bool idmapper_init(void)
{
#ifdef USE_NFSIDMAP
if (!nfs_param.nfsv4_param.use_getpwnam) {
if (nfs4_init_name_mapping(nfs_param.nfsv4_param.idmapconf)
!= 0) {
return false;
}
owner_domain.addr = gsh_malloc(NFS4_MAX_DOMAIN_LEN + 1);
if (owner_domain.addr == NULL)
return false;
if (nfs4_get_default_domain
(NULL, owner_domain.addr, NFS4_MAX_DOMAIN_LEN) != 0) {
gsh_free(owner_domain.addr);
return false;
}
owner_domain.len = strlen(owner_domain.addr);
}
#endif /* USE_NFSIDMAP */
if (nfs_param.nfsv4_param.use_getpwnam) {
owner_domain.addr = gsh_strdup(nfs_param.nfsv4_param
.domainname);
if (owner_domain.addr == NULL)
return false;
owner_domain.len = strlen(nfs_param.nfsv4_param.domainname);
}
idmapper_cache_init();
return true;
}
int nfsidmap_set_conf()
{
if(!nfsidmap_conf_read)
{
if(nfs4_init_name_mapping(_PATH_IDMAPDCONF))
return 0;
if(nfs4_get_default_domain(NULL, idmap_domain, sizeof(idmap_domain)))
return 0;
nfsidmap_conf_read = TRUE;
}
return 1;
}
int
main(int argc, char *argv[])
{
int get_creds = 1;
int fg = 0;
int verbosity = 0;
int rpc_verbosity = 0;
int idmap_verbosity = 0;
int opt, status;
extern char *optarg;
char *progname;
char *principal = NULL;
while ((opt = getopt(argc, argv, "fivrnp:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
break;
case 'i':
idmap_verbosity++;
break;
case 'n':
get_creds = 0;
break;
case 'v':
verbosity++;
break;
case 'r':
rpc_verbosity++;
break;
case 'p':
principal = optarg;
break;
default:
usage(argv[0]);
break;
}
}
if ((progname = strrchr(argv[0], '/')))
progname++;
else
progname = argv[0];
initerr(progname, verbosity, fg);
#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL
if (verbosity && rpc_verbosity == 0)
rpc_verbosity = verbosity;
authgss_set_debug_level(rpc_verbosity);
#elif HAVE_LIBTIRPC_SET_DEBUG
/*
* Only set the libtirpc debug level if explicitly requested via -r...
* svcgssd is chatty enough as it is.
*/
if (rpc_verbosity > 0)
libtirpc_set_debug(progname, rpc_verbosity, fg);
#else
if (rpc_verbosity > 0)
printerr(0, "Warning: rpcsec_gss library does not "
"support setting debug level\n");
#endif
#ifdef HAVE_NFS4_SET_DEBUG
if (verbosity && idmap_verbosity == 0)
idmap_verbosity = verbosity;
nfs4_set_debug(idmap_verbosity, NULL);
#else
if (idmap_verbosity > 0)
printerr(0, "Warning: your nfsidmap library does not "
"support setting debug level\n");
#endif
if (gssd_check_mechs() != 0) {
printerr(0, "ERROR: Problem with gssapi library\n");
exit(1);
}
daemon_init(fg);
signal(SIGINT, sig_die);
signal(SIGTERM, sig_die);
signal(SIGHUP, sig_hup);
if (get_creds) {
if (principal)
status = gssd_acquire_cred(principal,
((const gss_OID)GSS_C_NT_USER_NAME));
else
status = gssd_acquire_cred(GSSD_SERVICE_NAME,
(const gss_OID)GSS_C_NT_HOSTBASED_SERVICE);
if (status == FALSE) {
printerr(0, "unable to obtain root (machine) credentials\n");
printerr(0, "do you have a keytab entry for "
"nfs/<your.host>@<YOUR.REALM> in "
"/etc/krb5.keytab?\n");
exit(1);
}
} else {
status = gssd_acquire_cred(NULL,
(const gss_OID)GSS_C_NT_HOSTBASED_SERVICE);
if (status == FALSE) {
printerr(0, "unable to obtain nameless credentials\n");
exit(1);
}
}
daemon_ready();
nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
gssd_run();
printerr(0, "gssd_run returned!\n");
abort();
}
static int
get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
{
u_int32_t maj_stat, min_stat;
gss_buffer_desc name;
char *sname;
int res = -1;
uid_t uid, gid;
gss_OID name_type = GSS_C_NO_OID;
char *secname;
maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
if (maj_stat != GSS_S_COMPLETE) {
pgsserr("get_ids: gss_display_name",
maj_stat, min_stat, mech);
goto out;
}
if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */
!(sname = calloc(name.length + 1, 1))) {
printerr(0, "WARNING: get_ids: error allocating %d bytes "
"for sname\n", name.length + 1);
gss_release_buffer(&min_stat, &name);
goto out;
}
memcpy(sname, name.value, name.length);
printerr(1, "sname = %s\n", sname);
gss_release_buffer(&min_stat, &name);
res = -EINVAL;
if ((secname = mech2file(mech)) == NULL) {
printerr(0, "WARNING: get_ids: error mapping mech to "
"file for name '%s'\n", sname);
goto out_free;
}
nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
if (res < 0) {
/*
* -ENOENT means there was no mapping, any other error
* value means there was an error trying to do the
* mapping.
