[packages/nfs-utils] - updated to 2.8.3 - restoring compatibility with heimdal required reverting of some cred cache fix
qboosh
qboosh at pld-linux.org
Fri Jun 27 19:44:59 CEST 2025
commit 5a8ded0e04195b7b17c19effe2d05a84580a69c9
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Fri Jun 27 19:46:21 2025 +0200
- updated to 2.8.3
- restoring Heimdal compatibility required reverting an upstream credential-cache fix (see nfs-utils-krb5-cache.patch, applied in reverse for Heimdal builds)
- actually package nfsdcld init script
nfs-utils-krb5-cache.patch | 199 +++++++++++++++++++++++++++++++++++++++++++++
nfs-utils.spec | 47 ++++++-----
nfsdcld.init | 4 +-
3 files changed, 227 insertions(+), 23 deletions(-)
---
diff --git a/nfs-utils.spec b/nfs-utils.spec
index cccd30d..eb257c1 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -1,9 +1,9 @@
# TODO: systemd support needs cleanup (see TODOs below)
#
# Conditional build:
-%bcond_with krb5 # build with MIT Kerberos instead of Heimdal
+%bcond_with krb5 # MIT Kerberos instead of Heimdal
%bcond_without static_libs # static libraries
-%bcond_without tirpc # use librpcsecgss instead of libtirpc
+%bcond_without tirpc # libtirpc instead of librpcsecgss
Summary: Kernel NFS server
Summary(pl.UTF-8): Działający na poziomie jądra serwer NFS
@@ -11,12 +11,12 @@ Summary(pt_BR.UTF-8): Os utilitários para o cliente e servidor NFS do Linux
Summary(ru.UTF-8): Утилиты для NFS и демоны поддержки для NFS-сервера ядра
Summary(uk.UTF-8): Утиліти для NFS та демони підтримки для NFS-сервера ядра
Name: nfs-utils
-Version: 2.8.2
-Release: 2
+Version: 2.8.3
+Release: 1
License: GPL v2
Group: Networking/Daemons
Source0: https://www.kernel.org/pub/linux/utils/nfs-utils/%{version}/%{name}-%{version}.tar.xz
-# Source0-md5: 40e598d6ec2174258020c8be09bf9ddb
+# Source0-md5: 5a827a1254f878370135e3b3ae49be73
#Source1: ftp://ftp.linuxnfs.sourceforge.org/pub/nfs/nfs.doc.tar.gz
Source1: nfs.doc.tar.gz
# Source1-md5: ae7db9c61c5ad04f83bb99e5caed73da
@@ -52,6 +52,7 @@ Patch4: %{name}-heimdal.patch
Patch5: %{name}-x32.patch
Patch6: libnfsidmap-pluginpath.patch
Patch7: %{name}-sh.patch
+Patch8: %{name}-krb5-cache.patch
URL: http://linux-nfs.org/
BuildRequires: autoconf >= 2.59
BuildRequires: automake
@@ -83,7 +84,7 @@ BuildRequires: libtirpc-devel >= 1:1.3.4
BuildRequires: librpcsecgss-devel >= 0.16
%endif
%if %{with krb5}
-BuildRequires: krb5-devel >= 1.6
+BuildRequires: krb5-devel >= 1.8
%else
BuildRequires: heimdal-devel >= 1.0
%endif
@@ -247,6 +248,9 @@ Statyczna biblioteka libnfsidmap.
%patch -P5 -p1
%patch -P6 -p1
%patch -P7 -p1
+%if %{without krb5}
+%patch -P8 -p1 -R
+%endif
# force regeneration
%{__rm} tools/nfsrahead/99-nfs.rules
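Review bot: The reverse-apply of Patch8 under `%if %{without krb5}` carries no comment saying why it exists or what it costs, and the spec is the only place a future maintainer will look. Reverting upstream 1cd9e3c0 (named in the patch's own header) brings back the krb5_cc_initialize() path that the upstream commit describes as not concurrency-safe: two uid=0 gssd upcalls, one krb5i and one krb5p, can race in it and one of them fails, surfacing as an NFS operation error. I would add above the `%if`: `# Heimdal builds: revert upstream 1cd9e3c0 (gssd: do not use krb5_cc_initialize) - the set_out_ccache approach is incompatible with the Heimdal build here, so the krb5_cc_initialize race between concurrent uid=0 upcalls remains; revisit when Heimdal support catches up`. Whether the incompatibility is a missing API or a behavioural difference is not visible in this commit, so word the comment to match what actually failed.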
@@ -332,33 +336,33 @@ install %{SOURCE6} $RPM_BUILD_ROOT/etc/rc.d/init.d/gssd
install %{SOURCE7} $RPM_BUILD_ROOT/etc/rc.d/init.d/svcgssd
install %{SOURCE11} $RPM_BUILD_ROOT/etc/rc.d/init.d/blkmapd
install %{SOURCE14} $RPM_BUILD_ROOT/etc/rc.d/init.d/nfsdcld
-install %{SOURCE8} $RPM_BUILD_ROOT/etc/sysconfig/nfsd
-install %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/nfslock
-install %{SOURCE10} $RPM_BUILD_ROOT/etc/sysconfig/nfsfs
+cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/sysconfig/nfsd
+cp -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/nfslock
+cp -p %{SOURCE10} $RPM_BUILD_ROOT/etc/sysconfig/nfsfs
-install %{SOURCE12} $RPM_BUILD_ROOT/etc/modprobe.d/sunrpc.conf
+cp -p %{SOURCE12} $RPM_BUILD_ROOT/etc/modprobe.d/sunrpc.conf
#install systemd/proc-fs-nfsd.mount $RPM_BUILD_ROOT%{systemdunitdir}/proc-fs-nfsd.mount
#install systemd/var-lib-nfs-rpc_pipefs.mount $RPM_BUILD_ROOT%{systemdunitdir}/var-lib-nfs-rpc_pipefs.mount
# TODO: upstream installs nfs-server.service
-install %{SOURCE102} $RPM_BUILD_ROOT%{systemdunitdir}/nfsd.service
+cp -p %{SOURCE102} $RPM_BUILD_ROOT%{systemdunitdir}/nfsd.service
# TODO: upstream installs nfs-blkmap.service
-install %{SOURCE103} $RPM_BUILD_ROOT%{systemdunitdir}/blkmapd.service
-install %{SOURCE104} $RPM_BUILD_ROOT%{systemdunitdir}/nfsd-exportfs.service
+cp -p %{SOURCE103} $RPM_BUILD_ROOT%{systemdunitdir}/blkmapd.service
+cp -p %{SOURCE104} $RPM_BUILD_ROOT%{systemdunitdir}/nfsd-exportfs.service
# TODO: upstream installs rpc-gssd.service
-install %{SOURCE105} $RPM_BUILD_ROOT%{systemdunitdir}/gssd.service
+cp -p %{SOURCE105} $RPM_BUILD_ROOT%{systemdunitdir}/gssd.service
# TODO: upstream installs nfs-idmapd.service
-install %{SOURCE106} $RPM_BUILD_ROOT%{systemdunitdir}/idmapd.service
+cp -p %{SOURCE106} $RPM_BUILD_ROOT%{systemdunitdir}/idmapd.service
# TODO: upstream installs rpc-statd.service + rpc-statd-notify.service
-install %{SOURCE107} $RPM_BUILD_ROOT%{systemdunitdir}/nfslock.service
+cp -p %{SOURCE107} $RPM_BUILD_ROOT%{systemdunitdir}/nfslock.service
# TODO: upstream installs nfs-mountd.service
-install %{SOURCE108} $RPM_BUILD_ROOT%{systemdunitdir}/nfsd-mountd.service
+cp -p %{SOURCE108} $RPM_BUILD_ROOT%{systemdunitdir}/nfsd-mountd.service
# TODO: upstream installs auth-rpcgss-module.service / rpc-svcgssd.service
-install %{SOURCE109} $RPM_BUILD_ROOT%{systemdunitdir}/svcgssd.service
+cp -p %{SOURCE109} $RPM_BUILD_ROOT%{systemdunitdir}/svcgssd.service
# TODO: upstream installs also nfs-utils.service and nfs-client.target meta-services
-install %{SOURCE110} $RPM_BUILD_ROOT%{_datadir}/nfs-utils/nfsd.postconfig
-install %{SOURCE111} $RPM_BUILD_ROOT%{_datadir}/nfs-utils/nfsd.preconfig
-install %{SOURCE112} $RPM_BUILD_ROOT%{_datadir}/nfs-utils/nfslock.preconfig
+cp -p %{SOURCE110} $RPM_BUILD_ROOT%{_datadir}/nfs-utils/nfsd.postconfig
+cp -p %{SOURCE111} $RPM_BUILD_ROOT%{_datadir}/nfs-utils/nfsd.preconfig
+cp -p %{SOURCE112} $RPM_BUILD_ROOT%{_datadir}/nfs-utils/nfslock.preconfig
# Disable old SysV service for systemd installs
ln -s /dev/null $RPM_BUILD_ROOT%{systemdunitdir}/nfs.service
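Review bot: Switching these lines from `install` to `cp -p` makes the mode of every installed sysconfig file, the modprobe snippet, the unit files and the pre/postconfig scripts whatever the source file happens to carry in the checkout, where `install` without `-m` pinned it to 0755. Dropping 0755 is probably the intent for units and sysconfig files, but the result is now implicit and depends on checkout state unless the %files section (outside this hunk) sets %attr on each of these paths. `install -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/sysconfig/nfsd` keeps the timestamp and pins the mode explicitly; the same applies to the unit files, while nfsd.postconfig/nfsd.preconfig/nfslock.preconfig may need 755 if they are executed rather than sourced, which is not visible here.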
@@ -522,6 +526,7 @@ fi
%attr(755,root,root) %{_sbindir}/nfsstat
%attr(754,root,root) /etc/rc.d/init.d/nfs
+%attr(754,root,root) /etc/rc.d/init.d/nfsdcld
%attr(754,root,root) /etc/rc.d/init.d/svcgssd
%attr(664,root,fileshare) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/exports
diff --git a/nfs-utils-krb5-cache.patch b/nfs-utils-krb5-cache.patch
new file mode 100644
index 0000000..a9ab0bd
--- /dev/null
+++ b/nfs-utils-krb5-cache.patch
@@ -0,0 +1,199 @@
+From 1cd9e3c0d290646e80750249914396566dd6b800 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev at redhat.com>
+Date: Mon, 24 Mar 2025 08:43:43 -0400
+Subject: [PATCH] gssd: do not use krb5_cc_initialize
+
+When gssd refreshes machine credentials, it uses the
+krb5_get_init_creds_keytab() and then to save the received credentials
+in a ticket cache, it proceeds to initialize the credential cache via
+a krb5_cc_initialize() before storing the received credentials into it.
+
+krb5_cc_initialize() is not concurrency safe. two gssd upcalls by
+uid=0, one for krb5i auth flavor and another for krb5p, would enter
+into krb5_cc_initialize() and one of them would fail, leading to
+an upcall failure and NFS operation error.
+
+Instead it was proposed that gssd changes its design to do what
+kinit does and forgo the use of krb5_cc_initialize and instead setup
+the output cache via krb5_get_init_creds_opt_set_out_cache() prior
+to calling krb5_get_init_creds_keytab() which would then store
+credentials automatically.
+
+https://mailman.mit.edu/pipermail/krbdev/2025-February/013708.html
+
+Signed-off-by: Olga Kornievskaia <okorniev at redhat.com>
+Signed-off-by: Steve Dickson <steved at redhat.com>
+---
+ utils/gssd/krb5_util.c | 103 ++++++++++++++++++++---------------------
+ 1 file changed, 50 insertions(+), 53 deletions(-)
+
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index 201585ed..560e8be1 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -168,7 +168,8 @@ static int select_krb5_ccache(const struct dirent *d);
+ static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
+ const char **cctype, struct dirent **d);
+ static int gssd_get_single_krb5_cred(krb5_context context,
+- krb5_keytab kt, struct gssd_k5_kt_princ *ple, int force_renew);
++ krb5_keytab kt, struct gssd_k5_kt_princ *ple, int force_renew,
++ krb5_ccache ccache);
+ static int query_krb5_ccache(const char* cred_cache, char **ret_princname,
+ char **ret_realm);
+
+@@ -395,16 +396,14 @@ static int
+ gssd_get_single_krb5_cred(krb5_context context,
+ krb5_keytab kt,
+ struct gssd_k5_kt_princ *ple,
+- int force_renew)
++ int force_renew,
++ krb5_ccache ccache)
+ {
+ krb5_get_init_creds_opt *opts = NULL;
+ krb5_creds my_creds;
+- krb5_ccache ccache = NULL;
+ char kt_name[BUFSIZ];
+- char cc_name[BUFSIZ];
+ int code;
+ time_t now = time(0);
+- char *cache_type;
+ char *pname = NULL;
+ char *k5err = NULL;
+ int nocache = 0;
+@@ -457,6 +456,14 @@ gssd_get_single_krb5_cred(krb5_context context,
+ krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
+ #endif
+
++ if ((code = krb5_get_init_creds_opt_set_out_ccache(context, opts,
++ ccache))) {
++ k5err = gssd_k5_err_msg(context, code);
++ printerr(1, "WARNING: %s while initializing ccache for "
++ "principal '%s' using keytab '%s'\n", k5err,
++ pname ? pname : "<unparsable>", kt_name);
++ goto out;
++ }
+ if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
+ kt, 0, NULL, opts))) {
+ k5err = gssd_k5_err_msg(context, code);
+@@ -466,61 +473,18 @@ gssd_get_single_krb5_cred(krb5_context context,
+ goto out;
+ }
+
+- /*
+- * Initialize cache file which we're going to be using
+- */
+-
+ pthread_mutex_lock(&ple_lock);
+- if (use_memcache)
+- cache_type = "MEMORY";
+- else
+- cache_type = "FILE";
+- snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s",
+- cache_type,
+- ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
+- GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
+ ple->endtime = my_creds.times.endtime;
+- if (ple->ccname == NULL || strcmp(ple->ccname, cc_name) != 0) {
+- free(ple->ccname);
+- ple->ccname = strdup(cc_name);
+- if (ple->ccname == NULL) {
+- printerr(0, "ERROR: no storage to duplicate credentials "
+- "cache name '%s'\n", cc_name);
+- code = ENOMEM;
+- pthread_mutex_unlock(&ple_lock);
+- goto out;
+- }
+- }
+ pthread_mutex_unlock(&ple_lock);
+- if ((code = krb5_cc_resolve(context, cc_name, &ccache))) {
+- k5err = gssd_k5_err_msg(context, code);
+- printerr(0, "ERROR: %s while opening credential cache '%s'\n",
+- k5err, cc_name);
+- goto out;
+- }
+- if ((code = krb5_cc_initialize(context, ccache, ple->princ))) {
+- k5err = gssd_k5_err_msg(context, code);
+- printerr(0, "ERROR: %s while initializing credential "
+- "cache '%s'\n", k5err, cc_name);
+- goto out;
+- }
+- if ((code = krb5_cc_store_cred(context, ccache, &my_creds))) {
+- k5err = gssd_k5_err_msg(context, code);
+- printerr(0, "ERROR: %s while storing credentials in '%s'\n",
+- k5err, cc_name);
+- goto out;
+- }
+
+ code = 0;
+- printerr(2, "%s(0x%lx): principal '%s' ccache:'%s'\n",
+- __func__, tid, pname, cc_name);
++ printerr(2, "%s(0x%lx): principal '%s' ccache:'%s'\n",
++ __func__, tid, pname, ple->ccname);
+ out:
+ if (opts)
+ krb5_get_init_creds_opt_free(context, opts);
+ if (pname)
+ k5_free_unparsed_name(context, pname);
+- if (ccache)
+- krb5_cc_close(context, ccache);
+ krb5_free_cred_contents(context, &my_creds);
+ free(k5err);
+ return (code);
+@@ -1147,10 +1111,12 @@ gssd_refresh_krb5_machine_credential_internal(char *hostname,
+ {
+ krb5_error_code code = 0;
+ krb5_context context;
+- krb5_keytab kt = NULL;;
++ krb5_keytab kt = NULL;
++ krb5_ccache ccache = NULL;
+ int retval = 0;
+- char *k5err = NULL;
++ char *k5err = NULL, *cache_type;
+ const char *svcnames[] = { "$", "root", "nfs", "host", NULL };
++ char cc_name[BUFSIZ];
+
+ /*
+ * If a specific service name was specified, use it.
+@@ -1209,7 +1175,38 @@ gssd_refresh_krb5_machine_credential_internal(char *hostname,
+ goto out_free_kt;
+ }
+ }
+- retval = gssd_get_single_krb5_cred(context, kt, ple, force_renew);
++
++ if (use_memcache)
++ cache_type = "MEMORY";
++ else
++ cache_type = "FILE";
++ snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s",
++ cache_type,
++ ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
++ GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
++
++ pthread_mutex_lock(&ple_lock);
++ if (ple->ccname == NULL || strcmp(ple->ccname, cc_name) != 0) {
++ free(ple->ccname);
++ ple->ccname = strdup(cc_name);
++ if (ple->ccname == NULL) {
++ printerr(0, "ERROR: no storage to duplicate credentials "
++ "cache name '%s'\n", cc_name);
++ code = ENOMEM;
++ pthread_mutex_unlock(&ple_lock);
++ goto out_free_kt;
++ }
++ }
++ pthread_mutex_unlock(&ple_lock);
++ if ((code = krb5_cc_resolve(context, cc_name, &ccache))) {
++ k5err = gssd_k5_err_msg(context, code);
++ printerr(0, "ERROR: %s while opening credential cache '%s'\n",
++ k5err, cc_name);
++ goto out_free_kt;
++ }
++
++ retval = gssd_get_single_krb5_cred(context, kt, ple, force_renew, ccache);
++ krb5_cc_close(context, ccache);
+ out_free_kt:
+ krb5_kt_close(context, kt);
+ out_free_context:
+--
+GitLab
+
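Review bot: In the block relocated into gssd_refresh_krb5_machine_credential_internal, the two new failure paths set `code` (ENOMEM after the failed strdup, and the krb5_cc_resolve error) and jump to out_free_kt, but `retval`, the variable that receives gssd_get_single_krb5_cred's result, is left at 0. If the function's tail, which lies outside this hunk, returns retval as the visible `int retval = 0;` and the assignment from gssd_get_single_krb5_cred suggest, a failure to name or open the machine credential cache is reported to the caller as success. Adding `retval = code;` before each of those two `goto out_free_kt;` statements would preserve the error propagation the old in-function code had through its return value. Note that for MIT builds this code is already in the 2.8.3 tarball (the patch is only ever applied in reverse), so the correction would have to be carried as a separate patch or sent upstream.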
diff --git a/nfsdcld.init b/nfsdcld.init
index 199eefb..0addee9 100644
--- a/nfsdcld.init
+++ b/nfsdcld.init
@@ -58,10 +58,10 @@ RETVAL=0
# See how we were called.
case "$1" in
start)
- start
+ start
;;
stop)
- stop
+ stop
;;
restart|force-reload)
stop
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/nfs-utils.git/commitdiff/5a8ded0e04195b7b17c19effe2d05a84580a69c9