From 74890266a39297c1c3a41263a7bfd86e0d8e426a Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Fri, 21 Apr 2023 15:55:21 +0200
Subject: [PATCH] LU-16758 krb: use Kerberos machine principal in client

In addition to having Lustre client rely on the lustre_root/@REALM principal to authenticate, support the more standard Kerberos machine principal host/@REALM. That avoids the need for additional keytab entries, and brings Lustre in line with other services such as OpenSSH and NFS.

Signed-off-by: Sebastien Buisson
Change-Id: Id50cef1a3a94248b958ce9ea42b5ae356f29cbf1
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/50709
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Aurelien Degremont
Reviewed-by: Jonathan Calmels
Reviewed-by: Oleg Drokin
---
 lustre/utils/gss/lgss_krb5_utils.c | 11 +++++++----
 lustre/utils/gss/lgss_utils.h | 1 +
 lustre/utils/gss/svcgssd.h | 2 +-
 lustre/utils/gss/svcgssd_proc.c | 6 ++++--
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/lustre/utils/gss/lgss_krb5_utils.c b/lustre/utils/gss/lgss_krb5_utils.c
index 8b52f50..d59e49f 100644
--- a/lustre/utils/gss/lgss_krb5_utils.c
+++ b/lustre/utils/gss/lgss_krb5_utils.c
@@ -302,7 +302,9 @@ static int lkrb5_cc_check_tgt_princ(krb5_context ctx,
 else
 return -1;
 
- if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ), princ_name)) {
+ if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ), princ_name) &&
+ (strcmp(princ_name, LGSS_USR_ROOT_STR) ||
+ lgss_krb5_strcmp(krb5_princ_name(ctx, princ), LGSS_SVC_HOST_STR))) {
 logmsg(LL_WARN, "%.*s: we expect %s instead\n",
 krb5_princ_name(ctx, princ)->length,
 krb5_princ_name(ctx, princ)->data,
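Review bot: The new condition in lkrb5_cc_check_tgt_princ packs the "lustre_root-or-host" equivalence into a three-clause boolean with no comment, and the LL_WARN message that follows still reads `we expect %s instead`, presumably naming only princ_name, so when princ_name is lustre_root and the cache holds a third name the log says nothing about host/ being acceptable. A one-line comment above the `if` would carry the intent: `/* when lustre_root is expected, a host/ machine principal is accepted too */`. The same unexplained equivalence appears in the @@ -840 hunk of this file and in both svcgssd_proc.c hunks. lkrb5_cc_check_tgt_princ starts and ends outside the hunk.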
@@ -840,13 +842,14 @@ static int lkrb5_refresh_root_tgt_cc(krb5_context ctx, unsigned int root_flags,
 princname = krb5_princ_name(ctx, kte.principal);
 
 if ((root_flags & LGSS_ROOT_CRED_ROOT) != 0 &&
- lgss_krb5_strcmp(princname, LGSS_USR_ROOT_STR) == 0) {
+ (!lgss_krb5_strcmp(princname, LGSS_USR_ROOT_STR) ||
+ !lgss_krb5_strcmp(princname, LGSS_SVC_HOST_STR))) {
 flag = LGSS_ROOT_CRED_ROOT;
 } else if ((root_flags & LGSS_ROOT_CRED_MDT) != 0 &&
- lgss_krb5_strcmp(princname, LGSS_SVC_MDS_STR) == 0) {
+ !lgss_krb5_strcmp(princname, LGSS_SVC_MDS_STR)) {
 flag = LGSS_ROOT_CRED_MDT;
 } else if ((root_flags & LGSS_ROOT_CRED_OST) != 0 &&
- lgss_krb5_strcmp(princname, LGSS_SVC_OSS_STR) == 0) {
+ !lgss_krb5_strcmp(princname, LGSS_SVC_OSS_STR)) {
 flag = LGSS_ROOT_CRED_OST;
 } else {
 logmsg(LL_TRACE, "not what we want, skip\n");
diff --git a/lustre/utils/gss/lgss_utils.h b/lustre/utils/gss/lgss_utils.h
index 607fb31..c708bd4 100644
--- a/lustre/utils/gss/lgss_utils.h
+++ b/lustre/utils/gss/lgss_utils.h
@@ -50,6 +50,7 @@
 #define LGSS_SVC_MGS_STR "lustre_mgs"
 #define LGSS_SVC_MDS_STR "lustre_mds"
 #define LGSS_SVC_OSS_STR "lustre_oss"
+#define LGSS_SVC_HOST_STR "host"
 #define LGSS_USR_ROOT_STR "lustre_root"
 
 typedef enum {
diff --git a/lustre/utils/gss/svcgssd.h b/lustre/utils/gss/svcgssd.h
index 64c32f5..9cf996a 100644
--- a/lustre/utils/gss/svcgssd.h
+++ b/lustre/utils/gss/svcgssd.h
@@ -55,7 +55,7 @@ extern int sk_dh_checks;
 #define GSSD_SERVICE_MGS "lustre_mgs"
 #define GSSD_SERVICE_MDS "lustre_mds"
 #define GSSD_SERVICE_OSS "lustre_oss"
+#define GSSD_SERVICE_HOST "host"
 #define LUSTRE_ROOT_NAME "lustre_root"
-#define LUSTRE_ROOT_NAMELEN 11
 
 #endif /* _RPC_SVCGSSD_H_ */
diff --git a/lustre/utils/gss/svcgssd_proc.c b/lustre/utils/gss/svcgssd_proc.c
index 9931207..c2ef07f 100644
--- a/lustre/utils/gss/svcgssd_proc.c
+++ b/lustre/utils/gss/svcgssd_proc.c
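Review bot: The MDS and OSS comparisons in lkrb5_refresh_root_tgt_cc are rewritten from `== 0` to `!` with no functional change, so the hunk mixes style churn with the host/ addition and each condition now reads `(root_flags & X) != 0 && !lgss_krb5_strcmp(...)`, explicit on one side and negated-truthiness on the other. Either keep the `== 0` form the surrounding code used or apply one convention to both halves. Note also that this keytab walk accepts the first entry whose name component is host; if the instance part is not compared elsewhere (outside the hunk), a keytab carrying host/ entries for several instances picks whichever comes first, which is worth a comment at `flag = LGSS_ROOT_CRED_ROOT;`. The function continues outside the hunk.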
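Review bot: The removal of `LUSTRE_ROOT_NAMELEN` in svcgssd.h is unrelated to the machine-principal change and is not mentioned in the commit message; if it is dead code, one sentence in the description or a separate cleanup commit would spare readers of the history from guessing. The literal `"host"` is now defined twice (GSSD_SERVICE_HOST here and LGSS_SVC_HOST_STR in lgss_utils.h), mirroring the existing lustre_root duplication between LUSTRE_ROOT_NAME and LGSS_USR_ROOT_STR, so anyone changing one must remember the other; a comment next to each pointing at its twin would help.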
@@ -340,7 +340,8 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred,
 
 /* Now we know we are dealing with a local realm */
 
- if (!strcmp(sname, LUSTRE_ROOT_NAME)) {
+ if (!strcmp(sname, LUSTRE_ROOT_NAME) ||
+ !strcmp(sname, GSSD_SERVICE_HOST)) {
 cred->cr_uid = 0;
 cred->cr_usr_root = 1;
 goto valid;
@@ -383,7 +384,8 @@ valid:
 }
 fallthrough;
 case LUSTRE_GSS_SVC_OSS:
- if (!strcmp(sname, LUSTRE_ROOT_NAME)) {
+ if (!strcmp(sname, LUSTRE_ROOT_NAME) ||
+ !strcmp(sname, GSSD_SERVICE_HOST)) {
 cred->cr_uid = 0;
 cred->cr_usr_root = 1;
 } else if (!strcmp(sname, GSSD_SERVICE_MDS)) {
-- 
1.8.3.1
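Review bot: In get_ids every principal whose name component equals `host` is now mapped to `cred->cr_uid = 0` with `cr_usr_root = 1`, and nothing in the hunk restricts which instance (hostname) that is; if the instance is not vetted before this point (outside the hunk), any machine principal in the local realm, that is every Kerberos-joined host rather than only those issued a lustre_root/ keytab entry, gains Lustre root on this server. That is a wider trust boundary than before and should be stated at the check, e.g. `/* host/<fqdn>@REALM machine principals are trusted as root, like lustre_root/ */`, and in the admin-facing documentation. The same mapping is repeated in the @@ -383 hunk (LUSTRE_GSS_SVC_OSS case). get_ids starts and ends outside the hunk.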
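Review bot: The `LUSTRE_ROOT_NAME || GSSD_SERVICE_HOST` test now appears twice in get_ids (here and in the @@ -340 hunk), so the set of root-equivalent principal names is defined in two places that must be kept in step. A small static helper holding that test once would keep both call sites identical and give the policy a single name to document. The switch this case belongs to starts and ends outside the hunk.
```c
/* principal names that map to the root credential on this server */
static int sname_is_root(const char *sname)
{
	return !strcmp(sname, LUSTRE_ROOT_NAME) ||
	       !strcmp(sname, GSSD_SERVICE_HOST);
}

/* … unchanged: get_ids up to the LUSTRE_GSS_SVC_OSS case … */
	case LUSTRE_GSS_SVC_OSS:
		if (sname_is_root(sname)) {
			cred->cr_uid = 0;
			cred->cr_usr_root = 1;
```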