bool idmapper_init(void) { #ifdef USE_NFSIDMAP if (!nfs_param.nfsv4_param.use_getpwnam) { if (nfs4_init_name_mapping(nfs_param.nfsv4_param.idmapconf) != 0) { return false; } owner_domain.addr = gsh_malloc(NFS4_MAX_DOMAIN_LEN + 1); if (owner_domain.addr == NULL) return false; if (nfs4_get_default_domain (NULL, owner_domain.addr, NFS4_MAX_DOMAIN_LEN) != 0) { gsh_free(owner_domain.addr); return false; } owner_domain.len = strlen(owner_domain.addr); } #endif /* USE_NFSIDMAP */ if (nfs_param.nfsv4_param.use_getpwnam) { owner_domain.addr = gsh_strdup(nfs_param.nfsv4_param .domainname); if (owner_domain.addr == NULL) return false; owner_domain.len = strlen(nfs_param.nfsv4_param.domainname); } idmapper_cache_init(); return true; }
int nfsidmap_set_conf() { if(!nfsidmap_conf_read) { if(nfs4_init_name_mapping(_PATH_IDMAPDCONF)) return 0; if(nfs4_get_default_domain(NULL, idmap_domain, sizeof(idmap_domain))) return 0; nfsidmap_conf_read = TRUE; } return 1; }
int main(int argc, char *argv[]) { int get_creds = 1; int fg = 0; int verbosity = 0; int rpc_verbosity = 0; int idmap_verbosity = 0; int opt, status; extern char *optarg; char *progname; char *principal = NULL; while ((opt = getopt(argc, argv, "fivrnp:")) != -1) { switch (opt) { case 'f': fg = 1; break; case 'i': idmap_verbosity++; break; case 'n': get_creds = 0; break; case 'v': verbosity++; break; case 'r': rpc_verbosity++; break; case 'p': principal = optarg; break; default: usage(argv[0]); break; } } if ((progname = strrchr(argv[0], '/'))) progname++; else progname = argv[0]; initerr(progname, verbosity, fg); #ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL if (verbosity && rpc_verbosity == 0) rpc_verbosity = verbosity; authgss_set_debug_level(rpc_verbosity); #elif HAVE_LIBTIRPC_SET_DEBUG /* * Only set the libtirpc debug level if explicitly requested via -r... * svcgssd is chatty enough as it is. */ if (rpc_verbosity > 0) libtirpc_set_debug(progname, rpc_verbosity, fg); #else if (rpc_verbosity > 0) printerr(0, "Warning: rpcsec_gss library does not " "support setting debug level\n"); #endif #ifdef HAVE_NFS4_SET_DEBUG if (verbosity && idmap_verbosity == 0) idmap_verbosity = verbosity; nfs4_set_debug(idmap_verbosity, NULL); #else if (idmap_verbosity > 0) printerr(0, "Warning: your nfsidmap library does not " "support setting debug level\n"); #endif if (gssd_check_mechs() != 0) { printerr(0, "ERROR: Problem with gssapi library\n"); exit(1); } daemon_init(fg); signal(SIGINT, sig_die); signal(SIGTERM, sig_die); signal(SIGHUP, sig_hup); if (get_creds) { if (principal) status = gssd_acquire_cred(principal, ((const gss_OID)GSS_C_NT_USER_NAME)); else status = gssd_acquire_cred(GSSD_SERVICE_NAME, (const gss_OID)GSS_C_NT_HOSTBASED_SERVICE); if (status == FALSE) { printerr(0, "unable to obtain root (machine) credentials\n"); printerr(0, "do you have a keytab entry for " "nfs/<your.host>@<YOUR.REALM> in " "/etc/krb5.keytab?\n"); exit(1); } } else { status = gssd_acquire_cred(NULL, (const gss_OID)GSS_C_NT_HOSTBASED_SERVICE); if (status == FALSE) { printerr(0, "unable to obtain nameless credentials\n"); exit(1); } } daemon_ready(); nfs4_init_name_mapping(NULL); /* XXX: should only do this once */ gssd_run(); printerr(0, "gssd_run returned!\n"); abort(); }
