Blob Blame History Raw
diff -up nfs-utils-1.3.0/aclocal/libtirpc.m4.orig nfs-utils-1.3.0/aclocal/libtirpc.m4
--- nfs-utils-1.3.0/aclocal/libtirpc.m4.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/aclocal/libtirpc.m4	2016-04-15 11:42:49.532156526 -0400
@@ -2,61 +2,61 @@ dnl Checks for TI-RPC library and header
 dnl
 AC_DEFUN([AC_LIBTIRPC], [
 
+  AS_IF(
+    [test "$enable_tirpc" != "no"],
+    [PKG_CHECK_MODULES([TIRPC], [libtirpc],
+                      [LIBTIRPC="${TIRPC_LIBS}"
+                       AM_CPPFLAGS="${AM_CPPFLAGS} ${TIRPC_CFLAGS}"
+                       AC_DEFINE([HAVE_LIBTIRPC], [1],
+                                 [Define to 1 if you have and wish to use libtirpc.])],
+                      [AC_LIBTIRPC_OLD
+                       AS_IF([test "$enable_tirpc" = "yes" -a -z "${LIBTIRPC}"],
+                             [AC_MSG_ERROR([libtirpc not found.])])])])
+
+     AS_IF([test -n "${LIBTIRPC}"],
+           [AC_CHECK_LIB([tirpc], [authgss_free_private_data],
+                         [AC_DEFINE([HAVE_AUTHGSS_FREE_PRIVATE_DATA], [1],
+                                    [Define to 1 if your rpcsec library provides authgss_free_private_data])],,
+                         [${LIBS}])])
+
+     AS_IF([test -n "${LIBTIRPC}"],
+           [AC_CHECK_LIB([tirpc], [libtirpc_set_debug],
+                         [AC_DEFINE([HAVE_LIBTIRPC_SET_DEBUG], [1],
+                                    [Define to 1 if your tirpc library provides libtirpc_set_debug])],,
+                         [${LIBS}])])
+
+  AC_SUBST([AM_CPPFLAGS])
+  AC_SUBST(LIBTIRPC)
+
+])dnl
+
+dnl Old way of checking libtirpc without pkg-config
+dnl This can go away when virtually all libtirpc provide a .pc file
+dnl
+AC_DEFUN([AC_LIBTIRPC_OLD], [
+
   AC_ARG_WITH([tirpcinclude],
               [AC_HELP_STRING([--with-tirpcinclude=DIR],
                               [use TI-RPC headers in DIR])],
               [tirpc_header_dir=$withval],
               [tirpc_header_dir=/usr/include/tirpc])
 
-  dnl if --enable-tirpc was specifed, the following components
-  dnl must be present, and we set up HAVE_ macros for them.
-
-  if test "$enable_tirpc" != "no"; then
-
-    dnl look for the library
-    AC_CHECK_LIB([tirpc], [clnt_tli_create], [:],
-                 [if test "$enable_tirpc" = "yes"; then
-			AC_MSG_ERROR([libtirpc not found.])
-		  else
-			AC_MSG_WARN([libtirpc not found. TIRPC disabled!])
-			enable_tirpc="no"
-		  fi])
-  fi
-
-  if test "$enable_tirpc" != "no"; then
-
-    dnl Check if library contains authgss_free_private_data
-    AC_CHECK_LIB([tirpc], [authgss_free_private_data], [have_free_private_data=yes],
-			[have_free_private_data=no])
-  fi
-
-  if test "$enable_tirpc" != "no"; then
-    dnl also must have the headers installed where we expect
-    dnl look for headers; add -I compiler option if found
-    AC_CHECK_HEADERS([${tirpc_header_dir}/netconfig.h],
-    		      AC_SUBST([AM_CPPFLAGS], ["-I${tirpc_header_dir}"]),
-		      [if test "$enable_tirpc" = "yes"; then
-			 AC_MSG_ERROR([libtirpc headers not found.])
-		       else
-			 AC_MSG_WARN([libtirpc headers not found. TIRPC disabled!])
-			 enable_tirpc="no"
-		       fi])
-
-  fi
-
-  dnl now set $LIBTIRPC accordingly
-  if test "$enable_tirpc" != "no"; then
-    AC_DEFINE([HAVE_LIBTIRPC], 1,
-              [Define to 1 if you have and wish to use libtirpc.])
-    LIBTIRPC="-ltirpc"
-    if test "$have_free_private_data" = "yes"; then
-      AC_DEFINE([HAVE_AUTHGSS_FREE_PRIVATE_DATA], 1,
-	      [Define to 1 if your rpcsec library provides authgss_free_private_data,])
-    fi
-  else
-    LIBTIRPC=""
-  fi
-
-  AC_SUBST(LIBTIRPC)
+  dnl Look for the library
+  AC_CHECK_LIB([tirpc], [clnt_tli_create],
+               [has_libtirpc="yes"],
+               [has_libtirpc="no"])
+
+  dnl Also must have the headers installed where we expect
+  dnl to look for headers; add -I compiler option if found
+  AS_IF([test "$has_libtirpc" = "yes"],
+        [AC_CHECK_HEADERS([${tirpc_header_dir}/netconfig.h],
+                          [AC_SUBST([AM_CPPFLAGS], ["-I${tirpc_header_dir}"])],
+                          [has_libtirpc="no"])])
+
+  dnl Now set $LIBTIRPC accordingly
+  AS_IF([test "$has_libtirpc" = "yes"],
+        [AC_DEFINE([HAVE_LIBTIRPC], [1],
+                   [Define to 1 if you have and wish to use libtirpc.])
+         LIBTIRPC="-ltirpc"])
 
 ])dnl
diff -up nfs-utils-1.3.0/support/include/nfslib.h.orig nfs-utils-1.3.0/support/include/nfslib.h
--- nfs-utils-1.3.0/support/include/nfslib.h.orig	2016-04-15 11:42:13.930460892 -0400
+++ nfs-utils-1.3.0/support/include/nfslib.h	2016-04-15 11:42:38.365938345 -0400
@@ -17,6 +17,7 @@
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <stdio.h>
+#include <stdbool.h>
 #include <paths.h>
 #include <rpcsvc/nfs_prot.h>
 #include <nfs/nfs.h>
@@ -129,8 +130,8 @@ void			fendrmtabent(FILE *fp);
 void			frewindrmtabent(FILE *fp);
 
 /* mydaemon */
-void mydaemon(int nochdir, int noclose, int *pipefds);
-void release_parent(int *pipefds);
+void daemon_init(bool fg);
+void daemon_ready(void);
 
 /*
  * wildmat borrowed from INN
@@ -182,6 +183,9 @@ size_t  strlcpy(char *, const char *, si
 ssize_t atomicio(ssize_t (*f) (int, void*, size_t),
 		 int, void *, size_t);
 
+#ifdef HAVE_LIBTIRPC_SET_DEBUG
+void  libtirpc_set_debug(char *name, int level, int use_stderr);
+#endif
 
 #define UNUSED(x) UNUSED_ ## x __attribute__((unused))
 
diff -up nfs-utils-1.3.0/support/nfs/mydaemon.c.orig nfs-utils-1.3.0/support/nfs/mydaemon.c
--- nfs-utils-1.3.0/support/nfs/mydaemon.c.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/support/nfs/mydaemon.c	2016-04-15 11:42:38.366938365 -0400
@@ -46,56 +46,61 @@
 #include <errno.h>
 #include <unistd.h>
 #include <stdio.h>
+#include <stdbool.h>
 #include <stdlib.h>
 #include <string.h>
 #include <xlog.h>
 
+#include "nfslib.h"
+
+static int pipefds[2] = { -1, -1};
+
 /**
- * mydaemon - daemonize, but have parent wait to exit
- * @nochdir:	skip chdir()'ing the child to / after forking if true
- * @noclose:	skip closing stdin/stdout/stderr if true
- * @pipefds:	pointer to 2 element array of pipefds
+ * daemon_init - initial daemon setup
+ * @fg:		whether to run in the foreground
  *
  * This function is like daemon(), but with our own special sauce to delay
  * the exit of the parent until the child is set up properly. A pipe is created
  * between parent and child. The parent process will wait to exit until the
- * child dies or writes a '1' on the pipe signaling that it started
- * successfully.
+ * child dies or writes an int on the pipe signaling its status.
  */
 void
-mydaemon(int nochdir, int noclose, int *pipefds)
+daemon_init(bool fg)
 {
 	int pid, status, tempfd;
 
+	if (fg)
+		return;
+
 	if (pipe(pipefds) < 0) {
 		xlog_err("mydaemon: pipe() failed: errno %d (%s)\n",
 			 errno, strerror(errno));
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
-	if ((pid = fork ()) < 0) {
+
+	pid = fork();
+	if (pid < 0) {
 		xlog_err("mydaemon: fork() failed: errno %d (%s)\n",
 			 errno, strerror(errno));
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 
-	if (pid != 0) {
-		/*
-		 * Parent. Wait for status from child.
-		 */
+	if (pid > 0) {
+		/* Parent */
 		close(pipefds[1]);
-		if (read(pipefds[0], &status, 1) != 1)
-			exit(1);
-		exit (0);
+		if (read(pipefds[0], &status, sizeof(status)) != sizeof(status))
+			exit(EXIT_FAILURE);
+		exit(status);
 	}
-	/* Child.	*/
+
+	/* Child */
 	close(pipefds[0]);
 	setsid ();
-	if (nochdir == 0) {
-		if (chdir ("/") == -1) {
-			xlog_err("mydaemon: chdir() failed: errno %d (%s)\n",
-				 errno, strerror(errno));
-			exit(1);
-		}
+
+	if (chdir ("/")) {
+		xlog_err("mydaemon: chdir() failed: errno %d (%s)\n",
+			 errno, strerror(errno));
+		exit(EXIT_FAILURE);
 	}
 
 	while (pipefds[1] <= 2) {
@@ -103,41 +108,39 @@ mydaemon(int nochdir, int noclose, int *
 		if (pipefds[1] < 0) {
 			xlog_err("mydaemon: dup() failed: errno %d (%s)\n",
 				 errno, strerror(errno));
-			exit(1);
+			exit(EXIT_FAILURE);
 		}
 	}
 
-	if (noclose == 0) {
-		tempfd = open("/dev/null", O_RDWR);
-		if (tempfd >= 0) {
-			dup2(tempfd, 0);
-			dup2(tempfd, 1);
-			dup2(tempfd, 2);
-			close(tempfd);
-		} else {
-			xlog_err("mydaemon: can't open /dev/null: errno %d "
-				 "(%s)\n", errno, strerror(errno));
-			exit(1);
-		}
+	tempfd = open("/dev/null", O_RDWR);
+	if (tempfd < 0) {
+		xlog_err("mydaemon: can't open /dev/null: errno %d "
+			 "(%s)\n", errno, strerror(errno));
+		exit(EXIT_FAILURE);
 	}
 
-	return;
+	dup2(tempfd, 0);
+	dup2(tempfd, 1);
+	dup2(tempfd, 2);
+	closelog();
+	dup2(pipefds[1], 3);
+	pipefds[1] = 3;
+	closeall(4);
 }
 
