Stephan Wiesand [Sun, 15 Dec 2013 22:37:43 +0000 (23:37 +0100)]
Make OpenAFS 1.6.5.2
Update configure version strings for 1.6.5.2. Note that macos kext
can be of form XXXX.YY[.ZZ[(d|a|b|fc)NNN]] where d dev, a alpha,
b beta, f final candidate so we have no way to represent 1.6.5.2.
Use 1.6.6 dev 2 for macos.
Change-Id: I4ab3fca89c95ad331db4b0a9823138e87f823c3b
Reviewed-on: http://gerrit.openafs.org/10586 Tested-by: Stephan Wiesand <stephan.wiesand@desy.de> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Marc Dionne [Wed, 22 May 2013 13:26:57 +0000 (09:26 -0400)]
Linux: Fix tmpfs cache support
As of kernel 3.1, tmpfs no longer has a readpage() operation in its
address space operations. Some of the cache manager code relies on
this, causing an oops if tmpfs is used as backing store for the
cache.
As a minimal fix, detect that there is no readpage() and disable
the optimizations that depend on it.
Ben Kaduk [Tue, 26 Mar 2013 21:42:38 +0000 (17:42 -0400)]
Fix DARWIN build with clang
In 1d8937b86050 we added a function call to kauth_cred_unref in the
DARWIN100 case (replacing a macro), but added the inclusion of
sys/kauth.h only when using versions older than DARWIN80.
On DARWIN100 and above, clang detects that the now-implicit function
declaration is in conflict with the actual prototype, which is included
later through afs/sysincludes.h when compiling the kernel rx code.
Since including sys/kauth.h seems to have been harmless for old versions,
just include it always.
Ken Hornstein [Thu, 5 Dec 2013 18:57:36 +0000 (13:57 -0500)]
Remove extra whitespace from macro invocations
On MacOS X 10.9, the compiler has switched to LLVM and as a consequence
generates an error if there is a space between a macro invocation and
the starting left parenthesis.
Based on code originally done by Matt Haught <dmhaught@ncsu.edu>.
Ken Hornstein [Wed, 20 Nov 2013 18:37:52 +0000 (13:37 -0500)]
Support for changes to OS X Mavericks VNOP_SYMLINK() function.
Add support for an extra argument to afs_symlink() to return the
newly-created symlink vnode if requested (this is needed on OS X
Mavericks). On OS X Mavericks return the newly-created symlink vnode in
the symlink vnops functions, on all other platforms ignore it.
It turns out that technically OS X has required the symlink to be
created for a while, but code inside of symlink() would call namei() on
the symlink name if the returned vnode point was NULL. The difference
is that on Mavericks the Manditory Access Control Framework has been
enabled, and that turns on some extra code which unconditionally calls
vnode_mount() on the returned vnode pointer, which ends up causing a
panic
Andrew Deason [Wed, 31 Jul 2013 20:58:41 +0000 (15:58 -0500)]
budb: Do not use garbage cellinfo
If the -servers option is given, we never initialize cellinfo or the
clones array. So, don't give the cellinfo structure or the clones
array to ubik in that case, or we may crash or do other weird things.
This issue appears to have been introduced in commit fc4ab52e.
Russ Allbery [Sat, 5 Oct 2013 18:27:16 +0000 (11:27 -0700)]
Ignore errors when reading ThisCell
* Ignore errors when reading ThisCell in the openafs-client config
script. If the file doesn't end in a newline, read will still succeed
and set the variable, but will exit with a non-zero status. This
would abort configuration of the package without a useful error
message.
Stephan Wiesand [Wed, 2 Oct 2013 09:14:37 +0000 (11:14 +0200)]
Make OpenAFS 1.6.5.1
Update configure version strings for 1.6.5.1. Note that macos kext
can be of form XXXX.YY[.ZZ[(d|a|b|fc)NNN]] where d dev, a alpha,
b beta, f final candidate so we have no way to represent 1.6.5.1.
Switch to 1.6.6 dev 1 for macos.
