File 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch of Package nfs-utils.30711
From b41820042a63ceba39127efb0479faf4de0408c0 Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Mon, 17 Apr 2023 10:10:48 +1000
Subject: [PATCH] mountd: don't advertise krb5 for v4root when not configured.
If /etc/krb5.keytab does not exist, then krb5 cannot work, so
advertising it as an option for v4root is pointless.
Since linux commit 676e4ebd5f2c ("NFSD: SECINFO doesn't handle
unsupported pseudoflavors correctly") this can result in an unhelpful
warning if the krb5 code is not built, or built as a module which is not
installed.
So avoid advertising krb5 security options when krb5.keytab cannot be
found.
Link: https://lore.kernel.org/linux-nfs/20170104190327.v3wbpcbqtfa5jy7d@codemonkey.org.uk/
Signed-off-by: NeilBrown <neilb@suse.de>
---
support/include/pseudoflavors.h | 1 +
support/nfs/exports.c | 14 +++++++-------
utils/mountd/v4root.c | 2 ++
3 files changed, 10 insertions(+), 7 deletions(-)
--- a/support/include/pseudoflavors.h
+++ b/support/include/pseudoflavors.h
@@ -8,6 +8,7 @@
struct flav_info {
char *flavour;
int fnum;
+ int need_krb5;
};
extern struct flav_info flav_map[];
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -36,13 +36,13 @@
(NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK)
struct flav_info flav_map[] = {
- { "krb5", RPC_AUTH_GSS_KRB5 },
- { "krb5i", RPC_AUTH_GSS_KRB5I },
- { "krb5p", RPC_AUTH_GSS_KRB5P },
- { "unix", AUTH_UNIX },
- { "sys", AUTH_SYS },
- { "null", AUTH_NULL },
- { "none", AUTH_NONE },
+ { "krb5", RPC_AUTH_GSS_KRB5, 1},
+ { "krb5i", RPC_AUTH_GSS_KRB5I, 1},
+ { "krb5p", RPC_AUTH_GSS_KRB5P, 1},
+ { "unix", AUTH_UNIX, 0},
+ { "sys", AUTH_SYS, 0},
+ { "null", AUTH_NULL, 0},
+ { "none", AUTH_NONE, 0},
};
const int flav_map_size = sizeof(flav_map)/sizeof(flav_map[0]);
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -71,6 +71,8 @@ set_pseudofs_security(struct exportent *
if (!flav->fnum)
continue;
+ if (flav->need_krb5 && access("/etc/krb5.keytab", F_OK) != 0)
+ continue;
i = secinfo_addflavor(flav, pseudo);
new = &pseudo->e_secinfo[i];