 /**
- * release_parent - tell the parent that it can exit now
- * @pipefds:	pipefd array that was previously passed to mydaemon()
+ * daemon_ready - tell interested parties that the daemon is ready
  *
- * This function tells the parent process of mydaemon() that it's now clear
- * to exit(0).
+ * This function tells e.g. the parent process that the daemon is up
+ * and running.
  */
 void
-release_parent(int *pipefds)
+daemon_ready(void)
 {
-	int status;
+	int status = 0;
 
 	if (pipefds[1] > 0) {
-		if (write(pipefds[1], &status, 1) != 1) {
+		if (write(pipefds[1], &status, sizeof(status)) != sizeof(status)) {
 			xlog_err("WARN: writing to parent pipe failed: errno "
 				 "%d (%s)\n", errno, strerror(errno));
 		}
diff -up nfs-utils-1.3.0/support/nfs/svc_create.c.orig nfs-utils-1.3.0/support/nfs/svc_create.c
--- nfs-utils-1.3.0/support/nfs/svc_create.c.orig	2016-04-15 11:42:13.931460911 -0400
+++ nfs-utils-1.3.0/support/nfs/svc_create.c	2016-04-15 11:42:38.366938365 -0400
@@ -133,7 +133,7 @@ svc_create_bindaddr(struct netconfig *nc
 		hint.ai_family = AF_INET6;
 #endif	/* IPV6_SUPPORTED */
 	else {
-		xlog(D_GENERAL, "Unrecognized bind address family: %s",
+		xlog(L_ERROR, "Unrecognized bind address family: %s",
 			nconf->nc_protofmly);
 		return NULL;
 	}
@@ -143,7 +143,7 @@ svc_create_bindaddr(struct netconfig *nc
 	else if (strcmp(nconf->nc_proto, NC_TCP) == 0)
 		hint.ai_protocol = (int)IPPROTO_TCP;
 	else {
-		xlog(D_GENERAL, "Unrecognized bind address protocol: %s",
+		xlog(L_ERROR, "Unrecognized bind address protocol: %s",
 			nconf->nc_proto);
 		return NULL;
 	}
@@ -275,7 +275,7 @@ svc_create_nconf_rand_port(const char *n
 	xprt = svc_tli_create(RPC_ANYFD, nconf, &bindaddr, 0, 0);
 	freeaddrinfo(ai);
 	if (xprt == NULL) {
-		xlog(D_GENERAL, "Failed to create listener xprt "
+		xlog(L_ERROR, "Failed to create listener xprt "
 			"(%s, %u, %s)", name, version, nconf->nc_netid);
 		return 0;
 	}
@@ -286,10 +286,12 @@ svc_create_nconf_rand_port(const char *n
 		return 0;
 	}
 
+	rpc_createerr.cf_stat = rpc_createerr.cf_error.re_errno = 0;
 	if (!svc_reg(xprt, program, version, dispatch, nconf)) {
 		/* svc_reg(3) destroys @xprt in this case */
-		xlog(D_GENERAL, "Failed to register (%s, %u, %s)",
-				name, version, nconf->nc_netid);
+		xlog(L_ERROR, "Failed to register (%s, %u, %s): %s",
+				name, version, nconf->nc_netid, 
+				clnt_spcreateerror("svc_reg() err"));
 		return 0;
 	}
 
diff -up nfs-utils-1.3.0/support/nfs/svc_socket.c.orig nfs-utils-1.3.0/support/nfs/svc_socket.c
--- nfs-utils-1.3.0/support/nfs/svc_socket.c.orig	2016-04-15 11:42:13.931460911 -0400
+++ nfs-utils-1.3.0/support/nfs/svc_socket.c	2016-04-15 11:42:38.367938385 -0400
@@ -24,6 +24,7 @@
 #include <sys/socket.h>
 #include <sys/fcntl.h>
 #include <errno.h>
+#include "xlog.h"
 
 #ifdef _LIBC
 # include <libintl.h>
@@ -90,9 +91,9 @@ svcsock_nonblock(int sock)
 	 * connection.
 	 */
 	if ((flags = fcntl(sock, F_GETFL)) < 0)
-		perror(_("svc_socket: can't get socket flags"));
+		xlog(L_ERROR, "svc_socket: can't get socket flags: %m");
 	else if (fcntl(sock, F_SETFL, flags|O_NONBLOCK) < 0)
-		perror(_("svc_socket: can't set socket flags"));
+		xlog(L_ERROR, "svc_socket: can't set socket flags: %m");
 	else
 		return sock;
 
@@ -110,7 +111,7 @@ svc_socket (u_long number, int type, int
 
   if ((sock = __socket (AF_INET, type, protocol)) < 0)
     {
-      perror (_("svc_socket: socket creation problem"));
+      xlog(L_ERROR, "svc_socket: socket creation problem: %m");
       return sock;
     }
 
@@ -121,7 +122,7 @@ svc_socket (u_long number, int type, int
 			sizeof (ret));
       if (ret < 0)
 	{
-	  perror (_("svc_socket: socket reuse problem"));
+	  xlog(L_ERROR, "svc_socket: socket reuse problem: %m");
 	  return ret;
 	}
     }
@@ -132,7 +133,7 @@ svc_socket (u_long number, int type, int
 
   if (bind(sock, (struct sockaddr *) &addr, len) < 0)
     {
-      perror (_("svc_socket: bind problem"));
+      xlog(L_ERROR, "svc_socket: bind problem: %m");
       (void) __close(sock);
       sock = -1;
     }
diff -up nfs-utils-1.3.0/utils/gssd/context_heimdal.c.orig nfs-utils-1.3.0/utils/gssd/context_heimdal.c
--- nfs-utils-1.3.0/utils/gssd/context_heimdal.c.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/utils/gssd/context_heimdal.c	2016-04-15 11:42:38.367938385 -0400
@@ -260,7 +260,7 @@ serialize_krb5_ctx(gss_ctx_id_t *_ctx, g
 	if (write_heimdal_seq_key(&p, end, ctx)) goto out_err;
 
 	buf->length = p - (char *)buf->value;
-	printerr(2, "serialize_krb5_ctx: returning buffer "
+	printerr(4, "serialize_krb5_ctx: returning buffer "
 		    "with %d bytes\n", buf->length);
 
 	return 0;
diff -up nfs-utils-1.3.0/utils/gssd/context_lucid.c.orig nfs-utils-1.3.0/utils/gssd/context_lucid.c
--- nfs-utils-1.3.0/utils/gssd/context_lucid.c.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/utils/gssd/context_lucid.c	2016-04-15 11:42:38.367938385 -0400
@@ -206,7 +206,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
 	if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
 
 	/* Protocol 0 here implies DES3 or RC4 */
-	printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);
+	printerr(4, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);
 	if (lctx->protocol == 0) {
 		enctype = lctx->rfc1964_kd.ctx_key.type;
 		keysize = lctx->rfc1964_kd.ctx_key.length;
@@ -219,7 +219,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
 			keysize = lctx->cfx_kd.ctx_key.length;
 		}
 	}
-	printerr(2, "%s: serializing key with enctype %d and size %d\n",
+	printerr(4, "%s: serializing key with enctype %d and size %d\n",
 		 __FUNCTION__, enctype, keysize);
 
 	if (WRITE_BYTES(&p, end, enctype)) goto out_err;
@@ -265,7 +265,7 @@ serialize_krb5_ctx(gss_ctx_id_t *ctx, gs
 	gss_krb5_lucid_context_v1_t *lctx = 0;
 	int retcode = 0;
 
-	printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__);
+	printerr(4, "DEBUG: %s: lucid version!\n", __FUNCTION__);
 	maj_stat = gss_export_lucid_sec_context(&min_stat, ctx,
 						1, &return_ctx);
 	if (maj_stat != GSS_S_COMPLETE) {
diff -up nfs-utils-1.3.0/utils/gssd/gssd.c.orig nfs-utils-1.3.0/utils/gssd/gssd.c
--- nfs-utils-1.3.0/utils/gssd/gssd.c.orig	2016-04-15 11:42:13.917460638 -0400
+++ nfs-utils-1.3.0/utils/gssd/gssd.c	2016-04-15 11:42:38.369938424 -0400
@@ -1,7 +1,7 @@
 /*
   gssd.c
 
-  Copyright (c) 2000 The Regents of the University of Michigan.
+  Copyright (c) 2000, 2004 The Regents of the University of Michigan.
   All rights reserved.
 
   Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>.
@@ -40,9 +40,18 @@
 #include <config.h>
 #endif	/* HAVE_CONFIG_H */
 
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
 #include <sys/param.h>
 #include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/inotify.h>
 #include <rpc/rpc.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 
 #include <unistd.h>
 #include <err.h>
@@ -51,41 +60,684 @@
 #include <stdlib.h>
 #include <string.h>
 #include <signal.h>
+#include <memory.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <netdb.h>
+#include <event.h>
+
 #include "gssd.h"
 #include "err_util.h"
 #include "gss_util.h"
 #include "krb5_util.h"
 #include "nfslib.h"
 