Change-Id: I44a34f5c8ac3f3518da51e179db05723d3ad754a
Reviewed-on: http://gerrit.openafs.org/10317 Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de> Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>
Andrew Deason [Fri, 20 Sep 2013 20:13:43 +0000 (15:13 -0500)]
rx: Always call rxi_StartListener
Commit c10f5296 made rx_Init only call rxi_StartListener in the kernel
if we have RXK_LISTENER_ENV. But this doesn't make any sense, since
rxi_StartListener only does anything if RXK_LISTENER_ENV is _not_
defined. As a result, for any non-rxk-listener non-rx-upcall platform,
we never receives rx packets in the kernel, since we never set up our
rx packet callback. The only such platform appears to be AIX, since
while other platforms (HPUX, FBSD, IRIX) have a non-rxk-listener mode,
they also implement an rxk-listener mode that we always turn on.
So, just always call rxi_StartListener, and let the ifdef guards for
the various implementations of rxi_StartListener do the right thing.
Marc Dionne [Tue, 3 Sep 2013 11:55:14 +0000 (07:55 -0400)]
Linux 3.11: Adapt to d_count changes
In preparation for upcoming changes in the 3.12 cycle, d_lockref
was introduced late in the 3.11 cycle. The dentry's d_lock and
d_count are moved to this new structure. A new d_lock macro makes
the change transparent for locking, but direct users of d_count
must adapt. A new d_count() helper function is provided and
should now be used.
Use the new d_count() helper function if available, and move
some of the ifdef logic into a helper compatibility function.
Reviewed-on: http://gerrit.openafs.org/10219 Tested-by: Jeffrey Altman <jaltman@your-file-system.com> Reviewed-by: Simon Wilkinson <simonxwilkinson@gmail.com> Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit 1f577e41b65e9bd213a915a296ecf5bedd17fcc1)
Reviewed-on: http://gerrit.openafs.org/10241 Reviewed-by: Mark Vitale <mvitale@sinenomine.net> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 8e14537c605b3b6867c923dfef782492191939c7)
Change-Id: Ia16740e45824971dc8016971429c7926e1378f6c
Reviewed-on: http://gerrit.openafs.org/10276 Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de> Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>
Marc Dionne [Mon, 8 Jul 2013 14:53:00 +0000 (10:53 -0400)]
Linux 3.11: Convert from readdir to iterate file operation
Convert the readdir function so that it can be used as the new
"iterate" file operation. This new operation is passed a context
that contains a pointer to the filldir function and the offset.
The context is passed into the new dir_emit function that will
call the function specified by the context.
The new dir_emit function returns true on success, so we must be
careful about how we check for failure since this is different
behaviour from what filldir currently does.
* Move the documentation and kernel module build dependencies to
Build-Depends-Indep and only do those parts of the build if building
architecture-independent packages.
Andrew Deason [Wed, 10 Jul 2013 17:52:28 +0000 (12:52 -0500)]
Reload rxkad.keytab on CellServDB modification
Make the reloading of rxkad.keytab keys occur in the same way that
KeyFile keys are reloaded. That is, we only try to reload them if the
CellServDB mtime has changed. This is intended to have exactly the
same reloading behavior as KeyFile reloads.
I would have triggered this from afsconf_Check, but that approach
has annoyances. (Calling ticket5_keytab functions directly from
cellconfig pulls in libkrb5 dependencies for everything that uses
cellconfig, and we'd have to trigger an afsconf_Check call by calling
some other cellconfig function.)
Andrew Deason [Mon, 10 Jun 2013 22:49:12 +0000 (17:49 -0500)]
Avoid calling afsconf_GetLatestKey directly
Don't call afsconf_GetLatestKey to determine whether we can print our
own local tokens, since we may have keytab 'local' keys, but no DES
keys. Just try to construct them and see if it fails, using
afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as
appropriate.
Andrew Deason [Mon, 10 Jun 2013 22:15:27 +0000 (17:15 -0500)]
auth: Do not always fallback to noauth
Make afsconf_PickClientSecObj error out if we can't construct
localauth tokens (unless the caller explicitly requested rxnull
fallback). afsconf_ClientAuth{,Secure} still falls back, as always.
