Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
No build reason found for step:i586
openSUSE:Slowroll:Build:2
nfs-utils
0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0004-gssd-handle-KRB5_AP_ERR_BAD_INTEGRITY-for-machine-cr.patch of Package nfs-utils
From 2bfb59c6f50eb86c21f8e0c33bbf32ec53480fb8 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <kolga@netapp.com> Date: Mon, 11 Dec 2023 08:55:35 -0500 Subject: [PATCH 4/6] gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials During context establishment, when the client received KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server updating its key material. To handle such error, get a new service ticket and re-try the AP_REQ. This functionality relies on the new API in libtirpc that exposes the gss errors. Reviewed-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Olga Kornievskaia <kolga@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com> --- utils/gssd/gssd_proc.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 99761157..29600a3f 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -427,13 +427,32 @@ create_auth_rpc_client(struct clnt_info *clp, auth = authgss_create_default(rpc_clnt, tgtname, &sec); #endif if (!auth) { +#ifdef HAVE_TIRPC_GSS_SECCREATE + if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + printerr(2, "WARNING: server=%s failed context " + "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", + clp->servername); + if (cred == GSS_C_NO_CREDENTIAL) + retval = gssd_refresh_krb5_machine_credential(clp->servername, + "*", NULL, 1); + if (!retval) { + auth = rpc_gss_seccreate(rpc_clnt, tgtname, + mechanism, rpcsec_gss_svc_none, + NULL, &req, &ret); + if (auth) + goto success; + } + } +#endif /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } - +#ifdef HAVE_TIRPC_GSS_SECCREATE +success: +#endif /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; -- 2.46.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor