diff --git a/aclocal/keyutils.m4 b/aclocal/keyutils.m4
index a392c0e..16b225d 100644
--- a/aclocal/keyutils.m4
+++ b/aclocal/keyutils.m4
@@ -8,4 +8,8 @@ AC_DEFUN([AC_KEYUTILS], [
AC_CHECK_HEADERS([keyutils.h])
+ AC_CHECK_LIB([keyutils], [find_key_by_type_and_desc],
+ [AC_DEFINE([HAVE_FIND_KEY_BY_TYPE_AND_DESC], [1],
+ [Define to 1 if you have the `find_key_by_type_and_desc' function.])],)
+
])dnl
diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index 10f69f9..9c49d42 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -1,3 +1,4 @@
+#include "config.h"
#include <stdarg.h>
#include <stdio.h>
@@ -15,7 +16,7 @@
#include "conffile.h"
int verbose = 0;
-char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
+char *usage = "Usage: %s [-v] [-c || [-u|-g|-r key] || -d || -l || [-t timeout] key desc]";
#define MAX_ID_LEN 11
#define IDMAP_NAMESZ 128
@@ -31,15 +32,163 @@ char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
#define PATH_IDMAPDCONF "/etc/idmapd.conf"
#endif
-static int keyring_clear(char *keyring);
-
#define UIDKEYS 0x1
#define GIDKEYS 0x2
+#ifndef HAVE_FIND_KEY_BY_TYPE_AND_DESC
+static key_serial_t find_key_by_type_and_desc(const char *type,
+ const char *desc, key_serial_t destringid)
+{
+ char buf[BUFSIZ];
+ key_serial_t key;
+ FILE *fp;
+
+ if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+ xlog_err("fopen(%s) failed: %m", PROCKEYS);
+ return -1;
+ }
+
+ key = -1;
+ while(fgets(buf, BUFSIZ, fp) != NULL) {
+ unsigned int id;
+
+ if (strstr(buf, type) == NULL)
+ continue;
+ if (strstr(buf, desc) == NULL)
+ continue;
+ if (sscanf(buf, "%x %*s", &id) != 1) {
+ xlog_err("Unparsable keyring entry in %s", PROCKEYS);
+ continue;
+ }
+
+ key = (key_serial_t)id;
+ break;
+ }
+
+ fclose(fp);
+ return key;
+}
+#endif
+
+/*
+ * Clear all the keys on the given keyring
+ */
+static int keyring_clear(const char *keyring)
+{
+ key_serial_t key;
+
+ key = find_key_by_type_and_desc("keyring", keyring, 0);
+ if (key == -1) {
+ if (verbose)
+ xlog_warn("'%s' keyring was not found.", keyring);
+ return EXIT_SUCCESS;
+ }
+
+ if (keyctl_clear(key) < 0) {
+ xlog_err("keyctl_clear(0x%x) failed: %m",
+ (unsigned int)key);
+ return EXIT_FAILURE;
+ }
+
+ if (verbose)
+ xlog_warn("'%s' cleared", keyring);
+ return EXIT_SUCCESS;
+}
+
+static int display_default_domain(void)
+{
+ char domain[NFS4_MAX_DOMAIN_LEN];
+ int rc;
+
+ rc = nfs4_get_default_domain(NULL, domain, NFS4_MAX_DOMAIN_LEN);
+ if (rc) {
+ xlog_errno(rc, "nfs4_get_default_domain failed: %m");
+ return EXIT_FAILURE;
+ }
+
+ printf("%s\n", domain);
+ return EXIT_SUCCESS;
+}
+
+static void list_key(key_serial_t key)
+{
+ char *buffer, *c;
+ int rc;
+
+ rc = keyctl_describe_alloc(key, &buffer);
+ if (rc < 0) {
+ switch (errno) {
+ case EKEYEXPIRED:
+ printf("Expired key not displayed\n");
+ break;
+ default:
+ xlog_err("Failed to describe key: %m");
+ }
+ return;
+ }
+
+ c = strrchr(buffer, ';');
+ if (!c) {
+ xlog_err("Unparsable key not displayed\n");
+ goto out_free;
+ }
+ printf(" %s\n", ++c);
+
+out_free:
+ free(buffer);
+}
+
+static void list_keys(const char *ring_name, key_serial_t ring_id)
+{
+ key_serial_t *key;
+ void *keylist;
+ int count;
+
+ count = keyctl_read_alloc(ring_id, &keylist);
+ if (count < 0) {
+ xlog_err("Failed to read keyring %s: %m", ring_name);
+ return;
+ }
+ count /= (int)sizeof(*key);
+
+ switch (count) {
+ case 0:
+ printf("No %s keys found.\n", ring_name);
+ break;