Ben Kaduk [Tue, 14 May 2013 23:37:59 +0000 (19:37 -0400)]
Clean up akimpersonate and use for server-to-server
Since a6d7cacfd, aklog has been able to print a krb5 ticket to
itself for an arbitrary client principal, allowing a user with
access to the cell's krb5 key to get tokens as an arbitrary user.
Now that it is possible to use native krb5 tickets with non-DES
enctypes for authentication, and akimpersonate is available from libauth,
use printed native krb5 tickets for server-to-server communication (as well
as the -localauth versions of the client utilities).
Remove the early call to afsconf_GetLatestKey() in
afsconf_PickClientSecObj() so that we do not end up picking an old DES
key before we try to find a better key to use.
Before doing so, refactor the akimpersonate code to be more usable
and readable, and eliminate some dead code. For example, we always printed
addressless tickets, so that code could be removed. Other code had excessive
stack usage for a library routine, which is eliminated. Use a start time
of 0 instead of 300 so that the printed ticket will always be
detected as infinite-lifetime.
In order to ensure usability on all platforms (in particular Solaris),
provide a couple more compat shims to implement routines which are not
always available from the krb5 library, in particular encode_krb5_ticket
and encode_krb5_enc_tkt_part. Thanks to Andrew Deason for implementing
these compatability routines.
Give it its own source file and header, install the header at
depinstall time, and have aklog get the akimpersonate functionality
from libauth.
Keep the linux box copyright from aklog_main.c (but strip the trailing
whitespace), as that block was added with the akimpersonate code.
Remove all calls to afs_com_err() as is fitting for library code,
to let it build. Do not bother removing curly braces which are
no longer needed; a future cleanup commit will catch that.
Derive DES/fcrypt session key from other key types
If a kerberos 5 ticket has a session key with a non-DES enctype,
use the NIST SP800-108 KDF in counter mode with HMAC_MD5 as the PRF to
construct a DES key to be used by rxkad.
To satisfy the requirements of the KDF, DES3 keys are first compressed into a
168 bit form by reversing the RFC3961 random-to-key algorithm
New optional rxkad functionality for decypting krb5 tokens
An additional, optional mechanism for decrypting krb5-format tokens
is provided that uses the krb5 api with a key from a keytab
instead of using libdes and the AFS KeyFile.
The AIX compat stub for krb5_c_decrypt is contributed by Andrew Deason.
Add rxkad server hook function to decrypt more types of tokens
Allow tokens to be encrypted with algorithms other than DES.
The security object owner must provide an implementation
by calling rxkad_SetAltDecryptProc.
Make sure plainsiz is initialized before calling the alternate decrypt
proc.
Russ Allbery [Mon, 17 Jun 2013 20:16:54 +0000 (13:16 -0700)]
Cleanup of openafs-client postinst script
* Cleanup of the openafs-client postinst script.
- Perform all work unconditionally to handle various rare error
recovery cases properly.
- Only force creation of CellServDB on initial installation or if
AFSDB/SRV records are not being used.
Russ Allbery [Mon, 17 Jun 2013 19:53:22 +0000 (12:53 -0700)]
Make shell scripts executable
May as well ship all of the shell scripts in the debian directory
executable, now that the source package format supports preserving
the executable bit.
Russ Allbery [Mon, 17 Jun 2013 19:51:44 +0000 (12:51 -0700)]
Give openafs-dbserver its own doc directory
* Give openafs-dbserver its own documentation directory rather than
linking it to openafs-client, allowing relaxation of the versioned
dependency on openafs-client to Recommends. (However, openafs-client
will still have to be installed for the openafs-fileserver init
script, which uses the bos binary, so will still be pulled in by
dependencies.)
OpenBSD 5.3: Replace use of copyinstr for setting mount point name.
As a result of a realignment of kernel memory in OpenBSD 5.3,
the copyinstr() routine no longer works for copying the mount
point name into the internal mount table structure. It also
fails silently, so it's not noticed until someone looks at
the mount table and discovers that the mount point name for
AFS is missing.
