nfsd4: fix gss-proxy 4.1 mounts for some AD principals

The principal name on a gss cred is used to setup the NFSv4.0 callback, which has to have a client principal name to authenticate to. That code wants the name to be in the form servicetype@hostname. rpc.svcgssd passes down such names (and passes down no principal name at all in the case the principal isn't a service principal). gss-proxy always passes down the principal name, and passes it down in the form servicetype/hostname@REALM. So we've been munging the name gss-proxy passes down into the format the NFSv4.0 callback code expects, or throwing away the name if we can't. Since the introduction of the MACH_CRED enforcement in NFSv4.1, we've also been using the principal name to verify that certain operations are done as the same principal as was used on the original EXCHANGE_ID call. For that application, the original name passed down by gss-proxy is also useful. Lack of that name in some cases was causing some kerberized NFSv4.1 mount failures in an Active Directory environment. This fix only works in the gss-proxy case. The fix for legacy rpc.svcgssd would be more involved, and rpc.svcgssd already has other problems in the AD case. Reported-and-tested-by: James Ralston <ralston@pobox.com> Acked-by: Simo Sorce <simo@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
author: J. Bruce Fields <bfields@redhat.com> 2015-11-20 10:48:02 -0500
committer: J. Bruce Fields <bfields@redhat.com> 2015-11-24 13:36:31 -0500
commit: 414ca017a54d26c3a58ed1504884e51448d22ae1 (patch)
tree: e76eb79e0573b50eed71b8fe5a20696f702fde82 /fs/nfsd
parent: 920dd9bb7d7cf9ae339e15240326a28a22f08a74 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index ed58ced6fa8b..113ecbfac25c 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1875,6 +1875,10 @@ static int copy_cred(struct svc_cred *target, struct svc_cred *source)
        ret = strdup_if_nonnull(&target->cr_principal, source->cr_principal);
        if (ret)
                return ret;
+        ret = strdup_if_nonnull(&target->cr_raw_principal,
+                                        source->cr_raw_principal);
+        if (ret)
+                return ret;
        target->cr_flavor = source->cr_flavor;
        target->cr_uid = source->cr_uid;
        target->cr_gid = source->cr_gid;
@@ -1978,6 +1982,9 @@ static bool mach_creds_match(struct nfs4_client *cl, struct svc_rqst *rqstp)
                return false;
        if (!svc_rqst_integrity_protected(rqstp))
                return false;
+        if (cl->cl_cred.cr_raw_principal)
+                return 0 == strcmp(cl->cl_cred.cr_raw_principal,
+                                                cr->cr_raw_principal);
        if (!cr->cr_principal)
                return false;
        return 0 == strcmp(cl->cl_cred.cr_principal, cr->cr_principal);
@@ -2390,7 +2397,8 @@ nfsd4_exchange_id(struct svc_rqst *rqstp,
                 * Which is a bug, really.  Anyway, we can't enforce
                 * MACH_CRED in that case, better to give up now:
                 */
-                if (!new->cl_cred.cr_principal) {
+                if (!new->cl_cred.cr_principal &&
+                                        !new->cl_cred.cr_raw_principal) {
                        status = nfserr_serverfault;
                        goto out_nolock;
                }
author	J. Bruce Fields <bfields@redhat.com>	2015-11-20 10:48:02 -0500
committer	J. Bruce Fields <bfields@redhat.com>	2015-11-24 13:36:31 -0500
commit	414ca017a54d26c3a58ed1504884e51448d22ae1 (patch)
tree	e76eb79e0573b50eed71b8fe5a20696f702fde82 /fs/nfsd
parent	920dd9bb7d7cf9ae339e15240326a28a22f08a74 (diff)