+ case 1:
+ printf("1 %s key found:\n", ring_name);
+ break;
+ default:
+ printf("%u %s keys found:\n", count, ring_name);
+ }
+
+ for (key = keylist; count--; key++)
+ list_key(*key);
+
+ free(keylist);
+}
+
+/*
+ * List all keys on a keyring
+ */
+static int list_keyring(const char *keyring)
+{
+ key_serial_t key;
+
+ key = find_key_by_type_and_desc("keyring", keyring, 0);
+ if (key == -1) {
+ xlog_err("'%s' keyring was not found.", keyring);
+ return EXIT_FAILURE;
+ }
+
+ list_keys(keyring, key);
+ return EXIT_SUCCESS;
+}
+
/*
* Find either a user or group id based on the name@domain string
*/
-int id_lookup(char *name_at_domain, key_serial_t key, int type)
+static int id_lookup(char *name_at_domain, key_serial_t key, int type)
{
char id[MAX_ID_LEN];
uid_t uid = 0;
@@ -53,30 +202,33 @@ int id_lookup(char *name_at_domain, key_serial_t key, int type)
rc = nfs4_group_owner_to_gid(name_at_domain, &gid);
sprintf(id, "%u", gid);
}
- if (rc < 0)
+ if (rc < 0) {
xlog_errno(rc, "id_lookup: %s: failed: %m",
(type == USER ? "nfs4_owner_to_uid" : "nfs4_group_owner_to_gid"));
+ return EXIT_FAILURE;
+ }
- if (rc == 0) {
- rc = keyctl_instantiate(key, id, strlen(id) + 1, 0);
- if (rc < 0) {
- switch(rc) {
- case -EDQUOT:
- case -ENFILE:
- case -ENOMEM:
- /*
- * The keyring is full. Clear the keyring and try again
- */
- rc = keyring_clear(DEFAULT_KEYRING);
- if (rc == 0)
- rc = keyctl_instantiate(key, id, strlen(id) + 1, 0);
- break;
- default:
+ rc = EXIT_SUCCESS;
+ if (keyctl_instantiate(key, id, strlen(id) + 1, 0)) {
+ switch (errno) {
+ case EDQUOT:
+ case ENFILE:
+ case ENOMEM:
+ /*
+ * The keyring is full. Clear the keyring and try again
+ */
+ rc = keyring_clear(DEFAULT_KEYRING);
+ if (rc)
break;
+ if (keyctl_instantiate(key, id, strlen(id) + 1, 0)) {
+ rc = EXIT_FAILURE;
+ xlog_err("id_lookup: keyctl_instantiate failed: %m");
}
+ break;
+ default:
+ rc = EXIT_FAILURE;
+ break;
}
- if (rc < 0)
- xlog_err("id_lookup: keyctl_instantiate failed: %m");
}
return rc;
@@ -85,7 +237,7 @@ int id_lookup(char *name_at_domain, key_serial_t key, int type)
/*
* Find the name@domain string from either a user or group id
*/
-int name_lookup(char *id, key_serial_t key, int type)
+static int name_lookup(char *id, key_serial_t key, int type)
{
char name[IDMAP_NAMESZ];
char domain[NFS4_MAX_DOMAIN_LEN];
@@ -94,11 +246,10 @@ int name_lookup(char *id, key_serial_t key, int type)
int rc;
rc = nfs4_get_default_domain(NULL, domain, NFS4_MAX_DOMAIN_LEN);
- if (rc != 0) {
+ if (rc) {
xlog_errno(rc,
"name_lookup: nfs4_get_default_domain failed: %m");
- rc = -1;
- goto out;
+ return EXIT_FAILURE;
}
if (type == USER) {
@@ -108,61 +259,21 @@ int name_lookup(char *id, key_serial_t key, int type)
gid = atoi(id);
rc = nfs4_gid_to_name(gid, domain, name, IDMAP_NAMESZ);
}
- if (rc < 0)
+ if (rc) {
xlog_errno(rc, "name_lookup: %s: failed: %m",
(type == USER ? "nfs4_uid_to_name" : "nfs4_gid_to_name"));
-
- if (rc == 0) {
- rc = keyctl_instantiate(key, &name, strlen(name), 0);
- if (rc < 0)
- xlog_err("name_lookup: keyctl_instantiate failed: %m");
+ return EXIT_FAILURE;
}
-out:
- return rc;
-}
-/*
- * Clear all the keys on the given keyring
- */
-static int keyring_clear(char *keyring)
-{
- FILE *fp;
- char buf[BUFSIZ];
- key_serial_t key;
- if (keyring == NULL)
- keyring = DEFAULT_KEYRING;
-
- if ((fp = fopen(PROCKEYS, "r")) == NULL) {
- xlog_err("fopen(%s) failed: %m", PROCKEYS);
- return 1;
+ rc = EXIT_SUCCESS;
