[gssproxy] cifs-utils, Linux cifs kernel client and gssproxy

Pavel Shilovsky piastryyy at gmail.com
Fri Nov 5 00:31:10 UTC 2021


Thanks everyone for the patches! All 3 have been merged to the next
branch: https://github.com/piastry/cifs-utils/commits/next.

There are no compiler warnings on my system but let me know if you
spot anything.

--
Best regards,
Pavel Shilovsky

On Tue, Oct 26, 2021 at 08:05, Jacob Shivers <jshivers at redhat.com> wrote:
>
> Hello Pavel,
>
> Brief addition to man 8 cifs.upcall
>
> Author: Jacob Shivers <jshivers at redhat.com>
> Date:   Tue Oct 26 10:57:41 2021 -0400
>
>     man-pages: Update cifs.upcall to mention GSS_USE_PROXY
>
>     Add ENVIRONMENT VARIABLES section with the usage of gssproxy as a credential
>     retrieval method.
>
>     Signed-off-by: Jacob Shivers <jshivers at redhat.com>
>
> diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
> index 08ce324..09d0503 100644
> --- a/cifs.upcall.rst.in
> +++ b/cifs.upcall.rst.in
> @@ -91,6 +91,15 @@ OPTIONS
>  --version|-v
>    Print version number and exit.
>
> +*********************
> +ENVIRONMENT VARIABLES
> +*********************
> +
> +GSS_USE_PROXY="yes"
> +  Enable usage of gssproxy for credential retrieval. This includes keytab
> +  based client initiation as well as (Resource Based) Constrained Delegation.
> +  See gssproxy-mech(8).
> +
>  ************************
>  CONFIGURATION FOR KEYCTL
>  ************************
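Review bot: The new GSS_USE_PROXY entry says what the variable enables but not where it has to be set. cifs.upcall is launched from the request-key configuration rather than from a shell, so the entry should state that the variable goes on the cifs.spnego line under /etc/request-key.d/ (for example via /usr/bin/env, as in the configuration summary further down this thread) and that a matching gssproxy service definition is required. It would also help to say whether any value other than "yes" is honoured.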
>
> On Mon, Oct 25, 2021 at 5:32 PM Pavel Shilovsky <piastryyy at gmail.com> wrote:
> >
> > Ronnie,
> > Thanks for the patch to silence the compile warning. Let me try it.
> >
> > Jacob,
> > Sounds good. I haven't updated the cifs.upcall man page yet. Feel free
> > to provide the patch.
> > --
> > Best regards,
> > Pavel Shilovsky
> >
> > On Fri, Oct 22, 2021 at 19:16, Jacob Shivers <jshivers at redhat.com> wrote:
> > >
> > > Everything looks good.
> > >
> > > I sent a PR for gssproxy adding a drop file for cifs-client. I think
> > > the only thing outstanding will be an update to man 8 cifs.upcall that
> > > mentions the requirement to add GSS_USE_PROXY in
> > > /etc/request-key.d/cifs.spnego. I don't have a particular stance on a
> > > short-hand flag for GSS_USE_PROXY=yes as there is not already an
> > > existing configuration file for client side cifs.ko. Should one ever
> > > be created then it would be pertinent to include it there.
> > >
> > > If you don't have anything written for man 8 cifs.upcall, I can take
> > > care of that.
> > >
> > > Thanks again.
> > >
> > > On Thu, Oct 21, 2021 at 7:46 PM Leif Sahlberg <lsahlber at redhat.com> wrote:
> > > >
> > > >
> > > >
> > > >
> > > > On Fri, Oct 22, 2021 at 9:23 AM Pavel Shilovsky <piastryyy at gmail.com> wrote:
> > > >>
> > > >> Hello Michael, Jacob,
> > > >>
> > > >> The cifs.upcall patch is applied with some minor adjustments (code
> > > >> style and a patch description) on top of the next branch on github:
> > > >>
> > > >> https://github.com/piastry/cifs-utils/commit/3d681bb5c140376ccc19e48711231aeef1e87aa9
> > > >>
> > > >> Please let me know if it looks good and/or if you have other suggestions.
> > > >>
> > > >> The only concern that I have is the compile warning below. Would
> > > >> appreciate it if you provide a fix for that.
> > > >>
> > > >> gcc -DHAVE_CONFIG_H -I.    -Wall -Wextra -D_FORTIFY_SOURCE=2 -fpie
> > > >> -pie -Wl,-z,relro,-z,now -g -O2 -MT cifs.upcall.o -MD -MP -MF
> > > >> .deps/cifs.upcall.Tpo -c -o cifs.upcall.o cifs.upcall.c
> > > >> cifs.upcall.c: In function ‘cifs_gss_get_req’:
> > > >> cifs.upcall.c:808:4: warning: passing argument 5 of
> > > >> ‘gss_init_sec_context’ discards ‘const’ qualifier from pointer target
> > > >> type [-Wdiscarded-qualifiers]
> > > >>     gss_mech_krb5, /* force krb5 */
> > > >>     ^
> > > >> In file included from /usr/include/gssapi/gssapi_generic.h:31:0,
> > > >>                  from cifs.upcall.c:40:
> > > >> /usr/include/gssapi/gssapi.h:437:1: note: expected ‘gss_OID {aka
> > > >> struct gss_OID_desc_struct *}’ but argument is of type ‘const
> > > >> gss_OID_desc * const {aka const struct gss_OID_desc_struct * const}’
> > > >>  gss_init_sec_context(
> > > >>  ^
> > > >
> > > >
> > > > I do not get that warning on my system, but this patch should fix it?
> > > >
> > > > Author: Ronnie Sahlberg <lsahlber at redhat.com>
> > > > Date:   Fri Oct 22 09:41:24 2021 +1000
> > > >
> > > >     cifs.upcall.c: fix compiler warning
> > > >
> > > >     Signed-off-by: Ronnie Sahlberg <lsahlber at redhat.com>
> > > >
> > > > diff --git a/cifs.upcall.c b/cifs.upcall.c
> > > > index e9c7f5f..5e7c0a1 100644
> > > > --- a/cifs.upcall.c
> > > > +++ b/cifs.upcall.c
> > > > @@ -69,6 +69,10 @@
> > > >  #include <cap-ng.h>
> > > >  #endif
> > > >
> > > > +#ifndef discard_const
> > > > +#define discard_const(ptr) ((void *)((intptr_t)(ptr)))
> > > > +#endif
> > > > +
> > > >  static krb5_context    context;
> > > >  static const char      *prog = "cifs.upcall";
> > > >
> > > > @@ -805,7 +809,7 @@ cifs_gss_get_req(const char *host, DATA_BLOB *mechtoken, DATA_BLOB *sess_key)
> > > >                         GSS_C_NO_CREDENTIAL, /* claimant_cred_handle */
> > > >                         &ctx,
> > > >                         target_name,
> > > > -                       gss_mech_krb5, /* force krb5 */
> > > > +                       discard_const(gss_mech_krb5), /* force krb5 */
> > > >                         0, /* flags */
> > > >                         0, /* time_req */
> > > >                         GSS_C_NO_CHANNEL_BINDINGS, /* input_chan_bindings */
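Review bot: At the mech_type argument the cast silences -Wdiscarded-qualifiers without recording why dropping const is safe there. Extend the "force krb5" comment to note that gss_init_sec_context() treats mech_type as input only, and quote the warning in the commit message, which currently says only "fix compiler warning" and gives a later reader no way to tell which diagnostic was addressed.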
> > > >
> > > >
> > > >
> > > >>
> > > >> mv -f .deps/cifs.upcall.Tpo .deps/cifs.upcall.Po
> > > >> gcc -Wall -Wextra -D_FORTIFY_SOURCE=2 -fpie -pie -Wl,-z,relro,-z,now
> > > >> -g -O2   -o cifs.upcall cifs.upcall.o data_blob.o asn1.o spnego.o
> > > >> -ltalloc -lkeyutils -lgssapi_krb5 -lkrb5
> > > >>
> > > >>
> > > >> --
> > > >> Best regards,
> > > >> Pavel Shilovsky
> > > >>
> > > > >> On Thu, Sep 30, 2021 at 16:18, Jacob Shivers <jshivers at redhat.com> wrote:
> > > >>
> > > >> >
> > > >> > Hello Pavel/Michael,
> > > >> >
> > > >> > The only other addition would be to modify
> > > >> > /etc/gssproxy/99-nfs-client.conf to also use the 'program' directive,
> > > >> > i.e. 'program = /usr/sbin/rpc.gssd' so that both rpc.gssd and
> > > >> > cifs.upcall can make use of the default gssproxy socket
> > > >> > '/var/lib/gssproxy/default.sock'
> > > >> >
> > > >> > If the 'program' directive is not included in the respective drop
> > > >> > files, then gssproxy can not differentiate which service is to be used
> > > >> > and will fail to start.
> > > >> >
> > > >> > In total, a gssproxy drop file for cifs.upcall, modifying the gssproxy
> > > >> > drop file for rpc.gssd, and an inclusion of a parameter that sets an
> > > >> > environmental variable for cifs.upcall to use gssproxy should be all
> > > >> > that is needed. I had not submitted a pull request for gssproxy yet as
> > > >> > the extended cifs.upcall functionality had not received any further
> > > >> > feedback. I can submit something if you are ready to include the patch
> > > > >> > to cifs.upcall.
> > > >> >
> > > >> > Thanks,
> > > >> >
> > > >> > Jacob Shivers
> > > >> >
> > > >> > On Mon, Sep 27, 2021 at 3:20 AM Weiser, Michael <michael.weiser at atos.net> wrote:
> > > >> > >
> > > >> > > Hello Pavel,
> > > >> > >
> > > >> > > > Do we have any more-up-to-date version of the cifs-utils patch other
> > > >> > > > than the one attached to the email thread? I would like to merge the
> > > >> > > > patch into the "next" branch so it makes the next release of
> > > >> > > > cifs-utils.
> > > >> > >
> > > >> > > I'm also not aware of a newer version. As one of the initiators of the discussion, who's highly interested in seeing this merged, I'm standing by to help out with background context, testing or improving the code. (The patch was meant as a PoC which is why I skipped some reindenting and niceties to keep its approach and impact easy to gauge.)
> > > >> > >
> > > >> > > > Also there is a potential helper script mentioned above that is needed
> > > >> > > > to set up gssproxy properly?
> > > >> > >
> > > >> > > I'm not aware of a helper script. gssproxy just needs to be told about cifs-utils and how it should be treated using a single config drop file. Also in the meantime, Jacob and I have streamlined the configuration so a separate UNIX domain socket and tweaking its permissions using a systemd service drop-in file is no longer needed. Instead, gssproxy can distinguish multiple clients on the same socket using the calling binary derived from getsockopt/SO_PEERCRED.
> > > >> > >
> > > >> > > Finally, environment variable GSS_USE_PROXY needs to be set for cifs.upcall to enable the gssproxy proxy mech. (Instead of using the env command, cifs.upcall could have a command line option similar to rpc.gssd[1] which ends up doing the same thing.)
> > > >> > >
> > > >> > > Here's the config summary:
> > > >> > >
> > > >> > > # cat /etc/request-key.d/cifs.spnego.conf
> > > >> > > create  cifs.spnego    * *  /usr/bin/env GSS_USE_PROXY=yes /usr/sbin/cifs.upcall %k
> > > >> > >
> > > >> > > # cat /etc/gssproxy/99-cifs.conf
> > > >> > > [service/cifs]
> > > >> > >   mechs = krb5
> > > >> > > # not needed when program option is used
> > > >> > > #  socket = /var/lib/gssproxy/cifs.sock
> > > >> > >   program = /usr/sbin/cifs.upcall
> > > >> > >   cred_store = keytab:/etc/krb5.keytab
> > > >> > >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > > >> > >   cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> > > >> > >   cred_usage = initiate
> > > >> > > # allow process with any euid to use the service and receive impersonated
> > > >> > > # tickets for services
> > > >> > >   allow_any_uid = yes
> > > >> > > # allow euid access to keytab
> > > >> > >   trusted = yes
> > > >> > > # allow impersonation
> > > >> > >   impersonate = yes
> > > >> > > # allow process with euid 0 to use the keytab
> > > >> > >   euid = 0
> > > >> > >
> > > >> > > The actual mount can be done using system credentials from the keytab. Small proof session showcasing that gssproxy is involved and working:
> > > >> > >
> > > >> > > # systemctl stop gssproxy
> > > >> > > # mount -o sec=krb5,multiuser,user=FEDORA33\$ //dc/share /mnt
> > > >> > > # su - adsuser -c "touch /mnt/test"
> > > >> > > touch: cannot touch '/mnt/test': Permission denied
> > > >> > > # systemctl start gssproxy
> > > >> > > # su - adsuser -c "touch /mnt/test"
> > > >> > > #
> > > >> > >
> > > >> > > [1] http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=blob;f=utils/gssd/gssd.c;h=833d8e0110a9737df8ef6ddeb439ba1a37ee9931;hb=HEAD#l1128
> > > >> > >
> > > >> > > Thanks,
> > > >> > > Michael
> > > >> > >



More information about the samba-technical mailing list