The branch, v3-2-test has been updated
       via  7e05ff65a7907bf34e2d422f7c941002cfb86971 (commit)
       via  7b25c4d2363ee772eed44174c882a7fbc59f0568 (commit)
       via  34cf3c012e463d0ea04616308738aadea438f48b (commit)
       via  370722392d7f42f8094f574cac08a6a12e5893a3 (commit)
       via  bd1cf48d7e20cb534bd672bacbf3ac4a87d1a7b4 (commit)
       via  1d88c3431a1abf5fe6527fcbdf43972607a317ee (commit)
      from  7e9b24a12d91fc558864e91852028adb9a381838 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test

- Log -----------------------------------------------------------------
commit 7e05ff65a7907bf34e2d422f7c941002cfb86971
Author: Jeff Layton <[EMAIL PROTECTED]>
Date:   Sat Aug 16 14:30:20 2008 -0400

    cifs.upcall: negatively instantiate keys on error

    When a request-key upcall exits without instantiating a key, the kernel
    will negatively instantiate the key with a 60s timeout. Older kernels,
    however, seem to also link that key into the session keyring. This
    behavior can interfere with subsequent mount attempts until the key
    times out. The next request_key() call will get this negative key even
    if the upcall would have worked the second time.

    Fix this by having cifs.upcall negatively instantiate the key itself
    with a 1s timeout and don't attach it to the session keyring.

    Signed-off-by: Jeff Layton <[EMAIL PROTECTED]>

commit 7b25c4d2363ee772eed44174c882a7fbc59f0568
Author: Steve French <[EMAIL PROTECTED]>
Date:   Sat Aug 16 14:30:19 2008 -0400

    Building cifs.upcall is giving this build warning:

    client/cifs.upcall.c:205: warning: function declaration isn't a prototype

    This patch fixes this by properly declaring usage() args as void.

    Signed-off-by: Jeff Layton <[EMAIL PROTECTED]>
    Signed-off-by: Steve French <[EMAIL PROTECTED]>

commit 34cf3c012e463d0ea04616308738aadea438f48b
Author: Steve French <[EMAIL PROTECTED]>
Date:   Sat Aug 16 14:30:18 2008 -0400

    cifs.upcall: fix manpage and comments

    The "cifs.resolver" key type has been changed to "dns_resolver". Fix
    the comments at the top of cifs.upcall and the manpage accordingly.

    Signed-off-by: Jeff Layton <[EMAIL PROTECTED]>
    Signed-off-by: Steve French <[EMAIL PROTECTED]>
    ---
     docs-xml/manpages-3/cifs.upcall.8.xml |    4 ++--
     source/client/cifs.upcall.c           |    8 ++++----
     2 files changed, 6 insertions(+), 6 deletions(-)

commit 370722392d7f42f8094f574cac08a6a12e5893a3
Author: Steve French <[EMAIL PROTECTED]>
Date:   Sat Aug 16 14:30:17 2008 -0400

    cifs.upcall was not recognizing the newer name "dns_resolver" key type
    (as a synonym for the older "cifs.resolver" name) when resolving host
    names to ip addresses for the kernel.

    Acked-by: Jeff Layton

commit bd1cf48d7e20cb534bd672bacbf3ac4a87d1a7b4
Author: Steve French <[EMAIL PROTECTED]>
Date:   Sat Aug 16 14:30:16 2008 -0400

    cifs.upcall: fix compile warning

    Steve French noticed these warnings when building cifs.upcall:

    Compiling client/cifs.upcall.c
    client/cifs.upcall.c: In function 'usage':
    client/cifs.upcall.c:204: warning: declaration of 'prog' shadows a global declaration
    client/cifs.upcall.c:33: warning: shadowed declaration is here

    Change the usage function to not take an arg and have it just use the
    global "prog" variable. Fix a typo in the log message generated when an
    unknown option is specified. Also getopt() always returns '?' when it
    sees an unknown option so there's no point in printing it out.

    Signed-off-by: Jeff Layton <[EMAIL PROTECTED]>

commit 1d88c3431a1abf5fe6527fcbdf43972607a317ee
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Sat Aug 16 14:30:08 2008 -0400

    This patchset comprises a number of cleanups for the cifs upcall binary.
    The biggest change is that it renames it from cifs.spnego to cifs.upcall
    since the cifs.spnego name really isn't applicable anymore. It also
    fixes a segfault when the program is run without any args and adds a
    manpage. Comments and/or suggestions appreciated.

    Signed-off-by: Jeff Layton <[EMAIL PROTECTED]>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages-3/cifs.upcall.8.xml          |  115 ++++++++++++++++++++++++
 source/Makefile.in                             |   20 ++--
 source/client/{cifs.spnego.c => cifs.upcall.c} |   52 +++++++----
 source/configure.in                            |   32 ++++----
 4 files changed, 176 insertions(+), 43 deletions(-)
 create mode 100644 docs-xml/manpages-3/cifs.upcall.8.xml
 rename source/client/{cifs.spnego.c => cifs.upcall.c} (88%)

Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages-3/cifs.upcall.8.xml b/docs-xml/manpages-3/cifs.upcall.8.xml new file mode 100644 index 0000000..3c1bb24 --- /dev/null +++ b/docs-xml/manpages-3/cifs.upcall.8.xml 
@@ -0,0 +1,115 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<refentry id="cifs.upcall.8"> + + +<refmeta> + <refentrytitle>cifs.upcall</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">System Administration tools</refmiscinfo> + <refmiscinfo class="version">3.2</refmiscinfo> +</refmeta> + +<refnamediv> + <refname>cifs.upcall</refname> + <refpurpose>Userspace upcall helper for Common Internet File System (CIFS)</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>cifs.upcall</command> + <arg choice="opt">-c</arg> + <arg choice="opt">-v</arg> + <arg choice="req">keyid</arg> + </cmdsynopsis> +</refsynopsisdiv> + + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>7</manvolnum></citerefentry> suite.</para> + +<para>cifs.upcall is a userspace helper program for the linux CIFS client +filesystem. There are a number of activities that the kernel cannot easily +do itself. This program is a callout program that does these things for the +kernel and then returns the result.</para> + +<para>cifs.upcall is generally intended to be run when the kernel calls +request-key<manvolnum>8</manvolnum> for a particular key type. While it +can be run directly from the command-line, it's not generally intended +to be run that way.</para> +</refsect1> + +<refsect1> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term>-c</term> + <listitem><para>When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>-v</term> + <listitem><para>Print version number and exit. 
+ </para></listitem> + </varlistentry> + </variablelist> +</refsect1> + +<refsect1> + <title>CONFIGURATION FOR KEYCTL</title> + <para>cifs.upcall is designed to be called from the kernel via the request-key callout program. This requres that request-key be told where and how to call this program. The current cifs.upcall program handles two different key types:</para> + + <variablelist> + <varlistentry> + <term>cifs.spnego</term> + <listitem><para>This keytype is for retrieving kerberos session keys + </para></listitem> + </varlistentry> + + <varlistentry> + <term>dns_resolver</term> + <listitem><para>This key type is for resolving hostnames into IP addresses + </para></listitem> + </varlistentry> + </variablelist> + + <para>To make this program useful for CIFS, you'll need to set up entries for them in request-key.conf<manvolnum>5</manvolnum>. Here's an example of an entry for each key type:</para> +<programlisting> +#OPERATION TYPE D C PROGRAM ARG1 ARG2... +#========= ============= = = ========================================== +create cifs.spnego * * /usr/local/sbin/cifs.upcall -c %k +create dns_resolver * * /usr/local/sbin/cifs.upcall %k +</programlisting> +<para> +See <citerefentry><refentrytitle>request-key.conf<manvolnum>5</manvolnum></refentrytitle></citerefentry> for more info on each field. +</para> +</refsect1> + +<refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>request-key.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>mount.cifs</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> + </para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>Igor Mammedov wrote the cifs.upcall program.</para> + <para>Jeff Layton authored this manpage.</para> + <para>The maintainer of the Linux CIFS VFS is Steve French.</para> + <para>The <ulink url="mailto:[EMAIL PROTECTED]">Linux + CIFS Mailing list</ulink> is the preferred place to ask + questions regarding these programs. 
+ </para> +</refsect1> + +</refentry> diff --git a/source/Makefile.in b/source/Makefile.in index 327cc3f..57d5114 100644 --- a/source/Makefile.in +++ b/source/Makefile.in @@ -177,7 +177,7 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \ SBIN_PROGS = bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ -ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@ @CIFSSPNEGO_PROGS@ +ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@ @CIFSUPCALL_PROGS@ BIN_PROGS1 = bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ \ bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@ @@ -854,7 +854,7 @@ CIFS_MOUNT_OBJ = client/mount.cifs.o CIFS_UMOUNT_OBJ = client/umount.cifs.o -CIFS_SPNEGO_OBJ = client/cifs.spnego.o +CIFS_UPCALL_OBJ = client/cifs.upcall.o NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \ $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSAMBA_OBJ) @@ -1319,9 +1319,9 @@ bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(CIFS_UMOUNT_OBJ) @BUILD_POPT@ @echo Linking $@ @$(CC) $(FLAGS) -o $@ $(CIFS_UMOUNT_OBJ) $(DYNEXP) $(LDFLAGS) $(POPT_LIBS) -bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(CIFS_SPNEGO_OBJ) $(LIBSMBCLIENT_OBJ1) @BUILD_POPT@ @LIBTALLOC_SHARED@ @LIBTDB_SHARED@ @LIBWBCLIENT_SHARED@ +bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(CIFS_UPCALL_OBJ) $(LIBSMBCLIENT_OBJ1) @BUILD_POPT@ @LIBTALLOC_SHARED@ @LIBTDB_SHARED@ @LIBWBCLIENT_SHARED@ @echo Linking $@ - @$(CC) $(FLAGS) -o $@ $(CIFS_SPNEGO_OBJ) $(DYNEXP) $(LDFLAGS) \ + @$(CC) $(FLAGS) -o $@ $(CIFS_UPCALL_OBJ) $(DYNEXP) $(LDFLAGS) \ -lkeyutils $(LIBS) $(LIBSMBCLIENT_OBJ1) $(KRB5LIBS) \ $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(WINBIND_LIBS) \ $(LIBTDB_LIBS) 
@@ -2411,7 +2411,7 @@ bin/[EMAIL PROTECTED]@: script/tests/timelimit.o @echo Linking $@ @$(CC) $(FLAGS) -o $@ $(DYNEXP) script/tests/timelimit.o -install:: installservers installbin @INSTALL_CIFSMOUNT@ @INSTALL_CIFSSPNEGO@ installman \ +install:: installservers installbin @INSTALL_CIFSMOUNT@ @INSTALL_CIFSUPCALL@ installman \ installscripts installdat installmodules @SWAT_INSTALL_TARGETS@ \ @INSTALL_PAM_MODULES@ installlibs @@ -2438,9 +2438,9 @@ installcifsmount:: @CIFSMOUNT_PROGS@ @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(ROOTSBINDIR) @$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSMOUNT_PROGS@ -installcifsspnego:: @CIFSSPNEGO_PROGS@ +installcifsupcall:: @CIFSUPCALL_PROGS@ @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(ROOTSBINDIR) - @$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSSPNEGO_PROGS@ + @$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSUPCALL_PROGS@ # Some symlinks are required for the 'probing' of modules. # This mechanism should go at some point.. @@ -2506,7 +2506,7 @@ showlayout:: @echo " swatdir: $(SWATDIR)" -uninstall:: uninstallman uninstallservers uninstallbin @UNINSTALL_CIFSMOUNT@ @UNINSTALL_CIFSSPNEGO@ uninstallscripts uninstalldat uninstallswat uninstallmodules uninstalllibs @UNINSTALL_PAM_MODULES@ +uninstall:: uninstallman uninstallservers uninstallbin @UNINSTALL_CIFSMOUNT@ @UNINSTALL_CIFSUPCALL@ uninstallscripts uninstalldat uninstallswat uninstallmodules uninstalllibs @UNINSTALL_PAM_MODULES@ uninstallman:: @$(SHELL) $(srcdir)/script/uninstallman.sh $(DESTDIR)$(MANDIR) $(srcdir) C 
@@ -2520,8 +2520,8 @@ uninstallbin:: uninstallcifsmount:: @$(SHELL) script/uninstallbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSMOUNT_PROGS@ -uninstallcifsspnego:: - @$(SHELL) script/uninstallbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSSPNEGO_PROGS@ +uninstallcifsupcall:: + @$(SHELL) script/uninstallbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSUPCALL_PROGS@ uninstallmodules:: @$(SHELL) $(srcdir)/script/uninstallmodules.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(VFSLIBDIR) $(VFS_MODULES) diff --git a/source/client/cifs.spnego.c b/source/client/cifs.upcall.c similarity index 88% rename from source/client/cifs.spnego.c rename to source/client/cifs.upcall.c index d10d19d..aa5eb57 100644 --- a/source/client/cifs.spnego.c +++ b/source/client/cifs.upcall.c @@ -1,15 +1,15 @@ /* -* CIFS SPNEGO user-space helper. +* CIFS user-space helper. * Copyright (C) Igor Mammedov ([EMAIL PROTECTED]) 2007 * * Used by /sbin/request-key for handling * cifs upcall for kerberos authorization of access to share and * cifs upcall for DFS srver name resolving (IPv4/IPv6 aware). -* You should have keyutils installed and add following line to -* /etc/request-key.conf file +* You should have keyutils installed and add something like the +* following lines to /etc/request-key.conf file: -create cifs.spnego * * /usr/local/sbin/cifs.spnego [-v][-c] %k -create cifs.resolver * * /usr/local/sbin/cifs.spnego [-v] %k +create cifs.spnego * * /usr/local/sbin/cifs.upcall %k +create dns_resolver * * /usr/local/sbin/cifs.upcall %k * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,7 +30,7 @@ create cifs.resolver * * /usr/local/sbin/cifs.spnego [-v] %k #include "cifs_spnego.h" const char *CIFSSPNEGO_VERSION = "1.1"; -static const char *prog = "cifs.spnego"; +static const char *prog = "cifs.upcall"; typedef enum _secType { KRB5, MS_KRB5 
@@ -200,13 +200,20 @@ int cifs_resolver(const key_serial_t key, const char *key_descr) return 0; } +void +usage(void) +{ + syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog); + fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog); +} + int main(const int argc, char *const argv[]) { struct cifs_spnego_msg *keydata = NULL; DATA_BLOB secblob = data_blob_null; DATA_BLOB sess_key = data_blob_null; secType_t sectype; - key_serial_t key; + key_serial_t key = 0; size_t datalen; long rc = 1; uid_t uid; @@ -215,10 +222,6 @@ int main(const int argc, char *const argv[]) char *buf, *hostname = NULL; openlog(prog, 0, LOG_DAEMON); - if (argc < 1) { - syslog(LOG_WARNING, "Usage: %s [-c] key_serial", prog); - goto out; - } while ((c = getopt(argc, argv, "cv")) != -1) { switch (c) { @@ -227,20 +230,27 @@ int main(const int argc, char *const argv[]) break; } case 'v':{ - syslog(LOG_WARNING, "version: %s", CIFSSPNEGO_VERSION); - fprintf(stderr, "version: %s", CIFSSPNEGO_VERSION); - break; + printf("version: %s\n", CIFSSPNEGO_VERSION); + goto out; } default:{ - syslog(LOG_WARNING, "unknow option: %c", c); + syslog(LOG_WARNING, "unknown option: %c", c); goto out; } } } + + /* is there a key? */ + if (argc <= optind) { + usage(); + goto out; + } + /* get key and keyring values */ errno = 0; key = strtol(argv[optind], NULL, 10); if (errno != 0) { + key = 0; syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno)); goto out; } @@ -253,7 +263,8 @@ int main(const int argc, char *const argv[]) goto out; } - if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) { + if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) || + (strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) { rc = cifs_resolver(key, buf); goto out; } 
@@ -351,7 +362,14 @@ int main(const int argc, char *const argv[]) /* BB: maybe we need use timeout for key: for example no more then * ticket lifietime? */ /* keyctl_set_timeout( key, 60); */ - out: +out: + /* + * on error, negatively instantiate the key ourselves so that we can + * make sure the kernel doesn't hang it off of a searchable keyring + * and interfere with the next attempt to instantiate the key. + */ + if (rc != 0 && key == 0) + keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT); data_blob_free(&secblob); data_blob_free(&sess_key); SAFE_FREE(hostname); diff --git a/source/configure.in b/source/configure.in index 521ee9c..0012b17 100644 --- a/source/configure.in +++ b/source/configure.in @@ -108,9 +108,9 @@ AC_SUBST(EXTRA_BIN_PROGS) AC_SUBST(CIFSMOUNT_PROGS) AC_SUBST(INSTALL_CIFSMOUNT) AC_SUBST(UNINSTALL_CIFSMOUNT) -AC_SUBST(CIFSSPNEGO_PROGS) -AC_SUBST(INSTALL_CIFSSPNEGO) -AC_SUBST(UNINSTALL_CIFSSPNEGO) +AC_SUBST(CIFSUPCALL_PROGS) +AC_SUBST(INSTALL_CIFSUPCALL) +AC_SUBST(UNINSTALL_CIFSUPCALL) AC_SUBST(EXTRA_SBIN_PROGS) AC_SUBST(EXTRA_ALL_TARGETS) AC_SUBST(CONFIG_LIBS) @@ -4014,14 +4014,14 @@ AC_ARG_WITH(cifsmount, ) ################################################# -# check for cifs.spnego support +# check for cifs.upcall support AC_CHECK_HEADERS([keyutils.h], [HAVE_KEYUTILS_H=1], [HAVE_KEYUTILS_H=0]) -CIFSSPNEGO_PROGS="" -INSTALL_CIFSSPNEGO="" -UNINSTALL_CIFSSPNEGO="" -AC_MSG_CHECKING(whether to build cifs.spnego) -AC_ARG_WITH(cifsspnego, -[AS_HELP_STRING([--with-cifsspnego], [Include cifs.spnego (Linux only) support (default=no)])], +CIFSUPCALL_PROGS="" +INSTALL_CIFSUPCALL="" +UNINSTALL_CIFSUPCALL="" +AC_MSG_CHECKING(whether to build cifs.upcall) +AC_ARG_WITH(cifsupcall, +[AS_HELP_STRING([--with-cifsupcall], [Include cifs.upcall (Linux only) support (default=no)])], [ case "$withval" in no) AC_MSG_RESULT(no) 
@@ -4030,15 +4030,15 @@ AC_ARG_WITH(cifsspnego, case "$host_os" in *linux*) if test x"$use_ads" != x"yes"; then - AC_MSG_ERROR(ADS support should be enabled for building cifs.spnego) + AC_MSG_ERROR(ADS support should be enabled for building cifs.upcall) elif test x"$HAVE_KEYUTILS_H" != "x1"; then - AC_MSG_ERROR(keyutils package is required for cifs.spnego) + AC_MSG_ERROR(keyutils package is required for cifs.upcall) else AC_MSG_RESULT(yes) - AC_DEFINE(WITH_CIFSSPNEGO,1,[whether to build cifs.spnego]) - CIFSSPNEGO_PROGS="bin/cifs.spnego" - INSTALL_CIFSSPNEGO="installcifsspnego" - UNINSTALL_CIFSSPNEGO="uninstallcifsspnego" + AC_DEFINE(WITH_CIFSUPCALL,1,[whether to build cifs.upcall]) + CIFSUPCALL_PROGS="bin/cifs.upcall" + INSTALL_CIFSUPCALL="installcifsupcall" + UNINSTALL_CIFSUPCALL="uninstallcifsupcall" fi ;; *) -- Samba Shared Repository
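Review bot: In the new docs-xml/manpages-3/cifs.upcall.8.xml, the CONFIGURATION FOR KEYCTL paragraph misspells "requires" as "requres", and the man-page cross-references are marked up inconsistently. request-key<manvolnum>8</manvolnum> and request-key.conf<manvolnum>5</manvolnum> sit bare inside <para>, and the closing "See" paragraph nests <manvolnum> inside <refentrytitle>, while SEE ALSO uses the citerefentry form with the two elements as siblings. Suggest using the SEE ALSO form for every reference. The synopsis also calls the argument keyid while usage() in cifs.upcall.c prints key_serial; pick one name.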
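Review bot: In the header comment of source/client/cifs.upcall.c (hunk @@ -1,15 +1,15 @@), the sample request-key.conf line for cifs.spnego no longer shows -c, while the man page added in this same changeset gives "create cifs.spnego * * /usr/local/sbin/cifs.upcall -c %k". The two examples select different service principals ("cifs/" versus the default "host/"), so an administrator copying one or the other gets different Kerberos behaviour. Suggest making the comment match the man page, or stating in both places that -c is optional and what it changes. The "DFS srver" typo in the unchanged context could be fixed while this comment is being touched.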
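Review bot: In main() (hunk @@ -227,20 +230,27 @@), the key serial from strtol(argv[optind], NULL, 10) is validated only with errno != 0, so an argument that has no digits or has trailing characters is not guaranteed to be rejected and can yield 0 or a partial value. Since this program is invoked from request-key with root privileges, suggest passing an end pointer and requiring that it advanced and points at the terminating NUL before the value is used. In the same hunk the default: case still logs "unknown option: %c" with c, although the commit message for bd1cf48 says getopt() always returns '?' there; log optopt or drop the character. Note too that the -v case now jumps to out with rc still 1, which matters for the check added at the out: label.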
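Review bot: In the key-type test ahead of cifs_resolver() (hunk @@ -253,7 +263,8 @@), both strncmp() calls are prefix matches, so any description that merely begins with "cifs.resolver" or "dns_resolver" is routed to the resolver path. buf is handed to cifs_resolver() as key_descr, so it is the full description string rather than just the type; suggest comparing through the separator that terminates the type field so that only the exact types match. A small helper taking the type name would also avoid repeating the sizeof()-1 idiom for each synonym.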
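Review bot: At the out: label (hunk @@ -351,7 +362,14 @@), the test "if (rc != 0 && key == 0)" looks inverted relative to the comment directly above it and to the commit message. key is initialised to 0 and reset to 0 when strtol fails, so this branch runs only when no key serial was obtained, which includes the -v and usage() paths that reach out with rc still 1, and it then calls keyctl_negate() on serial 0. A failure after a valid serial was parsed, which is the case the commit message describes, skips the negation and leaves the kernel's 60s negative key in place. If the intent is to negate the requested key on error, the condition should be key != 0; if serial 0 is deliberate, the comment should say what it refers to. The return value of keyctl_negate() is also ignored; a syslog() on failure would make a mount that still hits the stale negative key diagnosable.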
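Review bot: In source/configure.in (hunks @@ -4014,14 +4014,14 @@ and @@ -4030,15 +4030,15 @@), AC_ARG_WITH(cifsspnego, ...) is replaced outright by AC_ARG_WITH(cifsupcall, ...) with default=no, so a build script that still passes --with-cifsspnego no longer reaches this branch and the helper is not built. The installed binary name changes as well (bin/cifs.spnego to bin/cifs.upcall), so existing /etc/request-key.conf entries that point at cifs.spnego stop resolving after an upgrade. Suggest either accepting the old option name as a deprecated alias for one release or calling out both changes in the release notes so packagers update their configure flags and request-key.conf together.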