commit f9f5450f8f946ffc664397c86d05d27ba0406e21 Author: Simo Sorce Date: Fri Apr 19 10:10:33 2013 -0400 Avoid DNS reverse resolution for server names (take 3) A NFS client should be able to work properly even if the DNS Reverse record for the server is not set. This means a DNS lookup should not be done on server names at are passed to GSSAPI. This patch changes the default behavior to no longer do those types of lookups This change default behavior could negatively impact some current environments, so the -D option is also being added that will re-enable the DNS reverse looks on server names, which are passed to GSSAPI. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson commit f6d9b264109c49f426dba43122957466fdcd065e Author: Mike Frysinger Date: Fri Apr 19 13:27:57 2013 -0400 .gitignore: ignore more generated files Signed-off-by: Steve Dickson commit 61b21276f19a8791464ebf8620b3a40839652259 Author: Mike Frysinger Date: Fri Apr 19 13:21:47 2013 -0400 configure.ac: do not fail sqlite check when cross-compiling If we're cross-compiling, we can't do a runtime test of sqlite, so just assume that the user has a good enough version rather than falling over. Signed-off-by: Mike Frysinger Signed-off-by: Steve Dickson commit 37add3662de0339a75d3bed86a4235fc7efaf18d Author: Chuck Lever Date: Fri Apr 19 13:13:57 2013 -0400 sm-notify: "-v hostname" doesn't work when IPV6_SUPPORT is enabled Marc Eshel reports that using the -v command line option on the sm-notify command stopped working after nfs-utils 1.2.2, when IPv6 support was added. If nfs-utils is built without IPv6 support, it still works. Marc specified a hostname with a single A record. smn_bind_address() must construct a bind address with the same family as the RPC socket's protocol family. Add an AI_V4MAPPED hint so an appropriate IPv6 bind address is constructed even if -v specifies an IPv4 presentation address, or a hostname with only IPv4 mappings. We still use an IPv4 bind address if IPv6 support is compiled out or the host does not support IPv6. Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson Cc: Marc Eshel commit 2a0f1422a891776ecad49109102f1dde8bef1cf9 Author: Steve Dickson Date: Fri Apr 19 13:11:43 2013 -0400 mount: No longer negotiate to v2 This patch remove the ability of negotiating to the v2 protocol. Explicitly setting the version on the command line will be the only way to use v2. Signed-off-by: Steve Dickson Signed-off-by: Steve Dickson commit 6eba4e22ce2b10bcfb19fbb253f7e235afbaa406 Author: NeilBrown Date: Fri Apr 19 13:09:27 2013 -0400 mountd: fix exporting of "/" with sec= setting. Commit 91bb95f2689e84856ecdf6fac365489d36709cf9 4set_root: force "fsid=0" for all exports of '/' set NFSEXP_FSID for the export of "/" if nothing else had any fsid set, however it didn't also set the flag for all security flavours. So the kernel complains that the flags on the security flavours don't match and it rejects the export. So call fix_pseudoflavor_flags() in write_secinfo() to make sure that any fiddling that has been done to e_flags gets copied to e_secinfo. Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit 302de786930a2c533068f9d8909a817b40f07c32 Author: Simo Sorce Date: Fri Apr 19 13:02:36 2013 -0400 gssd: Allow GSSAPI to try to acquire credentials first. GSSAPI can be given a uid number as a special name, and then gss_acquire_cred() can use the name to try to find credentials for the user. Give GSSAPI a chance to do it on its own, then fallback to the classic method of trolling through the file system to find a credential cache. This patch uses a little know feature of GSSAPI that permits to acquire crdentials specifying the user's UID. Normally GSSAPI will simply perform a getpwuid() call and use the user name to generate a principal name and then see if it can find a TGT for that principal in the local ccache. This feature is vital to allow the GSS-Proxy to be able to initiate crdentials on behalf of rpc.gssd using client keytabs stored in the filsystem. GSS-Proxy works through an interposer-type plugin (new feature in MIT 1.11) that allows to intercept all GSSAPI requestes and relay them to a system daemon via a socket. This daemon (GSS-Proxy) then can perform operations on behalf of other applications with additional logic. In the rpc.gssd case the GSS-Proxy daemon allows applications running as system users to properly access krb5 protected shares by creating a credential cache on the fly when necessary. This way all applications that need access to krb5 protected shares do not need to be taught how to initiate crdentials on their own, nor they need to be wrapped in additional init scripts like k5start or use wasteful cronjobs to keep credentials fresh. All is needed is to drop a keytab with the right keys in a special location on the system and gss-proxy will do the rest. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson commit 85352dd5ffd0d9a451b79fa61d24a518b553d280 Author: Jose Castillo Date: Fri Apr 19 10:51:57 2013 -0400 mountd: Add the missing '$' in auth_unix_ip() We found this problem because NFS clients to a RHEL6 NFS server were experiencing periods of ESTALE errors after being mounted and initially working successfully. Tests were run which snapshotted the nfs/sunrpc caches before and after the issue, and it was found that the '$' character at the beginning of the ID strings, used when in use_ipaddr mode, was getting lost: GOOD, while mount was working: nfsd 1.2.3.4 $1.2.3.4 BAD, after mount started returning ESTALE: nfsd 1.2.3.4 1.2.3.4 This would then cause the export checks to fail by passing '1.2.3.4' instead of '$1.2.3.4' up to rpc.mountd. The problem appears to be in the auth_unix_ip() function when renewing the auth.unix.ip cache entry. It would fail to add the '$' character back to the beginning of the string used for the domain string, breaking the use_ipaddr mode. Signed-off-by: Jose Castillo Signed-off-by: Steve Dickson commit 5acc87a87c012766a9d7f4e2f07e5de455e566e3 Author: Chuck Lever Date: Wed Apr 10 11:43:31 2013 -0400 nfs(5): Update description of sec= mount option Bryan recently added SECINFO support, and I've beefed up the NFSv3 MNT processing in kernel to do some security flavor negotiation. Thus the kernel can perform additional security flavor negotiation now. Update the description of the sec= mount option and the SECURITY CONSIDERATIONS section to reflect this change. Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 051eb4863cf880f0349a1de44517f9c99a9c5bd4 Author: Simo Sorce Date: Wed Apr 10 11:34:41 2013 -0400 gssd: Fix double free when exporting lucid context When using GSSAPI's gss_krb5_export_lucid_context the context passed into the function is actually deleted during the export (to avoid reuse as the context contains state that depends on its usage). Change the code to pass in a pointer to the context so that it can be properly NULLed if we are using the GSSAPI context and following calls to gss_delete_sec_context will not cause double free errors and segfaults. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson commit 0ce973a59ab3393481ba7c434a7353b5007cba71 Author: Simo Sorce Date: Tue Apr 2 15:06:13 2013 -0400 gssd: Fix segfault when using -R option The getopt string did not add : after the R option resulting in a sefgault whenever -R was used as optarg is NULL and it is dereferenced. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson commit 0ac50211fefb0d398ecc958ebe725dc6b6285103 Author: Simo Sorce Date: Tue Apr 2 15:04:37 2013 -0400 gssd: Switch to use standard GSSAPI by default Make libgssglue configurable still but disabled by default. There is no reason to use libgssglue anymore, and modern gssapi supports all needed features for nfs-utils. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson commit fff0d69c2fdc23c94a28276e60e03082e3de15b6 Author: Simo Sorce Date: Tue Apr 2 14:41:39 2013 -0400 gssd: Add configure check for gss_krb5_free_lucid_sec_context(). Signed-off-by: Simo Sorce Signed-off-by: GÃnther Deschner Signed-off-by: Steve Dickson commit e79baddaa1d8cf24cce929e14f6f91ac0d5e15d0 Author: Trond Myklebust Date: Mon Mar 25 16:07:59 2013 -0400 nfsd: Add support for the -V and --nfs-version optional arguments Add command line options to enable those NFS versions that are currently disabled by default. We choose to use the options '-V' and '--nfs-version' for compatibility with rpc.mountd. Acked-by: J. Bruce Fields Signed-off-by: Trond Myklebust Signed-off-by: Steve Dickson commit adabe938c17b22aec5e89c24e1856de9fffe9f0c Author: Mike Frysinger Date: Mon Mar 25 08:35:37 2013 -0400 rpcdebug: do not use build toolchain The rpcdebug