Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nfs-utils for openSUSE:Factory checked in at 2024-08-21 23:24:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nfs-utils (Old) and /work/SRC/openSUSE:Factory/.nfs-utils.new.2698 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nfs-utils" Wed Aug 21 23:24:49 2024 rev:182 rq:1194950 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/nfs-utils/nfs-utils.changes 2024-06-17 19:27:49.862602418 +0200 +++ /work/SRC/openSUSE:Factory/.nfs-utils.new.2698/nfs-utils.changes 2024-08-21 23:25:13.931623591 +0200 @@ -1,0 +2,11 @@ +Tue Aug 20 20:21:14 UTC 2024 - Dirk Müller <[email protected]> + +- add 0001-gssd-revert-commit-a5f3b7ccb01c.patch, + 0002-gssd-revert-commit-513630d720bd.patch, + 0003-gssd-switch-to-using-rpc_gss_seccreate.patch, + 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch, + 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch, + 0006-configure-check-for-rpc_gss_seccreate.patch: fixes for + libtirpc 1.3.5 + +------------------------------------------------------------------- New: ---- 0001-gssd-revert-commit-a5f3b7ccb01c.patch 0002-gssd-revert-commit-513630d720bd.patch 0003-gssd-switch-to-using-rpc_gss_seccreate.patch 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch 0006-configure-check-for-rpc_gss_seccreate.patch BETA DEBUG BEGIN: New: - add 0001-gssd-revert-commit-a5f3b7ccb01c.patch, 0002-gssd-revert-commit-513630d720bd.patch, New:- add 0001-gssd-revert-commit-a5f3b7ccb01c.patch, 0002-gssd-revert-commit-513630d720bd.patch, 0003-gssd-switch-to-using-rpc_gss_seccreate.patch, New: 0002-gssd-revert-commit-513630d720bd.patch, 0003-gssd-switch-to-using-rpc_gss_seccreate.patch, 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch, New: 0003-gssd-switch-to-using-rpc_gss_seccreate.patch, 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch, 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch, New: 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch, 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch, 0006-configure-check-for-rpc_gss_seccreate.patch: fixes for New: 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch, 0006-configure-check-for-rpc_gss_seccreate.patch: fixes for libtirpc 1.3.5 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nfs-utils.spec ++++++ --- /var/tmp/diff_new_pack.O03NpE/_old 2024-08-21 23:25:17.015752107 +0200 +++ /var/tmp/diff_new_pack.O03NpE/_new 2024-08-21 23:25:17.043753274 +0200 @@ -46,6 +46,13 @@ Patch2: 0002-conffile-don-t-report-error-from-conf_init_file.patch Patch3: 0003-conffile-allow-usr-etc-to-provide-any-config-files-e.patch Patch4: 0004-fsidd-call-anonymous-sockets-by-their-name-only-don-.patch +# PATCH-FIX-UPSTREAM: fix build against libtirpc 1.3.5 +Patch5: 0001-gssd-revert-commit-a5f3b7ccb01c.patch +Patch6: 0002-gssd-revert-commit-513630d720bd.patch +Patch7: 0003-gssd-switch-to-using-rpc_gss_seccreate.patch +Patch8: 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch +Patch9: 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch +Patch10: 0006-configure-check-for-rpc_gss_seccreate.patch BuildRequires: e2fsprogs-devel BuildRequires: gcc-c++ BuildRequires: libtool ++++++ 0001-gssd-revert-commit-a5f3b7ccb01c.patch ++++++ >From 20c0797937e9ec43a78a2f5475d4296897f8c537 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <[email protected]> Date: Mon, 11 Dec 2023 08:46:35 -0500 Subject: [PATCH 1/6] gssd: revert commit a5f3b7ccb01c In preparation for using rpc_gss_seccreate() function, revert commit a5f3b7ccb01c "gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials" Reviewed-by: Chuck Lever <[email protected]> Signed-off-by: Olga Kornievskaia <[email protected]> Signed-off-by: Steve Dickson <[email protected]> --- utils/gssd/gssd_proc.c | 2 -- utils/gssd/krb5_util.c | 42 ------------------------------------------ utils/gssd/krb5_util.h | 1 - 3 files changed, 45 deletions(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index a96647df..e5cc1d98 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -419,8 +419,6 @@ create_auth_rpc_client(struct clnt_info *clp, if (cred == GSS_C_NO_CREDENTIAL) retval = gssd_refresh_krb5_machine_credential(clp->servername, "*", NULL, 1); - else - retval = gssd_k5_remove_bad_service_cred(clp->servername); if (!retval) { auth = authgss_create_default(rpc_clnt, tgtname, &sec); diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 6f66ef4f..f6ce1fec 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1553,48 +1553,6 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) return ret; } -/* Removed a service ticket for nfs/<name> from the ticket cache - */ -int -gssd_k5_remove_bad_service_cred(char *name) -{ - krb5_creds in_creds, out_creds; - krb5_error_code ret; - krb5_context context; - krb5_ccache cache; - krb5_principal principal; - int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; - char srvname[1024]; - - ret = krb5_init_context(&context); - if (ret) - goto