rpms/nfs-utils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Import OL

Browse Source
This commit is contained in:
eabdullin 2025-05-07 18:07:02 +03:00
parent 7e7b4a502a
commit e6208053f3
6 changed files with 355 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
SOURCES/nfs-utils-2.3.3-nfsconf-usegssproxy.patch
View File

@ -1,7 +1,7 @@
diff -up nfs-utils-2.3.4/nfs.conf.orig nfs-utils-2.3.4/nfs.conf
--- nfs-utils-2.3.4/nfs.conf.orig 2019-05-10 14:49:49.000000000 -0400
+++ nfs-utils-2.3.4/nfs.conf 2019-05-10 14:58:20.198714920 -0400
@@ -13,7 +13,7 @@
diff -up nfs-utils-2.5.4/nfs.conf.orig nfs-utils-2.5.4/nfs.conf
--- nfs-utils-2.5.4/nfs.conf.orig 2024-04-30 14:42:44.551812808 -0400
+++ nfs-utils-2.5.4/nfs.conf 2024-04-30 14:43:29.985032677 -0400
@@ -20,7 +20,7 @@
# rpc-verbosity=0
# use-memcache=0
# use-machine-creds=1
@ -9,8 +9,8 @@ diff -up nfs-utils-2.3.4/nfs.conf.orig nfs-utils-2.3.4/nfs.conf
+use-gss-proxy=1
# avoid-dns=1
# limit-to-legacy-enctypes=0
# context-timeout=0
@@ -77,6 +77,5 @@
# allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
@@ -97,6 +97,5 @@ rdma-port=20049
# outgoing-port=
# outgoing-addr=
# lift-grace=y

38
SOURCES/nfs-utils-2.5.4-conffile-argument.patch Normal file
View File

@ -0,0 +1,38 @@
diff -up nfs-utils-2.5.4/support/nfs/conffile.c.orig nfs-utils-2.5.4/support/nfs/conffile.c
--- nfs-utils-2.5.4/support/nfs/conffile.c.orig 2021-06-10 14:07:47.000000000 -0400
+++ nfs-utils-2.5.4/support/nfs/conffile.c 2025-01-08 10:36:51.838168127 -0500
@@ -169,13 +169,15 @@ static void free_conftrans(struct conf_t
* Insert a tag-value combination from LINE (the equal sign is at POS)
*/
static int
-conf_remove_now(const char *section, const char *tag)
+conf_remove_now(const char *section, const char *arg, const char *tag)
{
struct conf_binding *cb, *next;
cb = LIST_FIRST(&conf_bindings[conf_hash (section)]);
for (; cb; cb = next) {
next = LIST_NEXT(cb, link);
+ if (arg && (cb->arg == NULL || strcasecmp(arg, cb->arg) != 0))
+ continue;
if (strcasecmp(cb->section, section) == 0
&& strcasecmp(cb->tag, tag) == 0) {
LIST_REMOVE(cb, link);
@@ -217,7 +219,7 @@ conf_set_now(const char *section, const
struct conf_binding *node = 0;
if (override)
- conf_remove_now(section, tag);
+ conf_remove_now(section, arg, tag);
else if (conf_get_section(section, arg, tag)) {
if (!is_default) {
xlog(LOG_INFO, "conf_set: duplicate tag [%s]:%s, ignoring...",
@@ -1252,7 +1254,7 @@ conf_end(int transaction, int commit)
node->is_default);
break;
case CONF_REMOVE:
- conf_remove_now(node->section, node->tag);
+ conf_remove_now(node->section, node->arg, node->tag);
break;
case CONF_REMOVE_SECTION:
conf_remove_section_now(node->section);

