LU-17528 gss: cleanup gss api usage The lucid context support has been available from at least krb5 1.7, and even RHEL7 ships with a more recent version. So drop support for non-lucid api, and cleanup gss api usage. Test-Parameters: trivial Test-Parameters: kerberos=true testlist=sanity-krb5 Test-Parameters: testgroup=review-dne-selinux-ssk-part-2 Signed-off-by: Sebastien Buisson <sbuisson@ddn.com> Change-Id: I91fb706d2444c199156423b57a8c1ef24a0c3420 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/54063 Reviewed-by: Aurelien Degremont <adegremont@nvidia.com> Reviewed-by: Bruno Faccini <bfaccini@nvidia.com> Reviewed-by: Andreas Dilger <adilger@whamcloud.com> Reviewed-by: Oleg Drokin <green@whamcloud.com> Tested-by: jenkins <devops@whamcloud.com> Tested-by: Maloo <maloo@whamcloud.com>
LU-17257 build: use pkg-config to find krb5 libdir This patch fixes kerberos5.m4 to use pkg-config to find krb5 libdir instead of looking for the krb5 libraries in a static list of path. Test-Parameters: trivial kerberos=true testlist=sanity-krb5 Change-Id: Ia15812932942171b019f3e73034a78f9185c16ce Signed-off-by: Jian Yu <yujian@whamcloud.com> Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53010 Tested-by: jenkins <devops@whamcloud.com> Tested-by: Maloo <maloo@whamcloud.com> Reviewed-by: Andreas Dilger <adilger@whamcloud.com> Reviewed-by: Sebastien Buisson <sbuisson@ddn.com> Reviewed-by: Aurelien Degremont <adegremont@nvidia.com> Reviewed-by: Oleg Drokin <green@whamcloud.com>
LU-15838 autoconf: fix use of obsolete macros This patch fixes the following warnings when using autoconf 2.71: configure.ac:2: warning: AC_INIT: not a literal: "m4_esyscmd(sh -c "./LUSTRE-VERSION-GEN | tr -d '\n'")" configure.ac:10: warning: The macro `AC_CANONICAL_SYSTEM' is obsolete. configure.ac:16: warning: The macro `AC_PROG_LIBTOOL' is obsolete. configure.ac:24: warning: The macro `AC_HELP_STRING' is obsolete. Like m4_esyscmd, macro m4_esyscmd_s (introduced in autoconf 2.64) expands to the result of running command in a shell. The difference is that any trailing newlines are removed. Since autoconf 2.50, macro 'AC_CANONICAL_TARGET' has been the new name of 'AC_CANONICAL_SYSTEM': AU_ALIAS([AC_CANONICAL_SYSTEM], [AC_CANONICAL_TARGET]) Since autoconf 2.58, macro 'AS_HELP_STRING' has been added to replace 'AC_HELP_STRING'. Since libtool 2.0, new 'LT_INIT' interface has been added to replace 'AC_PROG_LIBTOOL'. Change-Id: I3c06c21460d7a2cf643fe825e72a26a5416609cf Signed-off-by: Jian Yu <yujian@whamcloud.com> Reviewed-on: https://review.whamcloud.com/47288 Tested-by: jenkins <devops@whamcloud.com> Tested-by: Maloo <maloo@whamcloud.com> Reviewed-by: Neil Brown <neilb@suse.de> Reviewed-by: James Simmons <jsimmons@infradead.org> Reviewed-by: Oleg Drokin <green@whamcloud.com>
LU-14116 autoconf: check if DES3 enctype is supported krb5 releases 1.18 and later completely remove support for all DES3 enctypes (des3-cbc-raw, des3-hmac-sha1, des3-cbc-sha1-kd). This patch adds HAVE_DES3_SUPPORT to check if DES3 enctype is supported. Change-Id: Ibb51ec7961e8c775ea92dec6119f4de01e2d9b1d Signed-off-by: Jian Yu <yujian@whamcloud.com> Reviewed-on: https://review.whamcloud.com/40554 Tested-by: jenkins <devops@whamcloud.com> Reviewed-by: Sebastien Buisson <sbuisson@ddn.com> Tested-by: Maloo <maloo@whamcloud.com> Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