out_cred; - ret = krb5_cc_default(context, &cache); - if (ret) - goto out_free_context; - ret = krb5_cc_get_principal(context, cache, &principal); - if (ret) - goto out_close_cache; - memset(&in_creds, 0, sizeof(in_creds)); - in_creds.client = principal; - sprintf(srvname, "nfs/%s", name); - ret = krb5_parse_name(context, srvname, &in_creds.server); - if (ret) - goto out_free_principal; - ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); - if (ret) - goto out_free_principal; - ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); -out_free_principal: - krb5_free_principal(context, principal); -out_close_cache: - krb5_cc_close(context, cache); -out_free_context: - krb5_free_context(context); -out_cred: - return ret; -} - #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 7ef87018..62c91a0e 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -22,7 +22,6 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); -int gssd_k5_remove_bad_service_cred(char *srvname); #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes; -- 2.46.0 ++++++ 0002-gssd-revert-commit-513630d720bd.patch ++++++ >From f05af7d9924b5e455f4e750c1e8985c560784fce Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <[email protected]> Date: Mon, 11 Dec 2023 08:50:57 -0500 Subject: [PATCH 2/6] gssd: revert commit 513630d720bd In preparation for using rpc_gss_seccreate(), revert commit 513630d720bd "gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials" Reviewed-by: Chuck Lever <[email protected]> Signed-off-by: Olga Kornievskaia <[email protected]> Signed-off-by: Steve Dickson <[email protected]> --- utils/gssd/gssd_proc.c | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index e5cc1d98..4fb6b72d 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -412,27 +412,13 @@ create_auth_rpc_client(struct clnt_info *clp, tid, tgtname); auth = authgss_create_default(rpc_clnt, tgtname, &sec); if (!auth) { - if (sec.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - printerr(2, "WARNING: server=%s failed context " - "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", - clp->servername); - if (cred == GSS_C_NO_CREDENTIAL) - retval = gssd_refresh_krb5_machine_credential(clp->servername, - "*", NULL, 1); - if (!retval) { - auth = authgss_create_default(rpc_clnt, tgtname, - &sec); - if (auth) - goto success; - } - } /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } -success: + /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; -- 2.46.0 ++++++ 0003-gssd-switch-to-using-rpc_gss_seccreate.patch ++++++ >From 3abf6b5223af0ccf07d217d71978ee7987acce88 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <[email protected]> Date: Mon, 11 Dec 2023 08:52:47 -0500 Subject: [PATCH 3/6] gssd: switch to using rpc_gss_seccreate() If available from the libtirpc library, switch to using rpc_gss_seccreate() instead of authgss_create_default() which does not expose gss error codes. Reviewed-by: Chuck Lever <[email protected]> Signed-off-by: Olga Kornievskaia <[email protected]> Signed-off-by: Steve Dickson <[email protected]> --- utils/gssd/gssd_proc.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 4fb6b72d..99761157 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -70,6 +70,9 @@ #include <sys/types.h> #include <sys/wait.h> #include <syscall.h> +#ifdef HAVE_TIRPC_GSS_SECCREATE +#include <rpc/rpcsec_gss.h> +#endif #include "gssd.h" #include "err_util.h" @@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp, struct timeval timeout; struct sockaddr *addr = (struct sockaddr *) &clp->addr; socklen_t salen; +#ifdef HAVE_TIRPC_GSS_SECCREATE + rpc_gss_options_req_t req; + rpc_gss_options_ret_t ret; + char mechanism[] = "kerberos_v5"; +#endif pthread_t tid = pthread_self(); sec.qop = GSS_C_QOP_DEFAULT; @@ -410,7 +418,14 @@ create_auth_rpc_client(struct clnt_info *clp, printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n", tid, tgtname); +#ifdef HAVE_TIRPC_GSS_SECCREATE + memset(&req, 0, sizeof(req)); + req.my_cred = sec.cred; + auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism, + rpcsec_gss_svc_none, NULL, &req, &ret); +#else auth = authgss_create_default(rpc_clnt, tgtname, &sec); +#endif if (!auth) { /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " -- 2.46.0 ++++++ 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch ++++++ >From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <[email protected]> Date: Mon, 11 Dec 2023 08:55:35 -0500 Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials During context establishment, when the client received KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server updating its key material. To handle such error, get a new service ticket and re-try the AP_REQ. This functionality relies on the new API in libtirpc that exposes the gss errors. Reviewed-by: Chuck Lever <[email protected]> Signed-off-by: Olga Kornievskaia <[email protected]> Signed-off-by: Steve Dickson <[email protected]> --- utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 