251
SOURCES/nfs-utils-2.5.4-gssd-allowed-enctypes.patch Normal file
View File

@ -0,0 +1,251 @@
commit 9b1f860a3457328a08395651d029a454e0303454
Author: Scott Mayhew <smayhew@redhat.com>
Date: Fri Mar 15 06:34:52 2024 -0400
gssd: add support for an "allowed-enctypes" option in nfs.conf
Newer kernels have support for newer krb5 encryption types, AES with
SHA2 and Camellia. An NFS client with an "old" kernel can talk to
and NFS server with a "new" kernel and it just works. An NFS client
with a "new" kernel can talk to an NFS server with an "old" kernel, but
that requires some additional configuration (particularly if the NFS
server does have support for the newer encryption types in its userspace
krb5 libraries) that may be unclear and/or burdensome to the admin.
1) If the NFS server has support for the newer encryption types in the
userspace krb5 libraries, but not in the kernel's RPCSEC_GSS code,
then its possible that it also already has "nfs" keys using those
newer encryption types in its keytab. In that case, it's necessary
to regenerate the "nfs" keys without the newer encryption types.
The reason this is necessary is because if the NFS client requests
an "nfs" service ticket from the KDC, and the list of enctypes in
in that TGS-REQ contains a newer encryption type, and the KDC had
previously generated a key for the NFS server using the newer
encryption type, then the resulting service ticket in the TGS-REP
will be using the newer encryption type and the NFS server will not
be able to decrypt it.
2) It is necessary to either modify the permitted_enctypes field of the
krb5.conf or create a custom crypto-policy module (if the
crypto-policies package is being used) on the NFS *client* so that it
does not include the newer encryption types. The reason this is
necessary is because it affects the list of encryption types that
will be present in the RPCSEC_GSS_INIT request that the NFS client
sends to the NFS server. The kernel on the NFS server cannot not
process the request on its own; it has to upcall to gssproxy to do
that... and again if the userspace krb5 libraries on the NFS server
have support for the newer encryption types, then it will select one
of those and the kernel will not be able to import the context when
it gets the downcall. Also note that modifying the permitted_enctypes
field and/or crypto policy has the side effect of impacting everything
krb5 related, not just just NFS.
So add support for an "allowed-enctypes" field in nfs.conf. This allows
the admin to restrict gssd to using a subset of the encryption types
that are supported by the kernel and krb5 libraries. This will remove
the need for steps 1 & 2 above, and will only affect NFS rather than
krb5 as a whole.
For example, for a "new" NFS client talking to an "old" NFS server, the
admin will probably want this in the client's nfs.conf:
allowed-enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/nfs.conf b/nfs.conf
index 323f072..23b5f7d 100644
--- a/nfs.conf
+++ b/nfs.conf
@@ -23,6 +23,7 @@
# use-gss-proxy=0
# avoid-dns=1
# limit-to-legacy-enctypes=0
+# allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
# context-timeout=0
# rpc-timeout=5
# keytab-file=/etc/krb5.keytab
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index ca9b326..10c731a 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -1232,6 +1232,12 @@ main(int argc, char *argv[])
daemon_init(fg);
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ rc = get_allowed_enctypes();
+ if (rc)
+ exit(EXIT_FAILURE);
+#endif
+
if (gssd_check_mechs() != 0)
errx(1, "Problem with gssapi library");
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index 2a5384d..c735eff 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -346,6 +346,15 @@ flag.
Equivalent to
.BR -l .
.TP
+.B allowed-enctypes
+Allows you to restrict
+.B rpc.gssd
+to using a subset of the encryption types permitted by the kernel and the krb5
+libraries. This is useful if you need to interoperate with an NFS server that
+does not have support for the newer SHA2 and Camellia encryption types, for
+example. This configuration file option does not have an equivalent
