diff --git a/SOURCES/nfs-utils-2.3.3-nfsconf-usegssproxy.patch b/SOURCES/nfs-utils-2.3.3-nfsconf-usegssproxy.patch index d87ae7d..023fc1f 100644 --- a/SOURCES/nfs-utils-2.3.3-nfsconf-usegssproxy.patch +++ b/SOURCES/nfs-utils-2.3.3-nfsconf-usegssproxy.patch @@ -1,7 +1,7 @@ -diff -up nfs-utils-2.3.4/nfs.conf.orig nfs-utils-2.3.4/nfs.conf ---- nfs-utils-2.3.4/nfs.conf.orig 2019-05-10 14:49:49.000000000 -0400 -+++ nfs-utils-2.3.4/nfs.conf 2019-05-10 14:58:20.198714920 -0400 -@@ -13,7 +13,7 @@ +diff -up nfs-utils-2.5.4/nfs.conf.orig nfs-utils-2.5.4/nfs.conf +--- nfs-utils-2.5.4/nfs.conf.orig 2024-04-30 14:42:44.551812808 -0400 ++++ nfs-utils-2.5.4/nfs.conf 2024-04-30 14:43:29.985032677 -0400 +@@ -20,7 +20,7 @@ # rpc-verbosity=0 # use-memcache=0 # use-machine-creds=1 @@ -9,8 +9,8 @@ diff -up nfs-utils-2.3.4/nfs.conf.orig nfs-utils-2.3.4/nfs.conf +use-gss-proxy=1 # avoid-dns=1 # limit-to-legacy-enctypes=0 - # context-timeout=0 -@@ -77,6 +77,5 @@ + # allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 +@@ -97,6 +97,5 @@ rdma-port=20049 # outgoing-port= # outgoing-addr= # lift-grace=y diff --git a/SOURCES/nfs-utils-2.5.4-conffile-argument.patch b/SOURCES/nfs-utils-2.5.4-conffile-argument.patch new file mode 100644 index 0000000..5a770d6 --- /dev/null +++ b/SOURCES/nfs-utils-2.5.4-conffile-argument.patch @@ -0,0 +1,38 @@ +diff -up nfs-utils-2.5.4/support/nfs/conffile.c.orig nfs-utils-2.5.4/support/nfs/conffile.c +--- nfs-utils-2.5.4/support/nfs/conffile.c.orig 2021-06-10 14:07:47.000000000 -0400 ++++ nfs-utils-2.5.4/support/nfs/conffile.c 2025-01-08 10:36:51.838168127 -0500 +@@ -169,13 +169,15 @@ static void free_conftrans(struct conf_t + * Insert a tag-value combination from LINE (the equal sign is at POS) + */ + static int +-conf_remove_now(const char *section, const char *tag) ++conf_remove_now(const char *section, const char *arg, const char *tag) + { + struct conf_binding *cb, *next; + + cb = LIST_FIRST(&conf_bindings[conf_hash (section)]); + for (; cb; cb = next) { + next = LIST_NEXT(cb, link); ++ if (arg && (cb->arg == NULL || strcasecmp(arg, cb->arg) != 0)) ++ continue; + if (strcasecmp(cb->section, section) == 0 + && strcasecmp(cb->tag, tag) == 0) { + LIST_REMOVE(cb, link); +@@ -217,7 +219,7 @@ conf_set_now(const char *section, const + struct conf_binding *node = 0; + + if (override) +- conf_remove_now(section, tag); ++ conf_remove_now(section, arg, tag); + else if (conf_get_section(section, arg, tag)) { + if (!is_default) { + xlog(LOG_INFO, "conf_set: duplicate tag [%s]:%s, ignoring...", +@@ -1252,7 +1254,7 @@ conf_end(int transaction, int commit) + node->is_default); + break; + case CONF_REMOVE: +- conf_remove_now(node->section, node->tag); ++ conf_remove_now(node->section, node->arg, node->tag); + break; + case CONF_REMOVE_SECTION: + conf_remove_section_now(node->section); diff --git a/SOURCES/nfs-utils-2.5.4-gssd-allowed-enctypes.patch b/SOURCES/nfs-utils-2.5.4-gssd-allowed-enctypes.patch new file mode 100644 index 0000000..298d4cf --- /dev/null +++ b/SOURCES/nfs-utils-2.5.4-gssd-allowed-enctypes.patch @@ -0,0 +1,251 @@ +commit 9b1f860a3457328a08395651d029a454e0303454 +Author: Scott Mayhew +Date: Fri Mar 15 06:34:52 2024 -0400 + + gssd: add support for an "allowed-enctypes" option in nfs.conf + + Newer kernels have support for newer krb5 encryption types, AES with + SHA2 