* If there was no mapping, we send down the value -1
* to indicate that the anonuid/anongid for the export
* should be used.
*/
if (res == -ENOENT) {
cred->cr_uid = -1;
cred->cr_gid = -1;
cred->cr_ngroups = 0;
res = 0;
goto out_free;
}
printerr(1, "WARNING: get_ids: failed to map name '%s' "
"to uid/gid: %s\n", sname, strerror(-res));
goto out_free;
}
cred->cr_uid = uid;
cred->cr_gid = gid;
add_supplementary_groups(secname, sname, cred);
res = 0;
out_free:
free(sname);
out:
return res;
}
int main(int argc, char **argv)
{
char *arg;
char *value;
char *type;
int rc = 1, opt;
int timeout = 600;
key_serial_t key;
char *progname, *keystr = NULL;
int clearing = 0, keymask = 0, display = 0, list = 0;
/* Set the basename */
if ((progname = strrchr(argv[0], '/')) != NULL)
progname++;
else
progname = argv[0];
xlog_open(progname);
while ((opt = getopt(argc, argv, "du:g:r:ct:vl")) != -1) {
switch (opt) {
case 'd':
display++;
break;
case 'l':
list++;
break;
case 'u':
keymask = UIDKEYS;
keystr = strdup(optarg);
break;
case 'g':
keymask = GIDKEYS;
keystr = strdup(optarg);
break;
case 'r':
keymask = GIDKEYS|UIDKEYS;
keystr = strdup(optarg);
break;
case 'c':
clearing++;
break;
case 'v':
verbose++;
break;
case 't':
timeout = atoi(optarg);
break;
default:
xlog_warn(usage, progname);
break;
}
}
if ((rc = nfs4_init_name_mapping(PATH_IDMAPDCONF))) {
xlog_errno(rc, "Unable to create name to user id mappings.");
return EXIT_FAILURE;
}
if (!verbose)
verbose = conf_get_num("General", "Verbosity", 0);
if (display)
return display_default_domain();
if (list)
return list_keyring(DEFAULT_KEYRING);
if (keystr) {
return key_invalidate(keystr, keymask);
}
if (clearing) {
xlog_syslog(0);
return keyring_clear(DEFAULT_KEYRING);
}
xlog_stderr(0);
if ((argc - optind) != 2) {
xlog_err("Bad arg count. Check /etc/request-key.conf");
xlog_warn(usage, progname);
return EXIT_FAILURE;
}
if (verbose)
nfs4_set_debug(verbose, NULL);
key = strtol(argv[optind++], NULL, 10);
arg = strdup(argv[optind]);
if (arg == NULL) {
xlog_err("strdup failed: %m");
return EXIT_FAILURE;
}
type = strtok(arg, ":");
value = strtok(NULL, ":");
if (value == NULL) {
free(arg);
xlog_err("Error: Null uid/gid value.");
return EXIT_FAILURE;
}
if (verbose) {
xlog_warn("key: 0x%lx type: %s value: %s timeout %ld",
key, type, value, timeout);
}
/* Become a possesor of the to-be-instantiated key to set the key's timeout */
request_key("keyring", DEFAULT_KEYRING, NULL, KEY_SPEC_THREAD_KEYRING);
if (strcmp(type, "uid") == 0)
rc = id_lookup(value, key, USER);
else if (strcmp(type, "gid") == 0)
rc = id_lookup(value, key, GROUP);
else if (strcmp(type, "user") == 0)
rc = name_lookup(value, key, USER);
else if (strcmp(type, "group") == 0)
rc = name_lookup(value, key, GROUP);
/* Set timeout to 10 (600 seconds) minutes */
if (rc == EXIT_SUCCESS)
keyctl_set_timeout(key, timeout);
free(arg);
return rc;
}