99761157..29600a3f 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp, auth = authgss_create_default(rpc_clnt, tgtname, &sec); #endif if (!auth) { +#ifdef HAVE_TIRPC_GSS_SECCREATE + if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + printerr(2, "WARNING: server=%s failed context " + "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", + clp->servername); + if (cred == GSS_C_NO_CREDENTIAL) + retval = gssd_refresh_krb5_machine_credential(clp->servername, + "*", NULL, 1); + if (!retval) { + auth = rpc_gss_seccreate(rpc_clnt, tgtname, + mechanism, rpcsec_gss_svc_none, + NULL, &req, &ret); + if (auth) + goto success; + } + } +#endif /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } - +#ifdef HAVE_TIRPC_GSS_SECCREATE +success: +#endif /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; -- 2.46.0 ++++++ 0005-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-user-crede.patch ++++++ >From 15cd566633b1546f0808d0694ede094b4c99752d Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <[email protected]> Date: Mon, 11 Dec 2023 08:57:28 -0500 Subject: [PATCH 5/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials Unlike the machine credential case, we can't throw away the ticket cache and use the keytab to renew the credentials. Instead, we need to remove the service ticket for the server that returned KRB5_AP_ERR_BAD_INTEGRITY and try again. Reviewed-by: Chuck Lever <[email protected]> Signed-off-by: Olga Kornievskaia <[email protected]> Signed-off-by: Steve Dickson <[email protected]> --- utils/gssd/gssd_proc.c | 2 ++ utils/gssd/krb5_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++ utils/gssd/krb5_util.h | 1 + 3 files changed, 45 insertions(+) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 29600a3f..7629de0b 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -435,6 +435,8 @@ create_auth_rpc_client(struct clnt_info *clp, if (cred == GSS_C_NO_CREDENTIAL) retval = gssd_refresh_krb5_machine_credential(clp->servername, "*", NULL, 1); + else + retval = gssd_k5_remove_bad_service_cred(clp->servername); if (!retval) { auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism, rpcsec_gss_svc_none, diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index f6ce1fec..6f66ef4f 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1553,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) return ret; } +/* Removed a service ticket for nfs/<name> from the ticket cache + */ +int +gssd_k5_remove_bad_service_cred(char *name) +{ + krb5_creds in_creds, out_creds; + krb5_error_code ret; + krb5_context context; + krb5_ccache cache; + krb5_principal principal; + int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; + char srvname[1024]; + + ret = krb5_init_context(&context); + if (ret) + goto out_cred; + ret = krb5_cc_default(context, &cache); + if (ret) + goto out_free_context; + ret = krb5_cc_get_principal(context, cache, &principal); + if (ret) + goto out_close_cache; + memset(&in_creds, 0, sizeof(in_creds)); + in_creds.client = principal; + sprintf(srvname, "nfs/%s", name); + ret = krb5_parse_name(context, srvname, &in_creds.server); + if (ret) + goto out_free_principal; + ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); + if (ret) + goto out_free_principal; + ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); +out_free_principal: + krb5_free_principal(context, principal); +out_close_cache: + krb5_cc_close(context, cache); +out_free_context: + krb5_free_context(context); +out_cred: + return ret; +} + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 62c91a0e..7ef87018 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -22,6 +22,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); +int gssd_k5_remove_bad_service_cred(char *srvname); #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes; -- 2.46.0 ++++++ 0006-configure-check-for-rpc_gss_seccreate.patch ++++++ >From 49567e7d03a5605c590be2135a24d4de8345fa3c Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <[email protected]> Date: Mon, 11 Dec 2023 08:59:43 -0500 Subject: [PATCH 6/6] configure: check for rpc_gss_seccreate If we have rpc_gss_sccreate in tirpc library define HAVE_TIRPC_GSS_SECCREATE, which would allow us to handle bad_integrity errors. Reviewed-by: Chuck Lever <[email protected]> Signed-off-by: Olga Kornievskaia <[email protected]> Signed-off-by: Steve Dickson <[email protected]> --- aclocal/libtirpc.m4 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4 index bddae022..ef48a2ae 100644 --- a/aclocal/libtirpc.m4 +++ b/aclocal/libtirpc.m4 @@ -26,6 +26,11 @@ AC_DEFUN([AC_LIBTIRPC], [ [Define to 1 if your tirpc library provides libtirpc_set_debug])],, [${LIBS}])]) + AS_IF([test -n "${LIBTIRPC}"], + [AC_CHECK_LIB([tirpc], [rpc_gss_seccreate], + [AC_DEFINE([HAVE_TIRPC_GSS_SECCREATE], [1], + [Define to 1 if your tirpc library provides rpc_gss_seccreate])],, + [${LIBS}])]) AC_SUBST([AM_CPPFLAGS]) AC_SUBST(LIBTIRPC) -- 2.46.0
