From: Rick Macklem <rmacklem@uoguelph.ca>
To: Piete Brooks
Cc: FS List <freebsd-fs@freebsd.org>, Ilias Marinos, Brooks Davis, Herbert Poeckl
Date: Sun, 7 Oct 2012 16:17:05 -0400 (EDT)
Subject: Kerberized NFS/gssd credential cache issue
Message-ID: <2071960851.1864186.1349641025365.JavaMail.root@erie.cs.uoguelph.ca>

Piete Brooks wrote:
> I initially took the priorities
> to be sorted, but it seems that all just add one to the score. Is this as
> planned, or should "++" become "|= 1 << N" so that the most important one
> always wins?

My intent was that they all count the same, because I don't know if one is more important than another. (A "more important" one could add +N, if we collectively decide what is "more important".)

I hope you don't mind, but I thought if this is going to be discussed, it should be on a mailing list, so I've replaced some of the cc's with freebsd-fs@. (I took out the ones I believe will be reading the list.)

Everyone, a discussion has been going on w.r.t. an NFS over Kerberos issue, where the gssd can't find the Kerberos credentials cache file because it assumes it uses a name /tmp/krb5cc_<uid>, where <uid> is the effective uid. Some setups of sshd use different naming, usually a random suffix appended to the above, to differentiate between login sessions, so the credentials cache can be destroyed upon logout. The Linux gssd does a search of directories, using various heuristics to try and guess which file is the most appropriate one.

I've coded a function that does something similar. Since I am not a Kerberos wizard, I don't know how appropriate the heuristics are. I have attached testcc.c, which is the function plus a simple main() to test it. (Once tested, this function would be used in the gssd to select a credentials cache file.)

The current code does the following:
- Searches a directory for files that satisfy the following:
  - has "krb5cc_" as a substring of the file's name
  - is a regular file
  - is owned by the uid
  - has a valid tgt in it

For each file that satisfies the above, I generate a "rating", which is an attempt at heuristically guessing the most appropriate file, when there is more than one file matching the above:
- add one to the rating for each of
  - not a cross-realm tgt
  - the principal without realm is the same name as getpwuid(uid)->pw_name
  - if the realm for the client principal is the preferred realm (the preferred realm and "krb5cc_" substring are arguments and I was assuming the preferred realm will usually be the default realm)

Each of these currently counts one towards the rating. If multiple files matching the above get the same rating, it uses the one that has the tgt that expires later.

So, Kerberos wizards... Should there be other criteria for selecting the file? Should some of the rating checks count for more than others? (They currently each count as 1, although some could count for more.)

Personally, I don't like the idea that a uid has multiple credential cache files, since there is no definitive way to select the "correct one" to authenticate a "uid", but it seems unavoidable.

Thanks in advance for any comments, rick
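The filter, rating and tie-break described in the mail, written out as an added example that is not the attached testcc.c and not FreeBSD's gssd code. It assumes the per-file facts (stat results, TGT properties, expiry) have already been gathered into a constructed struct, so the krb5 and directory-scanning calls are left out; the names cc_cand, cc_rating and select_ccache are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for what gssd would learn about each candidate file
 * from stat(2) and the TGT entry read via libkrb5; not the testcc.c code. */
struct cc_cand {
    const char *path;
    bool regular_file;       /* S_ISREG(st_mode) */
    unsigned owner_uid;      /* st_uid */
    bool has_valid_tgt;      /* an unexpired krbtgt entry is present */
    bool cross_realm_tgt;    /* krbtgt/OTHER@REALM rather than krbtgt/REALM@REALM */
    const char *princ_name;  /* client principal without the realm */
    const char *princ_realm; /* the client principal's realm */
    long tgt_expiry;         /* TGT end time, seconds since the epoch */
};
/* Each heuristic adds exactly 1 to the rating, as the mail describes. */
int cc_rating(const struct cc_cand *c, const char *pw_name, const char *pref_realm)
{
    int r = 0;
    if (!c->cross_realm_tgt) r++;
    if (strcmp(c->princ_name, pw_name) == 0) r++;
    if (strcmp(c->princ_realm, pref_realm) == 0) r++;
    return r;
}
/* Index of the chosen cache, or -1 if nothing qualifies. Files failing any
 * hard filter are skipped; equal ratings go to the later-expiring TGT. */
int select_ccache(const struct cc_cand *c, size_t n, unsigned uid,
                  const char *pw_name, const char *pref_realm, const char *substr)
{
    int best = -1, best_r = -1;
    for (size_t i = 0; i < n; i++) {
        if (strstr(c[i].path, substr) == NULL || !c[i].regular_file ||
            c[i].owner_uid != uid || !c[i].has_valid_tgt)
            continue;
        int r = cc_rating(&c[i], pw_name, pref_realm);
        if (r > best_r || (r == best_r && c[i].tgt_expiry > c[best].tgt_expiry)) {
            best = (int)i;
            best_r = r;
        }
    }
    return best;
}
/* Constructed sample for uid 1001 ("alice"), preferred realm EXAMPLE.ORG. */
const struct cc_cand sample[] = {
    {"/tmp/krb5cc_1001_Ab12", true, 1001, true, false, "alice", "EXAMPLE.ORG", 2000},
    {"/tmp/krb5cc_1001",      true, 1001, true, false, "alice", "EXAMPLE.ORG", 1000},
    {"/tmp/krb5cc_1001_xyz",  true, 1001, true, true,  "alice", "EXAMPLE.ORG", 9000},
    {"/tmp/krb5cc_1002",      true, 1002, true, false, "bob",   "EXAMPLE.ORG", 9000},
};
const size_t nsample = sizeof sample / sizeof sample[0];
```

With the sample above, the two full-rating caches for alice tie and the later-expiring `krb5cc_1001_Ab12` wins, while the cross-realm cache loses despite its much later expiry.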