and Camellia. An NFS client with an "old" kernel can talk to + and NFS server with a "new" kernel and it just works. An NFS client + with a "new" kernel can talk to an NFS server with an "old" kernel, but + that requires some additional configuration (particularly if the NFS + server does have support for the newer encryption types in its userspace + krb5 libraries) that may be unclear and/or burdensome to the admin. + + 1) If the NFS server has support for the newer encryption types in the + userspace krb5 libraries, but not in the kernel's RPCSEC_GSS code, + then its possible that it also already has "nfs" keys using those + newer encryption types in its keytab. In that case, it's necessary + to regenerate the "nfs" keys without the newer encryption types. + The reason this is necessary is because if the NFS client requests + an "nfs" service ticket from the KDC, and the list of enctypes in + in that TGS-REQ contains a newer encryption type, and the KDC had + previously generated a key for the NFS server using the newer + encryption type, then the resulting service ticket in the TGS-REP + will be using the newer encryption type and the NFS server will not + be able to decrypt it. + + 2) It is necessary to either modify the permitted_enctypes field of the + krb5.conf or create a custom crypto-policy module (if the + crypto-policies package is being used) on the NFS *client* so that it + does not include the newer encryption types. The reason this is + necessary is because it affects the list of encryption types that + will be present in the RPCSEC_GSS_INIT request that the NFS client + sends to the NFS server. The kernel on the NFS server cannot not + process the request on its own; it has to upcall to gssproxy to do + that... and again if the userspace krb5 libraries on the NFS server + have support for the newer encryption types, then it will select one + of those and the kernel will not be able to import the context when + it gets the downcall. Also note that modifying the permitted_enctypes + field and/or crypto policy has the side effect of impacting everything + krb5 related, not just just NFS. + + So add support for an "allowed-enctypes" field in nfs.conf. This allows + the admin to restrict gssd to using a subset of the encryption types + that are supported by the kernel and krb5 libraries. This will remove + the need for steps 1 & 2 above, and will only affect NFS rather than + krb5 as a whole. + + For example, for a "new" NFS client talking to an "old" NFS server, the + admin will probably want this in the client's nfs.conf: + + allowed-enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 + + Signed-off-by: Scott Mayhew + Signed-off-by: Steve Dickson + +diff --git a/nfs.conf b/nfs.conf +index 323f072..23b5f7d 100644 +--- a/nfs.conf ++++ b/nfs.conf +@@ -23,6 +23,7 @@ + # use-gss-proxy=0 + # avoid-dns=1 + # limit-to-legacy-enctypes=0 ++# allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 + # context-timeout=0 + # rpc-timeout=5 + # keytab-file=/etc/krb5.keytab +diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c +index ca9b326..10c731a 100644 +--- a/utils/gssd/gssd.c ++++ b/utils/gssd/gssd.c +@@ -1232,6 +1232,12 @@ main(int argc, char *argv[]) + + daemon_init(fg); + ++#ifdef HAVE_SET_ALLOWABLE_ENCTYPES ++ rc = get_allowed_enctypes(); ++ if (rc) ++ exit(EXIT_FAILURE); ++#endif ++ + if (gssd_check_mechs() != 0) + errx(1, "Problem with gssapi library"); + +diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man +index 2a5384d..c735eff 100644 +--- a/utils/gssd/gssd.man ++++ b/utils/gssd/gssd.man +@@ -346,6 +346,15 @@ flag. + Equivalent to + .BR -l . + .TP ++.B allowed-enctypes ++Allows you to restrict ++.B rpc.gssd ++to using a subset of the encryption types permitted by the kernel and the krb5 ++libraries. This is useful if you need to interoperate with an NFS server that ++does not have support for the newer SHA2 and Camellia encryption types, for ++example. This configuration file option does not have an equivalent ++command-line option. ++.TP + .B context-timeout + Equivalent to + .BR -t . +diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c +index 6f66ef4..57b3cf8 100644 +--- a/utils/gssd/krb5_util.c ++++ b/utils/gssd/krb5_util.c +@@ -129,6 +129,7 @@ + #include "err_util.h" + #include "gss_util.h" + #include "krb5_util.h" ++#include "conffile.h" + + /* + * List of principals from our keytab that we +@@ -155,6 +156,8 @@ static pthread_mutex_t ple_lock = PTHREAD_MUTEX_INITIALIZER; + + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES + int limit_to_legacy_enctypes = 0; ++krb5_enctype *allowed_enctypes = NULL; ++int num_allowed_enctypes = 0; + #endif + + /*==========================*/ +@@ -1596,6 +1599,68 @@ out_cred: + } + + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES ++int ++get_allowed_enctypes(void) ++{ ++ struct conf_list *allowed_etypes = NULL; ++ struct conf_list_node *node; ++ char *buf = NULL, *old = NULL; ++ int len, ret = 0; ++ ++ allowed_etypes = conf_get_list("gssd", "allowed-enctypes"); ++ if (allowed_etypes) { ++ TAILQ_FOREACH(node, &(allowed_etypes->fields), link) { ++ allowed_enctypes = realloc(allowed_enctypes, ++ (num_allowed_enctypes + 1) * ++ sizeof(*allowed_enctypes)); ++ if (allowed_enctypes == NULL) { ++ ret = ENOMEM; ++ goto out_err; ++ } ++ ret = krb5_string_to_enctype(node->field, ++ &allowed_enctypes[num_allowed_enctypes]); ++ if (ret) { ++ printerr(0, "%s: invalid enctype %s", ++ __func__, node->field); ++ goto out_err; ++ } ++ if (get_verbosity() > 1) { ++ if (buf == NULL) { ++ len = asprintf(&buf, "%s(%d)", node->field, ++ allowed_enctypes[num_allowed_enctypes]); ++ if (len < 0) { ++ ret = ENOMEM; ++ goto out_err; ++ } ++ } else { ++ old = buf; ++ len = asprintf(&buf, "%s,%s(%d)", old, node->field, ++ allowed_enctypes[num_allowed_enctypes]); ++ if (len < 0) { ++ ret = ENOMEM; ++ goto out_err; ++ } ++ free(old); ++ old = NULL; ++ } ++ } ++ num_allowed_enctypes++; ++ } ++ printerr(2, "%s: allowed_enctypes = %s", __func__, buf); ++ } ++ goto out; ++out_err: ++ num_allowed_enctypes = 0; ++ free(allowed_enctypes); ++out: ++ free(buf); ++ if (old != buf) ++ free(old); ++ if (allowed_etypes) ++ conf_free_list(allowed_etypes); ++ return ret; ++} ++ + /* + * this routine obtains a credentials handle via gss_acquire_cred() + * then calls gss_krb5_set_allowable_enctypes() to limit the encryption +@@ -1619,6 +1684,10 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec) + int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]); + extern int num_krb5_enctypes; + extern krb5_enctype *krb5_enctypes; ++ extern int num_allowed_enctypes; ++ extern krb5_enctype *allowed_enctypes; ++ int num_set_enctypes; ++ krb5_enctype *set_enctypes; + int err = -1; + + if (sec->cred == GSS_C_NO_CREDENTIAL) { +@@ -1631,12 +1700,26 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec) + * If we failed for any reason to produce global + * list of supported enctypes, use local default here. + */ +- if (krb5_enctypes == NULL || limit_to_legacy_enctypes) +- maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred, +- &krb5oid, num_enctypes, enctypes); +- else +- maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred, +- &krb5oid, num_krb5_enctypes, krb5_enctypes); ++ if (krb5_enctypes == NULL || limit_to_legacy_enctypes || ++ allowed_enctypes) { ++ if (allowed_enctypes) { ++ printerr(2, "%s: using allowed enctypes from config\n", ++ __func__); ++ num_set_enctypes = num_allowed_enctypes; ++ set_enctypes = allowed_enctypes; ++ } else { ++ printerr(2, "%s: using legacy enctypes\n", __func__); ++ num_set_enctypes = num_enctypes; ++ set_enctypes = enctypes; ++ } ++ } else { ++ printerr(2, "%s: using enctypes from the kernel\n", __func__); ++ num_set_enctypes = num_krb5_enctypes; ++ set_enctypes = krb5_enctypes; ++ } ++ ++ maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred, ++ &krb5oid, num_set_enctypes, set_enctypes); + + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_set_allowable_enctypes", +diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h +index 7ef8701..40ad323 100644 +--- a/utils/gssd/krb5_util.h ++++ b/utils/gssd/krb5_util.h +@@ -27,6 +27,7 @@ int gssd_k5_remove_bad_service_cred(char *srvname); + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES + extern int limit_to_legacy_enctypes; + int limit_krb5_enctypes(struct rpc_gss_sec *sec); ++int get_allowed_enctypes(void); + #endif + + /* diff --git a/SOURCES/nfs-utils-2.5.4-gssd-bad-integ-error-support.patch b/SOURCES/nfs-utils-2.5.4-gssd-bad-integ-error-support.patch deleted file mode 100644 index 6966ae2..0000000 --- a/SOURCES/nfs-utils-2.5.4-gssd-bad-integ-error-support.patch +++ /dev/null @@ -1,239 +0,0 @@ -diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4 -index 27368ff2..4379b14d 100644 ---- a/aclocal/libtirpc.m4 -+++ b/aclocal/libtirpc.m4 -@@ -26,6 +26,11 @@ AC_DEFUN([AC_LIBTIRPC], [ - [Define to 1 if your tirpc library provides libtirpc_set_debug])],, - [${LIBS}])]) - -+ AS_IF([test -n "${LIBTIRPC}"], -+ [AC_CHECK_LIB([tirpc], [rpc_gss_seccreate], -+ [AC_DEFINE([HAVE_TIRPC_GSS_SECCREATE], [1], -+ [Define to 1 if your tirpc library provides rpc_gss_seccreate])],, -+ [${LIBS}])]) - AC_SUBST([AM_CPPFLAGS]) - AC_SUBST(LIBTIRPC) - -diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c -index ae568f15..7629de0b 100644 ---- a/utils/gssd/gssd_proc.c -+++ b/utils/gssd/gssd_proc.c -@@ -70,6 +70,9 @@ - #include - #include - #include -+#ifdef HAVE_TIRPC_GSS_SECCREATE -+#include -+#endif - - #include "gssd.h" - #include "err_util.h" -@@ -330,6 +333,11 @@ create_auth_rpc_client(struct clnt_info *clp, - struct timeval timeout; - struct sockaddr *addr = (struct sockaddr *) &clp->addr; - socklen_t salen; -+#ifdef HAVE_TIRPC_GSS_SECCREATE -+ rpc_gss_options_req_t req; -+ rpc_gss_options_ret_t ret; -+ char mechanism[] = "kerberos_v5"; -+#endif - pthread_t tid = pthread_self(); - - sec.qop = GSS_C_QOP_DEFAULT; -@@ -410,15 +418,43 @@ create_auth_rpc_client(struct clnt_info *clp, - - printerr(3, "create_auth_rpc_client(0x%lx): creating context with server %s\n", - tid, tgtname); -+#ifdef HAVE_TIRPC_GSS_SECCREATE -+ memset(&req, 0, sizeof(req)); -+ req.my_cred = sec.cred; -+ auth = rpc_gss_seccreate(rpc_clnt, tgtname, mechanism, -+ rpcsec_gss_svc_none, NULL, &req, &ret); -+#else - auth = authgss_create_default(rpc_clnt, tgtname, &sec); -+#endif - if (!auth) { -+#ifdef HAVE_TIRPC_GSS_SECCREATE -+ if (ret.