Herbert Poeckl wrote:
> On 6/25/12 1:21 PM, Herbert Poeckl wrote:
> > We are getting access denied error on our debian clients when
> > mounting
> > nfsv4 network drives with kerberos 5 authentication.
> >
> > What is weird about this, is that it works with one server, but not
> > with
> > a second server.
> [..]
>
> For the records:
>
> The problem was fixed in this post:
> http://lists.freebsd.org/pipermail/freebsd-fs/2012-August/015047.html
>
Ok, so are you saying that the patch in Attila's email fixed your problem?

If so, please try the attached patch. (It doesn't set the client security
handle stale when DESTROY fails, due to an invalid encrypted checksum. It
is similar to his patch, but only for the DESTROY case, which seems to be
ok to do from my understanding of the RPCSEC_GSS. It doesn't include the
timer changes, which shouldn't affect the outcome afaik.)

To consider the client security handle still valid when a data (real RPC
in the message) phase entry fails the encrypted checksum seems riskier to
do, so I'd like to avoid that in any patch for head.

rick

> Kind regards,
> Herbert Poeckl
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
> "freebsd-stable-unsubscr...@freebsd.org"

--- rpc/rpcsec_gss/svc_rpcsec_gss.c.sav 2012-09-01 19:20:35.000000000 -0400 +++ rpc/rpcsec_gss/svc_rpcsec_gss.c 2012-09-01 19:24:15.000000000 -0400 @@ -984,7 +984,7 @@ svc_rpc_gss_accept_sec_context(struct sv static bool_t svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg, - gss_qop_t *qop) + gss_qop_t *qop, rpc_gss_proc_t gcproc) { struct opaque_auth *oa; gss_buffer_desc rpcbuf, checksum; @@ -1024,7 +1024,8 @@ svc_rpc_gss_validate(struct svc_rpc_gss_ if (maj_stat != GSS_S_COMPLETE) { rpc_gss_log_status("gss_verify_mic", client->cl_mech, maj_stat, min_stat); - client->cl_state = CLIENT_STALE; + if (gcproc != RPCSEC_GSS_DESTROY) + client->cl_state = CLIENT_STALE; return (FALSE); } @@ -1358,7 +1359,7 @@ svc_rpc_gss(struct svc_req *rqst, struct break; } - if (!svc_rpc_gss_validate(client, msg, &qop)) { + if (!svc_rpc_gss_validate(client, msg, &qop, gc.gc_proc)) { result = RPCSEC_GSS_CREDPROBLEM; break; }
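
Review bot: the new gcproc argument added to svc_rpc_gss_validate() in the hunk at @@ -984 has no comment, and it makes a checksum-verification routine depend on which RPCSEC_GSS procedure is being processed. A short comment at the signature saying that gcproc is consulted only to decide whether a failed gss_verify_mic marks the handle CLIENT_STALE would keep later callers from treating it as a general-purpose input.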
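
Review bot: the guard "if (gcproc != RPCSEC_GSS_DESTROY)" in the hunk at @@ -1024 needs a comment giving the reason DESTROY is exempt, because as written a failed gss_verify_mic no longer invalidates the handle and nothing in the code says why. The comment should also note that the failure is still logged through rpc_gss_log_status and still returns FALSE, so the request is rejected and only the handle state is preserved. How a handle that keeps failing DESTROY is eventually reclaimed is not visible in these lines and should be confirmed, given that the timer changes were left out of this patch.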
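
Review bot: in the hunk at @@ -1358, a DESTROY that fails validation still reaches "result = RPCSEC_GSS_CREDPROBLEM; break;", so the client is told its credential is bad even though the server now keeps the handle valid. Confirm that this is the status wanted for the DESTROY case, and if it is, say so in a comment next to the call, since the server-side handle state and the status returned to the client no longer agree.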