-char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_DIR;
-char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
-char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR;
-char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
+static char *pipefs_path = GSSD_PIPEFS_DIR;
+static DIR *pipefs_dir;
+static int pipefs_fd;
+static int inotify_fd;
+struct event inotify_ev;
+
+char *keytabfile = GSSD_DEFAULT_KEYTAB_FILE;
+char **ccachesearch;
 int  use_memcache = 0;
 int  root_uses_machine_creds = 1;
 unsigned int  context_timeout = 0;
 unsigned int  rpc_timeout = 5;
 char *preferred_realm = NULL;
-int pipefds[2] = { -1, -1 };
+/* Avoid DNS reverse lookups on server names */
+static bool avoid_dns = true;
+
+
+TAILQ_HEAD(topdir_list_head, topdir) topdir_list;
+
+struct topdir {
+	TAILQ_ENTRY(topdir) list;
+	TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list;
+	int wd;
+	char name[];
+};
+
+/*
+ * topdir_list:
+ *	linked list of struct topdir with basic data about a topdir.
+ *
+ * clnt_list:
+ *      linked list of struct clnt_info with basic data about a clntXXX dir,
+ *      one per topdir.
+ *
+ * Directory structure: created by the kernel
+ *      {rpc_pipefs}/{topdir}/clntXX      : one per rpc_clnt struct in the kernel
+ *      {rpc_pipefs}/{topdir}/clntXX/krb5 : read uid for which kernel wants
+ *					    a context, write the resulting context
+ *      {rpc_pipefs}/{topdir}/clntXX/info : stores info such as server name
+ *      {rpc_pipefs}/{topdir}/clntXX/gssd : pipe for all gss mechanisms using
+ *					    a text-based string of parameters
+ *
+ * Algorithm:
+ *      Poll all {rpc_pipefs}/{topdir}/clntXX/YYYY files.  When data is ready,
+ *      read and process; performs rpcsec_gss context initialization protocol to
+ *      get a cred for that user.  Writes result to corresponding krb5 file
+ *      in a form the kernel code will understand.
+ *      In addition, we make sure we are notified whenever anything is
+ *      created or destroyed in {rpc_pipefs} or in any of the clntXX directories,
+ *      and rescan the whole {rpc_pipefs} when this happens.
+ */
+
+/*
+ * convert a presentation address string to a sockaddr_storage struct. Returns
+ * true on success or false on failure.
+ *
+ * Note that we do not populate the sin6_scope_id field here for IPv6 addrs.
+ * gssd nececessarily relies on hostname resolution and DNS AAAA records
+ * do not generally contain scope-id's. This means that GSSAPI auth really
+ * can't work with IPv6 link-local addresses.
+ *
+ * We *could* consider changing this if we did something like adopt the
+ * Microsoft "standard" of using the ipv6-literal.net domainname, but it's
+ * not really feasible at present.
+ */
+static bool
+gssd_addrstr_to_sockaddr(struct sockaddr *sa, const char *node, const char *port)
+{
+	int rc;
+	struct addrinfo *res;
+	struct addrinfo hints = { .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV };
+
+#ifndef IPV6_SUPPORTED
+	hints.ai_family = AF_INET;
+#endif /* IPV6_SUPPORTED */
+
+	rc = getaddrinfo(node, port, &hints, &res);
+	if (rc) {
+		printerr(0, "ERROR: unable to convert %s|%s to sockaddr: %s\n",
+			 node, port,
+			 rc == EAI_SYSTEM ? strerror(errno) : gai_strerror(rc));
+		return false;
+	}
+
+#ifdef IPV6_SUPPORTED
+	/*
+	 * getnameinfo ignores the scopeid. If the address turns out to have
+	 * a non-zero scopeid, we can't use it -- the resolved host might be
+	 * completely different from the one intended.
+	 */
+	if (res->ai_addr->sa_family == AF_INET6) {
+		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr;
+		if (sin6->sin6_scope_id) {
+			printerr(0, "ERROR: address %s has non-zero "
+				    "sin6_scope_id!\n", node);
+			freeaddrinfo(res);
+			return false;
+		}
+	}
+#endif /* IPV6_SUPPORTED */
+
+	memcpy(sa, res->ai_addr, res->ai_addrlen);
+	freeaddrinfo(res);
+	return true;
+}
+
+/*
+ * convert a sockaddr to a hostname
+ */
+static char *
+gssd_get_servername(const char *name, const struct sockaddr *sa, const char *addr)
+{
+	socklen_t		addrlen;
+	int			err;
+	char			hbuf[NI_MAXHOST];
+	unsigned char		buf[sizeof(struct in6_addr)];
+
+	while (avoid_dns) {
+		/*
+		 * Determine if this is a server name, or an IP address.
+		 * If it is an IP address, do the DNS lookup otherwise
+		 * skip the DNS lookup.
+		 */
+		if (strchr(name, '.') == NULL)
+			break; /* local name */
+		else if (inet_pton(AF_INET, name, buf) == 1)
+			break; /* IPv4 address */
+		else if (inet_pton(AF_INET6, name, buf) == 1)
+			break; /* IPv6 addrss */
+
+		return strdup(name);
+	}
+
+	switch (sa->sa_family) {
+	case AF_INET:
+		addrlen = sizeof(struct sockaddr_in);
+		break;
+#ifdef IPV6_SUPPORTED
+	case AF_INET6:
+		addrlen = sizeof(struct sockaddr_in6);
+		break;
+#endif /* IPV6_SUPPORTED */
+	default:
+		printerr(0, "ERROR: unrecognized addr family %d\n",
+			 sa->sa_family);
+		return NULL;
+	}
+
+	err = getnameinfo(sa, addrlen, hbuf, sizeof(hbuf), NULL, 0,
+			  NI_NAMEREQD);
+	if (err) {
+		printerr(0, "ERROR: unable to resolve %s to hostname: %s\n",
+			 addr, err == EAI_SYSTEM ? strerror(errno) :
+						   gai_strerror(err));
+		return NULL;
+	}
+
+	return strdup(hbuf);
+}
+
+static void
+gssd_read_service_info(int dirfd, struct clnt_info *clp)
+{
+	int fd;
+	FILE *info = NULL;
+	int numfields;
+	char *server = NULL;
+	char *service = NULL;
+	int program;
+	int version;
+	char *address = NULL;
+	char *protoname = NULL;
+	char *port = NULL;
+	char *servername = NULL;
+
+	fd = openat(dirfd, "info", O_RDONLY);
+	if (fd < 0) {
+		printerr(0, "ERROR: can't open %s/info: %s\n",
+			 clp->relpath, strerror(errno));
+		goto fail;
+	}
+
+	info = fdopen(fd, "r");
+	if (!info) {
+		printerr(0, "ERROR: can't fdopen %s/info: %s\n",
+			 clp->relpath, strerror(errno));
+		close(fd);
+		goto fail;
+	}
+
+	/*
+	 * Some history:
+	 *
+	 * The first three lines were added with rpc_pipefs in 2003-01-13.
+	 * (commit af2f003391786fb632889c02142c941b212ba4ff)
+	 * 
+	 * The 'protocol' line was added in 2003-06-11.
+	 * (commit 9bd741ae48785d0c0e75cf906ff66f893d600c2d)
+	 *
+	 * The 'port' line was added in 2007-09-26.
+	 * (commit bf19aacecbeebccb2c3d150a8bd9416b7dba81fe)
+	 */
+	numfields = fscanf(info,
+			   "RPC server: %ms\n"
+			   "service: %ms (%d) version %d\n"
+			   "address: %ms\n"
+			   "protocol: %ms\n"
+			   "port: %ms\n",
+			   &server,
+			   &service, &program, &version,
+			   &address,
+			   &protoname,
+			   &port);
+
+
+	switch (numfields) {
+	case 5:
+		protoname = strdup("tcp");
+		if (!protoname)
+			goto fail;
+		/* fall through */
+	case 6:
+		/* fall through */
+	case 7:
+		break;
+	default:
+		goto fail;
+	}
+
+	if (!gssd_addrstr_to_sockaddr((struct sockaddr *)&clp->addr,
+				 address, port ? port : ""))
+		goto fail;
+
+	servername = gssd_get_servername(server, (struct sockaddr *)&clp->addr, address);
+	if (!servername)
+		goto fail;
+
+	if (asprintf(&clp->servicename, "%s@%s", service, servername) < 0)
+		goto fail;
+
+	clp->servername = servername;
+	clp->prog = program;
+	clp->vers = version;
+	clp->protocol = protoname;
+
+	goto out;
+
+fail:
+	printerr(0, "ERROR: failed to parse %s/info\n", clp->relpath);
+	free(servername);
+	free(protoname);
+	clp->servicename = NULL;
+	clp->servername = NULL;
+	clp->prog = 0;
+	clp->vers = 0;
+	clp->protocol = NULL;
+out:
+	if (info)
+		fclose(info);
+
+	free(server);
+	free(service);
+	free(address);
+	free(port);
+}
+
+static void
+gssd_destroy_client(struct clnt_info *clp)
+{
+	if (clp->krb5_fd >= 0) {
+		close(clp->krb5_fd);
+		event_del(&clp->krb5_ev);
+	}
+
+	if (clp->gssd_fd >= 0) {
+		close(clp->gssd_fd);
+		event_del(&clp->gssd_ev);
+	}
+
+	inotify_rm_watch(inotify_fd, clp->wd);
+	free(clp->relpath);
+	free(clp->servicename);
+	free(clp->servername);
+	free(clp->protocol);
+	free(clp);
+}
+
+static void gssd_scan(void);
+
+static void
+gssd_clnt_gssd_cb(int UNUSED(fd), short UNUSED(which), void *data)
+{
+	struct clnt_info *clp = data;
+
+	handle_gssd_upcall(clp);
+}
+
+static void
+gssd_clnt_krb5_cb(int UNUSED(fd), short UNUSED(which), void *data)
+{
+	struct clnt_info *clp = data;
+
+	handle_krb5_upcall(clp);
+}
+
+static struct clnt_info *
+gssd_get_clnt(struct topdir *tdi, const char *name)
+{
+	struct clnt_info *clp;
+
+	TAILQ_FOREACH(clp, &tdi->clnt_list, list)
+		if (!strcmp(clp->name, name))
+			return clp;
+
+	clp = calloc(1, sizeof(struct clnt_info));
+	if (!clp) {
+		printerr(0, "ERROR: can't malloc clnt_info: %s\n",
+			 strerror(errno));
+		return NULL;
+	}
+
+	if (asprintf(&clp->relpath, "%s/%s", tdi->name, name) < 0) {
+		clp->relpath = NULL;
+		goto out;
+	}
+
+	clp->wd = inotify_add_watch(inotify_fd, clp->relpath, IN_CREATE | IN_DELETE);
+	if (clp->wd < 0) {
+		if (errno != ENOENT)
+			printerr(0, "ERROR: inotify_add_watch failed for %s: %s\n",
+			 	clp->relpath, strerror(errno));
+		goto out;
+	}
+
+	clp->name = clp->relpath + strlen(tdi->name) + 1;
+	clp->krb5_fd = -1;
+	clp->gssd_fd = -1;
+
+	TAILQ_INSERT_HEAD(&tdi->clnt_list, clp, list);
+	return clp;
+
+out:
+	free(clp->relpath);
+	free(clp);
+	return NULL;
+}
+
+static int
+gssd_scan_clnt(struct clnt_info *clp)
+{
+	int clntfd;
+	bool gssd_was_closed;
+	bool krb5_was_closed;
+
+	gssd_was_closed = clp->gssd_fd < 0 ? true : false;
+	krb5_was_closed = clp->krb5_fd < 0 ? true : false;
+
+	clntfd = openat(pipefs_fd, clp->relpath, O_RDONLY);
+	if (clntfd < 0) {
+		printerr(0, "ERROR: can't openat %s: %s\n",
+			 clp->relpath, strerror(errno));
+		return -1;
+	}
+
+	if (clp->gssd_fd == -1)
+		clp->gssd_fd = openat(clntfd, "gssd", O_RDWR | O_NONBLOCK);
+
+	if (clp->gssd_fd == -1 && clp->krb5_fd == -1)
+		clp->krb5_fd = openat(clntfd, "krb5", O_RDWR | O_NONBLOCK);
+
+	if (gssd_was_closed && clp->gssd_fd >= 0) {
+		event_set(&clp->gssd_ev, clp->gssd_fd, EV_READ | EV_PERSIST,
+			  gssd_clnt_gssd_cb, clp);
+		event_add(&clp->gssd_ev, NULL);
+	}
+
+	if (krb5_was_closed && clp->krb5_fd >= 0) {
+		event_set(&clp->krb5_ev, clp->krb5_fd, EV_READ | EV_PERSIST,
+			  gssd_clnt_krb5_cb, clp);
+		event_add(&clp->krb5_ev, NULL);
+	}
+
+	if (clp->krb5_fd == -1 && clp->gssd_fd == -1)
+		/* not fatal, files might appear later */
+		goto out;
+
+	if (clp->prog == 0)
+		gssd_read_service_info(clntfd, clp);
+
+out:
+	close(clntfd);
+	clp->scanned = true;
+	return 0;
+}
+
+static int
+gssd_create_clnt(struct topdir *tdi, const char *name)
+{
+	struct clnt_info *clp;
+
+	clp = gssd_get_clnt(tdi, name);
+	if (!clp)
+		return -1;
+
+	return gssd_scan_clnt(clp);
+}
 