+ if (keyctl_instantiate(key, &name, strlen(name), 0)) {
+ rc = EXIT_FAILURE;
+ xlog_err("name_lookup: keyctl_instantiate failed: %m");
}
- while(fgets(buf, BUFSIZ, fp) != NULL) {
- if (strstr(buf, "keyring") == NULL)
- continue;
- if (strstr(buf, keyring) == NULL)
- continue;
- if (verbose) {
- *(strchr(buf, '\n')) = '\0';
- xlog_warn("clearing '%s'", buf);
- }
- /*
- * The key is the first arugment in the string
- */
- *(strchr(buf, ' ')) = '\0';
- sscanf(buf, "%x", &key);
- if (keyctl_clear(key) < 0) {
- xlog_err("keyctl_clear(0x%x) failed: %m", key);
- fclose(fp);
- return 1;
- }
- fclose(fp);
- return 0;
- }
- xlog_err("'%s' keyring was not found.", keyring);
- fclose(fp);
- return 1;
+ return rc;
}
+
/*
* Revoke a key
*/
@@ -177,7 +288,7 @@ static int key_invalidate(char *keystr, int keymask)
if ((fp = fopen(PROCKEYS, "r")) == NULL) {
xlog_err("fopen(%s) failed: %m", PROCKEYS);
- return 1;
+ return EXIT_FAILURE;
}
while(fgets(buf, BUFSIZ, fp) != NULL) {
@@ -211,18 +322,18 @@ static int key_invalidate(char *keystr, int keymask)
if (keyctl_invalidate(key) < 0) {
xlog_err("keyctl_invalidate(0x%x) failed: %m", key);
fclose(fp);
- return 1;
+ return EXIT_FAILURE;
}
keymask &= ~mask;
if (keymask == 0) {
fclose(fp);
- return 0;
+ return EXIT_SUCCESS;
}
}
xlog_err("'%s' key was not found.", keystr);
fclose(fp);
- return 1;
+ return EXIT_FAILURE;
}
int main(int argc, char **argv)
@@ -234,7 +345,7 @@ int main(int argc, char **argv)
int timeout = 600;
key_serial_t key;
char *progname, *keystr = NULL;
- int clearing = 0, keymask = 0;
+ int clearing = 0, keymask = 0, display = 0, list = 0;
/* Set the basename */
if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -244,8 +355,14 @@ int main(int argc, char **argv)
xlog_open(progname);
- while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
+ while ((opt = getopt(argc, argv, "du:g:r:ct:vl")) != -1) {
switch (opt) {
+ case 'd':
+ display++;
+ break;
+ case 'l':
+ list++;
+ break;
case 'u':
keymask = UIDKEYS;
keystr = strdup(optarg);
@@ -273,28 +390,35 @@ int main(int argc, char **argv)
}
}
+ if (geteuid() != 0) {
+ xlog_err("Must be run as root.");
+ return EXIT_FAILURE;
+ }
+
if ((rc = nfs4_init_name_mapping(PATH_IDMAPDCONF))) {
xlog_errno(rc, "Unable to create name to user id mappings.");
- return 1;
+ return EXIT_FAILURE;
}
if (!verbose)
verbose = conf_get_num("General", "Verbosity", 0);
+ if (display)
+ return display_default_domain();
+ if (list)
+ return list_keyring(DEFAULT_KEYRING);
if (keystr) {
- rc = key_invalidate(keystr, keymask);
- return rc;
+ return key_invalidate(keystr, keymask);
}
if (clearing) {
xlog_syslog(0);
- rc = keyring_clear(DEFAULT_KEYRING);
- return rc;
+ return keyring_clear(DEFAULT_KEYRING);
}
- xlog_stderr(0);
+ xlog_stderr(verbose);
if ((argc - optind) != 2) {
- xlog_err("Bad arg count. Check /etc/request-key.conf");
+ xlog_warn("Bad arg count. Check /etc/request-key.conf");
xlog_warn(usage, progname);
- return 1;
+ return EXIT_FAILURE;
}
if (verbose)
@@ -305,11 +429,15 @@ int main(int argc, char **argv)
arg = strdup(argv[optind]);
if (arg == NULL) {
xlog_err("strdup failed: %m");
- return 1;
+ return EXIT_FAILURE;
}
type = strtok(arg, ":");
value = strtok(NULL, ":");
-
+ if (value == NULL) {
+ free(arg);
+ xlog_err("Error: Null uid/gid value.");
+ return EXIT_FAILURE;
+ }
if (verbose) {
xlog_warn("key: 0x%lx type: %s value: %s timeout %ld",
key, type, value, timeout);