LU-11750 krb5: krb5int_derive_key has 'hash' extra parameter From Kerberos 5 release 1.15, and introduction of support of aes-sha2, krb5int_derive_key() groks an additional 'hash' parameter. Signed-off-by: Sebastien Buisson <sbuisson@ddn.com> Change-Id: I7c6ea5ac2d6844371b254b7361d28c462afe5afa Reviewed-on: https://review.whamcloud.com/33817 Tested-by: Jenkins Reviewed-by: Andreas Dilger <adilger@whamcloud.com> Tested-by: Maloo <maloo@whamcloud.com> Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com> Reviewed-by: Li Dongyang <dongyangli@ddn.com> Reviewed-by: James Simmons <uja.ornl@yahoo.com>
LU-8116 build: Cleanup GSS configure script messages Some of the GSS configure warning are unnecessarily multi-line, and also redundant. For instance: checking for keyctl_search in -lkeyutils... no configure: WARNING: libkeyutils is not found, which is required by gss keyring backend configure: WARNING: Cannot enable gss keyring. See above for details. Why so many lines? Why the double warning? Also, there is a bug in the "for Kerberos v5" check where it fails to use AC_MSG_RESULT in the negative case. A completely different function winds up appending an AC_MSG_WARN: checking for Kerberos v5... configure: WARNING: not found! This patch addresses those minor issues. Change-Id: Ic9fb8b5687849688d965cc67b394e4eb569204be Signed-off-by: Christopher J. Morrone <morrone2@llnl.gov> Reviewed-on: http://review.whamcloud.com/20056 Tested-by: Jenkins Tested-by: Maloo <hpdd-maloo@intel.com> Reviewed-by: Minh Diep <minh.diep@intel.com> Reviewed-by: Bob Glossman <bob.glossman@intel.com> Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
LU-6490 gss: 3.1x kernels adjustments for gssapi code There are a number of changes in 3.1x kernels concerning the GSSAPI: - libgssapi and libgssglue do not exist anymore, so call krb5 primitives directly, and remove associated config checks; - struct cred has no tgcred member anymore, so use cred directly; - struct key_type instantiate and update function prototypes have changed; - add new config checks on struct cred and struct key_type; - u_int is BSD specific, so it is replaced with unsigned int. Signed-off-by: Sebastien Buisson <sebastien.buisson@bull.net> Change-Id: I3b13c2afcb4b800bdcffb3b8713048f8e39f6866 Reviewed-on: http://review.whamcloud.com/15342 Reviewed-by: Bob Glossman <bob.glossman@intel.com> Tested-by: Jenkins Reviewed-by: James Simmons <uja.ornl@yahoo.com> Tested-by: Maloo <hpdd-maloo@intel.com> Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
LU-3953 build: configure output improvments Cleanup from mess in configure output and multi-line messages. Signed-off-by: Dmitry Eremin <dmitry.eremin@intel.com> Change-Id: If90b0962f1b44f28af41e30015cc2ab253d6b83e Reviewed-on: http://review.whamcloud.com/9309 Tested-by: Jenkins Reviewed-by: Bob Glossman <bob.glossman@intel.com> Tested-by: Maloo <hpdd-maloo@intel.com> Reviewed-by: Brian J. Murrell <brian.murrell@intel.com> Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
LU-4085 build: gss/krb5 is disabled despite functions found The function available check for krb5int_derive_key and krb5_derive_key by means of AC_CHECK_LIB($gssapi_lib,...) does not set shell variables HAVE_KRB5_DERIVE_KEY, HAVE_KRB5INT_DERIVE_KEY so the test AS_IF([test "x$HAVE_KRB5INT_DERIVE_KEY" = "x1" -o "x$HAVE_KRB5_DERIVE_KEY" = "x1"] gives false despite the functions are found. As a side effect this fix revealed that calls with real prototypes are required. Thus prototypes of krb5_derive_key(...) and krb5int_derive_key(...) are provided, and required structures from krb5-int.h are copied. Signed-off-by: Thomas Stibor <thomas@stibor.net> Change-Id: I8c4cce5f861c9e4d01071024c4b852a2274c1b40 Reviewed-on: http://review.whamcloud.com/7913 Tested-by: Jenkins Reviewed-by: Andreas Dilger <andreas.dilger@intel.com> Tested-by: Maloo <hpdd-maloo@intel.com> Reviewed-by: Bob Glossman <bob.glossman@intel.com> Reviewed-by: Nathaniel Clark <nathaniel.l.clark@intel.com>