-void
+static struct topdir *
+gssd_get_topdir(const char *name)
+{
+	struct topdir *tdi;
+
+	TAILQ_FOREACH(tdi, &topdir_list, list)
+		if (!strcmp(tdi->name, name))
+			return tdi;
+
+	tdi = malloc(sizeof(*tdi) + strlen(name) + 1);
+	if (!tdi) {
+		printerr(0, "ERROR: Couldn't allocate struct topdir\n");
+		return NULL;
+	}
+
+	tdi->wd = inotify_add_watch(inotify_fd, name, IN_CREATE);
+	if (tdi->wd < 0) {
+		printerr(0, "ERROR: inotify_add_watch failed for top dir %s: %s\n",
+			 tdi->name, strerror(errno));
+		free(tdi);
+		return NULL;
+	}
+
+	strcpy(tdi->name, name);
+	TAILQ_INIT(&tdi->clnt_list);
+
+	TAILQ_INSERT_HEAD(&topdir_list, tdi, list);
+	return tdi;
+}
+
+static void
+gssd_scan_topdir(const char *name)
+{
+	struct topdir *tdi;
+	int dfd;
+	DIR *dir;
+	struct clnt_info *clp;
+	struct dirent *d;
+
+	tdi = gssd_get_topdir(name);
+	if (!tdi)
+		return;
+
+	dfd = openat(pipefs_fd, tdi->name, O_RDONLY);
+	if (dfd < 0) {
+		printerr(0, "ERROR: can't openat %s: %s\n",
+			 tdi->name, strerror(errno));
+		return;
+	}
+
+	dir = fdopendir(dfd);
+	if (!dir) {
+		printerr(0, "ERROR: can't fdopendir %s: %s\n",
+			 tdi->name, strerror(errno));
+		return;
+	}
+
+	TAILQ_FOREACH(clp, &tdi->clnt_list, list)
+		clp->scanned = false;
+
+	while ((d = readdir(dir))) {
+		if (d->d_type != DT_DIR)
+			continue;
+
+		if (strncmp(d->d_name, "clnt", strlen("clnt")))
+			continue;
+
+		gssd_create_clnt(tdi, d->d_name);
+	}
+
+	closedir(dir);
+
+	TAILQ_FOREACH(clp, &tdi->clnt_list, list) {
+		void *saveprev;
+
+		if (clp->scanned)
+			continue;
+
+		printerr(3, "destroying client %s\n", clp->relpath);
+		saveprev = clp->list.tqe_prev;
+		TAILQ_REMOVE(&tdi->clnt_list, clp, list);
+		gssd_destroy_client(clp);
+		clp = saveprev;
+	}
+}
+
+static void
+gssd_scan(void)
+{
+	struct dirent *d;
+
+	printerr(3, "doing a full rescan\n");
+	rewinddir(pipefs_dir);
+
+	while ((d = readdir(pipefs_dir))) {
+		if (d->d_type != DT_DIR)
+			continue;
+
+		if (d->d_name[0] == '.')
+			continue;
+
+		gssd_scan_topdir(d->d_name);
+	}
+
+	if (TAILQ_EMPTY(&topdir_list)) {
+		printerr(0, "ERROR: the rpc_pipefs directory is empty!\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+static void
+gssd_scan_cb(int UNUSED(fd), short UNUSED(which), void *UNUSED(data))
+{
+	gssd_scan();
+}
+
+static bool
+gssd_inotify_topdir(struct topdir *tdi, const struct inotify_event *ev)
+{
+	printerr(5, "inotify event for topdir (%s) - "
+		 "ev->wd (%d) ev->name (%s) ev->mask (0x%08x)\n",
+		 tdi->name, ev->wd, ev->len > 0 ? ev->name : "<?>", ev->mask);
+
+	if (ev->mask & IN_IGNORED) {
+		printerr(0, "ERROR: topdir disappeared!\n");
+		return false;
+	}
+
+	if (ev->len == 0)
+		return false;
+
+	if (ev->mask & IN_CREATE) {
+		if (!(ev->mask & IN_ISDIR))
+			return true;
+
+		if (strncmp(ev->name, "clnt", strlen("clnt")))
+			return true;
+
+		if (gssd_create_clnt(tdi, ev->name))
+			return false;
+
+		return true;
+	} 
+
+	return false;
+}
+
+static bool
+gssd_inotify_clnt(struct topdir *tdi, struct clnt_info *clp, const struct inotify_event *ev)
+{
+	printerr(5, "inotify event for clntdir (%s) - "
+		 "ev->wd (%d) ev->name (%s) ev->mask (0x%08x)\n",
+		 clp->relpath, ev->wd, ev->len > 0 ? ev->name : "<?>", ev->mask);
+
+	if (ev->mask & IN_IGNORED) {
+		TAILQ_REMOVE(&tdi->clnt_list, clp, list);
+		gssd_destroy_client(clp);
+		return true;
+	}
+
+	if (ev->len == 0)
+		return false;
+
+	if (ev->mask & IN_CREATE) {
+		if (!strcmp(ev->name, "gssd") ||
+		    !strcmp(ev->name, "krb5") ||
+		    !strcmp(ev->name, "info"))
+			if (gssd_scan_clnt(clp))
+				return false;
+
+		return true;
+
+	} else if (ev->mask & IN_DELETE) {
+		if (!strcmp(ev->name, "gssd") && clp->gssd_fd >= 0) {
+			close(clp->gssd_fd);
+			event_del(&clp->gssd_ev);
+			clp->gssd_fd = -1;
+
+		} else if (!strcmp(ev->name, "krb5") && clp->krb5_fd >= 0) {
+			close(clp->krb5_fd);
+			event_del(&clp->krb5_ev);
+			clp->krb5_fd = -1;
+		}
+
+		return true;
+	}
+
+	return false;
+}
+
+static void
+gssd_inotify_cb(int ifd, short UNUSED(which), void *UNUSED(data))
+{
+	bool rescan = false;
+	struct topdir *tdi;
+	struct clnt_info *clp;
+
+	while (true) {
+		char buf[4096] __attribute__ ((aligned(__alignof__(struct inotify_event))));
+		const struct inotify_event *ev;
+		ssize_t len;
+		char *ptr;
+
+		len = read(ifd, buf, sizeof(buf));
+		if (len == -1 && errno == EINTR)
+			continue;
+
+		if (len <= 0)
+			break;
+
+		for (ptr = buf; ptr < buf + len;
+		     ptr += sizeof(struct inotify_event) + ev->len) {
+			ev = (const struct inotify_event *)ptr;
+
+			if (ev->mask & IN_Q_OVERFLOW) {
+				printerr(0, "ERROR: inotify queue overflow\n");
+				rescan = true;
+				break;
+			}
+
+			TAILQ_FOREACH(tdi, &topdir_list, list) {
+				if (tdi->wd == ev->wd) {
+					if (!gssd_inotify_topdir(tdi, ev))
+						rescan = true;
+					goto found;
+				}
+
+				TAILQ_FOREACH(clp, &tdi->clnt_list, list) {
+					if (clp->wd == ev->wd) {
+						if (!gssd_inotify_clnt(tdi, clp, ev))
+							rescan = true;
+						goto found;
+					}
+				}
+			}
+
+found:
+			if (!tdi) {
+				printerr(5, "inotify event for unknown wd!!! - "
+					 "ev->wd (%d) ev->name (%s) ev->mask (0x%08x)\n",
+					 ev->wd, ev->len > 0 ? ev->name : "<?>", ev->mask);
+				rescan = true;
+			}
+		}
+	}
+
+	if (rescan)
+		gssd_scan();
+}
+
+static void
 sig_die(int signal)
 {
-	/* destroy krb5 machine creds */
 	if (root_uses_machine_creds)
 		gssd_destroy_krb5_machine_creds();
 	printerr(1, "exiting on signal %d\n", signal);
 	exit(0);
 }
 
-void
-sig_hup(int signal)
-{
-	/* don't exit on SIGHUP */
-	printerr(1, "Received SIGHUP(%d)... Ignoring.\n", signal);
-	return;
-}
-
 static void
 usage(char *progname)
 {
@@ -104,8 +756,9 @@ main(int argc, char *argv[])
 	int i;
 	extern char *optarg;
 	char *progname;
+	char *ccachedir = NULL;
+	struct event sighup_ev;
 
-	memset(ccachesearch, 0, sizeof(ccachesearch));
 	while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:T:R:")) != -1) {
 		switch (opt) {
 			case 'f':
@@ -127,19 +780,13 @@ main(int argc, char *argv[])
 				rpc_verbosity++;
 				break;
 			case 'p':
-				strncpy(pipefs_dir, optarg, sizeof(pipefs_dir));
-				if (pipefs_dir[sizeof(pipefs_dir)-1] != '\0')
-					errx(1, "pipefs path name too long");
+				pipefs_path = optarg;
 				break;
 			case 'k':
-				strncpy(keytabfile, optarg, sizeof(keytabfile));
-				if (keytabfile[sizeof(keytabfile)-1] != '\0')
-					errx(1, "keytab path name too long");
+				keytabfile = optarg;
 				break;
 			case 'd':
-				strncpy(ccachedir, optarg, sizeof(ccachedir));
-				if (ccachedir[sizeof(ccachedir)-1] != '\0')
-					errx(1, "ccachedir path name too long");
+				ccachedir = optarg;
 				break;
 			case 't':
 				context_timeout = atoi(optarg);
@@ -158,7 +805,7 @@ main(int argc, char *argv[])
 #endif
 				break;
 			case 'D':
-				avoid_dns = 0;
+				avoid_dns = false;
 				break;
 			default:
 				usage(argv[0]);
@@ -174,15 +821,41 @@ main(int argc, char *argv[])
 	 * the results of getpw*.
 	 */
 	if (setenv("HOME", "/", 1)) {
-		printerr(1, "Unable to set $HOME: %s\n", strerror(errno));
+		printerr(0, "gssd: Unable to set $HOME: %s\n", strerror(errno));
 		exit(1);
 	}
 
-	i = 0;
-	ccachesearch[i++] = strtok(ccachedir, ":");
-	do {
-		ccachesearch[i++] = strtok(NULL, ":");
-	} while (ccachesearch[i-1] != NULL && i < GSSD_MAX_CCACHE_SEARCH);
+	if (ccachedir) {
+		char *ccachedir_copy;
+		char *ptr;
+
+		for (ptr = ccachedir, i = 2; *ptr; ptr++)
+			if (*ptr == ':')
+				i++;
+
+		ccachesearch = malloc(i * sizeof(char *));
+	       	ccachedir_copy = strdup(ccachedir);
+		if (!ccachedir_copy || !ccachesearch) {
+			printerr(0, "malloc failure\n");
+			exit(EXIT_FAILURE);
+		}
+
+		i = 0;
+		ccachesearch[i++] = strtok(ccachedir, ":");
+		while(ccachesearch[i - 1])
+			ccachesearch[i++] = strtok(NULL, ":");
+
+	} else {
+		ccachesearch = malloc(3 * sizeof(char *));
+		if (!ccachesearch) {
+			printerr(0, "malloc failure\n");
+			exit(EXIT_FAILURE);
+		}
+
+		ccachesearch[0] = GSSD_DEFAULT_CRED_DIR;
+		ccachesearch[1] = GSSD_USER_CRED_DIR;
+		ccachesearch[2] = NULL;
+	}
 
 	if (preferred_realm == NULL)
 		gssd_k5_get_default_realm(&preferred_realm);
@@ -197,6 +870,13 @@ main(int argc, char *argv[])
 	if (verbosity && rpc_verbosity == 0)
 		rpc_verbosity = verbosity;
 	authgss_set_debug_level(rpc_verbosity);
+#elif HAVE_LIBTIRPC_SET_DEBUG
+	/*
+	 * Only set the libtirpc debug level if explicitly requested via -r...
+	 * gssd is chatty enough as it is.
+	 */
+	if (rpc_verbosity > 0)
+		libtirpc_set_debug(progname, rpc_verbosity, fg);
 #else
         if (rpc_verbosity > 0)
 		printerr(0, "Warning: rpcsec_gss library does not "
@@ -206,14 +886,42 @@ main(int argc, char *argv[])
 	if (gssd_check_mechs() != 0)
 		errx(1, "Problem with gssapi library");
 
-	if (!fg)
-		mydaemon(0, 0, pipefds);
+	daemon_init(fg);
+
+	event_init();
+
+	pipefs_dir = opendir(pipefs_path);
+	if (!pipefs_dir) {
+		printerr(0, "ERROR: opendir(%s) failed: %s\n", pipefs_path, strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	pipefs_fd = dirfd(pipefs_dir);
+	if (fchdir(pipefs_fd)) {
+		printerr(0, "ERROR: fchdir(%s) failed: %s\n", pipefs_path, strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	inotify_fd = inotify_init1(IN_NONBLOCK);
+	if (inotify_fd == -1) {
+		printerr(0, "ERROR: inotify_init1 failed: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
 
 	signal(SIGINT, sig_die);
 	signal(SIGTERM, sig_die);
-	signal(SIGHUP, sig_hup);
+	signal_set(&sighup_ev, SIGHUP, gssd_scan_cb, NULL);
+	signal_add(&sighup_ev, NULL);
+	event_set(&inotify_ev, inotify_fd, EV_READ | EV_PERSIST, gssd_inotify_cb, NULL);
+	event_add(&inotify_ev, NULL);
+
+	TAILQ_INIT(&topdir_list);
+	gssd_scan();
+	daemon_ready();
 