static int get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred) { u_int32_t maj_stat, min_stat; gss_buffer_desc name; char *sname; int res = -1; uid_t uid, gid; gss_OID name_type = GSS_C_NO_OID; char *secname; maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type); if (maj_stat != GSS_S_COMPLETE) { pgsserr("get_ids: gss_display_name", maj_stat, min_stat, mech); goto out; } if (name.length >= 0xffff || /* be certain name.length+1 doesn't overflow */ !(sname = calloc(name.length + 1, 1))) { printerr(0, "WARNING: get_ids: error allocating %d bytes " "for sname\n", name.length + 1); gss_release_buffer(&min_stat, &name); goto out; } memcpy(sname, name.value, name.length); printerr(1, "sname = %s\n", sname); gss_release_buffer(&min_stat, &name); res = -EINVAL; if ((secname = mech2file(mech)) == NULL) { printerr(0, "WARNING: get_ids: error mapping mech to " "file for name '%s'\n", sname); goto out_free; } nfs4_init_name_mapping(NULL); /* XXX: should only do this once */ res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid); if (res < 0) { /* * -ENOENT means there was no mapping, any other error * value means there was an error trying to do the * mapping. * If there was no mapping, we send down the value -1 * to indicate that the anonuid/anongid for the export * should be used. */ if (res == -ENOENT) { cred->cr_uid = -1; cred->cr_gid = -1; cred->cr_ngroups = 0; res = 0; goto out_free; } printerr(1, "WARNING: get_ids: failed to map name '%s' " "to uid/gid: %s\n", sname, strerror(-res)); goto out_free; } cred->cr_uid = uid; cred->cr_gid = gid; add_supplementary_groups(secname, sname, cred); res = 0; out_free: free(sname); out: return res; }
int main(int argc, char **argv) { char *arg; char *value; char *type; int rc = 1, opt; int timeout = 600; key_serial_t key; char *progname, *keystr = NULL; int clearing = 0, keymask = 0, display = 0, list = 0; /* Set the basename */ if ((progname = strrchr(argv[0], '/')) != NULL) progname++; else progname = argv[0]; xlog_open(progname); while ((opt = getopt(argc, argv, "du:g:r:ct:vl")) != -1) { switch (opt) { case 'd': display++; break; case 'l': list++; break; case 'u': keymask = UIDKEYS; keystr = strdup(optarg); break; case 'g': keymask = GIDKEYS; keystr = strdup(optarg); break; case 'r': keymask = GIDKEYS|UIDKEYS; keystr = strdup(optarg); break; case 'c': clearing++; break; case 'v': verbose++; break; case 't': timeout = atoi(optarg); break; default: xlog_warn(usage, progname); break; } } if ((rc = nfs4_init_name_mapping(PATH_IDMAPDCONF))) { xlog_errno(rc, "Unable to create name to user id mappings."); return EXIT_FAILURE; } if (!verbose) verbose = conf_get_num("General", "Verbosity", 0); if (display) return display_default_domain(); if (list) return list_keyring(DEFAULT_KEYRING); if (keystr) { return key_invalidate(keystr, keymask); } if (clearing) { xlog_syslog(0); return keyring_clear(DEFAULT_KEYRING); } xlog_stderr(0); if ((argc - optind) != 2) { xlog_err("Bad arg count. Check /etc/request-key.conf"); xlog_warn(usage, progname); return EXIT_FAILURE; } if (verbose) nfs4_set_debug(verbose, NULL); key = strtol(argv[optind++], NULL, 10); arg = strdup(argv[optind]); if (arg == NULL) { xlog_err("strdup failed: %m"); return EXIT_FAILURE; } type = strtok(arg, ":"); value = strtok(NULL, ":"); if (value == NULL) { free(arg); xlog_err("Error: Null uid/gid value."); return EXIT_FAILURE; } if (verbose) { xlog_warn("key: 0x%lx type: %s value: %s timeout %ld", key, type, value, timeout); } /* Become a possesor of the to-be-instantiated key to set the key's timeout */ request_key("keyring", DEFAULT_KEYRING, NULL, KEY_SPEC_THREAD_KEYRING); if (strcmp(type, "uid") == 0) rc = id_lookup(value, key, USER); else if (strcmp(type, "gid") == 0) rc = id_lookup(value, key, GROUP); else if (strcmp(type, "user") == 0) rc = name_lookup(value, key, USER); else if (strcmp(type, "group") == 0) rc = name_lookup(value, key, GROUP); /* Set timeout to 10 (600 seconds) minutes */ if (rc == EXIT_SUCCESS) keyctl_set_timeout(key, timeout); free(arg); return rc; }