From: Sebastien Buisson <sbuisson@ddn.com>
Date: Mon, 3 Jun 2024 11:52:20 +0000 (+0200)
Subject: LU-17899 gss: lsvcgss service fix
X-Git-Tag: 2.15.64~82
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=refs%2Fchanges%2F93%2F55293%2F2;p=fs%2Flustre-release.git

LU-17899 gss: lsvcgss service fix

The lsvcgss service can fail to start if the daemon is invoked with
the '-k' option whereas no proper Kerberos configuration is in place
on the server. The daemon should ignore the '-k' option is such case
and try to start the other provided modes if any (SSK, Null).
And in case the daemon is started with the '-s' option (SSK), it
spawns a temporary additional thread to compute the number of rounds
used for Miller-Rabin prime testing. So the lsvcgss_sysd script should
support that.

Fixes: c6878334a1 ("LU-17741 gss: fix lsvcgss service for systemd")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Iba632bd0ea9696ccea52bff5982a4d4e490597a7
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/55293
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Jian Yu <yujian@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---

diff --git a/lustre/scripts/lsvcgss_sysd b/lustre/scripts/lsvcgss_sysd
index 0eec92a..810931a 100644
--- a/lustre/scripts/lsvcgss_sysd
+++ b/lustre/scripts/lsvcgss_sysd
@@ -17,6 +17,6 @@ LSVCGSSDARGS="-k -s -z"
 
 /usr/sbin/lsvcgssd ${LSVCGSSDARGS}
 RETVAL=$?
-[ $RETVAL -eq 0 ] && echo $(pidof lsvcgssd) > $PIDFILE
+[ $RETVAL -eq 0 ] && echo $(pidof -s lsvcgssd) > $PIDFILE
 
 exit $RETVAL
diff --git a/lustre/utils/gss/svcgssd.c b/lustre/utils/gss/svcgssd.c
index a2c69fc..4711a49 100644
--- a/lustre/utils/gss/svcgssd.c
+++ b/lustre/utils/gss/svcgssd.c
@@ -304,13 +304,14 @@ main(int argc, char *argv[])
 		if (gssd_check_mechs()) {
 			printerr(LL_ERR,
 				 "ERROR: problem with gssapi library\n");
-			exit(1);
+			ret = -1;
+			goto err_krb;
 		}
 		ret = gss_get_realm(realm);
 		if (ret) {
 			printerr(LL_ERR, "ERROR: no Kerberos realm: %s\n",
 				 error_message(ret));
-			exit(1);
+			goto err_krb;
 		}
 		printerr(LL_WARN, "Kerberos realm: %s\n", krb5_this_realm);
 		if (get_creds &&
@@ -320,7 +321,16 @@ main(int argc, char *argv[])
 				 "unable to obtain root (machine) credentials\n");
 			printerr(LL_ERR,
 				 "do you have a keytab entry for <lustre_xxs>/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?\n");
-			exit(1);
+			ret = -1;
+			goto err_krb;
+		}
+
+err_krb:
+		if (ret) {
+			krb_enabled = 0;
+			printerr(LL_ERR, "ERROR: disabling Kerberos support\n");
+			if (!sk_enabled && !krb_enabled && !null_enabled)
+				exit(EXIT_FAILURE);
 		}
 	}