program gets installed, so we don't want to use the build toolchain to compile it. I can't find any scripts in the build system that try to execute it, so this shouldn't be a problem. Signed-off-by: Mike Frysinger Signed-off-by: Steve Dickson commit 88d745b004cc0d57ce668829ca08c5d5dc3e6a9e Author: Mike Frysinger Date: Mon Mar 25 08:31:31 2013 -0400 configure: check for libio.h availability On some systems (like uClibc), there isn't a libio.h header. But it isn't also needed on them. So check for the header first. Signed-off-by: Mike Frysinger Signed-off-by: Steve Dickson commit 7aae1f31d06f133cebf2cfecca39a086d5376e0b Author: Mike Frysinger Date: Mon Mar 25 08:27:58 2013 -0400 README: drop version from file It clearly doesn't get maintained, so punt it. Signed-off-by: Mike Frysinger Signed-off-by: Steve Dickson commit b9ca017c0d0c425b7a5d22738e3e4e3fff63d44a Author: Mike Frysinger Date: Mon Mar 25 08:26:40 2013 -0400 nfsiostat: make it work w/python3 Simple fixes here to work with python 2 & 3: - use print() everywhere - dict.iteritems() -> dict.items() - file() -> open() - sys.maxint -> sys.maxsize Signed-off-by: Mike Frysinger Signed-off-by: Steve Dickson commit ebe2826ca571a3959c3b5c8e29686c621f2775cf Author: Steve Dickson Date: Sat Mar 23 10:30:17 2013 -0400 mountd: regression in crossmounts commit 8e2fb3fc cause a regression in mount export that are on different local file system. Exports like (all on different filesystems) /home *(rw,fsid=0,crossmnt) /home/fs1 *(rw,crossmnt) /home/fs1/fs2/fs3 *(rw,nohide) and then a mount of the root 'mount /home /mnt' would end up mounting /home/fs1/fs2/fs3 not /home Reverting the logic of commit 8e2fb3fc until a better solution can be found for the original problem. Signed-off-by: Steve Dickson commit 11ba3b1e01b67b7d19f26fba94fabdb60878e809 Author: Chuck Lever Date: Sat Mar 23 08:25:39 2013 -0400 Add a default flavor to an export's e_secinfo list The list of security flavors that mountd allows for the NFSv4 pseudo-fs is constructed from the union of flavors of all current exports. exports(5) documents that the default security flavor for an export, if "sec=" is not specified, is "sys". Suppose /etc/exports contains: /a *(rw) /b *(rw,sec=krb5:krb5i:krb5p) The resulting security flavor list for the pseudo-fs is missing "sec=sys". /proc/net/rpc/nfsd.export/content contains: /a *(rw,root_squash,sync,wdelay,no_subtree_check, uuid=095c95bc:08e4407a:91ab8601:05fe0bbf) /b *(rw,root_squash,sync,wdelay,no_subtree_check, uuid=2a6fe811:0cf044a7:8fc75ebe:65180068, sec=390003:390004:390005) / *(ro,root_squash,sync,no_wdelay,v4root,fsid=0, uuid=2a6fe811:0cf044a7:8fc75ebe:65180068, sec=390003:390004:390005) The root entry is not correct, as there does exist an export whose unspecified default security flavor is "sys". The security settings on the root cause sec=sys mount attempts to be incorrectly rejected. The reason is that when the line in /etc/exports for "/a" is parsed, the e_secinfo list for that exportent is left empty. Thus the union of e_secinfo lists created by set_pseudofs_security() is "krb5:krb5i:krb5p". I fixed this by ensuring that if no "sec=" option is specified for an export, its e_secinfo list gets at least an entry for AUTH_UNIX. [ Yes, we could make the security flavors allowed for the pseudo-fs a fixed list of all flavors the server supports. That becomes complicated by the special meaning of AUTH_NULL, and we still have to check /etc/exports for whether Kerberos flavors should be listed. I opted for a simple approach for now. ] Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit fb6e382f9eae38883cfed151fe5e80c021c8b961 Author: Chris Vogan Date: Sat Mar 23 08:22:41 2013 -0400 NFS man page patch that moves nordirplus/rdirplus NFS man page patch that moves nordirplus/rdirplus from "Options for NFS versions 2 and 3 only" to "Options supported by all versions". Its a better fit here since this option is also needed for some NFSv4 servers. Signed-off-by: Chris Vogan Signed-off-by: Steve Dickson commit 128bca853fc6df20a87d4d3dfe12c1b77204d673 Author: Chuck Lever Date: Sat Mar 23 08:13:22 2013 -0400 gssd: gethostname(3) returns zero or -1, not an errno According to "man gethostname," gssd is handling the return value of gethostname(3) incorrectly. It looks like other gethostname(3) call sites in nfs-utils are already correct. Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 8239ec6587ce103d7bcb4b37c680c0c10ef5b37c Author: Chuck Lever Date: Sat Mar 23 08:12:16 2013 -0400 gssd: Fix whitespace nits Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit f1e171dcbe6fa182ff6d8ccf0ab9aff620106889 Author: Chuck Lever Date: Sat Mar 23 08:11:28 2013 -0400 gssd: Clean up gssd_setup_krb5_user_gss_ccache() Remove a contradictory portion of the block comment documenting gssd_find_existing_krb5_ccache(). This should have been removed by commit 289ad31e, which reversed the meaning of the function's return values. Note that, in user space, typically errno's are positive. But here we follow the kernel convention of using negative values to return error codes. Make the documenting comments explicit about the sign of an error return -- it will never be positive in the case of an error. And a nit: At the last return statement in gssd_setup_krb5_user_gss_ccache(), "err" always contains zero, as far as I can tell. Make it explicit (to human readers) that when execution reaches this point, gssd_setup_krb5_user_gss_ccache() is going to return "success." Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 020fc9855c69f74361a416be357fb882e80dcdd8 Author: Chuck Lever Date: Sat Mar 23 08:09:42 2013 -0400 gssd: Update description of "-l" option Move most of the text in the description of the "-l" option up to the DESCRIPTION section, to match what was done for "-n" and "-k". The discussion is then less restricted by formatting, and we can take the space to introduce a few concepts before describing the behavior of rpc.gssd. Fix a few misspellings and grammar issues while here. Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 6888d305d8683d178239170794ce8debdaaaacd8 Author: Chuck Lever Date: Sat Mar 23 08:08:36 2013 -0400 gssd: Clarify use of the term "machine credentials" in rpc.gssd(8) Our NFSv4 implementation uses machine credentials for operations that manage state on behalf of the whole client (for example, SETCLIENTID or RENEW). The rpc.gssd man page is missing a description of this usage, especially in the discussion of the "-n" option. The issue is that rpc.gssd's "-n" option requires root to acquire a user credential. In the absense of a system keytab (for instance, if the system is diskless) root's credential is not to be used as the machine credential that manages NFSv4 state. Group the discussion of machine credentials and UID 0 in one place to help clarify the discussion and simplify the description of several of these options. Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit e661019a2827aa0b303f4b2be54f0670c68812bf Author: Chuck Lever Date: Sat Mar 23 08:07:46 2013 -0400 gssd: Provide an introduction in gssd(8) It's good practice in user documentation to define terms before they are used. Add an INTRODUCTION section that defines important terms that are used in the DESCRIPTION and OPTIONS sections. The key concepts are GSS context, user credential, machine credential, and keytab. The RFCs I looked at capitalize both "gss" and "rpcsec_gss". For consistency I changed this throughout the man page. Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit e6adba9609016bf30495105847ed02d5b7933bbe Author: Chuck Lever Date: Sat Mar 23 08:06:29 2013 -0400 gssd: gssd.man is missing a description of the "-M" option Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 7a9d278e9aef620847087bb9a0e67961f92a9925 Author: Chuck Lever Date: Sat Mar 23 08:05:30 2013 -0400 gssd: Use italics for option values and pathnames Clean up: The usual convention for the values of command line options and for pathnames is for them to appear italicized, rather than emboldened or in double quotes. Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit bbee50bbebc245d4e1d496d046ff0ae04217612d Author: Chuck Lever Date: Sat Mar 23 08:03:56 2013 -0400 mountd: make local functions in v4root.c static Clean up. set_pseudofs_security() and pseudofs_update() have no call sites outside of v4root.c, and there are no header declarations for either function. Define both as static. Acked-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 2b445aa10fde7e84681f98a61e806e0c10da8be2 Author: Chuck Lever Date: Sat Mar 23 08:02:50 2013 -0400 mountd: remove unused variable Making all in mountd cache.c: In function 'subexport': cache.c:374:9: warning: unused variable 'l2' [-Wunused-variable] Commit 8e2fb3fc removed the last use of "l2" in the subexport() function. Signed-off-by: Chuck Lever Acked-by: J. Bruce Fields Signed-off-by: Steve Dickson commit da54dec3cb40095cac96fd2d838144129262ac7f Author: Lukas Hejtmanek Date: Wed Mar 20 13:24:02 2013 -0400 gssd - expired credentials problem I noticed that there is a problem with expired credentials if NFS client's time is even few seconds behind KDC's or NFS server's time. Client's kernel requests new GSS context but rpc.gssd is happy with existing krb cache as it valid according to local time. Signed-off-by: Steve Dickson commit 5b9108f73a5f15372f9be9238070cf8d62956a49 Author: NeilBrown Date: Wed Mar 20 13:03:58 2013 -0400 gssd: don't krb5_free_context if krb5_init_context fails Most places that call krb5_init_context() abort cleanly on failure. However these two then try to free the non-existent context, which doesn't end well. Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit da56ddf07ce41bd324c5c38db7d9ac03f4887258 Author: NeilBrown Date: Wed Mar 20 13:03:17 2013 -0400 gssd: use correct test for success of getrlimit() commit 7c5cb5e732a4b8704f8c79ec819c5d271e040339 gssd: base the size of the fd array on the RLIMIT_NOFILE limit. didn't actually work as claimed. It only uses the returned value if getrlimit() returns -1 -- which of course it only does when there was an error. So change the test to "== 0". Reported-by: Leonardo Chiquitto< lchiquitto@suse.com> Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit 95894ff4467995659c4ce5e2523f3c8058d9c676 Author: NeilBrown Date: Wed Feb 13 15:11:05 2013 -0500 gssd: Call authgss_free_private_data() if library provides it. librpcsecgss provides authgss_free_private_data() as a pair to authgss_get_private_data(). libtirpc does not - until recently. This ommision results in authgss_destroy_context() sending an incorrect RPCSEC_GSS_DESTROY request when gssd calls AUTH_DESTROY(). The call has been added to libtirpc, so this patch updates nfs-utils to check for the presense of the function in libtirpc and to set HAVE_AUTHGSS_FREE_PRIVATE_DATA if it is present. This is also set unconditionally if librpcsecgss is used. gssd is changed to test this value rather than HAVE_LIBTIRPC when chosing whether to call authgss_free_private_data(). Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit eb8229338f060f3974fd5557c8bc86fdb9005a81 Author: Hemmo Nieminen Date: Wed Jan 16 15:29:14 2013 -0500 rpc.statd: Fix socket binding loop. From: Hemmo Nieminen Instead of closing the sockets before requesting a new one, keep them open until a suitable one is found. Otherwise bindresvport will return the same port over and over again. Signed-off-by: Steve Dickson commit 5ac9bcfd820f09af4d3f87f1f7346d896f70bc9a Author: David Jeffery Date: Wed Jan 16 15:21:55 2013 -0500 rpc.idmapd: Ignore open failures in dirscancb() From: David Jeffery The daemon "rpc.idmapd" scans the /var/lib/nfs/rpc_pipefs/nfs/ directory periodically looking for NFS client mounts to communicate to. The daemon tried to open communication with a client mount but it disappeared in between looking for directory entries and opening them. NFS mount was umounted just before rpc.idmapd tried to communicate with it. This behavior is usually seen when autofs is configured on the system. Signed-off-by: Steve Dickson commit 96892b29a50af1055bfc3ca74930e9782ead6c71 Author: Suresh Jayaraman Date: Mon Dec 17 16:29:44 2012 -0500 idmapd: allow non-ASCII characters (UTF-8) in NFSv4 domain name The validateascii() check in imconv() maps NFSv4 domain names with non-ASCII characters to 'nobody'. In setups where Active directory or LDAP is used this causes names with UTF-8 characters to being mapped to 'nobody' because of this check. As Bruce Fields puts it: "idmapd doesn't seem like the right place to enforce restrictions on names. Once the system has allowed a name it's too late to be complaining about it here." Replace the validateascii() call in imconv() with a check for null-termination just to be extra-careful and remove the validateascii() function itself as the only user of that function is being removed by this patch. Acked-by: J. Bruce Fields Signed-off-by: Suresh Jayaraman Signed-off-by: Steve Dickson commit 