Actually skip LGSS_MECH_SK processing if SSK is not enabled, rather than
just printing an error message. Distinguish between SSK being
disabled or not included in the service at all.
Rate limit the number of error messages submitted to the logs.
Test-Parameters: trivial testlist=sanity-sec
Signed-off-by: Andreas Dilger <andreas.dilger@intel.com>
Change-Id: I0190c46b94ecf668ef629c5b864c43658f3560f3
Reviewed-on: https://review.whamcloud.com/25584
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Chris Hanna <hannac@iu.edu>
Reviewed-by: Bob Glossman <bob.glossman@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
else
cred->cr_mapped_uid = -1;
else
cred->cr_mapped_uid = -1;
- realm = strchr(sname, '@');
+ realm = strchr(sname, '@');
} else {
printerr(0, "ERROR: %s has no realm name\n", sname);
goto out_free;
}
} else {
printerr(0, "ERROR: %s has no realm name\n", sname);
goto out_free;
}
- host = strchr(sname, '/');
- if (host)
- *host++ = '\0';
+ host = strchr(sname, '/');
+ if (host)
+ *host++ = '\0';
if (strcmp(sname, GSSD_SERVICE_MGS) == 0) {
printerr(0, "forbid %s as a user name\n", sname);
if (strcmp(sname, GSSD_SERVICE_MGS) == 0) {
printerr(0, "forbid %s as a user name\n", sname);
printerr(1, "%s: authenticated %s%s%s@%s from %016llx\n",
lustre_svc_name[lustre_svc], sname,
host ? "/" : "", host ? host : "", realm, nid);
printerr(1, "%s: authenticated %s%s%s@%s from %016llx\n",
lustre_svc_name[lustre_svc], sname,
host ? "/" : "", host ? host : "", realm, nid);
- free(sname);
- return res;
+ free(sname);
+ return res;
}
typedef struct gss_union_ctx_id_t {
}
typedef struct gss_union_ctx_id_t {
switch (lustre_mech) {
case LGSS_MECH_KRB5:
if (!krb_enabled) {
switch (lustre_mech) {
case LGSS_MECH_KRB5:
if (!krb_enabled) {
- printerr(1, "WARNING: Request for kerberos but service "
- "support not enabled\n");
+ static time_t next_krb;
+
+ if (time(NULL) > next_krb) {
+ printerr(1, "warning: Request for kerberos but "
+ "service support not enabled\n");
+ next_krb = time(NULL) + 3600;
+ }
goto ignore;
}
snd.mech = &krb5oid;
break;
case LGSS_MECH_NULL:
if (!null_enabled) {
goto ignore;
}
snd.mech = &krb5oid;
break;
case LGSS_MECH_NULL:
if (!null_enabled) {
- printerr(1, "WARNING: Request for gssnull but service "
- "support not enabled\n");
+ static time_t next_null;
+
+ if (time(NULL) > next_null) {
+ printerr(1, "warning: Request for gssnull but "
+ "service support not enabled\n");
+ next_null = time(NULL) + 3600;
+ }
goto ignore;
}
snd.mech = &nulloid;
break;
case LGSS_MECH_SK:
goto ignore;
}
snd.mech = &nulloid;
break;
case LGSS_MECH_SK:
- printerr(1, "WARNING: Request for sk but service "
- "support not enabled\n");
+ static time_t next_ssk;
+
+ if (time(NULL) > next_ssk) {
+ printerr(1, "warning: Request for SSK but "
+ "service support not %s\n",
+#ifdef HAVE_OPENSSL_SSK
+ "enabled"
+#else
+ "included"
+#endif
+ );
+ next_ssk = time(NULL) + 3600;
+ }
+
goto ignore;
}
snd.mech = &skoid;
goto ignore;
}
snd.mech = &skoid;
-#else
- printerr(1, "ERROR: Request for sk but service "
- "support not enabled\n");
-#endif
break;
default:
printerr(0, "WARNING: invalid mechanism recevied: %d\n",
break;
default:
printerr(0, "WARNING: invalid mechanism recevied: %d\n",
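Review bot: The three new rate limiters in the mechanism switch (`next_krb`, `next_null`, `next_ssk`) discard every repeat for an hour without counting it, so the log can no longer show whether a disabled mechanism was requested once or thousands of times. Keeping a per-mechanism counter, for example `else skipped_krb++;`, and printing it with the next warning, e.g. `"... support not enabled (%u similar requests suppressed)\n"`, would preserve that signal for anyone separating a misconfigured client from repeated probing. The same five lines are repeated three times with a bare `3600`; a small `static` helper taking a `time_t *` and a named interval constant would keep the cases consistent. Each check also calls `time(NULL)` twice and relies on wall-clock time, so a backwards clock step would presumably extend the silent period. The enclosing function starts and ends outside the visible hunks, so the exact `#ifdef HAVE_OPENSSL_SSK` layout around the `LGSS_MECH_SK` case should be confirmed against the full file.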