/changelog' |
2580 | --- debian/changelog 2013-05-14 00:46:42 +0000 |
2581 | +++ debian/changelog 2013-05-24 21:14:25 +0000 |
2582 | @@ -1,3 +1,40 @@ |
2583 | +nfs-utils (1:1.2.8-2ubuntu1) UNRELEASED; urgency=low |
2584 | + |
2585 | + * Merge from Debian unstable. Remaining changes: |
2586 | + - debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, |
2587 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2588 | + debian/rules: drop nfs-common init script in favor of upstart jobs, |
2589 | + and build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart |
2590 | + init handling. |
2591 | + - Depend on rpcbind (>= 0.2.0-6ubuntu1) for upstart support. |
2592 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2593 | + in the postinst, this is redundant anyway and the nfs-common init script |
2594 | + is gone now. |
2595 | + - nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2596 | + - Allow issuing options to rpc.nfsd |
2597 | + - debian/nfs-common.defaults: always start idmapd automatically; drop |
2598 | + the configuration option. |
2599 | + - Move /var/lib/nfs/rpc_pipefs to /run/rpc_pipefs. This does not belong |
2600 | + in /var/lib. |
2601 | + - Add "-e" (ticket expiry is error) option to rpc.gssd to prevent hangs due |
2602 | + to EKEYEXPIRED error from kernel on ticket expiry. LP: #794112 |
2603 | + - Adjust upstart jobs to treat TYPE=nfs and TYPE=nfs4 mounts identically, |
2604 | + since TYPE=nfs4 is considered deprecated. |
2605 | + - Fix various boot-time race conditions between mountall and nfs-utils by |
2606 | + moving handling of the 'mounting' events to separate gssd-mounting and |
2607 | + idmapd-mounting jobs. Requires mountall 2.41 or better to avoid deadlock |
2608 | + on boot. LP: #643289, LP: #611397. |
2609 | + - Fix the stop conditions: never stop on 'runlevel [06]' since that gives |
2610 | + the system no time to cleanly unmount nfs mounts; instead, stop only on |
2611 | + the unmounted-remote-filesystems event. LP: #569094. |
2612 | + - Newer versions of gssd don't talk to portmap, so don't make the upstart |
2613 | + job depend on it. |
2614 | + - Add an instance to statd-mounting, and change it to just wait for statd |
2615 | + instead of trying to trigger it potentially out of order. This also |
2616 | + means we don't need to try to force portmap to start from statd. |
2617 | + |
2618 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 16:47:37 -0400 |
2619 | + |
2620 | nfs-utils (1:1.2.8-2) unstable; urgency=medium |
2621 | |
2622 | * Fix reportbug scripts to use rpcinfo in /usr/sbin. |
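Review bot: The remaining-changes list in the 1:1.2.8-2ubuntu1 entry names debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, while a later bullet in the same entry says the 'mounting' handling moved to separate gssd-mounting and idmapd-mounting jobs; adding those two to the brace list would make the summary match the jobs it describes. The bullet that refers to debian/nfs-common.defaults should be checked against the packaged file name. The entry is also still marked UNRELEASED, which has to become the target series before upload.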
2623 | @@ -27,12 +64,80 @@ |
2624 | |
2625 | -- Luk Claes <luk@zomers.be> Fri, 10 May 2013 14:27:47 +0200 |
2626 | |
2627 | +nfs-utils (1:1.2.6-3ubuntu2) quantal; urgency=low |
2628 | + |
2629 | + [ Steve Langasek ] |
2630 | + * Adjust upstart jobs to treat TYPE=nfs and TYPE=nfs4 mounts identically, |
2631 | + since TYPE=nfs4 is considered deprecated. |
2632 | + * Fix various boot-time race conditions between mountall and nfs-utils by |
2633 | + moving handling of the 'mounting' events to separate gssd-mounting and |
2634 | + idmapd-mounting jobs. Requires mountall 2.41 or better to avoid deadlock |
2635 | + on boot. LP: #643289, LP: #611397. |
2636 | + * Fix the stop conditions: never stop on 'runlevel [06]' since that gives |
2637 | + the system no time to cleanly unmount nfs mounts; instead, stop only on |
2638 | + the unmounted-remote-filesystems event. LP: #569094. |
2639 | + * Newer versions of gssd don't talk to portmap, so don't make the upstart |
2640 | + job depend on it. |
2641 | + * Add an instance to statd-mounting, and change it to just wait for statd |
2642 | + instead of trying to trigger it potentially out of order. This also means |
2643 | + we don't need to try to force portmap to start from statd. |
2644 | + |
2645 | + [ Matthew L. Dailey ] |
2646 | + * Add "-e" (ticket expiry is error) option to rpc.gssd to prevent hangs due |
2647 | + to EKEYEXPIRED error from kernel on ticket expiry. LP: #794112 |
2648 | + |
2649 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 28 Sep 2012 13:58:43 -0400 |
2650 | + |
2651 | +nfs-utils (1:1.2.6-3ubuntu1) quantal; urgency=low |
2652 | + |
2653 | + * Merge from Debian unstable. Remaining changes: |
2654 | + - debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, |
2655 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2656 | + debian/rules: drop nfs-common init script in favor of upstart jobs, |
2657 | + and build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart |
2658 | + init handling. |
2659 | + - Depend on rpcbind (>= 0.2.0-6ubuntu1) for upstart support. |
2660 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2661 | + in the postinst, this is redundant anyway and the nfs-common init script |
2662 | + is gone now. |
2663 | + - nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2664 | + - Allow issuing options to rpc.nfsd |
2665 | + - debian/nfs-common.defaults: always start idmapd automatically; drop |
2666 | + the configuration option. |
2667 | + - Move /var/lib/nfs/rpc_pipefs to /run/rpc_pipefs. This does not belong |
2668 | + in /var/lib. |
2669 | + |
2670 | + -- Logan Rosen <logatronico@gmail.com> Sun, 05 Aug 2012 00:56:05 -0400 |
2671 | + |
2672 | nfs-utils (1:1.2.6-3) unstable; urgency=low |
2673 | |
2674 | * Iterate through exports.d to look for expors (Closes: #676604). |
2675 | |
2676 | -- Luk Claes <luk@zomers.be> Tue, 10 Jul 2012 19:38:22 +0200 |
2677 | |
2678 | +nfs-utils (1:1.2.6-2ubuntu1) quantal; urgency=low |
2679 | + |
2680 | + * Merge from Debian unstable, remaining changes: |
2681 | + - debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, |
2682 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2683 | + debian/rules: drop nfs-common init script in favor of upstart jobs, |
2684 | + and build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart |
2685 | + init handling. |
2686 | + - Depend on rpcbind (>= 0.2.0-6ubuntu1) for upstart support. |
2687 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2688 | + in the postinst, this is redundant anyway and the nfs-common init script |
2689 | + is gone now. |
2690 | + - nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2691 | + - Allow issuing options to rpc.nfsd |
2692 | + - debian/nfs-common.defaults: always start idmapd automatically; drop |
2693 | + the configuration option. |
2694 | + - Move /var/lib/nfs/rpc_pipefs to /run/rpc_pipefs. This does not belong |
2695 | + in /var/lib. |
2696 | + * Dropped changes, included in Debian: |
2697 | + - nfs-kernel-server.default: Add comment about how to disable nfs4. |
2698 | + |
2699 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 22 Jun 2012 11:25:28 -0700 |
2700 | + |
2701 | nfs-utils (1:1.2.6-2) unstable; urgency=low |
2702 | |
2703 | * Move open-iscsi and watchdog to Suggests. |
2704 | @@ -60,6 +165,44 @@ |
2705 | |
2706 | -- Luk Claes <luk@debian.org> Sun, 22 Jan 2012 15:46:25 +0100 |
2707 | |
2708 | +nfs-utils (1:1.2.5-3ubuntu3) precise; urgency=low |
2709 | + |
2710 | + * In some cases, /var/lib/nfs/rpc_pipefs is successfully unmounted on |
2711 | + upgrade but the directory still has contents within it. Since this is |
2712 | + /var/lib we shouldn't assume it's ok for delete these; instead, pass |
2713 | + --ignore-fail-on-non-empty to rmdir. LP: #954619. |
2714 | + |
2715 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 08 Apr 2012 22:44:40 -0700 |
2716 | + |
2717 | +nfs-utils (1:1.2.5-3ubuntu2) precise; urgency=low |
2718 | + |
2719 | + * Fix wrong path to rpcinfo in the init script, which breaks use of nfs |
2720 | + v3 support in the server. LP: #945651. |
2721 | + |
2722 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 27 Mar 2012 10:44:03 -0700 |
2723 | + |
2724 | +nfs-utils (1:1.2.5-3ubuntu1) precise; urgency=low |
2725 | + |
2726 | + * Merge from Debian testing, remaining changes: |
2727 | + - debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, |
2728 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2729 | + debian/rules: drop nfs-common init script in favor of upstart jobs, |
2730 | + and build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart |
2731 | + init handling. |
2732 | + - Depend on rpcbind (>= 0.2.0-6ubuntu1) for upstart support. |
2733 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2734 | + in the postinst, this is redundant anyway and the nfs-common init script |
2735 | + is gone now. |
2736 | + - nfs-kernel-server.default: Add comment about how to disable nfs4. |
2737 | + - nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2738 | + - Allow issuing options to rpc.nfsd |
2739 | + - debian/nfs-common.defaults: always start idmapd automatically; drop |
2740 | + the configuration option. |
2741 | + - Move /var/lib/nfs/rpc_pipefs to /run/rpc_pipefs. This does not belong |
2742 | + in /var/lib. |
2743 | + |
2744 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 04 Jan 2012 09:20:27 -0800 |
2745 | + |
2746 | nfs-utils (1:1.2.5-3) unstable; urgency=low |
2747 | |
2748 | [ Roger Leigh ] |
2749 | @@ -78,6 +221,33 @@ |
2750 | |
2751 | -- Luk Claes <luk@debian.org> Fri, 09 Dec 2011 11:55:31 +0100 |
2752 | |
2753 | +nfs-utils (1:1.2.5-2ubuntu1) precise; urgency=low |
2754 | + |
2755 | + * Merge from Debian testing, remaining changes: |
2756 | + - debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, |
2757 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2758 | + debian/rules: drop nfs-common init script in favor of upstart jobs, |
2759 | + and build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart |
2760 | + init handling. |
2761 | + - Depend on rpcbind (>= 0.2.0-6ubuntu1) for upstart support. |
2762 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2763 | + in the postinst, this is redundant anyway and the nfs-common init script |
2764 | + is gone now. |
2765 | + - nfs-kernel-server.default: Add comment about how to disable nfs4. |
2766 | + - nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2767 | + - Allow issuing options to rpc.nfsd |
2768 | + - debian/nfs-common.defaults: always start idmapd automatically; drop |
2769 | + the configuration option. |
2770 | + - Move /var/lib/nfs/rpc_pipefs to /run/rpc_pipefs. This does not belong |
2771 | + in /var/lib. |
2772 | + * Dropped changes, superseded in Debian/upstream: |
2773 | + - debian/patches/multiarch-kerberos-paths: Search for kerberos libs |
2774 | + in multiarch locations. |
2775 | + - ubuntu-fix-kernel-version-handling: avoid segfaults from short kernel |
2776 | + version numbers. |
2777 | + |
2778 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 30 Oct 2011 00:12:50 +0000 |
2779 | + |
2780 | nfs-utils (1:1.2.5-2) unstable; urgency=low |
2781 | |
2782 | * debian/patches/18-dont-use-PAGE_SIZE.patch |
2783 | @@ -120,6 +290,57 @@ |
2784 | |
2785 | -- Luk Claes <luk@debian.org> Sat, 06 Aug 2011 07:38:48 +0200 |
2786 | |
2787 | +nfs-utils (1:1.2.4-1ubuntu4) precise; urgency=low |
2788 | + |
2789 | + * debian/nfs-common.postinst: handle the case when /var/lib/nfs/rpc_pipefs |
2790 | + is not already mounted on upgrade - dpkg will already remove the |
2791 | + directory for us on upgrade, so don't fail when it's missing. |
2792 | + LP: #882799. |
2793 | + |
2794 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 27 Oct 2011 16:21:22 -0700 |
2795 | + |
2796 | +nfs-utils (1:1.2.4-1ubuntu3) precise; urgency=low |
2797 | + |
2798 | + * debian/nfs-common.defaults, debian/nfs-common.idmapd.upstart: idmapd |
2799 | + should always be started automatically, because we can no longer assume |
2800 | + that a mount of type 'nfs' in /etc/fstab is not nfs4. This also lets |
2801 | + things work by default with nfs4 autofs. LP: #662711. |
2802 | + * Move /var/lib/nfs/rpc_pipefs to /run/rpc_pipefs. This does not belong |
2803 | + in /var/lib. |
2804 | + * Ignore errors from mount if the filesystem is already mounted. |
2805 | + LP: #811823. |
2806 | + |
2807 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 27 Oct 2011 12:04:58 -0700 |
2808 | + |
2809 | +nfs-utils (1:1.2.4-1ubuntu2) oneiric; urgency=low |
2810 | + |
2811 | + * Allow issuing options to rpc.nfsd |
2812 | + (LP: #567491) |
2813 | + |
2814 | + -- Bryce Harrington <bryce@ubuntu.com> Mon, 08 Aug 2011 16:37:26 -0700 |
2815 | + |
2816 | +nfs-utils (1:1.2.4-1ubuntu1) oneiric; urgency=low |
2817 | + |
2818 | + * Merge from Debian unstable (LP: #728586, LP: #789117), remaining |
2819 | + changes: |
2820 | + - debian/nfs-common.{statd,statd-mounting,gssd,idmapd}.upstart, |
2821 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2822 | + debian/rules: drop nfs-common init script in favor of upstart jobs, |
2823 | + and build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart |
2824 | + init handling. |
2825 | + - Depend on rpcbind (>= 0.2.0-6ubuntu1) for upstart support. |
2826 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2827 | + in the postinst, this is redundant anyway and the nfs-common init script |
2828 | + is gone now. |
2829 | + - nfs-kernel-server.default: Add comment about how to disable nfs4. |
2830 | + - debian/patches/multiarch-kerberos-paths: Search for kerberos libs |
2831 | + in multiarch locations. |
2832 | + - nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2833 | + - ubuntu-fix-kernel-version-handling: avoid segfaults from short kernel |
2834 | + version numbers. |
2835 | + |
2836 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 23 Jul 2011 17:54:36 +0200 |
2837 | + |
2838 | nfs-utils (1:1.2.4-1) unstable; urgency=low |
2839 | |
2840 | * New upstream version |
2841 | @@ -207,6 +428,93 @@ |
2842 | |
2843 | -- Luk Claes <luk@debian.org> Wed, 16 Mar 2011 23:10:15 +0100 |
2844 | |
2845 | +nfs-utils (1:1.2.2-4ubuntu8) oneiric; urgency=low |
2846 | + |
2847 | + * debian/nfs-common.idmapd.upstart: don't use a script unnecessarily for |
2848 | + our job when we can exec directly - making the job more resilient in |
2849 | + the face of races with /usr being mounted. LP: #811823. |
2850 | + * Drop rpc_pipefs.conf; this has gotten far more complicated than it |
2851 | + should be, just do the mount in-line in each of the gssd and idmapd |
2852 | + jobs. |
2853 | + |
2854 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 17 Jul 2011 02:23:01 -0700 |
2855 | + |
2856 | +nfs-utils (1:1.2.2-4ubuntu7) oneiric; urgency=low |
2857 | + |
2858 | + [ Andy Whitcroft ] |
2859 | + * ubuntu-fix-kernel-version-handling: avoid segfaults from short kernel |
2860 | + version numbers. (LP: #796611) |
2861 | + |
2862 | + -- Evan Dandrea <ev@ubuntu.com> Tue, 14 Jun 2011 17:13:14 +0100 |
2863 | + |
2864 | +nfs-utils (1:1.2.2-4ubuntu6) oneiric; urgency=low |
2865 | + |
2866 | + * nfs-kernel-server.init: Unmount nfsd fs when init script stops |
2867 | + (LP: #251026) |
2868 | + |
2869 | + -- Bryce Harrington <bryce@ubuntu.com> Mon, 06 Jun 2011 19:18:16 -0700 |
2870 | + |
2871 | +nfs-utils (1:1.2.2-4ubuntu5) natty; urgency=low |
2872 | + |
2873 | + * Search kerberos libs in multiarch locations. |
2874 | + |
2875 | + -- Matthias Klose <doko@ubuntu.com> Fri, 01 Apr 2011 12:35:30 +0200 |
2876 | + |
2877 | +nfs-utils (1:1.2.2-4ubuntu4) natty; urgency=low |
2878 | + |
2879 | + * nvs-kernel-server.default: Add comment about how to disable nfs4. |
2880 | + There are corner cases where the server providing nfsv4 as the default |
2881 | + can confuse the client (117957, 680680) or even cause kernel problems |
2882 | + (716811), so it is worthwhile to document how to fallback to nfs3 only. |
2883 | + |
2884 | + -- Bryce Harrington <bryce@ubuntu.com> Mon, 14 Feb 2011 13:20:27 -0800 |
2885 | + |
2886 | +nfs-utils (1:1.2.2-4ubuntu3) natty; urgency=low |
2887 | + |
2888 | + * debian/nfs-common.statd.upstart: pass a new WAITER= variable |
2889 | + to portmap-wait, so that multiple jobs can wait in parallel, fixing |
2890 | + another subtle race condition; and bump the portmap dependency again for |
2891 | + the necessary instance support. |
2892 | + * also fix the grouping in the start condition, so that restarts work |
2893 | + correctly when portmap is restarted. |
2894 | + * debian/nfs-common.rpc_pipefs.upstart: instantiate this job separately for |
2895 | + gssd and idmapd, so that the filesystem gets mounted and unmounted |
2896 | + correctly even if both of gssd and idmapd aren't being run, or if one of |
2897 | + the two tries to start before the filesystem is fully mounted. Though |
2898 | + it may be simpler now to move this logic back into the gssd and idmapd |
2899 | + jobs directly, leave that for a later date. |
2900 | + |
2901 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 18 Jan 2011 17:45:45 -0800 |
2902 | + |
2903 | +nfs-utils (1:1.2.2-4ubuntu2) natty; urgency=low |
2904 | + |
2905 | + * debian/nfs-common.statd.upstart, |
2906 | + debian/nfs-common.statd-mounting.upstart: refactor startup to wait for |
2907 | + local-filesystems. (LP: #525154) |
2908 | + * debian/control: depend on portmap version that sets ON_BOOT=y and |
2909 | + has the portmap-wait job. |
2910 | + * debian/rules: install new statd-mounting upstart job |
2911 | + |
2912 | + -- Clint Byrum <clint@ubuntu.com> Wed, 05 Jan 2011 12:27:32 -0800 |
2913 | + |
2914 | +nfs-utils (1:1.2.2-4ubuntu1) natty; urgency=low |
2915 | + |
2916 | + * Merge from debian unstable (LP: #685860), remaining changes: |
2917 | + - debian/nfs-common.{statd,gssd,idmapd,rpc_pipefs}.upstart, |
2918 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2919 | + debian/rules: drop nfs-common init script in favor of upstart jobs, and |
2920 | + build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart init |
2921 | + handling. |
2922 | + - debian/control: |
2923 | + + depend on the upstart-using version of portmap, 6.0-10ubuntu1; and |
2924 | + drop the alternative depends on rpcbind, which hasn't been converted. |
2925 | + + depend on portmap 6.0-10ubuntu1. |
2926 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2927 | + in the postinst, this is redundant anyway and the nfs-common init script |
2928 | + is gone now. |
2929 | + |
2930 | + -- Lorenzo De Liso <blackz@ubuntu.com> Wed, 15 Dec 2010 21:42:55 +0100 |
2931 | + |
2932 | nfs-utils (1:1.2.2-4) unstable; urgency=low |
2933 | |
2934 | * mountd: fix path comparison for v4 crossmnt (Closes: #578317) |
2935 | @@ -234,6 +542,28 @@ |
2936 | |
2937 | -- Anibal Monsalve Salazar <anibal@debian.org> Tue, 13 Jul 2010 15:20:17 +1000 |
2938 | |
2939 | +nfs-utils (1:1.2.2-1ubuntu1) maverick; urgency=low |
2940 | + |
2941 | + * Merge from Debian unstable, remaining changes: |
2942 | + - debian/nfs-common.{statd,gssd,idmapd,rpc_pipefs}.upstart, |
2943 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2944 | + debian/rules: drop nfs-common init script in favor of upstart jobs, and |
2945 | + build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart init |
2946 | + handling. |
2947 | + - debian/control: depend on the upstart-using version of portmap, |
2948 | + 6.0-10ubuntu1; and drop the alternative depends on rpcbind, which |
2949 | + hasn't been converted. |
2950 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
2951 | + in the postinst, this is redundant anyway and the nfs-common init script |
2952 | + is gone now. |
2953 | + * Dropped changes, included in Debian: |
2954 | + - debian/control: add ${misc:Depends} line for nfs-common, for the |
2955 | + upstart deps |
2956 | + - debian/nfs-kernel-server.init: updated check for presence of nfsd |
2957 | + support |
2958 | + |
2959 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 04 Jun 2010 09:55:28 +0000 |
2960 | + |
2961 | nfs-utils (1:1.2.2-1) unstable; urgency=low |
2962 | |
2963 | [ Anibal Monsalve Salazar ] |
2964 | @@ -305,6 +635,51 @@ |
2965 | |
2966 | -- Ben Hutchings <ben@decadent.org.uk> Wed, 16 Dec 2009 22:14:01 +0000 |
2967 | |
2968 | +nfs-utils (1:1.2.0-4ubuntu4) lucid; urgency=low |
2969 | + |
2970 | + * debian/nfs-common.gssd.upstart: |
2971 | + - fix the OPTIONS= match for the start condition (missing a leading '*') |
2972 | + so that we actually match on nfs4 mounts |
2973 | + - drop the 'script' for a straight exec of rpc.gssd; if /usr is a separate |
2974 | + partition then nfs4 mounts might be attempted in parallel, and upstart |
2975 | + gets mightily confused when this happens. LP: #545673 |
2976 | + |
2977 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 23 Mar 2010 22:26:07 -0700 |
2978 | + |
2979 | +nfs-utils (1:1.2.0-4ubuntu3) lucid; urgency=low |
2980 | + |
2981 | + * debian/nfs-common.*.upstart: start on new 'mounting' signal instead of |
2982 | + obsolete 'mount' signal. |
2983 | + |
2984 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 25 Feb 2010 06:41:46 -0800 |
2985 | + |
2986 | +nfs-utils (1:1.2.0-4ubuntu2) lucid; urgency=low |
2987 | + |
2988 | + * debian/nfs-kernel-server.init: 2.6.32 kernels no longer export the |
2989 | + same symbols. Switch symbol check to nfsd_serv which has been present |
2990 | + since 2005. LP: #493145. |
2991 | + |
2992 | + -- Andy Whitcroft <apw@canonical.com> Mon, 07 Dec 2009 16:56:56 +0000 |
2993 | + |
2994 | +nfs-utils (1:1.2.0-4ubuntu1) lucid; urgency=low |
2995 | + |
2996 | + * Merge from Debian testing, remaining changes: |
2997 | + - debian/nfs-common.{statd,gssd,idmapd,rpc_pipefs}.upstart, |
2998 | + debian/control, debian/nfs-common.{preinst,postinst,prerm,postrm}, |
2999 | + debian/rules: drop nfs-common init script in favor of upstart jobs, and |
3000 | + build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart init |
3001 | + handling. |
3002 | + - debian/control: depend on the upstart-using version of portmap, |
3003 | + 6.0-10ubuntu1; and drop the alternative depends on rpcbind, which |
3004 | + hasn't been converted. |
3005 | + - debian/control: add ${misc:Depends} line for nfs-common, for the |
3006 | + upstart deps |
3007 | + - debian/nfs-kernel-server.postinst: don't call "invoke-rc.d nfs-common" |
3008 | + in the postinst, this is redundant anyway and the nfs-common init script |
3009 | + is gone now. |
3010 | + |
3011 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 04 Dec 2009 18:37:48 -0800 |
3012 | + |
3013 | nfs-utils (1:1.2.0-4) unstable; urgency=low |
3014 | |
3015 | * Removing myself from uploaders. |
3016 | @@ -319,6 +694,94 @@ |
3017 | |
3018 | -- Steinar H. Gunderson <sesse@debian.org> Sun, 09 Aug 2009 12:47:00 +0200 |
3019 | |
3020 | +nfs-utils (1:1.2.0-2ubuntu9) lucid; urgency=low |
3021 | + |
3022 | + * debian/nfs-common.statd.upstart: check for a started portmap in a |
3023 | + non-racy manner. LP: #484209. |
3024 | + |
3025 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 17 Nov 2009 11:27:37 -0600 |
3026 | + |
3027 | +nfs-utils (1:1.2.0-2ubuntu8) karmic; urgency=low |
3028 | + |
3029 | + * debian/control: add missing ${misc:Depends} for nfs-common, else we don't |
3030 | + get the dependency on upstart that we should have. LP: #456281. |
3031 | + |
3032 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 20 Oct 2009 13:10:01 +0000 |
3033 | + |
3034 | +nfs-utils (1:1.2.0-2ubuntu7) karmic; urgency=low |
3035 | + |
3036 | + * debian/rules: now that the jobs will exit cleanly on their own when |
3037 | + 'start' is called but the job is a no-op, remove the --error-handler |
3038 | + option to dh_installinit so that we don't accidentally ignore other |
3039 | + kinds of errors that could point to real problems. |
3040 | + |
3041 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 11 Oct 2009 08:51:39 +0000 |
3042 | + |
3043 | +nfs-utils (1:1.2.0-2ubuntu6) karmic; urgency=low |
3044 | + |
3045 | + * Drop the gssd upstart job's dependency on "local-filesystems"; at boot |
3046 | + time this is always implied transitively by the dep on portmap, and using |
3047 | + a combination of 'or' and 'and' operators in the dependency list seems |
3048 | + to confuse upstart quite badly, causing kerberized mounts to hang at boot. |
3049 | + LP: #447654. |
3050 | + |
3051 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 10 Oct 2009 20:12:11 +0000 |
3052 | + |
3053 | +nfs-utils (1:1.2.0-2ubuntu5) karmic; urgency=low |
3054 | + |
3055 | + * Set upstart jobs to also start on mount attempt, in the event that |
3056 | + mountall gets to them before the daemons are done starting. Really-fixes |
3057 | + LP: #431248. |
3058 | + * Call 'stop' in the pre-start scripts for all jobs when we want to prevent |
3059 | + the job from starting; this lets upstart know that it's a clean stop, |
3060 | + and avoids boot-time messages about service start failures |
3061 | + |
3062 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 09 Oct 2009 19:17:34 +0000 |
3063 | + |
3064 | +nfs-utils (1:1.2.0-2ubuntu4) karmic; urgency=low |
3065 | + |
3066 | + * Mounting rpc_pipefs also requires the sunrpc module, so move this |
3067 | + modprobe to the right upstart job. |
3068 | + |
3069 | + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 05 Oct 2009 22:04:28 -0700 |
3070 | + |
3071 | +nfs-utils (1:1.2.0-2ubuntu3) karmic; urgency=low |
3072 | + |
3073 | + * nfs-kernel-server: don't call invoke-rc.d nfs-common in the postinst, |
3074 | + this is redundant anyway and the nfs-common init script is gone now. |
3075 | + LP: #441855. |
3076 | + |
3077 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 03 Oct 2009 23:07:09 -0700 |
3078 | + |
3079 | +nfs-utils (1:1.2.0-2ubuntu2) karmic; urgency=low |
3080 | + |
3081 | + * Configure gssd and idmapd upstart jobs to stop on runlevels 0 and 6; this |
3082 | + is consistent with previous initscript-based behavior, and spares upstart |
3083 | + trying to restart the jobs repeatedly when sendsigs runs. |
3084 | + * When autodetecting gssd, handle the case of 'sec=krb5' being embedded in |
3085 | + the middle of the options list in /etc/fstab. LP: #364861. |
3086 | + * Fix transition idempotency error when stopping old nfs-common init |
3087 | + script, in case the postinst fails to finish afterwards (e.g., failure to |
3088 | + restart the daemons). |
3089 | + * Fix statd upstart job to properly honor NEED_STATD=no and not get stuck |
3090 | + respawning indefinitely. |
3091 | + * Ignore failures to start the daemons on upgrade, since if they aren't |
3092 | + needed we don't *want* them to start. LP: #441055. |
3093 | + * Fix up the rpc_pipefs job, the wrong version of the file slipped into |
3094 | + the previous upload. |
3095 | + |
3096 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 03 Oct 2009 01:52:21 +0000 |
3097 | + |
3098 | +nfs-utils (1:1.2.0-2ubuntu1) karmic; urgency=low |
3099 | + |
3100 | + * Drop nfs-common init script in favor of new upstart jobs. LP: #431248. |
3101 | + * Build-depend on debhelper (>= 7.3.15ubuntu3) for correct upstart init |
3102 | + handling. |
3103 | + * Depend the upstart-using version of portmap, 6.0-10ubuntu1; and drop the |
3104 | + alternative depends on rpcbind, which hasn't been converted. |
3105 | + |
3106 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 02 Oct 2009 19:23:19 +0000 |
3107 | + |
3108 | nfs-utils (1:1.2.0-2) unstable; urgency=low |
3109 | |
3110 | * Merge from Ubuntu |
3111 | |
3112 | === modified file 'debian/control' |
3113 | --- debian/control 2013-05-10 19:27:47 +0000 |
3114 | +++ debian/control 2013-05-24 21:14:25 +0000 |
3115 | @@ -1,9 +1,10 @@ |
3116 | Source: nfs-utils |
3117 | Priority: standard |
3118 | Section: net |
3119 | -Maintainer: Debian kernel team <debian-kernel@lists.debian.org> |
3120 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
3121 | +XSBC-Original-Maintainer: Debian kernel team <debian-kernel@lists.debian.org> |
3122 | Uploaders: Anibal Monsalve Salazar <anibal@debian.org>, Ben Hutchings <ben@decadent.org.uk>, Luk Claes <luk@debian.org> |
3123 | -Build-Depends: debhelper (>= 7), libwrap0-dev, libevent-dev, libnfsidmap-dev (>= 0.24), libkrb5-dev, libgssglue-dev (>= 0.3), libblkid-dev, libkeyutils-dev, pkg-config, libldap2-dev, libcap-dev, libtirpc-dev, libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev |
3124 | +Build-Depends: debhelper (>= 7.3.15ubuntu3), libwrap0-dev, libevent-dev, libnfsidmap-dev (>= 0.24), libkrb5-dev, libgssglue-dev (>= 0.3), libblkid-dev, libkeyutils-dev, pkg-config, libldap2-dev, libcap-dev, libtirpc-dev, libdevmapper-dev, dh-autoreconf, libmount-dev, libsqlite3-dev |
3125 | Standards-Version: 3.9.0 |
3126 | Homepage: http://nfs.sourceforge.net/ |
3127 | Vcs-Git: git://git.debian.org/kernel/nfs-utils.git |
3128 | @@ -32,7 +33,7 @@ |
3129 | |
3130 | Package: nfs-common |
3131 | Architecture: any |
3132 | -Depends: ${shlibs:Depends}, ${misc:Depends}, rpcbind, adduser, ucf, lsb-base (>= 1.3-9ubuntu3), initscripts (>= 2.88dsf-13.3) |
3133 | +Depends: ${shlibs:Depends}, ${misc:Depends}, rpcbind (>= 0.2.0-6ubuntu1), adduser, ucf, lsb-base (>= 1.3-9ubuntu3), initscripts (>= 2.88dsf-13.10ubuntu1), mountall (>= 2.41) |
3134 | Recommends: python |
3135 | Suggests: open-iscsi, watchdog |
3136 | Provides: nfs-client |
3137 | |
3138 | === modified file 'debian/idmapd.conf' |
3139 | --- debian/idmapd.conf 2011-10-02 18:29:53 +0000 |
3140 | +++ debian/idmapd.conf 2013-05-24 21:14:25 +0000 |
3141 | @@ -1,7 +1,7 @@ |
3142 | [General] |
3143 | |
3144 | Verbosity = 0 |
3145 | -Pipefs-Directory = /var/lib/nfs/rpc_pipefs |
3146 | +Pipefs-Directory = /run/rpc_pipefs |
3147 | # set your own domain here, if id differs from FQDN minus hostname |
3148 | # Domain = localdomain |
3149 | |
3150 | |
3151 | === modified file 'debian/nfs-common.default' |
3152 | --- debian/nfs-common.default 2011-03-16 23:10:15 +0000 |
3153 | +++ debian/nfs-common.default 2013-05-24 21:14:25 +0000 |
3154 | @@ -12,8 +12,5 @@ |
3155 | # For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS |
3156 | STATDOPTS= |
3157 | |
3158 | -# Do you want to start the idmapd daemon? It is only needed for NFSv4. |
3159 | -NEED_IDMAPD= |
3160 | - |
3161 | # Do you want to start the gssd daemon? It is required for Kerberos mounts. |
3162 | NEED_GSSD= |
3163 | |
3164 | === modified file 'debian/nfs-common.dirs' |
3165 | --- debian/nfs-common.dirs 2011-03-27 18:54:45 +0000 |
3166 | +++ debian/nfs-common.dirs 2013-05-24 21:14:25 +0000 |
3167 | @@ -4,7 +4,6 @@ |
3168 | var/lib/nfs |
3169 | var/lib/nfs/sm |
3170 | var/lib/nfs/sm.bak |
3171 | -var/lib/nfs/rpc_pipefs |
3172 | usr/share/nfs-common/conffiles |
3173 | usr/share/bug/nfs-common |
3174 | usr/share/bug/nfs-utils |
3175 | |
3176 | === added file 'debian/nfs-common.gssd-mounting.upstart' |
3177 | --- debian/nfs-common.gssd-mounting.upstart 1970-01-01 00:00:00 +0000 |
3178 | +++ debian/nfs-common.gssd-mounting.upstart 2013-05-24 21:14:25 +0000 |
3179 | @@ -0,0 +1,57 @@ |
3180 | +# gssd-mounting |
3181 | + |
3182 | +description "Block the mounting event for NFS4 filesytems until gssd is running" |
3183 | +author "Steve Langasek <steve.langasek@canonical.com>" |
3184 | + |
3185 | +instance $MOUNTPOINT |
3186 | + |
3187 | +start on mounting TYPE=nfs* OPTIONS=*sec*krb5* |
3188 | +stop on started gssd or stopped gssd |
3189 | +task |
3190 | + |
3191 | +# This is required so that the task is still considered |
3192 | +# successful when it gets killed |
3193 | +normal exit TERM |
3194 | + |
3195 | +script |
3196 | + |
3197 | + DEFAULTFILE=/etc/default/nfs-common |
3198 | + |
3199 | + if [ -f "$DEFAULTFILE" ]; then |
3200 | + . "$DEFAULTFILE" |
3201 | + fi |
3202 | + |
3203 | + if [ -f /etc/fstab ]; then |
3204 | + exec 9<&0 </etc/fstab |
3205 | + |
3206 | + while read DEV MTPT FSTYPE OPTS REST |
3207 | + do |
3208 | + case "$OPTS" in |
3209 | + sec=krb5|*,sec=krb5|sec=krb5,*|*,sec=krb5,*|sec=krb5i|*,sec=krb5i|sec=krb5i,*|*,sec=krb5i,*|sec=krb5p|*,sec=krb5p|sec=krb5p,*|*,sec=krb5p,*) |
3210 | + AUTO_NEED_GSSD=yes |
3211 | + ;; |
3212 | + esac |
3213 | + done |
3214 | + |
3215 | + exec 0<&9 9<&- |
3216 | + fi |
3217 | + |
3218 | + case "$NEED_GSSD" in |
3219 | + yes|no) |
3220 | + ;; |
3221 | + *) |
3222 | + NEED_GSSD=$AUTO_NEED_GSSD |
3223 | + ;; |
3224 | + esac |
3225 | + [ "x$NEED_GSSD" = xyes ] || { stop; exit 0; } |
3226 | + |
3227 | + status gssd | grep -q "start/running" && exit 0 |
3228 | + |
3229 | + # If it's already starting we'll get killed by the impending 'stop on |
3230 | + # started gssd' |
3231 | + # If it wasn't already starting, we'll either get killed by the stop |
3232 | + # on started or stopped. |
3233 | + # So, its safe to sleep forever here and rely on upstart to kill us, |
3234 | + |
3235 | + while sleep 3600; do :; done |
3236 | +end script |
3237 | |
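Review bot: the fstab loop in the script stanza matches only on the fourth field and never checks DEV or FSTYPE, so an entry disabled as "#server:/export /mnt nfs4 sec=krb5 0 0" still sets AUTO_NEED_GSSD=yes. Skip lines whose first field starts with "#" and require FSTYPE to be an nfs type before testing OPTS. The job is also already instantiated per $MOUNTPOINT from an event filtered on OPTIONS=*sec*krb5*, so testing that event's own options would avoid re-reading /etc/fstab and would drop the long case pattern that is copied verbatim into the gssd job. Nits: "filesytems" in the description, and "its safe" in the closing comment.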
3238 | === added file 'debian/nfs-common.gssd.upstart' |
3239 | --- debian/nfs-common.gssd.upstart 1970-01-01 00:00:00 +0000 |
3240 | +++ debian/nfs-common.gssd.upstart 2013-05-24 21:14:25 +0000 |
3241 | @@ -0,0 +1,86 @@ |
3242 | +# gssd - rpcsec_gss daemon |
3243 | + |
3244 | +# The rpcsec_gss protocol gives a means of using the GSS-API generic security |
3245 | +# API to provide security for protocols using RPC (in particular, NFS). |
3246 | + |
3247 | +description "rpcsec_gss daemon" |
3248 | +author "Steve Langasek <steve.langasek@canonical.com>" |
3249 | + |
3250 | +start on local-filesystems |
3251 | +stop on unmounted-remote-filesystems |
3252 | + |
3253 | +expect fork |
3254 | +respawn |
3255 | + |
3256 | +env DEFAULTFILE=/etc/default/nfs-common |
3257 | +env PIPEFS_MOUNTPOINT=/run/rpc_pipefs |
3258 | + |
3259 | +pre-start script |
3260 | + do_modprobe() { |
3261 | + modprobe -q "$1" || true |
3262 | + } |
3263 | + |
3264 | + if [ -f "$DEFAULTFILE" ]; then |
3265 | + . "$DEFAULTFILE" |
3266 | + fi |
3267 | + |
3268 | + # |
3269 | + # Parse the fstab file, and determine whether we need gssd. (The |
3270 | + # /etc/defaults settings, if any, will override our autodetection.) |
3271 | + # This code is partially adapted from the mountnfs.sh script in the |
3272 | + # sysvinit package. |
3273 | + |
3274 | + if [ -f /etc/fstab ]; then |
3275 | + exec 9<&0 </etc/fstab |
3276 | + |
3277 | + while read DEV MTPT FSTYPE OPTS REST |
3278 | + do |
3279 | + case "$OPTS" in |
3280 | + sec=krb5|*,sec=krb5|sec=krb5,*|*,sec=krb5,*|sec=krb5i|*,sec=krb5i|sec=krb5i,*|*,sec=krb5i,*|sec=krb5p|*,sec=krb5p|sec=krb5p,*|*,sec=krb5p,*) |
3281 | + AUTO_NEED_GSSD=yes |
3282 | + ;; |
3283 | + esac |
3284 | + done |
3285 | + |
3286 | + exec 0<&9 9<&- |
3287 | + fi |
3288 | + |
3289 | + case "$NEED_GSSD" in |
3290 | + yes|no) |
3291 | + ;; |
3292 | + *) |
3293 | + NEED_GSSD=$AUTO_NEED_GSSD |
3294 | + ;; |
3295 | + esac |
3296 | + [ "x$NEED_GSSD" = xyes ] || { stop; exit 0; } |
3297 | + |
3298 | + # we need this available; better to fail now than |
3299 | + # mysteriously on the first mount |
3300 | + if ! grep -q -E '^nfs[ ]' /etc/services; then |
3301 | + echo "broken /etc/services, please see /usr/share/doc/nfs-common/README.Debian.nfsv4" |
3302 | + exit 1 |
3303 | + fi |
3304 | + |
3305 | + do_modprobe nfs |
3306 | + do_modprobe nfsd |
3307 | + do_modprobe rpcsec_gss_krb5 |
3308 | + |
3309 | + do_modprobe sunrpc |
3310 | + |
3311 | + if ! mountpoint -q "$PIPEFS_MOUNTPOINT" |
3312 | + then |
3313 | + mkdir -p "$PIPEFS_MOUNTPOINT" |
3314 | + mount -t rpc_pipefs rpc_pipefs "$PIPEFS_MOUNTPOINT" || true |
3315 | + fi |
3316 | +end script |
3317 | + |
3318 | +exec rpc.gssd |
3319 | + |
3320 | +post-stop script |
3321 | + if mountpoint -q "$PIPEFS_MOUNTPOINT" |
3322 | + then |
3323 | + # ignore any failures caused by the filesystem still |
3324 | + # being in use |
3325 | + umount "$PIPEFS_MOUNTPOINT" || true |
3326 | + fi |
3327 | +end script |
3328 | |
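Review bot: "exec rpc.gssd" is started with no arguments, and DEFAULTFILE is sourced only inside pre-start, so nothing set in /etc/default/nfs-common can reach the daemon. The init script in this same diff still declares RPCGSSDOPTS=, and the new -e switch added to gssd.c cannot be enabled without editing the job file. Suggest a script stanza that sources the defaults file and runs "exec rpc.gssd $RPCGSSDOPTS", the way the statd job does with $STATDOPTS. Separately, the pre-start comment says it is "better to fail now than mysteriously on the first mount", yet the rpc_pipefs mount a few lines below ends in "|| true".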
3329 | === added file 'debian/nfs-common.idmapd-mounting.upstart' |
3330 | --- debian/nfs-common.idmapd-mounting.upstart 1970-01-01 00:00:00 +0000 |
3331 | +++ debian/nfs-common.idmapd-mounting.upstart 2013-05-24 21:14:25 +0000 |
3332 | @@ -0,0 +1,27 @@ |
3333 | +# idmapd-mounting |
3334 | + |
3335 | +description "Block the mounting event for NFS4 filesytems until idmapd is running" |
3336 | +author "Steve Langasek <steve.langasek@canonical.com>" |
3337 | + |
3338 | +instance $MOUNTPOINT |
3339 | + |
3340 | +start on mounting TYPE=nfs* |
3341 | +stop on started idmapd or stopped idmapd |
3342 | +task |
3343 | + |
3344 | +# This is required so that the task is still considered |
3345 | +# successful when it gets killed |
3346 | +normal exit TERM |
3347 | + |
3348 | +script |
3349 | + |
3350 | + status idmapd | grep -q "start/running" && exit 0 |
3351 | + |
3352 | + # If it's already starting we'll get killed by the impending 'stop on |
3353 | + # started idmapd' |
3354 | + # If it wasn't already starting, we'll either get killed by the stop |
3355 | + # on started or stopped. |
3356 | + # So, its safe to sleep forever here and rely on upstart to kill us, |
3357 | + |
3358 | + while sleep 3600; do :; done |
3359 | +end script |
3360 | |
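Review bot: "start on mounting TYPE=nfs*" also matches plain TYPE=nfs, so every NFS mount is held until idmapd starts or stops, although the description says the job is for NFS4 filesystems. The statd-mounting job uses the exact TYPE=nfs; if only NFSv4 is intended here, match TYPE=nfs4. Since this diff also removes NEED_IDMAPD from debian/nfs-common.default, there is no longer a way to opt out, which deserves a line in the changelog or README. Nits: "filesytems" in the description, "its safe" in the comment.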
3361 | === added file 'debian/nfs-common.idmapd.upstart' |
3362 | --- debian/nfs-common.idmapd.upstart 1970-01-01 00:00:00 +0000 |
3363 | +++ debian/nfs-common.idmapd.upstart 2013-05-24 21:14:25 +0000 |
3364 | @@ -0,0 +1,46 @@ |
3365 | +# idmapd - NFSv4 id <-> name mapper |
3366 | + |
3367 | +# rpc.idmapd is the NFSv4 ID <-> name mapping daemon. It provides |
3368 | +# functionality to the NFSv4 kernel client and server, to which it |
3369 | +# communicates via upcalls, by translating user and group IDs to names, and |
3370 | +# vice versa. |
3371 | + |
3372 | +description "NFSv4 id <-> name mapper" |
3373 | +author "Steve Langasek <steve.langasek@canonical.com>" |
3374 | + |
3375 | +start on local-filesystems |
3376 | +stop on unmounted-remote-filesystems |
3377 | + |
3378 | +expect fork |
3379 | +respawn |
3380 | + |
3381 | +env PIPEFS_MOUNTPOINT=/run/rpc_pipefs |
3382 | + |
3383 | +pre-start script |
3384 | + do_modprobe() { |
3385 | + modprobe -q "$1" || true |
3386 | + } |
3387 | + |
3388 | + do_modprobe nfs |
3389 | + do_modprobe nfsd |
3390 | + |
3391 | + do_modprobe sunrpc |
3392 | + |
3393 | + if ! mountpoint -q "$PIPEFS_MOUNTPOINT" |
3394 | + then |
3395 | + mkdir -p "$PIPEFS_MOUNTPOINT" |
3396 | + mount -t rpc_pipefs rpc_pipefs "$PIPEFS_MOUNTPOINT" || true |
3397 | + fi |
3398 | +end script |
3399 | + |
3400 | +exec rpc.idmapd |
3401 | + |
3402 | +post-stop script |
3403 | + if mountpoint -q "$PIPEFS_MOUNTPOINT" |
3404 | + then |
3405 | + # ignore any failures caused by the filesystem still |
3406 | + # being in use |
3407 | + umount "$PIPEFS_MOUNTPOINT" || true |
3408 | + fi |
3409 | +end script |
3410 | + |
3411 | |
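Review bot: in pre-start, "mount -t rpc_pipefs rpc_pipefs "$PIPEFS_MOUNTPOINT" || true" hides a failed mount, after which rpc.idmapd is exec'd against a plain directory and respawn keeps it alive. Re-test with mountpoint -q after the mount and exit non-zero if it is still not mounted, so the failure shows up in the job state. The mkdir/mount block and the post-stop umount are duplicated line for line in the gssd job; a shared helper or a dedicated job would keep the two from drifting apart. The file also ends with a stray empty line.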
3412 | === modified file 'debian/nfs-common.init' |
3413 | --- debian/nfs-common.init 2013-05-10 19:27:47 +0000 |
3414 | +++ debian/nfs-common.init 2013-05-24 21:14:25 +0000 |
3415 | @@ -20,7 +20,7 @@ |
3416 | NEED_STATD= |
3417 | NEED_IDMAPD= |
3418 | NEED_GSSD= |
3419 | -PIPEFS_MOUNTPOINT=/var/lib/nfs/rpc_pipefs |
3420 | +PIPEFS_MOUNTPOINT=/run/rpc_pipefs |
3421 | RPCGSSDOPTS= |
3422 | if [ -f $DEFAULTFILE ]; then |
3423 | . $DEFAULTFILE |
3424 | @@ -172,6 +172,7 @@ |
3425 | do_modprobe sunrpc |
3426 | do_modprobe nfs |
3427 | do_modprobe nfsd |
3428 | + mkdir -p "$PIPEFS_MOUNTPOINT" |
3429 | if do_mount rpc_pipefs $PIPEFS_MOUNTPOINT |
3430 | then |
3431 | if [ "$NEED_IDMAPD" = yes ] |
3432 | |
3433 | === modified file 'debian/nfs-common.postinst' |
3434 | --- debian/nfs-common.postinst 2012-01-22 15:46:25 +0000 |
3435 | +++ debian/nfs-common.postinst 2013-05-24 21:14:25 +0000 |
3436 | @@ -2,18 +2,23 @@ |
3437 | |
3438 | set -e |
3439 | |
3440 | -#DEBHELPER# |
3441 | +finish_rm_conffile() { |
3442 | + local CONFFILE="$1" |
3443 | + |
3444 | + if [ -e "$CONFFILE.dpkg-backup" ]; then |
3445 | + mv -f "$CONFFILE.dpkg-backup" "$CONFFILE.dpkg-bak" |
3446 | + fi |
3447 | + if [ -e "$CONFFILE.dpkg-remove" ]; then |
3448 | + echo "Removing obsolete conffile $CONFFILE ..." |
3449 | + rm -f "$CONFFILE.dpkg-remove" |
3450 | + fi |
3451 | +} |
3452 | |
3453 | case "$1" in |
3454 | configure) |
3455 | ucf --three-way /usr/share/nfs-common/conffiles/idmapd.conf /etc/idmapd.conf |
3456 | ucf --three-way /usr/share/nfs-common/conffiles/nfs-common.default /etc/default/nfs-common |
3457 | |
3458 | - if [ "$2" != "" ] && dpkg --compare-versions "$2" lt 1:1.1.0-10; then |
3459 | - update-rc.d -f nfs-common remove >/dev/null |
3460 | - fi |
3461 | - update-rc.d nfs-common start 20 2 3 4 5 . stop 20 0 1 6 . start 44 S . >/dev/null |
3462 | - |
3463 | if ! getent passwd statd >/dev/null; then |
3464 | adduser --system --home /var/lib/nfs --no-create-home statd |
3465 | fi |
3466 | @@ -26,7 +31,6 @@ |
3467 | |
3468 | chown statd: /var/lib/nfs/sm \ |
3469 | /var/lib/nfs/sm.bak \ |
3470 | - /var/lib/nfs/rpc_pipefs \ |
3471 | /var/lib/nfs |
3472 | if [ -f /var/lib/nfs/state ]; then |
3473 | chown statd /var/lib/nfs/state |
3474 | @@ -38,6 +42,26 @@ |
3475 | fi |
3476 | fi |
3477 | |
3478 | + if dpkg --compare-versions "$2" lt-nl 1:1.2.0-2ubuntu1 |
3479 | + then |
3480 | + if [ -e /etc/init.d/nfs-common.dpkg-remove ] |
3481 | + then |
3482 | + invoke-rc.d nfs-common.dpkg-remove stop |
3483 | + elif [ -e /etc/init.d/nfs-common.dpkg-backup ] |
3484 | + then |
3485 | + invoke-rc.d nfs-common.dpkg-backup stop |
3486 | + fi |
3487 | + update-rc.d nfs-common remove |
3488 | + elif dpkg --compare-versions "$2" lt-nl 1:1.2.4-1ubuntu3 |
3489 | + then |
3490 | + # handle the move of rpc_pipefs from /var/lib to /run |
3491 | + invoke-rc.d idmapd stop |
3492 | + invoke-rc.d gssd stop |
3493 | + if [ -d /var/lib/nfs/rpc_pipefs ]; then |
3494 | + rmdir --ignore-fail-on-non-empty /var/lib/nfs/rpc_pipefs |
3495 | + fi |
3496 | + fi |
3497 | + |
3498 | # Migrate /lib/init/rw/sendsigs.omit.statd to /run. |
3499 | if [ -f /lib/init/rw/sendsigs.omit.d/statd ]; then |
3500 | mv /lib/init/rw/sendsigs.omit.d/statd /run/sendsigs.omit.d/statd |
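Review bot: the script runs under "set -e", so a non-zero exit from "invoke-rc.d idmapd stop", "invoke-rc.d gssd stop" or either "invoke-rc.d nfs-common.dpkg-* stop" aborts the configure step and leaves the package half-configured. The changelog in this diff says failures to start the daemons on upgrade are deliberately ignored; the stop calls should get the same treatment, for example by appending "|| true". Also note the "elif": an upgrade from a version older than 1:1.2.0-2ubuntu1 takes the first branch only and never reaches the rmdir of /var/lib/nfs/rpc_pipefs.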
3501 | @@ -45,6 +69,10 @@ |
3502 | ;; |
3503 | esac |
3504 | |
3505 | -act="restart" |
3506 | -[ "$1:$2" = "configure:" ] && act="start" |
3507 | -invoke-rc.d nfs-common $act |
3508 | +finish_rm_conffile /etc/init/rpc_pipefs.conf |
3509 | + |
3510 | + |
3511 | + |
3512 | +#DEBHELPER# |
3513 | + |
3514 | +finish_rm_conffile /etc/init.d/nfs-common |
3515 | |
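Review bot: both finish_rm_conffile calls sit after "esac", so they run for every postinst action, not only "configure". If that is intended, a comment saying so would help; otherwise move them inside the configure) branch. With "invoke-rc.d nfs-common $act" removed, starting the daemons now depends entirely on what #DEBHELPER# expands to, which is worth stating in the changelog entry.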
3516 | === modified file 'debian/nfs-common.postrm' |
3517 | --- debian/nfs-common.postrm 2009-06-06 01:19:54 +0000 |
3518 | +++ debian/nfs-common.postrm 2013-05-24 21:14:25 +0000 |
3519 | @@ -6,7 +6,6 @@ |
3520 | |
3521 | case "$1" in |
3522 | purge) |
3523 | - update-rc.d nfs-common remove >/dev/null |
3524 | |
3525 | for FILE in /etc/default/nfs-common /etc/idmapd.conf; do |
3526 | # Taken from the ucf example postrm |
3527 | |
3528 | === added file 'debian/nfs-common.preinst' |
3529 | --- debian/nfs-common.preinst 1970-01-01 00:00:00 +0000 |
3530 | +++ debian/nfs-common.preinst 2013-05-24 21:14:25 +0000 |
3531 | @@ -0,0 +1,33 @@ |
3532 | +#!/bin/sh |
3533 | + |
3534 | +set -e |
3535 | + |
3536 | +prepare_rm_conffile() { |
3537 | + local CONFFILE="$1" |
3538 | + local PACKAGE="$2" |
3539 | + |
3540 | + [ -e "$CONFFILE" ] || return 0 |
3541 | + |
3542 | + local md5sum="$(md5sum $CONFFILE | sed -e 's/ .*//')" |
3543 | + local old_md5sum="$(dpkg-query -W -f='${Conffiles}' $PACKAGE | \ |
3544 | + sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")" |
3545 | + if [ "$md5sum" != "$old_md5sum" ]; then |
3546 | + echo "Obsolete conffile $CONFFILE has been modified by you." |
3547 | + echo "Saving as $CONFFILE.dpkg-bak ..." |
3548 | + mv -f "$CONFFILE" "$CONFFILE.dpkg-backup" |
3549 | + else |
3550 | + echo "Moving obsolete conffile $CONFFILE out of the way..." |
3551 | + mv -f "$CONFFILE" "$CONFFILE.dpkg-remove" |
3552 | + fi |
3553 | +} |
3554 | + |
3555 | +# remove the obsolete init script (replaced by an upstart job) |
3556 | +if [ "$1" = install ] || [ "$1" = upgrade ]; then |
3557 | + if [ -e "/etc/init.d/nfs-common" ] && [ ! -L "/etc/init.d/nfs-common" ]; then |
3558 | + prepare_rm_conffile /etc/init.d/nfs-common nfs-common |
3559 | + fi |
3560 | +fi |
3561 | + |
3562 | +prepare_rm_conffile /etc/init/rpc_pipefs.conf nfs-common |
3563 | + |
3564 | +#DEBHELPER# |
3565 | |
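Review bot: the last call, "prepare_rm_conffile /etc/init/rpc_pipefs.conf nfs-common", is outside the 'if [ "$1" = install ] || [ "$1" = upgrade ]' guard used for the init script, so it also runs on abort-upgrade; move it inside the guard. In the function, $CONFFILE and $PACKAGE are unquoted in the md5sum and dpkg-query calls, and $CONFFILE is interpolated into the sed address as a regular expression, where the "." in "rpc_pipefs.conf" matches any character. The message prints "Saving as $CONFFILE.dpkg-bak" while the mv on the next line writes "$CONFFILE.dpkg-backup"; the rename to .dpkg-bak only happens later in the postinst, so the message should either name the file actually written or say the rename is deferred.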
3566 | === modified file 'debian/nfs-common.prerm' |
3567 | --- debian/nfs-common.prerm 2009-06-06 01:19:54 +0000 |
3568 | +++ debian/nfs-common.prerm 2013-05-24 21:14:25 +0000 |
3569 | @@ -4,13 +4,6 @@ |
3570 | |
3571 | #DEBHELPER# |
3572 | |
3573 | -case "$1" in |
3574 | - remove|purge) |
3575 | - [ -x /etc/init.d/nfs-common ] && |
3576 | - invoke-rc.d nfs-common stop |
3577 | - ;; |
3578 | -esac |
3579 | - |
3580 | if [ "$1" != upgrade ] |
3581 | then |
3582 | rm -f /var/lib/nfs/sm/* \ |
3583 | |
3584 | === added file 'debian/nfs-common.statd-mounting.upstart' |
3585 | --- debian/nfs-common.statd-mounting.upstart 1970-01-01 00:00:00 +0000 |
3586 | +++ debian/nfs-common.statd-mounting.upstart 2013-05-24 21:14:25 +0000 |
3587 | @@ -0,0 +1,30 @@ |
3588 | +# statd-mounting |
3589 | + |
3590 | +description "Block the mounting event for NFS filesytems until statd is running" |
3591 | +author "Clint Byrum <clint.byrum@canonical.com>" |
3592 | + |
3593 | +instance $MOUNTPOINT |
3594 | + |
3595 | +start on mounting TYPE=nfs |
3596 | +stop on started statd or stopped statd |
3597 | +task |
3598 | + |
3599 | +# This is required so that the task is still considered |
3600 | +# successful when it gets killed |
3601 | +normal exit 2 |
3602 | + |
3603 | +script |
3604 | + |
3605 | + . /etc/default/nfs-common |
3606 | + |
3607 | + [ "x$NEED_STATD" != "xno" ] || exit 0 |
3608 | + status statd | grep -q "start/running" && exit 0 |
3609 | + |
3610 | + # If its already starting we'll get killed by the impending 'stop on |
3611 | + # started statd' |
3612 | + # If it wasn't already starting, we'll either get killed by the stop |
3613 | + # on started or stopped. |
3614 | + # So, its safe to sleep forever here and rely on upstart to kill us, |
3615 | + |
3616 | + while sleep 3600; do :; done |
3617 | +end script |
3618 | |
3619 | === added file 'debian/nfs-common.statd.upstart' |
3620 | --- debian/nfs-common.statd.upstart 1970-01-01 00:00:00 +0000 |
3621 | +++ debian/nfs-common.statd.upstart 2013-05-24 21:14:25 +0000 |
3622 | @@ -0,0 +1,43 @@ |
3623 | +# statd - NSM status monitor |
3624 | + |
3625 | +description "NSM status monitor" |
3626 | +author "Steve Langasek <steve.langasek@canonical.com>" |
3627 | + |
3628 | +# ON_BOOT is set to y in portmap's special portmap-boot.conf |
3629 | +# It will not be set when users run 'restart portmap' or 'start portmap' |
3630 | +# This is so that we don't start until we have local filesystems on |
3631 | +# bootup but we also restart whenever portmap is restarted. -Clint Byrum |
3632 | +# |
3633 | +# The case where we need to make sure statd is started on mounting |
3634 | +# TYPE=nfs is handled in the "statd-mounting" job. |
3635 | +# |
3636 | +start on (started portmap ON_BOOT= |
3637 | + or (local-filesystems and started portmap ON_BOOT=y)) |
3638 | +stop on stopping portmap |
3639 | + |
3640 | +expect fork |
3641 | +respawn |
3642 | + |
3643 | +env DEFAULTFILE=/etc/default/nfs-common |
3644 | + |
3645 | +pre-start script |
3646 | + if [ -f "$DEFAULTFILE" ]; then |
3647 | + . "$DEFAULTFILE" |
3648 | + fi |
3649 | + |
3650 | + [ "x$NEED_STATD" != xno ] || { stop; exit 0; } |
3651 | + logger -t statd-pre-start "$UPSTART_EVENTS" || true |
3652 | + echo UPSTART_EVENTS = "$UPSTART_EVENTS" |
3653 | + |
3654 | + exec sm-notify |
3655 | +end script |
3656 | + |
3657 | +script |
3658 | + if [ -f "$DEFAULTFILE" ]; then |
3659 | + . "$DEFAULTFILE" |
3660 | + fi |
3661 | + |
3662 | + if [ "x$NEED_STATD" != xno ]; then |
3663 | + exec rpc.statd -L $STATDOPTS |
3664 | + fi |
3665 | +end script |
3666 | |
3667 | === modified file 'debian/nfs-kernel-server.default' |
3668 | --- debian/nfs-kernel-server.default 2011-10-02 18:29:53 +0000 |
3669 | +++ debian/nfs-kernel-server.default 2013-05-24 21:14:25 +0000 |
3670 | @@ -6,7 +6,7 @@ |
3671 | |
3672 | # Options for rpc.mountd. |
3673 | # If you have a port-based firewall, you might want to set up |
3674 | -# a fixed port here using the --port option. For more information, |
3675 | +# a fixed port here using the --port option. For more information, |
3676 | # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS |
3677 | # To disable NFSv4 on the server, specify '--no-nfs-version 4' here |
3678 | RPCMOUNTDOPTS=--manage-gids |
3679 | @@ -17,3 +17,6 @@ |
3680 | |
3681 | # Options for rpc.svcgssd. |
3682 | RPCSVCGSSDOPTS= |
3683 | + |
3684 | +# Options for rpc.nfsd. |
3685 | +RPCNFSDOPTS= |
3686 | |
3687 | === modified file 'debian/nfs-kernel-server.init' |
3688 | --- debian/nfs-kernel-server.init 2013-05-10 19:27:47 +0000 |
3689 | +++ debian/nfs-kernel-server.init 2013-05-24 21:14:25 +0000 |
3690 | @@ -30,6 +30,7 @@ |
3691 | RPCMOUNTDOPTS= |
3692 | NEED_SVCGSSD=no |
3693 | RPCSVCGSSDOPTS= |
3694 | +RPCNFSDOPTS= |
3695 | PROCNFSD_MOUNTPOINT=/proc/fs/nfsd |
3696 | if [ -f $DEFAULTFILE ]; then |
3697 | . $DEFAULTFILE |
3698 | @@ -75,7 +76,7 @@ |
3699 | log_warning_msg "Not starting $DESC: no support in current kernel." |
3700 | exit 0 |
3701 | fi |
3702 | - |
3703 | + |
3704 | do_mount nfsd $PROCNFSD_MOUNTPOINT || NEED_SVCGSSD=no |
3705 | log_begin_msg "Exporting directories for $DESC..." |
3706 | $PREFIX/sbin/exportfs -r |
3707 | @@ -88,7 +89,7 @@ |
3708 | |
3709 | log_daemon_msg "Starting $DESC" |
3710 | log_progress_msg "nfsd" |
3711 | - |
3712 | + |
3713 | # See if rpcbind is running |
3714 | $PREFIX/sbin/rpcinfo -p >/dev/null 2>&1 |
3715 | RET=$? |
3716 | @@ -100,7 +101,7 @@ |
3717 | |
3718 | start-stop-daemon --start --oknodo --quiet \ |
3719 | --nicelevel $RPCNFSDPRIORITY \ |
3720 | - --exec $PREFIX/sbin/rpc.nfsd -- $RPCNFSDCOUNT |
3721 | + --exec $PREFIX/sbin/rpc.nfsd -- $RPCNFSDOPTS $RPCNFSDCOUNT |
3722 | RET=$? |
3723 | if [ $RET != 0 ]; then |
3724 | log_end_msg $RET |
3725 | @@ -195,6 +196,7 @@ |
3726 | if mountpoint -q $PROCNFSD_MOUNTPOINT |
3727 | then |
3728 | $PREFIX/sbin/exportfs -f |
3729 | + umount $PROCNFSD_MOUNTPOINT |
3730 | fi |
3731 | ;; |
3732 | |
3733 | |
3734 | === modified file 'debian/nfs-kernel-server.postinst' |
3735 | --- debian/nfs-kernel-server.postinst 2010-01-13 10:39:08 +0000 |
3736 | +++ debian/nfs-kernel-server.postinst 2013-05-24 21:14:25 +0000 |
3737 | @@ -21,5 +21,4 @@ |
3738 | |
3739 | act="restart" |
3740 | [ "$1:$2" = "configure:" ] && act="start" |
3741 | -[ "$1:$2" = "configure:" ] && invoke-rc.d nfs-common start |
3742 | invoke-rc.d nfs-kernel-server $act |
3743 | |
3744 | === added file 'debian/patches/20-ticket-expired-error.patch' |
3745 | --- debian/patches/20-ticket-expired-error.patch 1970-01-01 00:00:00 +0000 |
3746 | +++ debian/patches/20-ticket-expired-error.patch 2013-05-24 21:14:25 +0000 |
3747 | @@ -0,0 +1,79 @@ |
3748 | +## Description: add some description |
3749 | +## Origin/Author: add some origin or author |
3750 | +## Bug: bug URL |
3751 | +Index: ubuntu/utils/gssd/gssd.c |
3752 | +=================================================================== |
3753 | +--- ubuntu.orig/utils/gssd/gssd.c 2013-05-24 16:44:14.635084023 -0400 |
3754 | ++++ ubuntu/utils/gssd/gssd.c 2013-05-24 16:45:41.339080825 -0400 |
3755 | +@@ -63,6 +63,7 @@ |
3756 | + int root_uses_machine_creds = 1; |
3757 | + unsigned int context_timeout = 0; |
3758 | + char *preferred_realm = NULL; |
3759 | ++int ticket_expiry_is_error = 0; |
3760 | + |
3761 | + void |
3762 | + sig_die(int signal) |
3763 | +@@ -85,7 +86,7 @@ |
3764 | + static void |
3765 | + usage(char *progname) |
3766 | + { |
3767 | +- fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n", |
3768 | ++ fprintf(stderr, "usage: %s [-e] [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n", |
3769 | + progname); |
3770 | + exit(1); |
3771 | + } |
3772 | +@@ -102,8 +103,11 @@ |
3773 | + char *progname; |
3774 | + |
3775 | + memset(ccachesearch, 0, sizeof(ccachesearch)); |
3776 | +- while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R:")) != -1) { |
3777 | ++ while ((opt = getopt(argc, argv, "eDfvrlmnMp:k:d:t:R:")) != -1) { |
3778 | + switch (opt) { |
3779 | ++ case 'e': |
3780 | ++ ticket_expiry_is_error = 1; |
3781 | ++ break; |
3782 | + case 'f': |
3783 | + fg = 1; |
3784 | + break; |
3785 | +Index: ubuntu/utils/gssd/gssd.h |
3786 | +=================================================================== |
3787 | +--- ubuntu.orig/utils/gssd/gssd.h 2013-05-24 16:44:14.635084023 -0400 |
3788 | ++++ ubuntu/utils/gssd/gssd.h 2013-05-24 16:44:14.627084023 -0400 |
3789 | +@@ -67,6 +67,7 @@ |
3790 | + extern int root_uses_machine_creds; |
3791 | + extern unsigned int context_timeout; |
3792 | + extern char *preferred_realm; |
3793 | ++extern int ticket_expiry_is_error; |
3794 | + |
3795 | + TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list; |
3796 | + |
3797 | +Index: ubuntu/utils/gssd/gssd.man |
3798 | +=================================================================== |
3799 | +--- ubuntu.orig/utils/gssd/gssd.man 2013-05-24 16:44:14.635084023 -0400 |
3800 | ++++ ubuntu/utils/gssd/gssd.man 2013-05-24 16:44:14.627084023 -0400 |
3801 | +@@ -272,6 +272,12 @@ |
3802 | + seconds, which allows changing Kerberos tickets and identities frequently. |
3803 | + The default is no explicit timeout, which means the kernel context will live |
3804 | + the lifetime of the Kerberos service ticket used in its creation. |
3805 | ++.TP |
3806 | ++.B -e |
3807 | ++Return EACCESS instead of EKEYEXPIRED when a user's credentials expire. |
3808 | ++Returning EKEYEXPIRED was introduced around kernel 2.6.34 and causes all nfs4 |
3809 | ++I/O to block when a user's credentials expire. This option reverts to old |
3810 | ++bevavior. |
3811 | + .SH SEE ALSO |
3812 | + .BR rpc.svcgssd (8), |
3813 | + .BR kerberos (1), |
3814 | +Index: ubuntu/utils/gssd/gssd_proc.c |
3815 | +=================================================================== |
3816 | +--- ubuntu.orig/utils/gssd/gssd_proc.c 2013-05-24 16:44:14.635084023 -0400 |
3817 | ++++ ubuntu/utils/gssd/gssd_proc.c 2013-05-24 16:46:28.887079072 -0400 |
3818 | +@@ -1019,7 +1019,7 @@ |
3819 | + * trolling for credentials */ |
3820 | + for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) { |
3821 | + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); |
3822 | +- if (err == -EKEYEXPIRED) |
3823 | ++ if (err == -EKEYEXPIRED && !ticket_expiry_is_error) |
3824 | + downcall_err = -EKEYEXPIRED; |
3825 | + else if (!err) |
3826 | + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, |
3827 | |
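Review bot: the patch header still carries the template placeholders ("## Description: add some description", "## Origin/Author: add some origin or author", "## Bug: bug URL"). For a change that alters how rpc.gssd reports expired Kerberos credentials to the kernel, the header should state what the option does, who wrote it, whether it has been forwarded upstream, and the bug it addresses.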
3828 | === modified file 'debian/patches/series' |
3829 | --- debian/patches/series 2013-05-14 00:46:42 +0000 |
3830 | +++ debian/patches/series 2013-05-24 21:14:25 +0000 |
3831 | @@ -5,4 +5,5 @@ |
3832 | 16-mount.nfs.man-update-distinction-between-fstype.patch |
3833 | 17-multiarch-kerberos-paths.patch |
3834 | 19-iscsiadm-path.patch |
3835 | +20-ticket-expired-error.patch |
3836 | 20-remove-autogenerated-man.patch |
3837 | |
3838 | === modified file 'debian/rules' |
3839 | --- debian/rules 2013-05-10 19:27:47 +0000 |
3840 | +++ debian/rules 2013-05-24 21:14:25 +0000 |
3841 | @@ -2,7 +2,9 @@ |
3842 | |
3843 | # Parsing of DEB_BUILD_OPTIONS flags. |
3844 | # Note that nostrip is handled automatically by debhelper. |
3845 | -CFLAGS := -g -Wall |
3846 | +CFLAGS := -g -Wall -DPIPEFS_DIR=\\\"/run/rpc_pipefs\\\" \ |
3847 | + -DGSSD_PIPEFS_DIR=\\\"/run/rpc_pipefs\\\" |
3848 | + |
3849 | ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) |
3850 | CFLAGS += -O0 |
3851 | else |
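Review bot: "/run/rpc_pipefs" is now hard-coded twice in CFLAGS here, and again in debian/idmapd.conf, debian/nfs-common.init and the gssd and idmapd upstart jobs. Define it once in debian/rules (for example a PIPEFS_DIR make variable used for both -D flags) and add a comment listing the packaging files that must stay in sync, so a future move does not leave the daemons and the jobs looking at different directories.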
3852 | @@ -52,7 +54,12 @@ |
3853 | dh_install -Xman --fail-missing |
3854 | dh_installdocs -A |
3855 | dh_installdocs -pnfs-common debian/README.Debian.nfsv4 |
3856 | - install -m 0755 debian/nfs-common.init debian/nfs-common/etc/init.d/nfs-common |
3857 | + dh_installinit -pnfs-common --upstart-only -R --name statd |
3858 | + dh_installinit -pnfs-common --upstart-only --no-start --name statd-mounting |
3859 | + dh_installinit -pnfs-common --upstart-only -R --name gssd |
3860 | + dh_installinit -pnfs-common --upstart-only --no-start --name gssd-mounting |
3861 | + dh_installinit -pnfs-common --upstart-only -R --name idmapd |
3862 | + dh_installinit -pnfs-common --upstart-only --no-start --name idmapd-mounting |
3863 | install -m 0755 debian/nfs-kernel-server.init debian/nfs-kernel-server/etc/init.d/nfs-kernel-server |
3864 | install -m 0644 debian/nfs-common.bugcontrol debian/nfs-common/usr/share/bug/nfs-common/control |
3865 | install -m 0755 debian/nfs-common.bugscript debian/nfs-common/usr/share/bug/nfs-common/script |
3866 | |
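Review bot: the "install -m 0755 debian/nfs-common.init ..." line is removed and the preinst in this diff treats /etc/init.d/nfs-common as an obsolete conffile, yet debian/nfs-common.init is still edited in this same diff (the PIPEFS_MOUNTPOINT change and the added mkdir -p). If the script is no longer shipped, drop those edits or the file itself from the delta; if it is kept only to minimise the diff against Debian, say so in the changelog.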
3867 | === modified file 'utils/gssd/gssd.c' |
3868 | --- utils/gssd/gssd.c 2013-05-10 19:27:47 +0000 |
3869 | +++ utils/gssd/gssd.c 2013-05-24 21:14:25 +0000 |
3870 | @@ -63,6 +63,7 @@ |
3871 | int root_uses_machine_creds = 1; |
3872 | unsigned int context_timeout = 0; |
3873 | char *preferred_realm = NULL; |
3874 | +int ticket_expiry_is_error = 0; |
3875 | |
3876 | void |
3877 | sig_die(int signal) |
3878 | @@ -85,7 +86,7 @@ |
3879 | static void |
3880 | usage(char *progname) |
3881 | { |
3882 | - fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n", |
3883 | + fprintf(stderr, "usage: %s [-e] [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n", |
3884 | progname); |
3885 | exit(1); |
3886 | } |
3887 | @@ -102,8 +103,11 @@ |
3888 | char *progname; |
3889 | |
3890 | memset(ccachesearch, 0, sizeof(ccachesearch)); |
3891 | - while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R:")) != -1) { |
3892 | + while ((opt = getopt(argc, argv, "eDfvrlmnMp:k:d:t:R:")) != -1) { |
3893 | switch (opt) { |
3894 | + case 'e': |
3895 | + ticket_expiry_is_error = 1; |
3896 | + break; |
3897 | case 'f': |
3898 | fg = 1; |
3899 | break; |
3900 | |
3901 | === modified file 'utils/gssd/gssd.h' |
3902 | --- utils/gssd/gssd.h 2013-05-10 19:27:47 +0000 |
3903 | +++ utils/gssd/gssd.h 2013-05-24 21:14:25 +0000 |
3904 | @@ -67,6 +67,7 @@ |
3905 | extern int root_uses_machine_creds; |
3906 | extern unsigned int context_timeout; |
3907 | extern char *preferred_realm; |
3908 | +extern int ticket_expiry_is_error; |
3909 | |
3910 | TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list; |
3911 | |
3912 | |
3913 | === modified file 'utils/gssd/gssd.man' |
3914 | --- utils/gssd/gssd.man 2013-05-10 19:27:47 +0000 |
3915 | +++ utils/gssd/gssd.man 2013-05-24 21:14:25 +0000 |
3916 | @@ -272,6 +272,12 @@ |
3917 | seconds, which allows changing Kerberos tickets and identities frequently. |
3918 | The default is no explicit timeout, which means the kernel context will live |
3919 | the lifetime of the Kerberos service ticket used in its creation. |
3920 | +.TP |
3921 | +.B -e |
3922 | +Return EACCESS instead of EKEYEXPIRED when a user's credentials expire. |
3923 | +Returning EKEYEXPIRED was introduced around kernel 2.6.34 and causes all nfs4 |
3924 | +I/O to block when a user's credentials expire. This option reverts to old |
3925 | +bevavior. |
3926 | .SH SEE ALSO |
3927 | .BR rpc.svcgssd (8), |
3928 | .BR kerberos (1), |
3929 | |
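Review bot: two typos in the new -e entry: the errno name is EACCES, not "EACCESS", and "bevavior" should be "behavior". The text also promises a specific error code, but the gssd_proc.c change in this diff only suppresses the EKEYEXPIRED assignment and never sets EACCES explicitly, so the wording should match whatever value is actually sent.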
3930 | === modified file 'utils/gssd/gssd_proc.c' |
3931 | --- utils/gssd/gssd_proc.c 2013-05-10 19:27:47 +0000 |
3932 | +++ utils/gssd/gssd_proc.c 2013-05-24 21:14:25 +0000 |
3933 | @@ -1019,7 +1019,7 @@ |
3934 | * trolling for credentials */ |
3935 | for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) { |
3936 | err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); |
3937 | - if (err == -EKEYEXPIRED) |
3938 | + if (err == -EKEYEXPIRED && !ticket_expiry_is_error) |
3939 | downcall_err = -EKEYEXPIRED; |
3940 | else if (!err) |
3941 | create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, |
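Review bot: with -e set and err == -EKEYEXPIRED, the first branch is skipped and "else if (!err)" is false as well, so nothing in the visible lines assigns downcall_err for that case. The man page says the daemon then returns EACCES; please confirm that downcall_err is initialised to that value before the loop, or assign it explicitly in a dedicated branch so the behaviour does not depend on an initialiser outside this hunk. A short comment on the condition explaining why expiry is deliberately not reported would also help the next reader.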