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { -+ printerr(2, "WARNING: server=%s failed context " -+ "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", -+ clp->servername); -+ if (cred == GSS_C_NO_CREDENTIAL) -+ retval = gssd_refresh_krb5_machine_credential(clp->servername, -+ "*", NULL, 1); -+ else -+ retval = gssd_k5_remove_bad_service_cred(clp->servername); -+ if (!retval) { -+ auth = rpc_gss_seccreate(rpc_clnt, tgtname, -+ mechanism, rpcsec_gss_svc_none, -+ NULL, &req, &ret); -+ if (auth) -+ goto success; -+ } -+ } -+#endif - /* Our caller should print appropriate message */ - printerr(2, "WARNING: Failed to create krb5 context for " - "user with uid %d for server %s\n", - uid, tgtname); - goto out_fail; - } -- -+#ifdef HAVE_TIRPC_GSS_SECCREATE -+success: -+#endif - /* Success !!! */ - rpc_clnt->cl_auth = auth; - *clnt_return = rpc_clnt; -@@ -571,7 +607,7 @@ krb5_use_machine_creds(struct clnt_info *clp, uid_t uid, - - do { - gssd_refresh_krb5_machine_credential(clp->servername, -- service, srchost); -+ service, srchost, 0); - /* - * Get a list of credential cache names and try each - * of them until one works or we've tried them all -diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c -index e3f270e9..6f66ef4f 100644 ---- a/utils/gssd/krb5_util.c -+++ b/utils/gssd/krb5_util.c -@@ -165,7 +165,7 @@ static int select_krb5_ccache(const struct dirent *d); - static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, - const char **cctype, struct dirent **d); - static int gssd_get_single_krb5_cred(krb5_context context, -- krb5_keytab kt, struct gssd_k5_kt_princ *ple); -+ krb5_keytab kt, struct gssd_k5_kt_princ *ple, int force_renew); - static int query_krb5_ccache(const char* cred_cache, char **ret_princname, - char **ret_realm); - -@@ -391,7 +391,8 @@ gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple) - static int - gssd_get_single_krb5_cred(krb5_context context, - krb5_keytab kt, -- struct gssd_k5_kt_princ *ple) -+ struct gssd_k5_kt_princ *ple, -+ int force_renew) - { - #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS - krb5_get_init_creds_opt *init_opts = NULL; -@@ -421,7 +422,7 @@ gssd_get_single_krb5_cred(krb5_context context, - */ - now += 300; - pthread_mutex_lock(&ple_lock); -- if (ple->ccname && ple->endtime > now && !nocache) { -+ if (ple->ccname && ple->endtime > now && !nocache && !force_renew) { - printerr(3, "%s(0x%lx): Credentials in CC '%s' are good until %s", - __func__, tid, ple->ccname, ctime((time_t *)&ple->endtime)); - code = 0; -@@ -1155,7 +1156,8 @@ err_cache: - static int - gssd_refresh_krb5_machine_credential_internal(char *hostname, - struct gssd_k5_kt_princ *ple, -- char *service, char *srchost) -+ char *service, char *srchost, -+ int force_renew) - { - krb5_error_code code = 0; - krb5_context context; -@@ -1221,7 +1223,7 @@ gssd_refresh_krb5_machine_credential_internal(char *hostname, - goto out_free_kt; - } - } -- retval = gssd_get_single_krb5_cred(context, kt, ple); -+ retval = gssd_get_single_krb5_cred(context, kt, ple, force_renew); - out_free_kt: - krb5_kt_close(context, kt); - out_free_context: -@@ -1344,7 +1346,7 @@ gssd_get_krb5_machine_cred_list(char ***list) - pthread_mutex_unlock(&ple_lock); - /* Make sure cred is up-to-date before returning it */ - retval = gssd_refresh_krb5_machine_credential_internal(NULL, ple, -- NULL, NULL); -+ NULL, NULL, 0); - pthread_mutex_lock(&ple_lock); - if (gssd_k5_kt_princ_list == NULL) { - /* Looks like we did shutdown... abort */ -@@ -1456,10 +1458,12 @@ gssd_destroy_krb5_principals(int destroy_machine_creds) - */ - int - gssd_refresh_krb5_machine_credential(char *hostname, -- char *service, char *srchost) -+ char *service, char *srchost, -+ int force_renew) - { - return gssd_refresh_krb5_machine_credential_internal(hostname, NULL, -- service, srchost); -+ service, srchost, -+ force_renew); - } - - /* -@@ -1549,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) - return ret; - } - -+/* Removed a service ticket for nfs/ from the ticket cache -+ */ -+int -+gssd_k5_remove_bad_service_cred(char *name) -+{ -+ krb5_creds in_creds, out_creds; -+ krb5_error_code ret; -+ krb5_context context; -+ krb5_ccache cache; -+ krb5_principal principal; -+ int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; -+ char srvname[1024]; -+ -+ ret = krb5_init_context(&context); -+ if (ret) -+ goto out_cred; -+ ret = krb5_cc_default(context, &cache); -+ if (ret) -+ goto out_free_context; -+ ret = krb5_cc_get_principal(context, cache, &principal); -+ if (ret) -+ goto out_close_cache; -+ memset(&in_creds, 0, sizeof(in_creds)); -+ in_creds.client = principal; -+ sprintf(srvname, "nfs/%s", name); -+ ret = krb5_parse_name(context, srvname, &in_creds.server); -+ if (ret) -+ goto out_free_principal; -+ ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); -+ if (ret) -+ goto out_free_principal; -+ ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); -+out_free_principal: -+ krb5_free_principal(context, principal); -+out_close_cache: -+ krb5_cc_close(context, cache); -+out_free_context: -+ krb5_free_context(context); -+out_cred: -+ return ret; -+} -+ - #ifdef HAVE_SET_ALLOWABLE_ENCTYPES - /* - * this routine obtains a credentials handle via gss_acquire_cred() -diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h -index 2415205a..7ef87018 100644 ---- a/utils/gssd/krb5_util.h -+++ b/utils/gssd/krb5_util.h -@@ -16,11 +16,13 @@ int gssd_get_krb5_machine_cred_list(char ***list); - void gssd_free_krb5_machine_cred_list(char **list); - void gssd_destroy_krb5_principals(int destroy_machine_creds); - int gssd_refresh_krb5_machine_credential(char *hostname, -- char *service, char *srchost); -+ char *service, char *srchost, -+ int force_renew); - char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); - void gssd_k5_get_default_realm(char **def_realm); - - int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); -+int gssd_k5_remove_bad_service_cred(char *srvname); - - #ifdef HAVE_SET_ALLOWABLE_ENCTYPES - extern int limit_to_legacy_enctypes; diff --git a/SOURCES/nfs-utils-2.5.4-gssd-segfault.patch b/SOURCES/nfs-utils-2.5.4-gssd-segfault.patch new file mode 100644 index 0000000..1ffd41a --- /dev/null +++ b/SOURCES/nfs-utils-2.5.4-gssd-segfault.patch @@ -0,0 +1,32 @@ +commit 