GSS=true
GSS_KRB5=true
+# Overwrite RUNAS command to use su - instead,
+# to initialize the process more completely.
+# This is required to get proper access to keyrings.
+RUNAS="runas_su $(id -n -u $RUNAS_ID)"
+
check_krb_env() {
which klist || skip "Kerberos env not setup"
which kinit || skip "Kerberos env not setup"
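Review bot: The new `RUNAS` assignment takes the user name from `$(id -n -u $RUNAS_ID)` without checking that the lookup succeeded, so when that UID has no passwd entry the variable becomes `runas_su ` and every later `$RUNAS cmd` would hand the command name to `runas_su` where the user name is expected. Resolving the name first and failing early is safer, e.g. `RUNAS_USER=$(id -n -u "$RUNAS_ID") || error "no user for uid $RUNAS_ID"` followed by `RUNAS="runas_su $RUNAS_USER"`. test_9 in this same change resolves the same name with `getent passwd $RUNAS_ID | cut -d: -f1`; using one method in both places would keep them consistent.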
$RUNAS $LFS flushctx -k -r $MOUNT || error "can't flush context"
echo "destroyed credentials/contexs for $RUNAS_ID"
$RUNAS $CHECKSTAT -p 0666 $file && error "checkstat succeed"
- kill -s 10 $OPPID
+ kill -s 10 $(pgrep -u $USER0 $MULTIOP)
wait $OPPID || error "read file data failed"
echo "read file data OK"
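Review bot: `kill -s 10 $(pgrep -u $USER0 $MULTIOP)` signals every process of `$USER0` whose name matches `$MULTIOP`, and runs `kill` with no PID at all when nothing matches, so a stray or missing multiop only shows up as a confusing failure at the `wait $OPPID` below. Capture the result and check it before signalling, e.g. `local pids=$(pgrep -u $USER0 $MULTIOP)` then `[ -n "$pids" ] || error "no $MULTIOP running as $USER0"`. `-s USR1` would also read better than the numeric 10, whose meaning depends on the platform. The enclosing test function starts and ends outside this hunk.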
test_5() {
local file1=$DIR/$tdir/$tfile-1
local file2=$DIR/$tdir/$tfile-2
+ local file3=$DIR/$tdir/$tfile-3
local wait_time=$((TIMEOUT + TIMEOUT / 2))
mkdir $DIR/$tdir || error "mkdir $DIR/$tdir failed"
$RUNAS touch $file1 || error "can't touch $file1"
[ -f $file1 ] || error "$file1 not found"
+ # flush context
+ $RUNAS $LFS flushctx $MOUNT || error "can't flush context (1)"
+
# stop lsvcgssd
send_sigint $(comma_list $(mdts_nodes)) $LSVCGSSD
sleep 5
check_gss_daemon_nodes $(comma_list $(mdts_nodes)) $LSVCGSSD &&
- error "$LSVCGSSD still running"
+ error "$LSVCGSSD still running (1)"
+
+ # daemon should restart automatically, at least on newer servers
+ $RUNAS touch $file2
+ if [ $? -ne 0 ]; then
+ echo "$RUNAS touch $file2 failed"
+ (( MDS1_VERSION < $(version_code 2.15.61) )) ||
+ error "$LSVCGSSD should restart automatically"
+ else
+ echo "$RUNAS touch $file2 succeeded"
+ fi
- # flush context, and touch
- $RUNAS $LFS flushctx -k -r $MOUNT || error "can't flush context (1)"
- restore_krb5_cred
- $RUNAS touch $file2 && error "should fail without $LSVCGSSD"
+ # flush context
+ if (( MDS1_VERSION >= $(version_code 2.15.61) )); then
+ $RUNAS $LFS flushctx $MOUNT || error "can't flush context (2)"
+ fi
+
+ # stop lsvcgssd
+ send_sigint $(comma_list $(mdts_nodes)) $LSVCGSSD
+ sleep 5
+ check_gss_daemon_nodes $(comma_list $(mdts_nodes)) $LSVCGSSD &&
+ error "$LSVCGSSD still running (2)"
# restart lsvcgssd, expect touch succeed
echo "restart $LSVCGSSD and recovering"
- start_gss_daemons $(comma_list $(mdts_nodes)) "$LSVCGSSD -vvv"
+ start_gss_daemons $(comma_list $(mdts_nodes)) $LSVCGSSD "-vvv"
sleep 5
check_gss_daemon_nodes $(comma_list $(mdts_nodes)) $LSVCGSSD
- $RUNAS $LFS flushctx -k -r $MOUNT || error "can't flush context (2)"
- restore_krb5_cred
- $RUNAS touch $file2 || error "should not fail now"
- [ -f $file2 ] || error "$file2 not found"
+ $RUNAS touch $file3 || error "should not fail now"
+ [ -f $file3 ] || error "$file3 not found"
}
-run_test 5 "lsvcgssd dead, operations fail"
+run_test 5 "lsvcgssd dead, operations pass"
test_6() {
local nfile=10
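Review bot: In the added `touch $file2` block only the failure branch is tied to the server version; a successful touch is accepted on any version, so on servers older than 2.15.61 the test no longer asserts that operations fail while `$LSVCGSSD` is down, which the removed `&& error "should fail without $LSVCGSSD"` line did. If that is intended, a short comment saying so would help; otherwise the else branch could call `error` when `MDS1_VERSION` is below `$(version_code 2.15.61)`. On the newer-server path it would also be worth confirming the restart with `check_gss_daemon_nodes $(comma_list $(mdts_nodes)) $LSVCGSSD` before the second `send_sigint`, rather than inferring it from the touch alone. As a style point, `if ! $RUNAS touch $file2; then` avoids the separate `$?` test.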
stack_trap \
"do_facet $SINGLEMDS $LCTL set_param at_history=$atoldbase" EXIT
- mkdir -p $DIR/$tdir
+ mkdir_on_mdt0 $DIR/$tdir
chmod a+w $DIR/$tdir
+ $RUNAS ls $DIR/$tdir
+ $RUNAS keyctl show @u
+ echo Flushing gss ctxs
+ $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT"
+ $RUNAS keyctl show @u
+
$LCTL dk > /dev/null
debugsave
stack_trap debugrestore EXIT
# sleep sometime in ctx handle
do_facet $SINGLEMDS $LCTL set_param fail_val=$req_delay
- #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x1204
- do_facet $SINGLEMDS $LCTL set_param fail_loc=0x1204
-
- $RUNAS $LFS flushctx -k -r $MOUNT ||
- error "can't flush context on $MOUNT"
- restore_krb5_cred
+ #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x00001204
+ #define CFS_FAIL_ONCE 0x80000000
+ do_facet $SINGLEMDS $LCTL set_param fail_loc=0x80001204
$RUNAS touch $DIR/$tdir/$tfile &
TOUCHPID=$!
echo "waiting for touch (pid $TOUCHPID) to finish..."
- sleep 2 # give it a chance to really trigger context init rpc
- do_facet $SINGLEMDS $LCTL set_param fail_loc=0
wait $TOUCHPID || error "touch should have succeeded"
+ $RUNAS keyctl show @u
$LCTL dk | grep -i "Early reply #" || error "No early reply"
}
run_test 8 "Early reply sent for slow gss context negotiation"
+test_9() {
+ local test9user=$(getent passwd $RUNAS_ID | cut -d: -f1)
+
+ $LFS mkdir -i 0 -c 1 $DIR/$tdir || error "mkdir $DIR/$tdir failed"
+ chmod 0777 $DIR/$tdir || error "chmod $DIR/$tdir failed"
+ $RUNAS ls -ld $DIR/$tdir
+
+ # Add group, and client to new group, on client only.
+ # Server is not aware.
+ groupadd -g 5000 grptest9
+ stack_trap "groupdel grptest9" EXIT
+
+ usermod -g grptest9 $test9user
+ stack_trap "usermod -g $test9user $test9user" EXIT
+ id $RUNAS_ID
+ # Thanks to Kerberos, client should not be able to create file
+ # with primary group not known on server side
+ $RUNAS touch $DIR/$tdir/fileA &&
+ error "server should not trust client's primary gid"
+ do_facet mds1 "lctl set_param mdt.*.identity_flush=-1"
+
+ do_facet mds1 groupadd -g 5000 grptest9
+ stack_trap "do_facet mds1 groupdel grptest9 || true" EXIT
+ do_facet mds1 usermod -a -G grptest9 $test9user
+ stack_trap "do_facet mds1 gpasswd -d $test9user grptest9 || true" EXIT
+ id $RUNAS_ID
+ do_facet mds1 "id $RUNAS_ID"
+ # Thanks to Kerberos, client should be able to create file
+ # with primary group taken as one of supp groups, as long as
+ # server side knows the supp groups.
+ $RUNAS touch $DIR/$tdir/fileA ||
+ error "server should know client's supp gid"
+ ls -l $DIR/$tdir
+ do_facet mds1 "lctl set_param mdt.*.identity_flush=-1"
+ do_facet mds1 gpasswd -d $test9user grptest9
+ do_facet mds1 groupdel grptest9
+ usermod -g $test9user $test9user
+
+ usermod -a -G grptest9 $test9user
+ stack_trap "gpasswd -d $test9user grptest9" EXIT
+ id $RUNAS_ID
+ $RUNAS touch $DIR/$tdir/fileB
+ ls -l $DIR/$tdir
+ # Thanks to Kerberos, client should not be able to chgrp
+ $RUNAS chgrp grptest9 $DIR/$tdir/fileB &&
+ error "server should not trust client's supp gid"
+ ls -l $DIR/$tdir
+ do_facet mds1 "lctl set_param mdt.*.identity_flush=-1"
+}
+run_test 9 "Do not trust primary and supp gids from client"
+
#
# following tests will manipulate flavors and may end with any flavor set,
# so each test should not assume any start flavor.
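Review bot: In test_9 the two negative checks (`$RUNAS touch $DIR/$tdir/fileA && error ...` and `$RUNAS chgrp grptest9 $DIR/$tdir/fileB && error ...`) pass on any failure, not only on the server rejecting the client-supplied gid, and the setup steps before them are unchecked. In particular `$RUNAS touch $DIR/$tdir/fileB` has no `|| error`, so if it fails the `chgrp` fails on a missing file and the test reports success without having exercised the server's check; `groupadd -g 5000 grptest9` and the `usermod` calls are likewise unchecked, and gid 5000 may already be taken on the node. I would add `|| error "touch fileB failed"` there and `|| error` on the group setup. The restore `usermod -g $test9user $test9user` assumes the user's original primary group has the same name as the user; saving `$(id -gn $RUNAS_ID)` before the change and restoring that would not depend on it. Separately, `fail_loc=0x80001204` in test_8 is no longer reset to 0, so if the pause point is never hit it presumably stays armed for later tests; a `stack_trap` resetting it would cover that.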
stopall
# start gss daemon on mgs node
- combined_mgs_mds || start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv"
+ combined_mgs_mds || start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv"
# start mgs
start mgs $(mgsdevname 1) $MDS_MOUNT_OPTS