-	gssd_run();
-	printerr(0, "gssd_run returned!\n");
-	abort();
+	event_dispatch();
+
+	printerr(0, "ERROR: event_dispatch() returned!\n");
+	return EXIT_FAILURE;
 }
+
diff -up nfs-utils-1.3.0/utils/gssd/gssd.h.orig nfs-utils-1.3.0/utils/gssd/gssd.h
--- nfs-utils-1.3.0/utils/gssd/gssd.h.orig	2016-04-15 11:42:13.917460638 -0400
+++ nfs-utils-1.3.0/utils/gssd/gssd.h	2016-04-15 11:42:38.369938424 -0400
@@ -34,14 +34,12 @@
 #include <sys/types.h>
 #include <sys/queue.h>
 #include <gssapi/gssapi.h>
+#include <event.h>
+#include <stdbool.h>
 
-#define MAX_FILE_NAMELEN	32
-#define FD_ALLOC_BLOCK		256
 #ifndef GSSD_PIPEFS_DIR
 #define GSSD_PIPEFS_DIR		"/var/lib/nfs/rpc_pipefs"
 #endif
-#define INFO			"info"
-#define KRB5			"krb5"
 #define DNOTIFY_SIGNAL		(SIGRTMIN + 3)
 
 #define GSSD_DEFAULT_CRED_DIR			"/tmp"
@@ -50,60 +48,40 @@
 #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX	"machine"
 #define GSSD_DEFAULT_KEYTAB_FILE		"/etc/krb5.keytab"
 #define GSSD_SERVICE_NAME			"nfs"
-#define GSSD_SERVICE_NAME_LEN			3
-#define GSSD_MAX_CCACHE_SEARCH			16
 
 /*
  * The gss mechanisms that we can handle
  */
 enum {AUTHTYPE_KRB5, AUTHTYPE_LIPKEY};
 
-
-
-extern char			pipefs_dir[PATH_MAX];
-extern char			keytabfile[PATH_MAX];
-extern char			*ccachesearch[];
+extern char		       *keytabfile;
+extern char		      **ccachesearch;
 extern int			use_memcache;
 extern int			root_uses_machine_creds;
 extern unsigned int 		context_timeout;
 extern unsigned int rpc_timeout;
 extern char			*preferred_realm;
-extern int			pipefds[2];
-
-TAILQ_HEAD(clnt_list_head, clnt_info) clnt_list;
 
 struct clnt_info {
 	TAILQ_ENTRY(clnt_info)	list;
-	char			*dirname;
-	char			*pdir;
-	int			dir_fd;
+	int			wd;
+	bool			scanned;
+	char			*name;
+	char			*relpath;
 	char			*servicename;
 	char			*servername;
 	int			prog;
 	int			vers;
 	char			*protocol;
 	int			krb5_fd;
-	int			krb5_poll_index;
-	int			krb5_close_me;
-	int                     gssd_fd;
-	int                     gssd_poll_index;
-	int			gssd_close_me;
-	struct sockaddr_storage addr;
-};
-
-TAILQ_HEAD(topdirs_list_head, topdirs_info) topdirs_list;
-
-struct topdirs_info {
-	TAILQ_ENTRY(topdirs_info)   list;
-	char			*dirname;
-	int			fd;
+	struct event		krb5_ev;
+	int			gssd_fd;
+	struct event		gssd_ev;
+	struct			sockaddr_storage addr;
 };
 
-void init_client_list(void);
-int update_client_list(void);
 void handle_krb5_upcall(struct clnt_info *clp);
 void handle_gssd_upcall(struct clnt_info *clp);
-void gssd_run(void);
 
 
 #endif /* _RPC_GSSD_H_ */
diff -up nfs-utils-1.3.0/utils/gssd/gssd_proc.c.orig nfs-utils-1.3.0/utils/gssd/gssd_proc.c
--- nfs-utils-1.3.0/utils/gssd/gssd_proc.c.orig	2016-04-15 11:42:13.949461263 -0400
+++ nfs-utils-1.3.0/utils/gssd/gssd_proc.c	2016-04-15 11:42:38.371938463 -0400
@@ -9,6 +9,7 @@
   Copyright (c) 2002 Marius Aamodt Eriksen <marius@UMICH.EDU>.
   Copyright (c) 2002 Bruce Fields <bfields@UMICH.EDU>
   Copyright (c) 2004 Kevin Coffman <kwc@umich.edu>
+  Copyright (c) 2014 David H?rdeman <david@hardeman.nu>
   All rights reserved, all wrongs reversed.
 
   Redistribution and use in source and binary forms, with or without
@@ -52,7 +53,6 @@
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <sys/fsuid.h>
-#include <sys/resource.h>
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -79,548 +79,6 @@
 #include "nfslib.h"
 #include "gss_names.h"
 