+command-line option.
+.TP
.B context-timeout
Equivalent to
.BR -t .
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 6f66ef4..57b3cf8 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -129,6 +129,7 @@
#include "err_util.h"
#include "gss_util.h"
#include "krb5_util.h"
+#include "conffile.h"
/*
* List of principals from our keytab that we
@@ -155,6 +156,8 @@ static pthread_mutex_t ple_lock = PTHREAD_MUTEX_INITIALIZER;
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
int limit_to_legacy_enctypes = 0;
+krb5_enctype *allowed_enctypes = NULL;
+int num_allowed_enctypes = 0;
#endif
/*==========================*/
@@ -1596,6 +1599,68 @@ out_cred:
}
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+int
+get_allowed_enctypes(void)
+{
+ struct conf_list *allowed_etypes = NULL;
+ struct conf_list_node *node;
+ char *buf = NULL, *old = NULL;
+ int len, ret = 0;
+
+ allowed_etypes = conf_get_list("gssd", "allowed-enctypes");
+ if (allowed_etypes) {
+ TAILQ_FOREACH(node, &(allowed_etypes->fields), link) {
+ allowed_enctypes = realloc(allowed_enctypes,
+ (num_allowed_enctypes + 1) *
+ sizeof(*allowed_enctypes));
+ if (allowed_enctypes == NULL) {
+ ret = ENOMEM;
+ goto out_err;
+ }
+ ret = krb5_string_to_enctype(node->field,
+ &allowed_enctypes[num_allowed_enctypes]);
+ if (ret) {
+ printerr(0, "%s: invalid enctype %s",
+ __func__, node->field);
+ goto out_err;
+ }
+ if (get_verbosity() > 1) {
+ if (buf == NULL) {
+ len = asprintf(&buf, "%s(%d)", node->field,
+ allowed_enctypes[num_allowed_enctypes]);
+ if (len < 0) {
+ ret = ENOMEM;
+ goto out_err;
+ }
+ } else {
+ old = buf;
+ len = asprintf(&buf, "%s,%s(%d)", old, node->field,
+ allowed_enctypes[num_allowed_enctypes]);
+ if (len < 0) {
+ ret = ENOMEM;
+ goto out_err;
+ }
+ free(old);
+ old = NULL;
+ }
+ }
+ num_allowed_enctypes++;
+ }
+ printerr(2, "%s: allowed_enctypes = %s", __func__, buf);
+ }
+ goto out;
+out_err:
+ num_allowed_enctypes = 0;
+ free(allowed_enctypes);
+out:
+ free(buf);
+ if (old != buf)
+ free(old);
+ if (allowed_etypes)
+ conf_free_list(allowed_etypes);
+ return ret;
+}
+
/*
* this routine obtains a credentials handle via gss_acquire_cred()
* then calls gss_krb5_set_allowable_enctypes() to limit the encryption
@@ -1619,6 +1684,10 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
extern int num_krb5_enctypes;
extern krb5_enctype *krb5_enctypes;
+ extern int num_allowed_enctypes;
+ extern krb5_enctype *allowed_enctypes;
+ int num_set_enctypes;
+ krb5_enctype *set_enctypes;
int err = -1;
if (sec->cred == GSS_C_NO_CREDENTIAL) {
@@ -1631,12 +1700,26 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
* If we failed for any reason to produce global
* list of supported enctypes, use local default here.
*/
- if (krb5_enctypes == NULL || limit_to_legacy_enctypes)
- maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
- &krb5oid, num_enctypes, enctypes);
- else
- maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
- &krb5oid, num_krb5_enctypes, krb5_enctypes);
+ if (krb5_enctypes == NULL || limit_to_legacy_enctypes ||
+ allowed_enctypes) {
+ if (allowed_enctypes) {
+ printerr(2, "%s: using allowed enctypes from config\n",
+ __func__);
+ num_set_enctypes = num_allowed_enctypes;
+ set_enctypes = allowed_enctypes;
+ } else {
+ printerr(2, "%s: using legacy enctypes\n", __func__);
+ num_set_enctypes = num_enctypes;
+ set_enctypes = enctypes;
+ }
+ } else {
+ printerr(2, "%s: using enctypes from the kernel\n", __func__);
+ num_set_enctypes = num_krb5_enctypes;
+ set_enctypes = krb5_enctypes;
+ }
+
+ maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
+ &krb5oid, num_set_enctypes, set_enctypes);
if (maj_stat != GSS_S_COMPLETE) {
pgsserr("gss_set_allowable_enctypes",
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index 7ef8701..40ad323 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -27,6 +27,7 @@ int gssd_k5_remove_bad_service_cred(char *srvname);
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
extern int limit_to_legacy_enctypes;
int limit_krb5_enctypes(struct rpc_gss_sec *sec);
+int get_allowed_enctypes(void);
#endif
/*

