@@ -51,7 +51,6 @@ _Bool fedfsd_auth_rpc_gss(struct svc_req *rqstp);
/*
* gss.c
*/
-extern bool_t fedfsd_no_dispatch;
_Bool fedfsd_set_up_authenticators(void);
char * fedfsd_get_gss_cred(struct svc_req *rqstp);
@@ -1,12 +1,10 @@
/**
* @file src/fedfsd/gss.c
* @brief fedfsd support for RPCSEC GSSAPI
- *
- * Todo: Rework when Linux libtirpc gets a standard RPCSEC API
*/
/*
- * Copyright 2013 Oracle. All rights reserved.
+ * Copyright 2013, 2015 Oracle. All rights reserved.
*
* This file is part of fedfs-utils.
*
@@ -38,9 +36,10 @@
#include <netinet/in.h>
#include <rpc/rpc.h>
+#include <rpc/auth.h>
#include <rpc/svc.h>
#include <rpc/svc_auth.h>
-#include <gssapi/gssapi.h>
+#include <rpc/rpcsec_gss.h>
#include "fedfs.h"
#include "nsdb.h"
@@ -49,117 +48,33 @@
/**
- * Internal TI-RPC API for unpacking a GSS credential
- * (Not currently provided by any libtirpc header)
- */
-enum auth_stat _svcauth_gss(struct svc_req *rqst,
- struct rpc_msg *msg,
- bool_t *no_dispatch);
-
-/**
- * TI-RPC API for setting the server's principal name
- * (Not currently provided by any libtirpc header)
- */
-bool_t svcauth_gss_set_svc_name(gss_name_t name);
-
-/**
* TI-RPC API for retrieving the caller's principal
* (Not currently provided by any libtirpc header)
*/
char *svcauth_gss_get_principal(SVCAUTH *auth);
-
-/**
- * Set to TRUE when the GSS authenticator has already sent an RPC reply
- */
-bool_t fedfsd_no_dispatch = FALSE;
-
-/**
- * Log a GSS error
- *
- * @param prefix NUL-terminated C string containing log entry prefix
- * @param maj_stat major status to report
- * @param min_stat minor status to report
- */
-static void
-fedfsd_log_gss_error(const char *prefix, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
- gss_buffer_desc maj_msg, min_msg;
- OM_uint32 min, msg_ctx;
-
- msg_ctx = 0;
- gss_display_status(&min, maj_stat, GSS_C_GSS_CODE,
- GSS_C_NULL_OID, &msg_ctx, &maj_msg);
- gss_display_status(&min, min_stat, GSS_C_MECH_CODE,
- GSS_C_NULL_OID, &msg_ctx, &min_msg);
-
- xlog(D_GENERAL, "%s: %s - %s",
- prefix, (char *)maj_msg.value, (char *)min_msg.value);
-
- (void)gss_release_buffer(&min, &min_msg);
- (void)gss_release_buffer(&min, &maj_msg);
-}
-
/**
- * Unmarshal GSS credentials carried by a request
+ * Ensure GSS Kerberos authentication is enabled
*
- * @param rqst handle of an incoming request
- * @param msg RPC header information
- * @return status returned from authentication check
+ * @return true if all handlers were installed successfully.
*/
-static enum auth_stat
-fedfsd_authenticate_gss(struct svc_req *rqst, struct rpc_msg *msg)
-{
- enum auth_stat stat;
-
- fedfsd_no_dispatch = FALSE;
- stat = _svcauth_gss(rqst, msg, &fedfsd_no_dispatch);
- xlog(D_GENERAL, "%s: stat = %d, no_dispatch = %d\n",
- __func__, stat, fedfsd_no_dispatch);
- return stat;
-}
-
-static _Bool
-fedfsd_set_svc_name(void)
+_Bool
+fedfsd_set_up_authenticators(void)
{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc namebuf;
- gss_name_t name;
-
- namebuf.value = FEDFS_ADMIN_GSS_SERVICE_NAME;
- namebuf.length = strlen(FEDFS_ADMIN_GSS_SERVICE_NAME);
-
- maj_stat = gss_import_name(&min_stat, &namebuf,
- (gss_OID)GSS_C_NT_HOSTBASED_SERVICE,
- &name);
- if (maj_stat != GSS_S_COMPLETE) {
- fedfsd_log_gss_error("Failed to import service name",
- maj_stat, min_stat);
- return false;
+ if (!rpc_gss_is_installed("kerberos_v5")) {
+ xlog(D_GENERAL, "%s: kerberos_v5 mechanism not available",
+ __func__);
+ return true;
}
- if (svcauth_gss_set_svc_name(name) != TRUE) {
- (void)gss_release_name(&min_stat, &name);
+ if (!rpc_gss_set_svc_name(FEDFS_ADMIN_GSS_SERVICE_NAME,
+ "kerberos_v5", 0,
+ FEDFS_PROG, FEDFS_V1)) {
+ xlog(D_GENERAL, "%s: Could not set service name", __func__);
return false;
}
- return true;
-}
-/**
- * Install call-outs to unmarshal each request's credentials
- *
- * @return true if all handlers were installed successfully.
- *
- * libtirpc already provides handlers for dealing with
- * AUTH_NULL and AUTH_SYS. These cannot be removed.
- * A handler for RPCSEC_GSS must be installed manually.
- */
-_Bool
-fedfsd_set_up_authenticators(void)
-{
- if (svc_auth_reg(RPCSEC_GSS, fedfsd_authenticate_gss) < 0)
- return false;
- return fedfsd_set_svc_name();
+ return true;
}
/**
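Review bot: The new `fedfsd_set_up_authenticators` returns true when `rpc_gss_is_installed("kerberos_v5")` fails, so the daemon starts with no GSS service name registered, yet the rewritten doc comment still promises `@return true if all handlers were installed successfully`. Whether starting in that state is safe depends on `fedfsd_is_authorized()` and `fedfsd_auth_rpc_gss()` rejecting non-GSS callers later, which is outside this hunk, so the contract should be made explicit one way or the other. If running without the mechanism is intended, replace the return line of the comment with something like `@return false only if kerberos_v5 is present but the service name could not be set; a missing mechanism is logged and treated as success`, and log that branch at a higher severity than D_GENERAL since it silently changes the daemon's authentication posture. If it is not intended, the first guard should `return false;` so the caller fails closed like the service-name branch does.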
@@ -1352,9 +1352,6 @@ fedfsd_dispatch_1(struct svc_req *rqstp, SVCXPRT *xprt)
{
char addrbuf[INET6_ADDRSTRLEN];
- if (fedfsd_no_dispatch)
- return;
-
fedfsd_caller(rqstp, addrbuf, sizeof(addrbuf));
if (!fedfsd_is_authorized(rqstp)) {
With libtirpc-0.3, GSS is always loaded and available. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- src/fedfsd/fedfsd.h | 1 src/fedfsd/gss.c | 117 +++++++-------------------------------------------- src/fedfsd/svc.c | 3 - 3 files changed, 16 insertions(+), 105 deletions(-)