8e2fb3fc8e46e61eeba7978a03c9fb50ff01b666 Author: NeilBrown Date: Mon Dec 17 16:21:15 2012 -0500 mountd: fix is_subdirectory to understand '/' The is_subdirectory() function checks if a given 'child' is a subdirectory of the given 'parent'. However it always fails if 'parent' == "/" (because 'child' doesn't begin with 'parent' followed by "/"). So change is_subdirectory() to special-case "/". subexport() also tests if one directory is a subdirectory of the other, and contains the same bug. So change it to use is_subdirectory(). Finally, move is_subdirectory() and related path_matches() and export_matches() earlier in the file to avoid a forward-reference. This patch fixes a bug wherein if you export "/" with 'crossmnt', the crossmnt flag is ineffective and you can only access the root filesystem, not any descendants. Acked-by: J. Bruce Fields Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit ffe1b3f8483c96e85409e5ea5ed69ab98128a3a1 Author: NeilBrown Date: Mon Dec 17 16:19:09 2012 -0500 mountd: fix checking for errors when exporting filesystems commit 5604b35a61e22930873ffc4e9971002f578e7978 nfs-utils: Increase the stdio file buffer size for procfs files changed writes to some sysfs files to be line buffered (_IOLBF) where they weren't before. While this probably makes sense, it introduced a bug. With fully buffered streams, you don't expect to get an error until you call fflush(). With line buffered streams you can get the error from fprintf() et al. qword_eol() only tests the return from fflush(), not from fprintf(). Consequently errors were not noticed. One result of this is that if you export, with crossmnt, a filesystem underneath which are mounted non-exportable filesystems (e.g. /proc) then an 'ls -l' on the client will block indefinitely waiting for a meaningful 'yes' or 'no' from the server, but will never get one. This patch changes qword_eol to test both fprintf and fflush. Acked-by: J. Bruce Fields Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit 11d4f1d2feae160caa35c4eb8565c969dc16a24d Author: Chuck Lever Date: Wed Dec 12 10:31:06 2012 -0500 mountd: Report the absolute path used to load the junction plug-in As a debugging feature, report the absolute pathname of the plug-in library that mountd loads to resolve junctions. Since mountd passes a relative path to dlopen(3), dlopen(3) must search for the right library. Displaying the absolute pathname of the object that it found verifies that mountd loaded the correct plug-in. Note: dlinfo(3) is provided by libdl, but there doesn't seem to be a man page on Fedora 16 for dlinfo(3). Instead, see: http://www.unix.com/man-page/all/3/dlinfo/ Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 3d0b8f58fbfa6e17c9b7ec7f73b5a3bb1fa81bcc Author: Chuck Lever Date: Wed Dec 12 10:30:25 2012 -0500 libexport.a: xtab.c no longer needs #include xmalloc.h Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit a36bdceb99f6f08c6a0659d2cb38a7bbd4871220 Author: Chuck Lever Date: Wed Dec 12 10:29:40 2012 -0500 libexport.a: rmtab.c no longer needs #include xmalloc.h Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 768ab6039b53d767158c50bcc5fceb2ec2516a8a Author: Chuck Lever Date: Wed Dec 12 10:26:59 2012 -0500 mountd: cache.c no longer needs #include xmalloc.h Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 2a23164bf5283df1ff60d8b678ac12e2e3883350 Author: Chuck Lever Date: Wed Dec 12 10:26:09 2012 -0500 mountd: auth.c no longer needs #include xmalloc.h Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson commit 7c5cb5e732a4b8704f8c79ec819c5d271e040339 Author: NeilBrown Date: Wed Nov 28 14:35:25 2012 -0500 gssd: base the size of the fd array on the RLIMIT_NOFILE limit. We have previously raised the size of the 'pollarray' once (32 -> 256) and I have had another request to make it bigger. Rather than changing the hard-coded value, make it depend on RLIMIT_NOFILE. This is an upper limit on the size of the array that can be passed to poll() anyway. Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit 19024076a7497a2423ff06d36496385f27395332 Author: NeilBrown Date: Wed Nov 28 14:33:59 2012 -0500 gssd_proc: remove pointless test against FD_ALLOC_BLOCK in process_pipedir I can see no possible point for this test against FD_ALLOC_BLOCK, so just remove the test. Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit c889e30a376e18fdef8ec74ade9897aa9e3d803a Author: NeilBrown Date: Wed Nov 28 14:32:00 2012 -0500 gssd_proc: use pollsize, not FD_ALLOC_BLOCK, in get_poll_index() get_poll_index wants to walk the entire "pollarray", but uses the constant FD_ALLOC_BLOCK, rather than the variable pollsize (which has the same value). If we want to make the size of the array variable, it is best not to use the constant. As pollsize is 'unsigned long', 'i' should be too. Signed-off-by: NeilBrown Signed-off-by: Steve Dickson commit a56989b6658c3555d965f51ff636754dec440e87 Author: Trond Myklebust Date: Wed Nov 28 14:30:07 2012 -0500 gssd: Handle the target name correctly The target name contains a hostname in the realm that we are authenticating to. Since we may be authenticating to a different realm than the default realm for the server, we should not assume that the target name and host name point to the same string. In fact, the kernel NFS client will always use its own hostname as the target name, since it is always authenticating to its own default realm. On the other hand, the NFS server's callback channel will pass the hostname of the NFS client that it is authenticating too (Section 3.4, RFC3530). This patch fixes the handling of the target name in process_krb5_upcall, and ensures that it gets passed to find_keytab_entry(). Signed-off-by: Trond Myklebust Signed-off-by: Steve Dickson commit a1f8afc560d59ddebd82b7620a1e70b5b0ca6216 Author: Trond Myklebust Date: Wed Nov 28 14:25:33 2012 -0500 gssd: Remove insane sanity checks of the service name Either we trust the info file, or we don't. The current 'checks' only work for the combination 'nfs', '100003' and a version number between 2 and 4. The problem is that the callback channel also wants to use 'nfs' in combination with a different program number and version number. This patch throws the bogus checks out altogether and lets the kernel use whatever combination it wants.... Signed-off-by: Trond Myklebust Signed-off-by: Steve Dickson commit bf64ebb2faaba0666068c502353fb0c49c23c756 Author: Jeff Layton Date: Wed Nov 28 14:03:55 2012 -0500 nfsdcltrack: skip "." and ".." when trying to clean out legacy recdir readdir picks up these two entries as "normal" dentries, but rmdir'ing them won't work (and we wouldn't want to remove them anyway). Signed-off-by: Jeff Layton Signed-off-by: Steve Dickson commit 5dfc6e239102e3a957c102f0ad194992361b3dc4 Author: Steve Dickson Date: Wed Nov 28 09:26:18 2012 -0500 mount.nfs: error message clean up. Remove a unnecessary newline in an error message. Signed-off-by: Steve Dickson commit 7600e19437e34585af1651bb73c6ae9d2951ede8 Author: Steve Dickson Date: Wed Nov 28 09:20:15 2012 -0500 mount.nfs: Continue to trying address when the server return EACCES With recent changes to the /etc/hosts file, the 'localhost' host name is now multiply defined as both an IPv4 address (127.0.01) and an IPv6 address (::1). This causes first address returned by getaddrinfo('localhost') to be the IPv6 address instead of the IPv4 address. The change in the default 'localhost' address type causes existing exports using '127.0.0.1' to fail, because the '::1' address is tried first and fails. The problem is not all the addresses in the address list are being tried. So this patch allows that address list to continue to be process when a 'EACCES' error is returned by the server. Signed-off-by: Steve Dickson commit cb3b81d6c4167ede8886115e271584a96ea55565 Author: J. Bruce Fields Date: Wed Nov 28 09:11:29 2012 -0500 mountd: auth_unix_ip should downcall on error to prevent hangs Since bf6a4febaa78bf188896b7b5b02c46562dd08b70 "mountd: handle allocation failures in auth_unix_ip upcall", a failure to map the address of an incoming client to a name could result in a hang. We should be responding with an error in the case, not just skipping the downcall and leaving everybody hanging. Signed-off-by: J. Bruce Fields Signed-off-by: Steve Dickson commit e07913c2c5e4dc5e406c2cb12cf78150cab3d95a Author: Steve Dickson Date: Sat Nov 17 08:50:09 2012 -0500 svcgssd: Encryption types not being parsed correctly When svcgssd reads the supported encrytion types from the kernel, they are prefixed with a 'enctypes='. That prefix has to be ignored to correctly parse the rest of the types. Signed-off-by: Steve Dickson