From 64520260f7ec98726921d39b11145e6875bcab45 Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Thu, 5 Jan 2023 11:32:43 +0100
Subject: [PATCH] nfsd: Do no try to us idmapd for sec=mariux

When the nfsd module parameter nfs4_disable_idmapping ist set, which is the default, than a user space idmapd is not required for AUTH_UNIX. The code used in nfsd to check whether the idmap cache and user space daemon should be used is
if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS)
However, we've added our own security flavor AUTH_MARIUX numerically after AUTH_GSS:
enum rpc_auth_flavors {
RPC_AUTH_NULL = 0,
RPC_AUTH_UNIX = 1,
RPC_AUTH_SHORT = 2,
RPC_AUTH_DES = 3,
RPC_AUTH_KRB = 4,
RPC_AUTH_GSS = 6,
RPC_AUTH_TLS = 7,
RPC_AUTH_MARIUX = 8,
RPC_AUTH_MAXFLAVOR = 9,
/* pseudoflavors: */
RPC_AUTH_GSS_KRB5 = 390003,
RPC_AUTH_GSS_KRB5I = 390004,
RPC_AUTH_GSS_KRB5P = 390005,
RPC_AUTH_GSS_LKEY = 390006,
RPC_AUTH_GSS_LKEYI = 390007,
RPC_AUTH_GSS_LKEYP = 390008,
RPC_AUTH_GSS_SPKM = 390009,
RPC_AUTH_GSS_SPKMI = 390010,
RPC_AUTH_GSS_SPKMP = 390011,
};
So the check fails for AUTH_MARIUX. Although it can and should work with numerical idents from the client, nfsd tries to use idmapd and this fails for certain operations, because we don't start idmapd in our environment Exlicitly allow RPC_AUTH_MARIUX to be used without idmapd.
---
 fs/nfsd/nfs4idmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
index f92161ce1f97d..d3eaa2a14ddd6 100644
--- a/fs/nfsd/nfs4idmap.c
+++ b/fs/nfsd/nfs4idmap.c
@@ -619,7 +619,7 @@ numeric_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namel
 static __be32
 do_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id)
 {
- if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS)
+ if (nfs4_disable_idmapping && (rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS || rqstp->rq_cred.cr_flavor == RPC_AUTH_MARIUX))
 if (numeric_name_to_id(rqstp, type, name, namelen, id))
 return 0;
 /*
@@ -632,7 +632,7 @@ do_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u
 static __be32 encode_name_from_id(struct xdr_stream *xdr,
 struct svc_rqst *rqstp, int type, u32 id)
 {
- if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS)
+ if (nfs4_disable_idmapping && (rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS || rqstp->rq_cred.cr_flavor == RPC_AUTH_MARIUX))
 return encode_ascii_id(xdr, id);
 return idmap_id_to_name(xdr, rqstp, type, id);
 }
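Review bot: The widened flavor test is written out twice, once in do_name_to_id and once in encode_name_from_id, on lines far past the kernel's usual width, and no comment in the code says why the out-of-tree flavor is exempt from the ordering check. This condition appears to decide when the server accepts numeric owner and group strings from the client without consulting idmapd, so it is better kept in one commented helper; otherwise the decode and encode paths can drift apart the next time a flavor is numbered after RPC_AUTH_GSS. The helper name in the sketch below is only a suggestion. do_name_to_id continues past the end of its hunk, so only its changed condition is shown.

```c
/*
 * Numeric ids are used when idmapping is disabled and the flavor is a
 * non-GSS one. RPC_AUTH_MARIUX is numbered after RPC_AUTH_GSS, so the
 * ordering test alone would miss it and it has to be named explicitly.
 */
static bool nfsd4_use_numeric_ids(const struct svc_rqst *rqstp)
{
	u32 flavor = rqstp->rq_cred.cr_flavor;

	return nfs4_disable_idmapping &&
	       (flavor < RPC_AUTH_GSS || flavor == RPC_AUTH_MARIUX);
}

/* … unchanged: do_name_to_id signature … */
	if (nfsd4_use_numeric_ids(rqstp))
		if (numeric_name_to_id(rqstp, type, name, namelen, id))
			return 0;
/* … unchanged: rest of do_name_to_id, outside the hunk … */

/* … unchanged: encode_name_from_id signature … */
	if (nfsd4_use_numeric_ids(rqstp))
		return encode_ascii_id(xdr, id);
/* … unchanged: idmap_id_to_name fallback … */
```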