239
SOURCES/nfs-utils-2.5.4-gssd-bad-integ-error-support.patch
View File

@ -1,239 +0,0 @@
diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4
index 27368ff2..4379b14d 100644
--- a/aclocal/libtirpc.m4
+++ b/aclocal/libtirpc.m4
@@ -26,6 +26,11 @@ AC_DEFUN([AC_LIBTIRPC], [
[Define to 1 if your tirpc library provides libtirpc_set_debug])],,
[${LIBS}])])
+ AS_IF([test -n "${LIBTIRPC}"],
+ [AC_CHECK_LIB([tirpc], [rpc_gss_seccreate],
+ [AC_DEFINE([HAVE_TIRPC_GSS_SECCREATE], [1],
+ [Define to 1 if your tirpc library provides rpc_gss_seccreate])],,
+ [${LIBS}])])
AC_SUBST([AM_CPPFLAGS])
AC_SUBST(LIBTIRPC)
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index ae568f15..7629de0b 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -70,6 +70,9 @@
#include <sys/types.h>
#include <sys/wait.h>
#include <syscall.h>
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+#include <rpc/rpcsec_gss.h>
+#endif
#include "gssd.h"
#include "err_util.h"
@@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp,
struct timeval timeout;
struct sockaddr *addr = (struct sockaddr *) &clp->addr;
socklen_t salen;
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+ rpc_gss_options_req_t req;
+ rpc_gss_options_ret_t ret;
+ char mechanism[] = "kerberos_v5";
+#endif
pthread_t tid = pthread_self();
sec.qop = GSS_C_QOP_DEFAULT;
@@ -410,15 +418,43 @@ create_auth_rpc_client(struct clnt_info *clp,
printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n",
tid, tgtname);
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+ memset(&req, 0, sizeof(req));
+ req.my_cred = sec.cred;
+ auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism,
+ rpcsec_gss_svc_none, NULL, &req, &ret);
+#else
auth = authgss_create_default(rpc_clnt, tgtname, &sec);
+#endif
if (!auth) {
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+ if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ printerr(2, "WARNING: server=%s failed context "
+ "creation with KRB5_AP_ERR_BAD_INTEGRITY\n",
+ clp->servername);
+ if (cred == GSS_C_NO_CREDENTIAL)
+ retval = gssd_refresh_krb5_machine_credential(clp->servername,
+ "*", NULL, 1);
+ else
+ retval = gssd_k5_remove_bad_service_cred(clp->servername);
+ if (!retval) {
+ auth = rpc_gss_seccreate(rpc_clnt, tgtname,
+ mechanism, rpcsec_gss_svc_none,
+ NULL, &req, &ret);
+ if (auth)
+ goto success;
+ }
+ }
+#endif
/* Our caller should print appropriate message */
printerr(2, "WARNING: Failed to create krb5 context for "
"user with uid %d for server %s\n",
uid, tgtname);
goto out_fail;
}
-
+#ifdef HAVE_TIRPC_GSS_SECCREATE
+success:
+#endif
/* Success !!! */
rpc_clnt->cl_auth = auth;
*clnt_return = rpc_clnt;
@@ -571,7 +607,7 @@ krb5_use_machine_creds(struct clnt_info *clp, uid_t uid,
do {
gssd_refresh_krb5_machine_credential(clp->servername,
- service, srchost);
+ service, srchost, 0);
/*
* Get a list of credential cache names and try each
* of them until one works or we've tried them all
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index e3f270e9..6f66ef4f 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -165,7 +165,7 @@ static int select_krb5_ccache(const struct dirent *d);
static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
const char **cctype, struct dirent **d);
static int gssd_get_single_krb5_cred(krb5_context context,
- krb5_keytab kt, struct gssd_k5_kt_princ *ple);
+ krb5_keytab kt, struct gssd_k5_kt_princ *ple, int force_renew);
static int query_krb5_ccache(const char* cred_cache, char **ret_princname,
char **ret_realm);
@@ -391,7 +391,8 @@ gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
static int
gssd_get_single_krb5_cred(krb5_context context,
krb5_keytab kt,
- struct gssd_k5_kt_princ *ple)
+ struct gssd_k5_kt_princ *ple,
+ int force_renew)
{
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