-/*
- * pollarray:
- *      array of struct pollfd suitable to pass to poll. initialized to
- *      zero - a zero struct is ignored by poll() because the events mask is 0.
- *
- * clnt_list:
- *      linked list of struct clnt_info which associates a clntXXX directory
- *	with an index into pollarray[], and other basic data about that client.
- *
- * Directory structure: created by the kernel
- *      {rpc_pipefs}/{dir}/clntXX         : one per rpc_clnt struct in the kernel
- *      {rpc_pipefs}/{dir}/clntXX/krb5    : read uid for which kernel wants
- *					    a context, write the resulting context
- *      {rpc_pipefs}/{dir}/clntXX/info    : stores info such as server name
- *      {rpc_pipefs}/{dir}/clntXX/gssd    : pipe for all gss mechanisms using
- *					    a text-based string of parameters
- *
- * Algorithm:
- *      Poll all {rpc_pipefs}/{dir}/clntXX/YYYY files.  When data is ready,
- *      read and process; performs rpcsec_gss context initialization protocol to
- *      get a cred for that user.  Writes result to corresponding krb5 file
- *      in a form the kernel code will understand.
- *      In addition, we make sure we are notified whenever anything is
- *      created or destroyed in {rpc_pipefs} or in any of the clntXX directories,
- *      and rescan the whole {rpc_pipefs} when this happens.
- */
-
-struct pollfd * pollarray;
-
-unsigned long pollsize;  /* the size of pollaray (in pollfd's) */
-
-/* Avoid DNS reverse lookups on server names */
-int avoid_dns = 1;
-
-/*
- * convert a presentation address string to a sockaddr_storage struct. Returns
- * true on success or false on failure.
- *
- * Note that we do not populate the sin6_scope_id field here for IPv6 addrs.
- * gssd nececessarily relies on hostname resolution and DNS AAAA records
- * do not generally contain scope-id's. This means that GSSAPI auth really
- * can't work with IPv6 link-local addresses.
- *
- * We *could* consider changing this if we did something like adopt the
- * Microsoft "standard" of using the ipv6-literal.net domainname, but it's
- * not really feasible at present.
- */
-static int
-addrstr_to_sockaddr(struct sockaddr *sa, const char *node, const char *port)
-{
-	int rc;
-	struct addrinfo *res;
-	struct addrinfo hints = { .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV };
-
-#ifndef IPV6_SUPPORTED
-	hints.ai_family = AF_INET;
-#endif /* IPV6_SUPPORTED */
-
-	rc = getaddrinfo(node, port, &hints, &res);
-	if (rc) {
-		printerr(0, "ERROR: unable to convert %s|%s to sockaddr: %s\n",
-			 node, port, rc == EAI_SYSTEM ? strerror(errno) :
-						gai_strerror(rc));
-		return 0;
-	}
-
-#ifdef IPV6_SUPPORTED
-	/*
-	 * getnameinfo ignores the scopeid. If the address turns out to have
-	 * a non-zero scopeid, we can't use it -- the resolved host might be
-	 * completely different from the one intended.
-	 */
-	if (res->ai_addr->sa_family == AF_INET6) {
-		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr;
-		if (sin6->sin6_scope_id) {
-			printerr(0, "ERROR: address %s has non-zero "
-				    "sin6_scope_id!\n", node);
-			freeaddrinfo(res);
-			return 0;
-		}
-	}
-#endif /* IPV6_SUPPORTED */
-
-	memcpy(sa, res->ai_addr, res->ai_addrlen);
-	freeaddrinfo(res);
-	return 1;
-}
-
-/*
- * convert a sockaddr to a hostname
- */
-static char *
-get_servername(const char *name, const struct sockaddr *sa, const char *addr)
-{
-	socklen_t		addrlen;
-	int			err;
-	char			*hostname;
-	char			hbuf[NI_MAXHOST];
-	unsigned char		buf[sizeof(struct in6_addr)];
-
-	if (avoid_dns) {
-		/*
-		 * Determine if this is a server name, or an IP address.
-		 * If it is an IP address, do the DNS lookup otherwise
-		 * skip the DNS lookup.
-		 */
-		int is_fqdn = 1;
-		if (strchr(name, '.') == NULL)
-			is_fqdn = 0; /* local name */
-		else if (inet_pton(AF_INET, name, buf) == 1)
-			is_fqdn = 0; /* IPv4 address */
-		else if (inet_pton(AF_INET6, name, buf) == 1)
-			is_fqdn = 0; /* IPv6 addrss */
-
-		if (is_fqdn) {
-			return strdup(name);
-		}
-		/* Sorry, cannot avoid dns after all */
-	}
-
-	switch (sa->sa_family) {
-	case AF_INET:
-		addrlen = sizeof(struct sockaddr_in);
-		break;
-#ifdef IPV6_SUPPORTED
-	case AF_INET6:
-		addrlen = sizeof(struct sockaddr_in6);
-		break;
-#endif /* IPV6_SUPPORTED */
-	default:
-		printerr(0, "ERROR: unrecognized addr family %d\n",
-			 sa->sa_family);
-		return NULL;
-	}
-
-	err = getnameinfo(sa, addrlen, hbuf, sizeof(hbuf), NULL, 0,
-			  NI_NAMEREQD);
-	if (err) {
-		printerr(0, "ERROR: unable to resolve %s to hostname: %s\n",
-			 addr, err == EAI_SYSTEM ? strerror(errno) :
-						   gai_strerror(err));
-		return NULL;
-	}
-
-	hostname = strdup(hbuf);
-
-	return hostname;
-}
-
-/* XXX buffer problems: */
-static int
-read_service_info(char *info_file_name, char **servicename, char **servername,
-		  int *prog, int *vers, char **protocol,
-		  struct sockaddr *addr) {
-#define INFOBUFLEN 256
-	char		buf[INFOBUFLEN + 1];
-	static char	server[128];
-	int		nbytes;
-	static char	service[128];
-	static char	address[128];
-	char		program[16];
-	char		version[16];
-	char		protoname[16];
-	char		port[128];
-	char		*p;
-	int		fd = -1;
-	int		numfields;
-
-	*servicename = *servername = *protocol = NULL;
-
-	if ((fd = open(info_file_name, O_RDONLY)) == -1) {
-		printerr(0, "ERROR: can't open %s: %s\n", info_file_name,
-			 strerror(errno));
-		goto fail;
-	}
-	if ((nbytes = read(fd, buf, INFOBUFLEN)) == -1)
-		goto fail;
-	close(fd);
-	fd = -1;
-	buf[nbytes] = '\0';
-
-	numfields = sscanf(buf,"RPC server: %127s\n"
-		   "service: %127s %15s version %15s\n"
-		   "address: %127s\n"
-		   "protocol: %15s\n",
-		   server,
-		   service, program, version,
-		   address,
-		   protoname);
-
-	if (numfields == 5) {
-		strcpy(protoname, "tcp");
-	} else if (numfields != 6) {
-		goto fail;
-	}
-
-	port[0] = '\0';
-	if ((p = strstr(buf, "port")) != NULL)
-		sscanf(p, "port: %127s\n", port);
-
-	/* get program, and version numbers */
-	*prog = atoi(program + 1); /* skip open paren */
-	*vers = atoi(version);
-
-	if (!addrstr_to_sockaddr(addr, address, port))
-		goto fail;
-
-	*servername = get_servername(server, addr, address);
-	if (*servername == NULL)
-		goto fail;
-
-	nbytes = snprintf(buf, INFOBUFLEN, "%s@%s", service, *servername);
-	if (nbytes > INFOBUFLEN)
-		goto fail;
-
-	if (!(*servicename = calloc(strlen(buf) + 1, 1)))
-		goto fail;
-	memcpy(*servicename, buf, strlen(buf));
-
-	if (!(*protocol = strdup(protoname)))
-		goto fail;
-	return 0;
-fail:
-	printerr(0, "ERROR: failed to read service info\n");
-	if (fd != -1) close(fd);
-	free(*servername);
-	free(*servicename);
-	free(*protocol);
-	*servicename = *servername = *protocol = NULL;
-	return -1;
-}
-
-static void
-destroy_client(struct clnt_info *clp)
-{
-	if (clp->krb5_poll_index != -1)
-		memset(&pollarray[clp->krb5_poll_index], 0,
-					sizeof(struct pollfd));
-	if (clp->gssd_poll_index != -1)
-		memset(&pollarray[clp->gssd_poll_index], 0,
-					sizeof(struct pollfd));
-	if (clp->dir_fd != -1) close(clp->dir_fd);
-	if (clp->krb5_fd != -1) close(clp->krb5_fd);
-	if (clp->gssd_fd != -1) close(clp->gssd_fd);
-	free(clp->dirname);
-	free(clp->pdir);
-	free(clp->servicename);
-	free(clp->servername);
-	free(clp->protocol);
-	free(clp);
-}
-
-static struct clnt_info *
-insert_new_clnt(void)
-{
-	struct clnt_info	*clp = NULL;
-
-	if (!(clp = (struct clnt_info *)calloc(1,sizeof(struct clnt_info)))) {
-		printerr(0, "ERROR: can't malloc clnt_info: %s\n",
-			 strerror(errno));
-		goto out;
-	}
-	clp->krb5_poll_index = -1;
-	clp->gssd_poll_index = -1;
-	clp->krb5_fd = -1;
-	clp->gssd_fd = -1;
-	clp->dir_fd = -1;
-
-	TAILQ_INSERT_HEAD(&clnt_list, clp, list);
-out:
-	return clp;
-}
-
-static int
-process_clnt_dir_files(struct clnt_info * clp)
-{
-	char	name[PATH_MAX];
-	char	gname[PATH_MAX];
-	char	info_file_name[PATH_MAX];
-
-	if (clp->gssd_close_me) {
-		printerr(2, "Closing 'gssd' pipe for %s\n", clp->dirname);
-		close(clp->gssd_fd);
-		memset(&pollarray[clp->gssd_poll_index], 0,
-			sizeof(struct pollfd));
-		clp->gssd_fd = -1;
-		clp->gssd_poll_index = -1;
-		clp->gssd_close_me = 0;
-	}
-	if (clp->krb5_close_me) {
-		printerr(2, "Closing 'krb5' pipe for %s\n", clp->dirname);
-		close(clp->krb5_fd);
-		memset(&pollarray[clp->krb5_poll_index], 0,
-			sizeof(struct pollfd));
-		clp->krb5_fd = -1;
-		clp->krb5_poll_index = -1;
-		clp->krb5_close_me = 0;
-	}
-
-	if (clp->gssd_fd == -1) {
-		snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname);
-		clp->gssd_fd = open(gname, O_RDWR);
-	}
-	if (clp->gssd_fd == -1) {
-		if (clp->krb5_fd == -1) {
-			snprintf(name, sizeof(name), "%s/krb5", clp->dirname);
-			clp->krb5_fd = open(name, O_RDWR);
-		}
-
-		/* If we opened a gss-specific pipe, let's try opening
-		 * the new upcall pipe again. If we succeed, close
-		 * gss-specific pipe(s).
-		 */
-		if (clp->krb5_fd != -1) {
-			clp->gssd_fd = open(gname, O_RDWR);
-			if (clp->gssd_fd != -1) {
-				if (clp->krb5_fd != -1)
-					close(clp->krb5_fd);
-				clp->krb5_fd = -1;
-			}
-		}
-	}
-
-	if ((clp->krb5_fd == -1) && (clp->gssd_fd == -1))
-		return -1;
-	snprintf(info_file_name, sizeof(info_file_name), "%s/info",
-			clp->dirname);
-	if (clp->prog == 0)
-		read_service_info(info_file_name, &clp->servicename,
-				  &clp->servername, &clp->prog, &clp->vers,
-				  &clp->protocol, (struct sockaddr *) &clp->addr);
-	return 0;
-}
-
-static int
-get_poll_index(int *ind)
-{
-	unsigned int i;
-
-	*ind = -1;
-	for (i=0; i<pollsize; i++) {
-		if (pollarray[i].events == 0) {
-			*ind = i;
-			break;
-		}
-	}
-	if (*ind == -1) {
-		printerr(0, "ERROR: No pollarray slots open\n");
-		return -1;
-	}
-	return 0;
-}
-
-
-static int
-insert_clnt_poll(struct clnt_info *clp)
-{
-	if ((clp->gssd_fd != -1) && (clp->gssd_poll_index == -1)) {
-		if (get_poll_index(&clp->gssd_poll_index)) {
-			printerr(0, "ERROR: Too many gssd clients\n");
-			return -1;
-		}
-		pollarray[clp->gssd_poll_index].fd = clp->gssd_fd;
-		pollarray[clp->gssd_poll_index].events |= POLLIN;
-	}
-
-	if ((clp->krb5_fd != -1) && (clp->krb5_poll_index == -1)) {
-		if (get_poll_index(&clp->krb5_poll_index)) {
-			printerr(0, "ERROR: Too many krb5 clients\n");
-			return -1;
-		}
-		pollarray[clp->krb5_poll_index].fd = clp->krb5_fd;
-		pollarray[clp->krb5_poll_index].events |= POLLIN;
-	}
-
-	return 0;
-}
-
-static void
-process_clnt_dir(char *dir, char *pdir)
-{
-	struct clnt_info *	clp;
-
-	if (!(clp = insert_new_clnt()))
-		goto fail_destroy_client;
-
-	if (!(clp->pdir = strdup(pdir)))
-		goto fail_destroy_client;
-
-	/* An extra for the '/', and an extra for the null */
-	if (!(clp->dirname = calloc(strlen(dir) + strlen(pdir) + 2, 1))) {
-		goto fail_destroy_client;
-	}
-	sprintf(clp->dirname, "%s/%s", pdir, dir);
-	if ((clp->dir_fd = open(clp->dirname, O_RDONLY)) == -1) {
-		if (errno != ENOENT)
-			printerr(0, "ERROR: can't open %s: %s\n",
-				 clp->dirname, strerror(errno));
-		goto fail_destroy_client;
-	}
-	fcntl(clp->dir_fd, F_SETSIG, DNOTIFY_SIGNAL);
-	fcntl(clp->dir_fd, F_NOTIFY, DN_CREATE | DN_DELETE | DN_MULTISHOT);
-
-	if (process_clnt_dir_files(clp))
-		goto fail_keep_client;
-
-	if (insert_clnt_poll(clp))
-		goto fail_destroy_client;
-
-	return;
-
-fail_destroy_client:
-	if (clp) {
-		TAILQ_REMOVE(&clnt_list, clp, list);
-		destroy_client(clp);
-	}
-fail_keep_client:
-	/* We couldn't find some subdirectories, but we keep the client
-	 * around in case we get a notification on the directory when the
-	 * subdirectories are created. */
-	return;
-}
-
-void
-init_client_list(void)
-{
-	struct rlimit rlim;
-	TAILQ_INIT(&clnt_list);
-	/* Eventually plan to grow/shrink poll array: */
-	pollsize = FD_ALLOC_BLOCK;
-	if (getrlimit(RLIMIT_NOFILE, &rlim) == 0 &&
-	    rlim.rlim_cur != RLIM_INFINITY)
-		pollsize = rlim.rlim_cur;
-	pollarray = calloc(pollsize, sizeof(struct pollfd));
-}
-
-/*
- * This is run after a DNOTIFY signal, and should clear up any
- * directories that are no longer around, and re-scan any existing
- * directories, since the DNOTIFY could have been in there.
- */
-static void
-update_old_clients(struct dirent **namelist, int size, char *pdir)
-{
-	struct clnt_info *clp;
-	void *saveprev;
-	int i, stillhere;
-	char fname[PATH_MAX];
-
-	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
-		/* only compare entries in the global list that are from the
-		 * same pipefs parent directory as "pdir"
-		 */
-		if (strcmp(clp->pdir, pdir) != 0) continue;
-
-		stillhere = 0;
-		for (i=0; i < size; i++) {
-			snprintf(fname, sizeof(fname), "%s/%s",
-				 pdir, namelist[i]->d_name);
-			if (strcmp(clp->dirname, fname) == 0) {
-				stillhere = 1;
-				break;
-			}
-		}
-		if (!stillhere) {
-			printerr(2, "destroying client %s\n", clp->dirname);
-			saveprev = clp->list.tqe_prev;
-			TAILQ_REMOVE(&clnt_list, clp, list);
-			destroy_client(clp);
-			clp = saveprev;
-		}
-	}
-	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
-		if (!process_clnt_dir_files(clp))
-			insert_clnt_poll(clp);
-	}
-}
-
-/* Search for a client by directory name, return 1 if found, 0 otherwise */
-static int
-find_client(char *dirname, char *pdir)
-{
-	struct clnt_info	*clp;
-	char fname[PATH_MAX];
-
-	for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
-		snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname);
-		if (strcmp(clp->dirname, fname) == 0)
-			return 1;
-	}
-	return 0;
-}
-
-static int
-process_pipedir(char *pipe_name)
-{
-	struct dirent **namelist;
-	int i, j;
-
-	if (chdir(pipe_name) < 0) {
-		printerr(0, "ERROR: can't chdir to %s: %s\n",
-			 pipe_name, strerror(errno));
-		return -1;
-	}
-
-	j = scandir(pipe_name, &namelist, NULL, alphasort);
-	if (j < 0) {
-		printerr(0, "ERROR: can't scandir %s: %s\n",
-			 pipe_name, strerror(errno));
-		return -1;
-	}
-
-	update_old_clients(namelist, j, pipe_name);
-	for (i=0; i < j; i++) {
-		if (!strncmp(namelist[i]->d_name, "clnt", 4)
-		    && !find_client(namelist[i]->d_name, pipe_name))
-			process_clnt_dir(namelist[i]->d_name, pipe_name);
-		free(namelist[i]);
-	}
-
-	free(namelist);
-
-	return 0;
-}
-
-/* Used to read (and re-read) list of clients, set up poll array. */
-int
-update_client_list(void)
-{
-	int retval = -1;
-	struct topdirs_info *tdi;
-
-	TAILQ_FOREACH(tdi, &topdirs_list, list) {
-		retval = process_pipedir(tdi->dirname);
-		if (retval)
-			printerr(1, "WARNING: error processing %s\n",
-				 tdi->dirname);
-
-	}
-	return retval;
-}
-
 /* Encryption types supported by the kernel rpcsec_gss code */
 int num_krb5_enctypes = 0;
 krb5_enctype *krb5_enctypes = NULL;
@@ -691,7 +149,7 @@ do_downcall(int k5_fd, uid_t uid, struct
 	unsigned int timeout = context_timeout;
 	unsigned int buf_size = 0;
 
