cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
authorJeff Layton <jlayton@redhat.com>
Fri, 14 Aug 2009 11:59:50 +0000 (07:59 -0400)
committerJeff Layton <jlayton@redhat.com>
Fri, 14 Aug 2009 11:59:50 +0000 (07:59 -0400)
cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.

Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
client/cifs.upcall.c
docs-xml/manpages-3/cifs.upcall.8.xml

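index 0ddcc75660c1cfc333d7fbb3f716eeaa8a16e5b2..e60fb50e5770c2090418d7549d0593f56d11bc9d 100644
--- a/client/cifs.upcall.c
+++ b/client/cifs.upcall.c
@@ -30,7 +30,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
 
 #include "cifs_spnego.h"
 
-const char *CIFSSPNEGO_VERSION = "1.2";
+const char *CIFSSPNEGO_VERSION = "1.3";
 static const char *prog = "cifs.upcall";
 typedef enum _sectype {
        NONE = 0,
@@ -291,8 +291,8 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
 static void
 usage(void)
 {
-       syslog(LOG_INFO, "Usage: %s [-c] [-v] key_serial", prog);
-       fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
+       syslog(LOG_INFO, "Usage: %s [-v] key_serial", prog);
+       fprintf(stderr, "Usage: %s [-v] key_serial\n", prog);
 }
 
 int main(const int argc, char *const argv[])
@@ -303,7 +303,7 @@ int main(const int argc, char *const argv[])
        key_serial_t key = 0;
        size_t datalen;
        long rc = 1;
-       int c, use_cifs_service_prefix = 0;
+       int c;
        char *buf, *princ, *ccname = NULL;
        struct decoded_args arg = { };
        const char *oid;
@@ -313,7 +313,7 @@ int main(const int argc, char *const argv[])
        while ((c = getopt(argc, argv, "cv")) != -1) {
                switch (c) {
                case 'c':
-                       use_cifs_service_prefix = 1;
+                       /* legacy option -- skip it */
                        break;
                case 'v':
                        printf("version: %s\n", CIFSSPNEGO_VERSION);
@@ -395,19 +395,23 @@ int main(const int argc, char *const argv[])
                        break;
                }
 
-               if (use_cifs_service_prefix)
-                       strlcpy(princ, "cifs/", datalen);
-               else
-                       strlcpy(princ, "host/", datalen);
-
-               strlcpy(princ + 5, arg.hostname, datalen - 5);
-
                if (arg.sec == MS_KRB5)
                        oid = OID_KERBEROS5_OLD;
                else
                        oid = OID_KERBEROS5;
 
+               /*
+                * try getting a cifs/ principal first and then fall back to
+                * getting a host/ principal if that doesn't work.
+                */
+               strlcpy(princ, "cifs/", datalen);
+               strlcpy(princ + 5, arg.hostname, datalen - 5);
                rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
+               if (rc) {
+                       memcpy(princ, "host/", 5);
+                       rc = handle_krb5_mech(oid, princ, &secblob, &sess_key,
+                                               ccname);
+               }
                SAFE_FREE(princ);
                break;
        default: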
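Review bot: The fallback at `if (rc)` retries with the host/ principal on every non-zero return from handle_krb5_mech, so a failure that has nothing to do with the cifs/ name (no usable credential cache, KDC unreachable, clock skew) is silently retried under a different service name and the first error is discarded, which makes the real cause harder to diagnose from the logs. If handle_krb5_mech passes the krb5 error through, consider restricting the fallback to the principal-not-found case, and in any case log the first attempt before retrying, e.g. `syslog(LOG_DEBUG, "%s: cifs/ principal failed (rc=%ld), trying host/", __func__, rc);` ahead of the memcpy. The `memcpy(princ, "host/", 5)` also relies on the earlier strlcpy having fit the whole "cifs/" prefix into princ, which presumably holds because datalen is sized from the hostname earlier in main(); a one-line comment such as `/* princ holds at least "cifs/" -- datalen sized above */` would make that dependency visible at the point of use. main() starts and ends outside this hunk.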
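index 6e22bff9c27542bb509a25f4433d6f8c897a292e..427bb44479e885968bd8298b3a7cb5026ca7f51d 100644
--- a/docs-xml/manpages-3/cifs.upcall.8.xml
+++ b/docs-xml/manpages-3/cifs.upcall.8.xml
@@ -48,7 +48,7 @@ to be run that way.</para>
        <variablelist>
                <varlistentry>
                <term>-c</term>
-               <listitem><para>When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal.
+               <listitem><para>This option is deprecated and is currently ignored.
                </para></listitem>
                </varlistentry>
 
@@ -86,7 +86,7 @@ to be run that way.</para>
 <programlisting>
 #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
 #=========  =============  = = ==========================================
-create     cifs.spnego    * * /usr/local/sbin/cifs.upcall -c %k
+create      cifs.spnego    * * /usr/local/sbin/cifs.upcall %k
 create      dns_resolver   * * /usr/local/sbin/cifs.upcall %k
 </programlisting>
 <para>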