diff options
author | NeilBrown <neilb@suse.de> | 2023-04-19 10:43:15 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2023-04-19 10:43:15 -0400 |
commit | 3a9b34dd09020785798cd742798efe5edd6440f6 (patch) | |
tree | 519d9609d2f59bf8413605c92c7d18f58c9d005c | |
parent | 04ad483198b6179fb4fbfad58b4a234e2f807ee8 (diff) | |
download | nfs-utils-3a9b34dd09020785798cd742798efe5edd6440f6.tar.gz |
mountd: don't advertise krb5 for v4root when not configured.nfs-utils-2-6-3-rc9
If /etc/krb5.keytab does not exist, then krb5 cannot work, so
advertising it as an option for v4root is pointless.
Since linux commit 676e4ebd5f2c ("NFSD: SECINFO doesn't handle
unsupported pseudoflavors correctly") this can result in an unhelpful
warning if the krb5 code is not built, or built as a module which is not
installed.
[ 161.668635] NFS: SECINFO: security flavor 390003 is not supported
[ 161.668655] NFS: SECINFO: security flavor 390004 is not supported
[ 161.668670] NFS: SECINFO: security flavor 390005 is not supported
So avoid advertising krb5 security options when krb5.keytab cannot be
found.
Note that testing for /etc/krb5.keytab is what we already do in a couple
of systemd unit file to determine if krb5 is enabled.
Link: https://lore.kernel.org/linux-nfs/20170104190327.v3wbpcbqtfa5jy7d@codemonkey.org.uk/
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- | support/export/v4root.c | 2 | ||||
-rw-r--r-- | support/include/pseudoflavors.h | 1 | ||||
-rw-r--r-- | support/nfs/exports.c | 14 |
3 files changed, 10 insertions, 7 deletions
diff --git a/support/export/v4root.c b/support/export/v4root.c index fbb0ad5..03805dc 100644 --- a/support/export/v4root.c +++ b/support/export/v4root.c @@ -66,6 +66,8 @@ set_pseudofs_security(struct exportent *pseudo) if (!flav->fnum) continue; + if (flav->need_krb5 && access("/etc/krb5.keytab", F_OK) != 0) + continue; i = secinfo_addflavor(flav, pseudo); new = &pseudo->e_secinfo[i]; diff --git a/support/include/pseudoflavors.h b/support/include/pseudoflavors.h index deb052b..1f16f3f 100644 --- a/support/include/pseudoflavors.h +++ b/support/include/pseudoflavors.h @@ -8,6 +8,7 @@ struct flav_info { char *flavour; int fnum; + int need_krb5; }; extern struct flav_info flav_map[]; diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 72e632f..15dc574 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -37,13 +37,13 @@ (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK) struct flav_info flav_map[] = { - { "krb5", RPC_AUTH_GSS_KRB5 }, - { "krb5i", RPC_AUTH_GSS_KRB5I }, - { "krb5p", RPC_AUTH_GSS_KRB5P }, - { "unix", AUTH_UNIX }, - { "sys", AUTH_SYS }, - { "null", AUTH_NULL }, - { "none", AUTH_NONE }, + { "krb5", RPC_AUTH_GSS_KRB5, 1}, + { "krb5i", RPC_AUTH_GSS_KRB5I, 1}, + { "krb5p", RPC_AUTH_GSS_KRB5P, 1}, + { "unix", AUTH_UNIX, 0}, + { "sys", AUTH_SYS, 0}, + { "null", AUTH_NULL, 0}, + { "none", AUTH_NONE, 0}, }; const int flav_map_size = sizeof(flav_map)/sizeof(flav_map[0]); |