-	printerr(1, "doing downcall: lifetime_rec=%u acceptor=%.*s\n",
+	printerr(2, "doing downcall: lifetime_rec=%u acceptor=%.*s\n",
 		lifetime_rec, acceptor->length, acceptor->value);
 	buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) +
 		sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length +
@@ -730,7 +188,7 @@ do_error_downcall(int k5_fd, uid_t uid,
 	unsigned int timeout = 0;
 	int	zero = 0;
 
-	printerr(1, "doing error downcall\n");
+	printerr(2, "doing error downcall\n");
 
 	if (WRITE_BYTES(&p, end, uid)) goto out_err;
 	if (WRITE_BYTES(&p, end, timeout)) goto out_err;
@@ -772,7 +230,7 @@ populate_port(struct sockaddr *sa, const
 	switch (sa->sa_family) {
 	case AF_INET:
 		if (s4->sin_port != 0) {
-			printerr(2, "DEBUG: port already set to %d\n",
+			printerr(4, "DEBUG: port already set to %d\n",
 				 ntohs(s4->sin_port));
 			return 1;
 		}
@@ -780,7 +238,7 @@ populate_port(struct sockaddr *sa, const
 #ifdef IPV6_SUPPORTED
 	case AF_INET6:
 		if (s6->sin6_port != 0) {
-			printerr(2, "DEBUG: port already set to %d\n",
+			printerr(4, "DEBUG: port already set to %d\n",
 				 ntohs(s6->sin6_port));
 			return 1;
 		}
@@ -941,7 +399,7 @@ create_auth_rpc_client(struct clnt_info
 	auth = authgss_create_default(rpc_clnt, tgtname, &sec);
 	if (!auth) {
 		/* Our caller should print appropriate message */
-		printerr(2, "WARNING: Failed to create krb5 context for "
+		printerr(1, "WARNING: Failed to create krb5 context for "
 			    "user with uid %d for server %s\n",
 			 uid, tgtname);
 		goto out_fail;
@@ -1032,7 +490,7 @@ krb5_not_machine_creds(struct clnt_info
 	char		**dname;
 	int		err, resp = -1;
 
-	printerr(1, "krb5_not_machine_creds: uid %d tgtname %s\n", 
+	printerr(2, "krb5_not_machine_creds: uid %d tgtname %s\n", 
 		uid, tgtname);
 
 	*chg_err = change_identity(uid);
@@ -1079,7 +537,7 @@ krb5_use_machine_creds(struct clnt_info
 	int	nocache = 0;
 	int	success = 0;
 
-	printerr(1, "krb5_use_machine_creds: uid %d tgtname %s\n", 
+	printerr(2, "krb5_use_machine_creds: uid %d tgtname %s\n", 
 		uid, tgtname);
 
 	do {
@@ -1149,8 +607,6 @@ process_krb5_upcall(struct clnt_info *cl
 	gss_OID			mech;
 	gss_buffer_desc		acceptor  = {0};
 
-	printerr(1, "handling krb5 upcall (%s)\n", clp->dirname);
-
 	token.length = 0;
 	token.value = NULL;
 	memset(&pd, 0, sizeof(struct authgss_private_data));
@@ -1176,8 +632,6 @@ process_krb5_upcall(struct clnt_info *cl
 	 * used for this case is not important.
 	 *
 	 */
-	printerr(2, "%s: service is '%s'\n", __func__,
-		 service ? service : "<null>");
 	if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 &&
 				service == NULL)) {
 
@@ -1191,7 +645,7 @@ process_krb5_upcall(struct clnt_info *cl
 			/* Child: fall through to rest of function */
 			childpid = getpid();
 			unsetenv("KRB5CCNAME");
-			printerr(1, "CHILD forked pid %d \n", childpid);
+			printerr(2, "CHILD forked pid %d \n", childpid);
 			break;
 		case -1:
 			/* fork() failed! */
@@ -1224,9 +678,7 @@ no_fork:
 			if (auth == NULL)
 				goto out_return_error;
 		} else {
-			printerr(1, "WARNING: Failed to create krb5 context "
-				 "for user with uid %d for server %s\n",
-				 uid, clp->servername);
+			/* krb5_not_machine_creds logs the error */
 			goto out_return_error;
 		}
 	}
@@ -1257,7 +709,7 @@ no_fork:
 	 * try to use it after this point.
 	 */
 	if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) {
-		printerr(0, "WARNING: Failed to serialize krb5 context for "
+		printerr(1, "WARNING: Failed to serialize krb5 context for "
 			    "user with uid %d for server %s\n",
 			 uid, clp->servername);
 		goto out_return_error;
@@ -1300,6 +752,8 @@ handle_krb5_upcall(struct clnt_info *clp
 		return;
 	}
 
+	printerr(2, "\n%s: uid %d (%s)\n", __func__, uid, clp->relpath);
+
 	process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL);
 }
 
@@ -1311,85 +765,66 @@ handle_gssd_upcall(struct clnt_info *clp
 	int			lbuflen = 0;
 	char			*p;
 	char			*mech = NULL;
+	char			*uidstr = NULL;
 	char			*target = NULL;
 	char			*service = NULL;
 	char			*enctypes = NULL;
 
-	printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
-
 	if (readline(clp->gssd_fd, &lbuf, &lbuflen) != 1) {
 		printerr(0, "WARNING: handle_gssd_upcall: "
 			    "failed reading request\n");
 		return;
 	}
-	printerr(2, "%s: '%s'\n", __func__, lbuf);
 
-	/* find the mechanism name */
-	if ((p = strstr(lbuf, "mech=")) != NULL) {
-		mech = malloc(lbuflen);
-		if (!mech)
-			goto out;
-		if (sscanf(p, "mech=%s", mech) != 1) {
-			printerr(0, "WARNING: handle_gssd_upcall: "
-				    "failed to parse gss mechanism name "
-				    "in upcall string '%s'\n", lbuf);
-			goto out;
-		}
-	} else {
+	printerr(2, "\n%s: '%s' (%s)\n", __func__, lbuf, clp->relpath);
+
+	for (p = strtok(lbuf, " "); p; p = strtok(NULL, " ")) {
+		if (!strncmp(p, "mech=", strlen("mech=")))
+			mech = p + strlen("mech=");
+		else if (!strncmp(p, "uid=", strlen("uid=")))
+			uidstr = p + strlen("uid=");
+		else if (!strncmp(p, "enctypes=", strlen("enctypes=")))
+			enctypes = p + strlen("enctypes=");
+		else if (!strncmp(p, "target=", strlen("target=")))
+			target = p + strlen("target=");
+		else if (!strncmp(p, "service=", strlen("service=")))
+			service = p + strlen("service=");
+	}
+
+	if (!mech || strlen(mech) < 1) {
 		printerr(0, "WARNING: handle_gssd_upcall: "
 			    "failed to find gss mechanism name "
 			    "in upcall string '%s'\n", lbuf);
-		goto out;
+		return;
 	}
 
-	/* read uid */
-	if ((p = strstr(lbuf, "uid=")) != NULL) {
-		if (sscanf(p, "uid=%d", &uid) != 1) {
-			printerr(0, "WARNING: handle_gssd_upcall: "
-				    "failed to parse uid "
-				    "in upcall string '%s'\n", lbuf);
-			goto out;
-		}
-	} else {
+	if (uidstr) {
+		uid = (uid_t)strtol(uidstr, &p, 10);
+		if (p == uidstr || *p != '\0')
+			uidstr = NULL;
+	}
+
+	if (!uidstr) {
 		printerr(0, "WARNING: handle_gssd_upcall: "
 			    "failed to find uid "
 			    "in upcall string '%s'\n", lbuf);
-		goto out;
+		return;
 	}
 
-	/* read supported encryption types if supplied */
-	if ((p = strstr(lbuf, "enctypes=")) != NULL) {
-		enctypes = malloc(lbuflen);
-		if (!enctypes)
-			goto out;
-		if (sscanf(p, "enctypes=%s", enctypes) != 1) {
-			printerr(0, "WARNING: handle_gssd_upcall: "
-				    "failed to parse encryption types "
-				    "in upcall string '%s'\n", lbuf);
-			goto out;
-		}
-		if (parse_enctypes(enctypes) != 0) {
-			printerr(0, "WARNING: handle_gssd_upcall: "
-				"parsing encryption types failed: errno %d\n", errno);
-		}
+	if (enctypes && parse_enctypes(enctypes) != 0) {
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			 "parsing encryption types failed: errno %d\n", errno);
+		return;
 	}
 
-	/* read target name */
-	if ((p = strstr(lbuf, "target=")) != NULL) {
-		target = malloc(lbuflen);
-		if (!target)
-			goto out;
-		if (sscanf(p, "target=%s", target) != 1) {
-			printerr(0, "WARNING: handle_gssd_upcall: "
-				    "failed to parse target name "
-				    "in upcall string '%s'\n", lbuf);
-			goto out;
-		}
+	if (target && strlen(target) < 1) {
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			 "failed to parse target name "
+			 "in upcall string '%s'\n", lbuf);
+		return;
 	}
 
 	/*
-	 * read the service name
-	 *
 	 * The presence of attribute "service=" indicates that machine
 	 * credentials should be used for this request.  If the value
 	 * is "*", then any machine credentials available can be used.
@@ -1397,16 +832,11 @@ handle_gssd_upcall(struct clnt_info *clp
 	 * the specified service name (always "nfs" for now) should be
 	 * used.
 	 */
-	if ((p = strstr(lbuf, "service=")) != NULL) {
-		service = malloc(lbuflen);
-		if (!service)
-			goto out;
-		if (sscanf(p, "service=%s", service) != 1) {
-			printerr(0, "WARNING: handle_gssd_upcall: "
-				    "failed to parse service type "
-				    "in upcall string '%s'\n", lbuf);
-			goto out;
-		}
+	if (service && strlen(service) < 1) {
+		printerr(0, "WARNING: handle_gssd_upcall: "
+			 "failed to parse service type "
+			 "in upcall string '%s'\n", lbuf);
+		return;
 	}
 
 	if (strcmp(mech, "krb5") == 0 && clp->servername)
@@ -1417,13 +847,5 @@ handle_gssd_upcall(struct clnt_info *clp
 				 "received unknown gss mech '%s'\n", mech);
 		do_error_downcall(clp->gssd_fd, uid, -EACCES);
 	}
-
-out:
-	free(lbuf);
-	free(mech);
-	free(enctypes);
-	free(target);
-	free(service);
-	return;
 }
 
diff -up nfs-utils-1.3.0/utils/gssd/gss_util.h.orig nfs-utils-1.3.0/utils/gssd/gss_util.h
--- nfs-utils-1.3.0/utils/gssd/gss_util.h.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/utils/gssd/gss_util.h	2016-04-15 11:42:38.368938404 -0400
@@ -52,6 +52,4 @@ int gssd_check_mechs(void);
 		gss_krb5_set_allowable_enctypes(min, cred, num, types)
 #endif
 
