gssd: Fix handling of the gssname=<name> NFS mount option
If an NFS mount using "sec=krb5[ip],gssname=<name>" is done, the gssd daemon fails. There is a long delay (several seconds) in the gss_acquire_cred() call and then it returns success, but the credentials returned are junk. I have no idea how long this has been broken, due to some change in the Heimdal gssapi library call, but I suspect it has been quite some time.

Anyhow, it turns out that replacing the "desired_name" argument with GSS_C_NO_NAME fixes the problem. Replacing the argument should not be a problem, since the TGT for the host based initiator credential in the default keytab file should be the only TGT in gssd's credential cache (which is not the one for uid 0).

I will try and determine if FreeBSD13 and/or FreeBSD12 needs this same fix and will MFC if they need the fix.

This problem only affected Kerberized NFS mounts when the "gssname" mount option was used. Other Kerberized NFS mount cases already used GSS_C_NO_NAME and work ok.

A workaround if you do not have this patch is to do a "kinit -k host/FQDN" as root on the machine, followed by the Kerberized NFS mount without the "gssname" mount option.

MFC after: 1 month
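The fix above depends on an invariant stated in the commit message: the credential cache gssd uses holds only the host-based initiator TGT from the default keytab. The script below is an added example, not part of the FreeBSD commit or of gssd, that turns that invariant into a check over the text of `klist -c <cache>`. The two credential-cache listings are constructed (Heimdal-style layout) rather than captured from a real host, and the cache file name used in the usage note is an assumption; substitute whatever cache gssd is configured to use on your system.

```shell
#!/bin/sh
# Added example (not the FreeBSD project's code): verify that a Kerberos
# credential cache looks the way the gssd fix assumes, i.e. its default
# principal is host/... and it holds exactly one krbtgt entry.
# Input: the output of `klist -c <cache>` as a single string.

# Constructed sample: what a cache primed with `kinit -k host/FQDN`
# followed by an NFS mount is expected to look like.
SAMPLE_OK='Credentials cache: FILE:/tmp/krb5cc_gssd
        Principal: host/nfs.example.org@EXAMPLE.ORG

  Issued                Expires               Principal
Jan  2 09:00:00 2024  Jan  2 19:00:00 2024  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan  2 09:00:05 2024  Jan  2 19:00:00 2024  nfs/nfs.example.org@EXAMPLE.ORG'

# Constructed sample: a user cache (root) with two TGTs, which violates
# the invariant and is the kind of cache GSS_C_NO_NAME must not be used on.
SAMPLE_BAD='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@EXAMPLE.ORG

  Issued                Expires               Principal
Jan  2 09:00:00 2024  Jan  2 19:00:00 2024  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan  2 09:00:05 2024  Jan  2 19:00:00 2024  krbtgt/OTHER.ORG@EXAMPLE.ORG'

# gssd_ccache_ok KLIST_OUTPUT
# Exit status 0 when the default principal starts with "host/" and exactly
# one krbtgt credential is listed; 1 otherwise.
gssd_ccache_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "Principal:" && $2 ~ /^host\// { hostp = 1 }
        $NF ~ /^krbtgt\//                    { ntgt++ }
        END { exit !(hostp && ntgt == 1) }'
}

# Stand-alone run: report on both constructed samples.
if gssd_ccache_ok "$SAMPLE_OK"; then
    echo "SAMPLE_OK: cache matches the gssd invariant"
fi
if ! gssd_ccache_ok "$SAMPLE_BAD"; then
    echo "SAMPLE_BAD: cache violates the gssd invariant (not host/, or TGT count != 1)"
fi
```

Against a live system the check would be `gssd_ccache_ok "$(klist -c /tmp/krb5cc_gssd)"` (cache path assumed); a non-zero exit means gss_acquire_cred() with GSS_C_NO_NAME may pick up a credential other than the host-based one.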
This commit is contained in:
parent 4dd3e76881
commit c33509d49a
@ -847,7 +847,7 @@ gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struc
}
result->major_status = gss_acquire_cred(&result->minor_status,
desired_name, argp->time_req, argp->desired_mechs,
GSS_C_NO_NAME, argp->time_req, argp->desired_mechs,
argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n",
(unsigned int)result->major_status, (int)result->minor_status);
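Review bot: the call now passes GSS_C_NO_NAME in place of desired_name, but nothing at the call site in gssd_acquire_cred_1_svc says why the name the client supplied over RPC is ignored; add a comment stating the invariant the commit message relies on (gssd's credential cache holds only the host-based initiator TGT from the default keytab), otherwise the next reader will reinstate desired_name and bring back the slow acquire that returns junk credentials. Since desired_name is no longer consumed here, also check whether it is still imported earlier in the function and released afterwards for nothing (if it is kept for any other purpose, make sure the matching gss_release_name still runs), and consider extending the existing gssd_verbose_out("gssd_acquire_cred: done ...") line to record that the requested name was disregarded, so a mount with gssname=<name> that ends up with a different principal than it asked for is diagnosable from the verbose log.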