Package: nfs-kernel-server
Version: 1:1.1.1~git-20070929-1
Severity: wishlist
Tags: patch
Normally you can only connect to NFS using Kerberos using the hostname
of the server. If you have a cluster where the NFS service can
failover between machines, using heartbeat for instance, you would
want to connect to a single address. This does not work with
rpc.svcgssd as it will only authenticate machines connecting to it's
hostname, not another address the machine handles. For instance, if
you have servers nfs1.foo and nfs2.foo, you might want to have an
address nfs.foo that passes between each other.
The following two patches (one for 1.1.1~git-2007092 (sid), and one
for 1.0.10 (etch)) add an option to rpc.svcgssd to specify the
hostname (-h) you will be connecting to it by. They also remove
references to options that rpc.svcgssd does not support.
Ideally, in the long run nfs-utils would provide an option similar to
what recent openssh versions use, and authenticate with any key in the
keytab.
Patch for 1.1.1~git-2007092:
diff -rud nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.c
nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.c
--- nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.c 2007-09-29
09:55:13.000000000 -0300
+++ nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.c 2007-11-15
10:43:33.000000000 -0400
@@ -155,7 +155,7 @@
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-i] [-h hostname]\n",
progname);
exit(1);
}
@@ -171,8 +171,9 @@
int opt;
extern char *optarg;
char *progname;
+ char *servicename = NULL;
- while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
+ while ((opt = getopt(argc, argv, "fivrnh:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
@@ -189,6 +190,12 @@
case 'r':
rpc_verbosity++;
break;
+ case 'h':
+ servicename = calloc(strlen(optarg) +
strlen(GSSD_SERVICE_NAME) + 2, sizeof(char));
+
+ /* GSSAPI needs @ instead of / between service
name and hostname */
+ snprintf(servicename, strlen(optarg) +
strlen(GSSD_SERVICE_NAME) + 2, "[EMAIL PROTECTED]", GSSD_SERVICE_NAME, optarg);
+ break;
default:
usage(argv[0]);
break;
@@ -228,7 +235,10 @@
signal(SIGTERM, sig_die);
signal(SIGHUP, sig_hup);
- if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
+ if (servicename == NULL)
+ servicename = GSSD_SERVICE_NAME;
+
+ if (get_creds && !gssd_acquire_cred(servicename)) {
printerr(0, "unable to obtain root (machine) credentials\n");
printerr(0, "do you have a keytab entry for "
"nfs/<your.host>@<YOUR.REALM> in "
Only in nfs-utils-1.1.1~git-20070929-krb/utils/gssd: svcgssd.c.orig
diff -rud nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.man
nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.man
--- nfs-utils-1.1.1~git-20070929/utils/gssd/svcgssd.man 2007-09-29
09:55:13.000000000 -0300
+++ nfs-utils-1.1.1~git-20070929-krb/utils/gssd/svcgssd.man 2007-11-15
10:26:01.000000000 -0400
@@ -6,7 +6,7 @@
.SH NAME
rpc.svcgssd \- server-side rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-i] [-f] [-h hostname]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
@@ -35,6 +35,10 @@
.B -i
If the nfsidmap library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -h hostname
+Specify the hostname to use when looking for the service principal in
+the keytab.
.SH SEE ALSO
.BR rpc.gssd(8),
Patch for 1.0.10:
diff -rud nfs-utils-1.0.10/utils/gssd/svcgssd.c
nfs-utils-1.0.10-krb/utils/gssd/svcgssd.c
--- nfs-utils-1.0.10/utils/gssd/svcgssd.c 2006-08-07 03:40:50.000000000
-0300
+++ nfs-utils-1.0.10-krb/utils/gssd/svcgssd.c 2007-11-15 10:41:58.000000000
-0400
@@ -154,7 +154,7 @@
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n",
+ fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r] [-h hostname]\n",
progname);
exit(1);
}
@@ -169,8 +169,9 @@
int opt;
extern char *optarg;
char *progname;
+ char *servicename = NULL;
- while ((opt = getopt(argc, argv, "fvrnp:")) != -1) {
+ while ((opt = getopt(argc, argv, "fvrnh:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
@@ -184,6 +185,12 @@
case 'r':
rpc_verbosity++;
break;
+ case 'h':
+ servicename = calloc(strlen(optarg) +
strlen(GSSD_SERVICE_NAME) + 2, sizeof(char));
+
+ /* GSSAPI needs @ instead of / between service
name and hostname */
+ snprintf(servicename, strlen(optarg) +
strlen(GSSD_SERVICE_NAME) + 2, "[EMAIL PROTECTED]", GSSD_SERVICE_NAME, optarg);
+ break;
default:
usage(argv[0]);
break;
@@ -216,7 +223,10 @@
signal(SIGTERM, sig_die);
signal(SIGHUP, sig_hup);
- if (get_creds && !gssd_acquire_cred(GSSD_SERVICE_NAME)) {
+ if (servicename == NULL)
+ servicename = GSSD_SERVICE_NAME;
+
+ if (get_creds && !gssd_acquire_cred(servicename)) {
printerr(0, "unable to obtain root (machine) credentials\n");
printerr(0, "do you have a keytab entry for "
"nfs/<your.host>@<YOUR.REALM> in "
diff -rud nfs-utils-1.0.10/utils/gssd/svcgssd.man
nfs-utils-1.0.10-krb/utils/gssd/svcgssd.man
--- nfs-utils-1.0.10/utils/gssd/svcgssd.man 2006-08-07 03:40:50.000000000
-0300
+++ nfs-utils-1.0.10-krb/utils/gssd/svcgssd.man 2007-11-15 10:27:42.000000000
-0400
@@ -6,7 +6,7 @@
.SH NAME
rpc.svcgssd \- server-side rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-f] [-h hostname]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
@@ -31,6 +31,10 @@
.B -r
If the rpcsec_gss library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -h hostname
+Specify the hostname to use when looking for the service principal in
+the keytab.
.SH SEE ALSO
.BR rpc.gssd(8),
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages nfs-kernel-server depends on:
ii libblkid1 1.40.2-1 block device id library
ii libc6 2.6.1-1+b1 GNU C Library: Shared libraries
ii libcomerr2 1.40.2-1 common error description library
ii libgssglue1 0.1-1 mechanism-switch gssapi library
ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
ii libnfsidmap2 0.20-0 An nfs idmapping library
ii librpcsecgss3 0.17-1 allows secure rpc communication us
ii libwrap0 7.6.dbs-14 Wietse Venema's TCP wrappers libra
ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip
ii nfs-common 1:1.1.1~git-20070929-1 NFS support files common to client
ii ucf 3.003 Update Configuration File: preserv
nfs-kernel-server recommends no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