92995e0d38dc00e930c562cf936220f83c09d082 +Author: Paulo Andrade +Date: Tue Jul 23 12:03:30 2024 -0400 + + rpc-gssd.service has status failed (due to rpc.gssd segfault) + + Ensure strings are not NULL before doing a strdup() in error path. + + Fixes: https://issues.redhat.com/browse/RHEL-43286 + Signed-off-by: Steve Dickson + +diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c +index d7a28225..01ce7d18 100644 +--- a/utils/gssd/gssd.c ++++ b/utils/gssd/gssd.c +@@ -365,12 +365,12 @@ gssd_read_service_info(int dirfd, struct clnt_info *clp) + + fail: + printerr(0, "ERROR: failed to parse %s/info\n", clp->relpath); +- clp->upcall_address = strdup(address); +- clp->upcall_port = strdup(port); ++ clp->upcall_address = address ? strdup(address) : NULL; ++ clp->upcall_port = port ? strdup(port) : NULL; + clp->upcall_program = program; + clp->upcall_vers = version; +- clp->upcall_protoname = strdup(protoname); +- clp->upcall_service = strdup(service); ++ clp->upcall_protoname = protoname ? strdup(protoname) : NULL; ++ clp->upcall_service = service ? strdup(service) : NULL; + free(servername); + free(protoname); + clp->servicename = NULL; diff --git a/SPECS/nfs-utils.spec b/SPECS/nfs-utils.spec index a9cefb2..bd37199 100644 --- a/SPECS/nfs-utils.spec +++ b/SPECS/nfs-utils.spec @@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser Name: nfs-utils URL: http://linux-nfs.org/ Version: 2.5.4 -Release: 25%{?dist} +Release: 27.0.1%{?dist}.1 Epoch: 1 # group all 32bit related archs @@ -52,13 +52,25 @@ Patch018: nfs-utils-2.5.4-man-nfsconf.patch # RHEL9.4 # Patch019: nfs-utils-2.5.4-gssd-dns-failure.patch -Patch020: nfs-utils-2.5.4-gssd-bad-integ-error-support.patch +# Patch disabled downstream in Oracle Linux +# Patch020: nfs-utils-2.5.4-gssd-bad-integ-error-support.patch Patch021: nfs-utils-2.5.4-mount-mountconf-typo.patch Patch022: nfs-utils-2.5.4-support-for-rpc-with-tls.patch Patch023: nfs-utils-2.5.4-fix-typos-in-messages.patch Patch024: nfs-utils-2.5.4-blkmapd-double-free.patch Patch025: nfs-utils-2.5.4-rpcdebug-check-read-return.patch +# +# RHEL9.5 +# +Patch026: nfs-utils-2.5.4-gssd-allowed-enctypes.patch +Patch027: nfs-utils-2.5.4-gssd-segfault.patch + +# +# RHEL9.5-z +# +Patch028: nfs-utils-2.5.4-conffile-argument.patch + Patch100: nfs-utils-1.2.1-statdpath-man.patch Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch Patch102: nfs-utils-1.2.5-idmap-errmsg.patch @@ -339,6 +351,7 @@ if [ $1 -eq 0 ] ; then fi %triggerin -- nfs-utils > 1:2.1.1-3 +/bin/systemctl --system daemon-reload >/dev/null 2>&1 || : /bin/systemctl try-restart gssproxy || : %triggerun -- nfs-utils < 1:2.5.4-3 @@ -499,6 +512,19 @@ fi %{_mandir}/*/nfsiostat.8.gz %changelog +* Tue May 06 2025 EL Errata - 2.5.4-27.0.1 +- Disable nfs-utils-2.5.4-gssd-bad-integ-error-support.patch [Orabug: 36563788] +- spec: remove multiple warnings when upgrading nfs-utils with gssproxy [Orabug: 36044562] + +* Mon Mar 10 2025 Scott Mayhew - 2.5.4-27.1 +- conffile: add 'arg' argument to conf_remove_now() (RHEL-82881) + +* Fri Aug 9 2024 Steve Dickson 2.5.4-27 +- rpc-gssd.service has status failed (due to rpc.gssd segfault) (RHEL-43286) + +* Tue Apr 30 2024 Steve Dickson 2.5.4-26 +- gssd: add support for an "allowed-enctypes" option in nfs.conf (RHEL-31858) + * Sun Feb 18 2024 Steve Dickson 2.5.4-25 - Update: Typos and documentation fixes (RHEL-22654)