Commit 3c34ae11 authored by J. Bruce Fields

nfsd: fix krb5 handling of anonymous principals

krb5 mounts started failing as of 683428fa "sunrpc: Update svcgss xdr
handle to rpsec_contect cache".

The problem is that mounts are usually done with some host principal
which isn't normally mapped to any user, in which case svcgssd passes
down uid -1, which the kernel is then expected to map to the
export-specific anonymous uid or gid.

The new uid_valid/gid_valid checks were therefore causing that downcall
to fail.

(Note the regression may not have been seen with older userspace that
tended to map unknown principals to an anonymous id on their own rather
than leaving it to the kernel.)

Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
parent 6dbe51c2
...@@ -447,17 +447,21 @@ static int rsc_parse(struct cache_detail *cd, ...@@ -447,17 +447,21 @@ static int rsc_parse(struct cache_detail *cd,
else { else {
int N, i; int N, i;
/*
* NOTE: we skip uid_valid()/gid_valid() checks here:
* instead, * -1 id's are later mapped to the
* (export-specific) anonymous id by nfsd_setuser.
*
* (But supplementary gid's get no such special
* treatment so are checked for validity here.)
*/
/* uid */ /* uid */
rsci.cred.cr_uid = make_kuid(&init_user_ns, id); rsci.cred.cr_uid = make_kuid(&init_user_ns, id);
if (!uid_valid(rsci.cred.cr_uid))
goto out;
/* gid */ /* gid */
if (get_int(&mesg, &id)) if (get_int(&mesg, &id))
goto out; goto out;
rsci.cred.cr_gid = make_kgid(&init_user_ns, id); rsci.cred.cr_gid = make_kgid(&init_user_ns, id);
if (!gid_valid(rsci.cred.cr_gid))
goto out;
/* number of additional gid's */ /* number of additional gid's */
if (get_int(&mesg, &N)) if (get_int(&mesg, &N))
......
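Review bot: with the uid_valid()/gid_valid() checks on rsci.cred.cr_uid and rsci.cred.cr_gid removed, the cached credential can now carry an invalid kuid/kgid, and correctness rests entirely on nfsd_setuser substituting the export-specific anonymous id before the credential is used. The new comment names that dependency, but it would help to also state that any other consumer of this cached cred must not act on cr_uid/cr_gid without the same mapping, so a later caller does not pick up an unmapped -1. Separately, the comment has a stray "*" mid-sentence ("instead, * -1 id's are later mapped to the"), apparently left from rewrapping; it should read "instead, -1 id's are later mapped to the".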