krb5_get_init_creds_opt *init_opts = NULL;
@@ -421,7 +422,7 @@ gssd_get_single_krb5_cred(krb5_context context,
*/
now += 300;
pthread_mutex_lock(&ple_lock);
- if (ple->ccname && ple->endtime > now && !nocache) {
+ if (ple->ccname && ple->endtime > now && !nocache && !force_renew) {
printerr(3, "%s(0x%lx): Credentials in CC '%s' are good until %s",
__func__, tid, ple->ccname, ctime((time_t *)&ple->endtime));
code = 0;
@@ -1155,7 +1156,8 @@ err_cache:
static int
gssd_refresh_krb5_machine_credential_internal(char *hostname,
struct gssd_k5_kt_princ *ple,
- char *service, char *srchost)
+ char *service, char *srchost,
+ int force_renew)
{
krb5_error_code code = 0;
krb5_context context;
@@ -1221,7 +1223,7 @@ gssd_refresh_krb5_machine_credential_internal(char *hostname,
goto out_free_kt;
}
}
- retval = gssd_get_single_krb5_cred(context, kt, ple);
+ retval = gssd_get_single_krb5_cred(context, kt, ple, force_renew);
out_free_kt:
krb5_kt_close(context, kt);
out_free_context:
@@ -1344,7 +1346,7 @@ gssd_get_krb5_machine_cred_list(char ***list)
pthread_mutex_unlock(&ple_lock);
/* Make sure cred is up-to-date before returning it */
retval = gssd_refresh_krb5_machine_credential_internal(NULL, ple,
- NULL, NULL);
+ NULL, NULL, 0);
pthread_mutex_lock(&ple_lock);
if (gssd_k5_kt_princ_list == NULL) {
/* Looks like we did shutdown... abort */
@@ -1456,10 +1458,12 @@ gssd_destroy_krb5_principals(int destroy_machine_creds)
*/
int
gssd_refresh_krb5_machine_credential(char *hostname,
- char *service, char *srchost)
+ char *service, char *srchost,
+ int force_renew)
{
return gssd_refresh_krb5_machine_credential_internal(hostname, NULL,
- service, srchost);
+ service, srchost,
+ force_renew);
}
/*
@@ -1549,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred)
return ret;
}
+/* Removed a service ticket for nfs/<name> from the ticket cache
+ */
+int
+gssd_k5_remove_bad_service_cred(char *name)
+{
+ krb5_creds in_creds, out_creds;
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_ccache cache;
+ krb5_principal principal;
+ int retflags = KRB5_TC_MATCH_SRV_NAMEONLY;
+ char srvname[1024];
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ goto out_cred;
+ ret = krb5_cc_default(context, &cache);
+ if (ret)
+ goto out_free_context;
+ ret = krb5_cc_get_principal(context, cache, &principal);
+ if (ret)
+ goto out_close_cache;
+ memset(&in_creds, 0, sizeof(in_creds));
+ in_creds.client = principal;
+ sprintf(srvname, "nfs/%s", name);
+ ret = krb5_parse_name(context, srvname, &in_creds.server);
+ if (ret)
+ goto out_free_principal;
+ ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds);
+ if (ret)
+ goto out_free_principal;
+ ret = krb5_cc_remove_cred(context, cache, 0, &out_creds);
+out_free_principal:
+ krb5_free_principal(context, principal);
+out_close_cache:
+ krb5_cc_close(context, cache);
+out_free_context:
+ krb5_free_context(context);
+out_cred:
+ return ret;
+}
+
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
/*
* this routine obtains a credentials handle via gss_acquire_cred()
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index 2415205a..7ef87018 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -16,11 +16,13 @@ int gssd_get_krb5_machine_cred_list(char ***list);
void gssd_free_krb5_machine_cred_list(char **list);
void gssd_destroy_krb5_principals(int destroy_machine_creds);
int gssd_refresh_krb5_machine_credential(char *hostname,
- char *service, char *srchost);
+ char *service, char *srchost,
+ int force_renew);
char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
void gssd_k5_get_default_realm(char **def_realm);
int gssd_acquire_user_cred(gss_cred_id_t *gss_cred);
+int gssd_k5_remove_bad_service_cred(char *srvname);
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
extern int limit_to_legacy_enctypes;