LU-3490 autoconf: disable GSS when required libraries missing Add 'auto' functionality to GSS keyring configuration to match GSS configuration. When using the 'auto' setting for GSS and GSS keyring, set enable_gss/enable_gss_keyring to 'yes' if configuration tests pass so GSS is actually built. Disable GSS/KRB5 if both krb5_derive_key and krb5int_derive_key are missing. In some distro such as Sles11sp1 and Ubuntu 10.04, both of these libraries are missing Remove #ifdef HAVE_STRUCT_CRED since it's not defined anywhere. This is due to incomplete cleanup of autoconf from LU-2800 Signed-off-by: Patrick Farrell <paf@cray.com> Signed-off-by: Minh Diep <minh.diep@intel.com> Change-Id: I36eb1370afe42cbac3ac924ca8100acaa25558d9 Reviewed-on: http://review.whamcloud.com/7622 Tested-by: Hudson Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com> Tested-by: Maloo <whamcloud.maloo@gmail.com> Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
LU-3490 kerberos: Enable GSSAPI support by default This change enables GSSAPI support by default when its prerequisites are available. Without this change, the GSSAPI code does not get tested when commits are made to Gerrit, even if the prerequisite GSSAPI and Kerberos libraries are installed. Signed-off-by: Andrew Korty <ajk@iu.edu> Change-Id: If661cc6bb1188f3678f70189d5e333219c31052d Reviewed-on: http://review.whamcloud.com/6740 Reviewed-by: Andreas Dilger <andreas.dilger@intel.com> Tested-by: Hudson Tested-by: Maloo <whamcloud.maloo@gmail.com> Reviewed-by: Minh Diep <minh.diep@intel.com> Reviewed-by: Ken Hornstein <kenh@cmf.nrl.navy.mil> Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
LU-2384 kerberos: Support for MIT-kerberos >=1.8.X is broken Since version 1.8.X the function signature for deriving cryptographic keys of the MIT-kerberos library: krb5_derive_key(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, krb5_keyblock *outkey, const krb5_data *in_constant) is changed in: krb5int_derive_key(const struct krb5_enc_provider *enc, krb5_key inkey, krb5_key *outkey, const krb5_data *in_constant) The kerberos support for lustre thus is not working anymore with current linux distributions supporting MIT-kerberos library >= 1.8.X. Signed-off-by: Andrew Korty <ajk@iu.edu> Change-Id: I35e85a15e7fd846df6d63d430d7ac98ec53d7c56 Reviewed-on: http://review.whamcloud.com/4672 Tested-by: Hudson Reviewed-by: Andreas Dilger <andreas.dilger@intel.com> Reviewed-by: Keith Mannthey <keith.mannthey@intel.com> Tested-by: Maloo <whamcloud.maloo@gmail.com> Reviewed-by: Fan Yong <fan.yong@intel.com>
LU-1924 build: configure can not find libgssapi_krb5.so ./configure --enable-gss cannot find on Debian amd64/x86_64 wheezy the file libgssapi_krb5.so although it exists in the directory /usr/lib/x86_x64-linux-gnu. Probably some other amd64/x86_64 Linux distributions are effected as well. Signed-off-by: Thomas Stibor <thomas@stibor.net> Change-Id: Ife12e11224db4ef64adbcedb31cc1c07cf1c9b2e Reviewed-on: http://review.whamcloud.com/4378 Reviewed-by: Andreas Dilger <andreas.dilger@intel.com> Reviewed-by: Fan Yong <fan.yong@intel.com> Tested-by: Hudson Tested-by: Maloo <whamcloud.maloo@gmail.com>
land b_colibri_devel on HEAD: - redesigned remote acl support, by FanYong b=11842 r=pravin.shelar, eric.mei - new sptlrpc configure interface b=13642 r=yong.fan, rahul.deshmukh - split kerberos keytab for lustre_root b=13873 r=yong.fan, h.huang - fix setuid for gss with linux keyring b=13899 r=yong.fan, h.huang
- make HEAD from b_post_cmd3