This patch replaces the use of copyinstr() with strlcpy() for
copying the mount point name in OpenBSD 5.3.
Note that this is consistent with how other similar device
support has addressed the same issue in OpenBSD 5.3.
Anders Kaseorg [Tue, 7 May 2013 04:27:33 +0000 (00:27 -0400)]
Linux: osi_TryEvictVCache: Don’t skip the first dentry if D_ALIAS_IS_HLIST
An hlist doesn’t begin with a sentinel like a list does, so the old
code would skip the first dentry or crash with a NULL dereference if
there wasn’t one. Use the kernel’s list_for_each_entry or
hlist_for_each_entry macros instead of trying to do it manually.
Should fix a crash observed by Alex Chernyakhovsky on kernel 3.6 and
newer.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Reviewed-on: http://gerrit.openafs.org/9857 Reviewed-by: Alex Chernyakhovsky <achernya@mit.edu> Tested-by: Alex Chernyakhovsky <achernya@mit.edu> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com> Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit ad6e31d5fea221bf5eefcd35a416667bc7c1f9be)
Change-Id: Id8b31246067b5a718af91c8c206d5abd5210c558
Reviewed-on: http://gerrit.openafs.org/9898 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Andrew Deason [Thu, 28 Mar 2013 18:03:40 +0000 (13:03 -0500)]
afsio: Pass KRB5_LDFLAGS along with KRB5_LIBS
We need this in case e.g. the krb5 library we're using is in an
alternate location, so we can pass -L. aklog already does this, so do
it for afsio, too.
This is a 1.6-only change. On master, this problem went away when the
krb5 ldflags/cflags/etc were standardized in commit 6f9443e702745d1e371eb72ad7fcba5cac47f3db.
Thanks to Måns Nilsson for reporting this.
Change-Id: I79aeb1f4de123b7550b64c1890a2773a44ff8d1e
Reviewed-on: http://gerrit.openafs.org/9692 Reviewed-by: Simon Wilkinson <simonxwilkinson@gmail.com> Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Derrick Brashear <shadow@your-file-system.com> Reviewed-by: Michael Meffie <mmeffie@sinenomine.net> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Ken Dreyer [Wed, 1 May 2013 03:59:32 +0000 (21:59 -0600)]
doc: quote list items in POD
Recent versions of Pod::Simple complain if we use integers or other
special characters in an =item list. We have a couple bulleted lists
that happen to have integers or other special characters as the list
values. Quote the items with C<> so that Pod::Simple can correctly parse
them again.
Andrew Deason [Tue, 30 Apr 2013 19:37:54 +0000 (14:37 -0500)]
afs: Do not invalidate all dcaches on startup
Commit 20b0c65a289e2b55fb6922c8f60e873f1f4c6f97 changed
afs_UFSGetDSlot to always treat a dslot entry as invalid if
'datavalid' was 0. This was to force the invalidation of the given
dslot if we were reading in a dslot from the free or discard list,
since the data in that dslot is not valid.
However, 'datavalid' is also 0 when we read in dcache entries from
disk on startup. So, this means that we invalidated all cache entries
when the client started up, effectively making our persistent cache
worthless.
Fix this by only forcing this invalidation when we are reading from a
free or discarded dcache, and not during the initial cache scan. That
is, when 'indexvalid' is 1, and 'datavalid' is 0.
The parameters for these Get*DSlot variants should maybe be changed to
be a little more clear, but for now, this is a targeted fix for this
specific issue.
FIXES 131655
Reviewed-on: http://gerrit.openafs.org/9833 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil> Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com> Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
(cherry picked from commit 479c34614f33859131258e330e7a3f8494e0bc80)
Change-Id: I72b7ad41658c51b81aa9844327372724a0f3151e
Reviewed-on: http://gerrit.openafs.org/9837 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com> Tested-by: Stephan Wiesand <stephan.wiesand@desy.de> Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
projects / packages / o / openafs.git / log