32
SOURCES/nfs-utils-2.5.4-gssd-segfault.patch Normal file
View File

@ -0,0 +1,32 @@
commit 92995e0d38dc00e930c562cf936220f83c09d082
Author: Paulo Andrade <pandrade@redhat.com>
Date: Tue Jul 23 12:03:30 2024 -0400
rpc-gssd.service has status failed (due to rpc.gssd segfault)
Ensure strings are not NULL before doing a strdup() in error path.
Fixes: https://issues.redhat.com/browse/RHEL-43286
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index d7a28225..01ce7d18 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -365,12 +365,12 @@ gssd_read_service_info(int dirfd, struct clnt_info *clp)
fail:
printerr(0, "ERROR: failed to parse %s/info\n", clp->relpath);
- clp->upcall_address = strdup(address);
- clp->upcall_port = strdup(port);
+ clp->upcall_address = address ? strdup(address) : NULL;
+ clp->upcall_port = port ? strdup(port) : NULL;
clp->upcall_program = program;
clp->upcall_vers = version;
- clp->upcall_protoname = strdup(protoname);
- clp->upcall_service = strdup(service);
+ clp->upcall_protoname = protoname ? strdup(protoname) : NULL;
+ clp->upcall_service = service ? strdup(service) : NULL;
free(servername);
free(protoname);
clp->servicename = NULL;

30
SPECS/nfs-utils.spec
View File

@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser
Name: nfs-utils
URL: http://linux-nfs.org/
Version: 2.5.4
Release: 25%{?dist}
Release: 27.0.1%{?dist}.1
Epoch: 1
# group all 32bit related archs
@ -52,13 +52,25 @@ Patch018: nfs-utils-2.5.4-man-nfsconf.patch
# RHEL9.4
#
Patch019: nfs-utils-2.5.4-gssd-dns-failure.patch
Patch020: nfs-utils-2.5.4-gssd-bad-integ-error-support.patch
# Patch disabled downstream in Oracle Linux
# Patch020: nfs-utils-2.5.4-gssd-bad-integ-error-support.patch
Patch021: nfs-utils-2.5.4-mount-mountconf-typo.patch
Patch022: nfs-utils-2.5.4-support-for-rpc-with-tls.patch
Patch023: nfs-utils-2.5.4-fix-typos-in-messages.patch
Patch024: nfs-utils-2.5.4-blkmapd-double-free.patch
Patch025: nfs-utils-2.5.4-rpcdebug-check-read-return.patch
#
# RHEL9.5
#
Patch026: nfs-utils-2.5.4-gssd-allowed-enctypes.patch
Patch027: nfs-utils-2.5.4-gssd-segfault.patch
#
# RHEL9.5-z
#
Patch028: nfs-utils-2.5.4-conffile-argument.patch
Patch100: nfs-utils-1.2.1-statdpath-man.patch
Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch
Patch102: nfs-utils-1.2.5-idmap-errmsg.patch
@ -339,6 +351,7 @@ if [ $1 -eq 0 ] ; then
fi
%triggerin -- nfs-utils > 1:2.1.1-3
/bin/systemctl --system daemon-reload >/dev/null 2>&1 || :
/bin/systemctl try-restart gssproxy || :
%triggerun -- nfs-utils < 1:2.5.4-3
@ -499,6 +512,19 @@ fi
%{_mandir}/*/nfsiostat.8.gz
%changelog
* Tue May 06 2025 EL Errata <el-errata_ww@oracle.com> - 2.5.4-27.0.1
- Disable nfs-utils-2.5.4-gssd-bad-integ-error-support.patch [Orabug: 36563788]
- spec: remove multiple warnings when upgrading nfs-utils with gssproxy [Orabug: 36044562]
* Mon Mar 10 2025 Scott Mayhew <smayhew@redhat.com> - 2.5.4-27.1
- conffile: add 'arg' argument to conf_remove_now() (RHEL-82881)
* Fri Aug 9 2024 Steve Dickson <steved@redhat.com> 2.5.4-27
- rpc-gssd.service has status failed (due to rpc.gssd segfault) (RHEL-43286)
* Tue Apr 30 2024 Steve Dickson <steved@redhat.com> 2.5.4-26
- gssd: add support for an "allowed-enctypes" option in nfs.conf (RHEL-31858)
* Sun Feb 18 2024 Steve Dickson <steved@redhat.com> 2.5.4-25
- Update: Typos and documentation fixes (RHEL-22654)