@@ -328,7 +456,7 @@ int main(int argc, char **argv)
rc = name_lookup(value, key, GROUP);
/* Set timeout to 10 (600 seconds) minutes */
- if (rc == 0)
+ if (rc == EXIT_SUCCESS)
keyctl_set_timeout(key, timeout);
free(arg);
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index 3a3a523..0275bdf 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -11,30 +11,72 @@ nfsidmap \- The NFS idmapper upcall program
.B "nfsidmap [-v] [-c]"
.br
.B "nfsidmap [-v] [-u|-g|-r user]"
+.br
+.B "nfsidmap -d"
+.br
+.B "nfsidmap -l"
.SH DESCRIPTION
-The file
+The NFSv4 protocol represents the local system's UID and GID values
+on the wire as strings of the form
+.IR user@domain .
+The process of translating from UID to string and string to UID is
+referred to as "ID mapping."
+.PP
+The system derives the
+.I user
+part of the string by performing a password or group lookup.
+The lookup mechanism is configured in
+.IR /etc/idmapd.conf .
+.PP
+By default, the
+.I domain
+part of the string is the system's DNS domain name.
+It can also be specified in
+.I /etc/idmapd.conf
+if the system is multi-homed,
+or if the system's DNS domain name does
+not match the name of the system's Kerberos realm.
+.PP
+The
.I /usr/sbin/nfsidmap
-is used by the NFS idmapper to translate user and group ids into names, and to
-translate user and group names into ids. Idmapper uses request-key to perform
-the upcall and cache the result.
+program performs translations on behalf of the kernel.
+The kernel uses the request-key mechanism to perform
+an upcall.
.I /usr/sbin/nfsidmap
-is called by /sbin/request-key, and will perform the translation and
-initialize a key with the resulting information.
+is invoked by /sbin/request-key, performs the translation,
+and initializes a key with the resulting information.
+The kernel then caches the translation results in the key.
.PP
.I nfsidmap
-can also used to clear the keyring of all the keys or
-revoke one particular key.
-This is useful when the id mappings have failed to due
-to a lookup error resulting in all the cached uids/gids to be set
-to the user id nobody.
+can also clear cached ID map results in the kernel,
+or revoke one particular key.
+An incorrect cached key can result in file and directory ownership
+reverting to "nobody" on NFSv4 mount points.
+.PP
+In addition, the
+.B -d
+and
+.B -l
+options are available to help diagnose misconfigurations.
+They have no effect on the keyring containing ID mapping results.
.SH OPTIONS
.TP
.B -c
Clear the keyring of all the keys.
.TP
+.B -d
+Display the system's effective NFSv4 domain name on
+.IR stdout .
+.TP
.B -g user
Revoke the gid key of the given user.
.TP
+.B -l
+Display on
+.I stdout
+all keys currently in the keyring used to cache ID mapping results.
+These keys are visible only to the superuser.
+.TP
.B -r user
Revoke both the uid and gid key of the given user.
.TP
@@ -89,5 +131,15 @@ Notice that the new line was added above the line for the generic program.
request-key will find the first matching line and run the corresponding program.
In this case, /some/other/program will handle all uid lookups, and
/usr/sbin/nfsidmap will handle gid, user, and group lookups.
+.SH FILES
+.TP
+.I /etc/idmapd.conf
+ID mapping configuration file
+.TP
+.I /etc/request-key.conf
+Request key configuration file
+.SH "SEE ALSO"
+.BR idmapd.conf (5),
+.BR request-key (8)
.SH AUTHOR
Bryan Schumaker, <bjschuma@netapp.com>