From owner-freebsd-fs@FreeBSD.ORG Sat Feb 23 12:00:20 2013
Delivered-To: freebsd-fs@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id BC43F6EE; Sat, 23 Feb 2013 12:00:20 +0000 (UTC) (envelope-from momchil@xaxo.eu)
Received: from vps2.xaxo.eu (vps2.xaxo.eu [78.47.156.66]) by mx1.freebsd.org (Postfix) with ESMTP id 3970BA84; Sat, 23 Feb 2013 12:00:19 +0000 (UTC)
Received: from t61.xaxo.eu ([10.75.23.6]) by vps2.xaxo.eu (8.14.4/8.14.4) with ESMTP id r1NC0CaJ017602; Sat, 23 Feb 2013 13:00:12 +0100 (CET) (envelope-from momchil@xaxo.eu)
Date: Sat, 23 Feb 2013 13:00:03 +0100
Message-ID: <86hal3kzp8.wl%momchil@xaxo.eu>
From: Momchil Ivanov
To: Rick Macklem
Subject: Re: NFS + Kerberos
In-Reply-To: <1103491143.3229700.1361577863159.JavaMail.root@erie.cs.uoguelph.ca>
References: <86txp4gpes.wl%momchil@xaxo.eu> <1103491143.3229700.1361577863159.JavaMail.root@erie.cs.uoguelph.ca>
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: freebsd-fs@freebsd.org, Elias Martenson, Momchil Ivanov
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Filesystems
X-List-Received-Date: Sat, 23 Feb 2013 12:00:20 -0000

At Fri, 22 Feb 2013 19:04:23 -0500 (EST), Rick Macklem wrote:

> You can run "gssd -d -d" and it will run in foreground and print
> out messages related to resource allocation. This isn't much use,
> except to tell you that it is doing something. (Adding a "verbose"
> option is on my "to do" list, but I don't have any code at this time.
> If someone wants to do this, I think it would be great.)
>
> If you do this, don't have it started at boot (gssd_enable="NO" in
> /etc/rc.conf) and then do the above command as root in a window
> before attempting the mount command.
>
> Beyond that, you could add printfs to gssd.c. The main client side
> function is gssd_init_sec_context(), which should get the Kerberos
> ticket for a user via their TGT.

Well, the server doesn't seem to start it at boot with gssd_enable="YES", I don't know why, but I cannot stop/restart nfsd until I manually start gssd :) The client starts it at boot, though.

Note: I can ssh into the server even when gssd is not running, I don't know if this is expected.
"gssd -d -d" prints things like this on the client and the server:

1 resources allocated
2 resources allocated
1 resources allocated
0 resources allocated
1 resources allocated
2 resources allocated
1 resources allocated
0 resources allocated
1 resources allocated
2 resources allocated
1 resources allocated
0 resources allocated

which doesn't tell me anything :)

So here is what happens on the client without a kerberos ticket:

1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid: 1001
cred: 0
ctx: 0
name: 5848115787646107649
req_flags: 5848115787646107650
> gss_resources
i=0
gr_id :5848115787646107649
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid: 1001
cred: 0
ctx: 0
name: 5848115787646107650
req_flags: 5848115787646107650
> gss_resources
i=0
gr_id :5848115787646107650
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid: 1001
cred: 0
ctx: 0
name: 5848115787646107651
req_flags: 5848115787646107650
> gss_resources
i=0
gr_id :5848115787646107651
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated

Here is what happens with a kerberos ticket:

1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid: 1001
cred: 0
ctx: 0
name: 5848116041049178113
req_flags: 5848116041049178114
> gss_resources
i=0
gr_id :5848116041049178113
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid: 1001
cred: 0
ctx: 0
name: 5848116041049178115
req_flags: 5848116041049178114
> gss_resources
i=0
gr_id :5848116041049178115
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
> init_sec_context_args
uid: 1001
cred: 0
ctx: 0
name: 5848116041049178117
req_flags: 5848116041049178114
> gss_resources
i=0
gr_id :5848116041049178117
gr_res :0x28203060
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:309 name=673198176
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated

Here is what I have changed:

--- gssd.c.orig 2013-02-23 11:13:20.000000000 +0100 +++ gssd.c 2013-02-23 12:34:33.000000000 +0100
@@ -238,6 +238,33 @@ return (TRUE); } +static void +dump_resources(FILE *s) +{ + struct gss_resource *gr; + int i; + + fprintf(s, "> gss_resources\n"); + + i = 0; + LIST_FOREACH(gr, &gss_resources, gr_link) { + fprintf(s, "i=%d\n", i); + fprintf(s, "gr_id :%llu\n", gr->gr_id); + fprintf(s, "gr_res :%p\n", gr->gr_res); + } +} + +void +dump_init_sec_context_args(FILE *s, init_sec_context_args *p) +{ + fprintf(s, "> init_sec_context_args\n"); + fprintf(s, "uid: %d\n", p->uid); + fprintf(s, "cred: %llu\n", p->cred); + fprintf(s, "ctx: %llu\n", p->ctx); + fprintf(s, "name: %llu\n", p->name); + fprintf(s, "req_flags: %llu\n", p->req_flags); +} + bool_t gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp) { 
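Review bot: in `dump_resources()` the counter `i` is set to 0 but never incremented inside the `LIST_FOREACH` body, so every entry is printed as `i=0` (which is exactly what the output above shows); add `i++;` as the last statement of the loop. In `dump_init_sec_context_args()` the `req_flags` field is printed with `%llu`, and the value that comes out (`req_flags: 5848115787646107650`, one more than the `name` id next to it) looks like a neighbouring field rather than a flags word, the usual symptom of a format/type mismatch; check the declared width of `req_flags` in the generated header and use the matching specifier (`%u` if it is a 32-bit field).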
@@ -248,27 +275,42 @@ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", (int) argp->uid); + + printf("%s:%d %s\n", __FILE__, __LINE__, ccname); + dump_init_sec_context_args(stdout, argp); + dump_resources(stdout); + setenv("KRB5CCNAME", ccname, TRUE); memset(result, 0, sizeof(*result)); if (argp->cred) { + printf("%s:%d argp->cred\n", __FILE__, __LINE__); cred = gssd_find_resource(argp->cred); + printf("%s:%d cred=%llu\n", __FILE__, __LINE__, cred); if (!cred) { result->major_status = GSS_S_CREDENTIALS_EXPIRED; + printf("%s:%d GSS_S_CREDENTIALS_EXPIRED\n", __FILE__, __LINE__); return (TRUE); } } if (argp->ctx) { + printf("%s:%d argp->ctx\n", __FILE__, __LINE__); ctx = gssd_find_resource(argp->ctx); + printf("%s:%d ctx=%llu\n", __FILE__, __LINE__, ctx); if (!ctx) { result->major_status = GSS_S_CONTEXT_EXPIRED; + printf("%s:%d GSS_S_CONTEXT_EXPIRED\n", __FILE__, __LINE__); return (TRUE); } } if (argp->name) { + printf("%s:%d argp->name\n", __FILE__, __LINE__); name = gssd_find_resource(argp->name); + printf("%s:%d name=%llu\n", __FILE__, __LINE__, name); + printf("%s:%d name=%p\n", __FILE__, __LINE__, name); if (!name) { result->major_status = GSS_S_BAD_NAME; + printf("%s:%d GSS_S_BAD_NAME\n", __FILE__, __LINE__); return (TRUE); } } @@ -286,6 +328,11 @@ result->ctx = argp->ctx; else result->ctx = gssd_make_resource(ctx); + + if (result->major_status == GSS_S_COMPLETE) + printf("%s:%d GSS_S_COMPLETE\n", __FILE__, __LINE__); + else + printf("%s:%d GSS_S_CONTINUE_NEEDED\n", __FILE__, __LINE__); } return (TRUE); Ideas? Thank you, Momchil
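Review bot: `cred`, `ctx` and `name` are GSS-API handles (pointers), not integers, so the three `printf("%s:%d cred=%llu\n", ...)`, `ctx=%llu` and `name=%llu` lines in this hunk pass a pointer where the format expects an unsigned long long; that is undefined behaviour, and it only happens to agree with the `%p` line at 310 here (`673198176` is `0x28203060`) because of this platform's calling convention. Drop the `%llu` variants and print all three handles with `%p`.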
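Review bot: the `else` branch in the last hunk labels every status other than `GSS_S_COMPLETE` as `GSS_S_CONTINUE_NEEDED`, so a genuine failure would be logged under the wrong name; print `result->major_status` and `result->minor_status` numerically (or decode them with `gss_display_status()`) instead of the two fixed strings. The placement also misses the interesting case: the no-ticket runs above reach lines 307/309/310 and then drop straight to `0 resources allocated` with no line-335 output at all, so the failing calls return before this printf. Log the status on every return path of `gssd_init_sec_context_1_svc()`, not only after the context resource has been made.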
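The debug output posted above is easier to compare once it is reduced to one line per upcall. The script below is an added example, not code from this thread or from FreeBSD's gssd: it parses the format the patched gssd prints (the `gssd.c:NNN` lines, the `N resources allocated` lines and the `uid:`/`name:` fields), groups them per call using the line-279 ccname printf as the start marker and the return to 0 resources as the end marker, and reports whether the call created a context resource and reached the status printf at line 335. The sample input is a trimmed excerpt of the two client runs above; the `Upcall` class and the wording in `diagnose()` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: one upcall from each of the two client runs posted
# in the thread (without a ticket, with a ticket), trimmed so it runs offline.
NO_TICKET = """\
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
uid: 1001
cred: 0
ctx: 0
name: 5848115787646107649
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
0 resources allocated
"""

WITH_TICKET = """\
1 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:279 FILE:/tmp/krb5cc_1001
uid: 1001
cred: 0
ctx: 0
name: 5848116041049178113
/usr/src/usr.sbin/gssd/gssd.c:307 argp->name
/usr/src/usr.sbin/gssd/gssd.c:310 name=0x28203060
2 resources allocated
/usr/src/usr.sbin/gssd/gssd.c:335 GSS_S_CONTINUE_NEEDED
1 resources allocated
0 resources allocated
"""

RES_RE = re.compile(r"^(\d+) resources allocated$")
DBG_RE = re.compile(r"^/usr/src/usr\.sbin/gssd/gssd\.c:(\d+) (.*)$")
KV_RE = re.compile(r"^(uid|name): (\d+)$")


@dataclass
class Upcall:
    """One gssd_init_sec_context_1_svc() invocation reconstructed from the log."""
    ccname: str
    uid: int = -1
    name_id: int = 0
    lines_hit: List[int] = field(default_factory=list)   # gssd.c line numbers seen
    counts: List[int] = field(default_factory=list)      # "N resources allocated"
    status: Optional[str] = None                         # GSS_S_* token, if printed

    def peak_resources(self) -> int:
        return max(self.counts) if self.counts else 0


def parse_upcalls(text: str) -> List[Upcall]:
    calls: List[Upcall] = []
    pending: List[int] = []        # counts printed before the next line-279 marker
    cur: Optional[Upcall] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RES_RE.match(line)
        if m:
            n = int(m.group(1))
            if cur is None:
                pending.append(n)
            else:
                cur.counts.append(n)
                if n == 0:         # name resource freed: this upcall is finished
                    cur = None
            continue
        m = DBG_RE.match(line)
        if m:
            lineno, rest = int(m.group(1)), m.group(2)
            if rest.startswith("FILE:"):   # line 279 opens a new upcall
                cur = Upcall(ccname=rest, counts=pending)
                pending = []
                calls.append(cur)
            if cur is not None:
                cur.lines_hit.append(lineno)
                if rest.startswith("GSS_S_"):
                    cur.status = rest
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            if m.group(1) == "uid":
                cur.uid = int(m.group(2))
            else:
                cur.name_id = int(m.group(2))
    return calls


def diagnose(call: Upcall) -> str:
    """Tell the two behaviours seen in the thread apart from one parsed upcall."""
    # A second live resource means gssd_make_resource(ctx) ran for this call.
    if call.status is None and call.peak_resources() < 2:
        return (f"uid {call.uid}: returned before the line-335 status printf and "
                f"created no context; consistent with no usable ticket in {call.ccname}")
    return f"uid {call.uid}: {call.status} (peak {call.peak_resources()} resources)"
```

Run it over a captured `gssd -d -d` session with `for c in parse_upcalls(open("gssd.log").read()): print(diagnose(c))`; the end-of-call heuristic (count back to 0) matches every run shown above, where the name resource is released after each upcall.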