-extern int avoid_dns;
-
 #endif /* _GSS_UTIL_H_ */
diff -up nfs-utils-1.3.0/utils/gssd/krb5_util.c.orig nfs-utils-1.3.0/utils/gssd/krb5_util.c
--- nfs-utils-1.3.0/utils/gssd/krb5_util.c.orig	2016-04-15 11:42:13.953461341 -0400
+++ nfs-utils-1.3.0/utils/gssd/krb5_util.c	2016-04-15 11:42:38.372938482 -0400
@@ -356,7 +356,7 @@ gssd_get_single_krb5_cred(krb5_context c
 	 */
 	now += 300;
 	if (ple->ccname && ple->endtime > now && !nocache) {
-		printerr(2, "INFO: Credentials in CC '%s' are good until %d\n",
+		printerr(3, "INFO: Credentials in CC '%s' are good until %d\n",
 			 ple->ccname, ple->endtime);
 		code = 0;
 		goto out;
@@ -383,7 +383,7 @@ gssd_get_single_krb5_cred(krb5_context c
 			 "tickets.  May have problems behind a NAT.\n");
 #ifdef TEST_SHORT_LIFETIME
 	/* set a short lifetime (for debugging only!) */
-	printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n");
+	printerr(1, "WARNING: Using (debug) short machine cred lifetime!\n");
 	krb5_get_init_creds_opt_set_tkt_life(init_opts, 5*60);
 #endif
 	opts = init_opts;
@@ -451,8 +451,7 @@ gssd_get_single_krb5_cred(krb5_context c
 	}
 
 	code = 0;
-	printerr(2, "Successfully obtained machine credentials for "
-		 "principal '%s' stored in ccache '%s'\n", pname, cc_name);
+	printerr(2, "%s: principal '%s' ccache:'%s'\n", __func__, pname, cc_name);
   out:
 #if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
 	if (init_opts)
@@ -477,7 +476,7 @@ gssd_set_krb5_ccache_name(char *ccname)
 #ifdef USE_GSS_KRB5_CCACHE_NAME
 	u_int	maj_stat, min_stat;
 
-	printerr(2, "using gss_krb5_ccache_name to select krb5 ccache %s\n",
+	printerr(3, "using gss_krb5_ccache_name to select krb5 ccache %s\n",
 		 ccname);
 	maj_stat = gss_krb5_ccache_name(&min_stat, ccname, NULL);
 	if (maj_stat != GSS_S_COMPLETE) {
@@ -492,7 +491,7 @@ gssd_set_krb5_ccache_name(char *ccname)
 	 * function above for which there is no generic gssapi
 	 * equivalent.)
 	 */
-	printerr(2, "using environment variable to select krb5 ccache %s\n",
+	printerr(3, "using environment variable to select krb5 ccache %s\n",
 		 ccname);
 	setenv("KRB5CCNAME", ccname, 1);
 #endif
@@ -1093,8 +1092,8 @@ gssd_setup_krb5_user_gss_ccache(uid_t ui
 	struct dirent		*d;
 	int			err, i, j;
 
-	printerr(2, "getting credentials for client with uid %u for "
-		    "server %s\n", uid, servername);
+	printerr(3, "looking for client creds with uid %u for "
+		    "server %s in %s\n", uid, servername, dirpattern);
 
 	for (i = 0, j = 0; dirpattern[i] != '\0'; i++) {
 		switch (dirpattern[i]) {
@@ -1410,16 +1409,21 @@ gssd_acquire_krb5_cred(gss_cred_id_t *gs
 int
 gssd_acquire_user_cred(gss_cred_id_t *gss_cred)
 {
-	OM_uint32 min_stat;
+	OM_uint32 maj_stat, min_stat;
 	int ret;
 
 	ret = gssd_acquire_krb5_cred(gss_cred);
 
 	/* force validation of cred to check for expiry */
 	if (ret == 0) {
-		if (gss_inquire_cred(&min_stat, *gss_cred, NULL, NULL,
-				     NULL, NULL) != GSS_S_COMPLETE)
-			ret = -1;
+		maj_stat = gss_inquire_cred(&min_stat, *gss_cred, 
+			NULL, NULL, NULL, NULL);
+		if (maj_stat != GSS_S_COMPLETE) {
+			if (get_verbosity() > 0)
+				pgsserr("gss_inquire_cred",
+					maj_stat, min_stat, &krb5oid);
+				ret = -1;
+			}
 	}
 
 	return ret;
diff -up nfs-utils-1.3.0/utils/gssd/Makefile.am.orig nfs-utils-1.3.0/utils/gssd/Makefile.am
--- nfs-utils-1.3.0/utils/gssd/Makefile.am.orig	2016-04-15 11:42:13.942461126 -0400
+++ nfs-utils-1.3.0/utils/gssd/Makefile.am	2016-04-15 11:42:38.367938385 -0400
@@ -29,7 +29,6 @@ COMMON_SRCS = \
 gssd_SOURCES = \
 	$(COMMON_SRCS) \
 	gssd.c \
-	gssd_main_loop.c \
 	gssd_proc.c \
 	krb5_util.c \
 	\
@@ -37,12 +36,23 @@ gssd_SOURCES = \
 	krb5_util.h \
 	write_bytes.h
 
-gssd_LDADD =	../../support/nfs/libnfs.a \
-		$(RPCSECGSS_LIBS) $(KRBLIBS) $(GSSAPI_LIBS)
-gssd_LDFLAGS = $(KRBLDFLAGS) $(LIBTIRPC)
+gssd_LDADD = \
+	../../support/nfs/libnfs.a \
+	$(LIBEVENT) \
+	$(RPCSECGSS_LIBS) \
+	$(KRBLIBS) \
+	$(GSSAPI_LIBS) \
+	$(LIBTIRPC)
 
-gssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \
-	      $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS)
+gssd_LDFLAGS = \
+	$(KRBLDFLAGS)
+
+gssd_CFLAGS = \
+	$(AM_CFLAGS) \
+	$(CFLAGS) \
+	$(RPCSECGSS_CFLAGS) \
+	$(KRBCFLAGS) \
+	$(GSSAPI_CFLAGS)
 
 svcgssd_SOURCES = \
 	$(COMMON_SRCS) \
diff -up nfs-utils-1.3.0/utils/gssd/svcgssd.c.orig nfs-utils-1.3.0/utils/gssd/svcgssd.c
--- nfs-utils-1.3.0/utils/gssd/svcgssd.c.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/utils/gssd/svcgssd.c	2016-04-15 11:42:38.372938482 -0400
@@ -62,8 +62,6 @@
 #include "gss_util.h"
 #include "err_util.h"
 
-static int pipefds[2] = { -1, -1 };
-
 void
 sig_die(int signal)
 {
@@ -137,6 +135,13 @@ main(int argc, char *argv[])
 	if (verbosity && rpc_verbosity == 0)
 		rpc_verbosity = verbosity;
 	authgss_set_debug_level(rpc_verbosity);
+#elif HAVE_LIBTIRPC_SET_DEBUG
+        /*
+	 * Only set the libtirpc debug level if explicitly requested via -r...
+	 * svcgssd is chatty enough as it is.
+	 */
+        if (rpc_verbosity > 0)
+                libtirpc_set_debug(progname, rpc_verbosity, fg);
 #else
 	if (rpc_verbosity > 0)
 		printerr(0, "Warning: rpcsec_gss library does not "
@@ -157,8 +162,7 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 
-	if (!fg)
-		mydaemon(0, 0, pipefds);
+	daemon_init(fg);
 
 	signal(SIGINT, sig_die);
 	signal(SIGTERM, sig_die);
@@ -187,8 +191,7 @@ main(int argc, char *argv[])
 		}
 	}
 
-	if (!fg)
-		release_parent(pipefds);
+	daemon_ready();
 
 	nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
 	gssd_run();
diff -up nfs-utils-1.3.0/utils/idmapd/idmapd.c.orig nfs-utils-1.3.0/utils/idmapd/idmapd.c
--- nfs-utils-1.3.0/utils/idmapd/idmapd.c.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/utils/idmapd/idmapd.c	2016-04-15 11:42:38.373938502 -0400
@@ -164,7 +164,6 @@ static char pipefsdir[PATH_MAX];
 static char *nobodyuser, *nobodygroup;
 static uid_t nobodyuid;
 static gid_t nobodygid;
-static int pipefds[2] = { -1, -1 };
 
 /* Used by conffile.c in libnfs.a */
 char *conf_path;
@@ -302,8 +301,7 @@ main(int argc, char **argv)
 	if (nfs4_init_name_mapping(conf_path))
 		errx(1, "Unable to create name to user id mappings.");
 
-	if (!fg)
-		mydaemon(0, 0, pipefds);
+	daemon_init(fg);
 
 	event_init();
 
@@ -380,7 +378,7 @@ main(int argc, char **argv)
 	if (nfsdret != 0 && fd == 0)
 		xlog_err("main: Neither NFS client nor NFSd found");
 
-	release_parent(pipefds);
+	daemon_ready();
 
 	if (event_dispatch() < 0)
 		xlog_err("main: event_dispatch returns errno %d (%s)",
diff -up nfs-utils-1.3.0/utils/statd/statd.c.orig nfs-utils-1.3.0/utils/statd/statd.c
--- nfs-utils-1.3.0/utils/statd/statd.c.orig	2014-03-25 11:12:07.000000000 -0400
+++ nfs-utils-1.3.0/utils/statd/statd.c	2016-04-15 11:42:38.373938502 -0400
@@ -248,13 +248,12 @@ int main (int argc, char **argv)
 	int nlm_udp = 0, nlm_tcp = 0;
 	struct rlimit rlim;
 
-	int pipefds[2] = { -1, -1};
-	char status;
-
 	/* Default: daemon mode, no other options */
 	run_mode = 0;
-	xlog_stderr(0);
-	xlog_syslog(1);
+
+	/* Log to stderr if there's an error during startup */
+	xlog_stderr(1);
+	xlog_syslog(0);
 
 	/* Set the basename */
 	if ((name_p = strrchr(argv[0],'/')) != NULL) {
@@ -394,52 +393,17 @@ int main (int argc, char **argv)
 		simulator (--argc, ++argv);	/* simulator() does exit() */
 #endif
 
-	if (!(run_mode & MODE_NODAEMON)) {
-		int tempfd;
-
-		if (pipe(pipefds)<0) {
-			perror("statd: unable to create pipe");
-			exit(1);
-		}
-		if ((pid = fork ()) < 0) {
-			perror ("statd: Could not fork");
-			exit (1);
-		} else if (pid != 0) {
-			/* Parent.
-			 * Wait for status from child.
-			 */
-			close(pipefds[1]);
-			if (read(pipefds[0], &status, 1) != 1)
-				exit(1);
-			exit (0);
-		}
-		/* Child.	*/
-		close(pipefds[0]);
-		setsid ();
-
-		while (pipefds[1] <= 2) {
-			pipefds[1] = dup(pipefds[1]);
-			if (pipefds[1]<0) {
-				perror("statd: dup");
-				exit(1);
-			}
-		}
-		tempfd = open("/dev/null", O_RDWR);
-		dup2(tempfd, 0);
-		dup2(tempfd, 1);
-		dup2(tempfd, 2);
-		dup2(pipefds[1], 3);
-		pipefds[1] = 3;
-		closeall(4);
-	}
-
-	/* Child. */
+	daemon_init((run_mode & MODE_NODAEMON));
 
 	if (run_mode & MODE_LOG_STDERR) {
 		xlog_syslog(0);
 		xlog_stderr(1);
 		xlog_config(D_ALL, 1);
+	} else {
+		xlog_syslog(1);
+		xlog_stderr(0);
 	}
+
 	xlog_open(name_p);
 	xlog(L_NOTICE, "Version " VERSION " starting");
 
@@ -512,16 +476,8 @@ int main (int argc, char **argv)
 	}
 	atexit(statd_unregister);
 
-	/* If we got this far, we have successfully started, so notify parent */
-	if (pipefds[1] > 0) {
-		status = 0;
-		if (write(pipefds[1], &status, 1) != 1) {
-			xlog_warn("writing to parent pipe failed: errno %d (%s)\n",
-				errno, strerror(errno));
-		}
-		close(pipefds[1]);
-		pipefds[1] = -1;
-	}
+	/* If we got this far, we have successfully started */
+	daemon_ready();
 
 	for (;;) {
 		/*