File 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-... of Package nfs-utils

Overview Repositories Revisions Requests Users Attributes Meta

File 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch of Package nfs-utils

From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001
From: Olga Kornievskaia <kolga@netapp.com>
Date: Mon, 11 Dec 2023 08:55:35 -0500
Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine
 credentials

During context establishment, when the client received
KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server
updating its key material. To handle such error, get a new
service ticket and re-try the AP_REQ.

This functionality relies on the new API in libtirpc that
exposes the gss errors.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 99761157..29600a3f 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp,
 	auth = authgss_create_default(rpc_clnt, tgtname, &sec);
 #endif
 	if (!auth) {
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+		if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+			printerr(2, "WARNING: server=%s failed context "
+				 "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
+				 clp->servername);
+			if (cred == GSS_C_NO_CREDENTIAL)
+				retval = gssd_refresh_krb5_machine_credential(clp->servername,
+					"*", NULL, 1);
+			if (!retval) {
+				auth = rpc_gss_seccreate(rpc_clnt, tgtname,
+						mechanism, rpcsec_gss_svc_none,
+						NULL, &req, &ret);
+				if (auth)
+					goto success;
+			}
+		}
+#endif
 		/* Our caller should print appropriate message */
 		printerr(2, "WARNING: Failed to create krb5 context for "
 			    "user with uid %d for server %s\n",
 			 uid, tgtname);
 		goto out_fail;
 	}
-
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+success:
+#endif
 	/* Success !!! */
 	rpc_clnt->cl_auth = auth;
 	*clnt_return = rpc_clnt;
-- 
2.46.0

Places

File 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch of Package nfs-utils

Places