head	1.6;
access;
symbols
	RELENG_8_4:1.6.0.2
	RELENG_9_1_0_RELEASE:1.2.4.2.2.2
	RELENG_9_1:1.2.4.2.0.2
	RELENG_9_1_BP:1.2.4.2
	RELENG_8_3_0_RELEASE:1.2.2.2.2.1
	RELENG_8_3:1.2.2.2.0.2
	RELENG_8_3_BP:1.2.2.2
	RELENG_9_0_0_RELEASE:1.2.4.1.2.1
	RELENG_9_0:1.2.4.1.0.2
	RELENG_9_0_BP:1.2.4.1
	RELENG_9:1.2.0.4
	RELENG_9_BP:1.2
	RELENG_8_2_0_RELEASE:1.2.2.1.6.1
	RELENG_8_2:1.2.2.1.0.6
	RELENG_8_2_BP:1.2.2.1
	RELENG_8_1_0_RELEASE:1.2.2.1.4.1
	RELENG_8_1:1.2.2.1.0.4
	RELENG_8_1_BP:1.2.2.1
	RELENG_8_0_0_RELEASE:1.2.2.1.2.1
	RELENG_8_0:1.2.2.1.0.2
	RELENG_8_0_BP:1.2.2.1
	RELENG_8:1.2.0.2
	RELENG_8_BP:1.2;
locks; strict;
comment	@# @;


1.6
date	2013.01.04.00.48.30;	author svnexp;	state Exp;
branches
	1.6.2.1;
next	1.5;

1.5
date	2012.12.23.20.34.56;	author svnexp;	state Exp;
branches;
next	1.4;

1.4
date	2012.11.17.01.54.45;	author svnexp;	state Exp;
branches;
next	1.3;

1.3
date	2012.02.07.09.27.07;	author dim;	state Exp;
branches;
next	1.2;

1.2
date	2008.12.30.01.33.15;	author obrien;	state Exp;
branches
	1.2.2.1
	1.2.4.1;
next	1.1;

1.1
date	2008.11.03.10.38.00;	author dfr;	state Exp;
branches;
next	;

1.6.2.1
date	2013.01.04.00.48.30;	author svnexp;	state dead;
branches;
next	1.6.2.2;

1.6.2.2
date	2013.03.28.13.06.16;	author svnexp;	state Exp;
branches;
next	;

1.2.2.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches
	1.2.2.1.2.1
	1.2.2.1.4.1
	1.2.2.1.6.1;
next	1.2.2.2;

1.2.2.2
date	2012.02.14.19.49.06;	author dim;	state Exp;
branches
	1.2.2.2.2.1;
next	1.2.2.3;

1.2.2.3
date	2012.11.17.10.37.22;	author svnexp;	state Exp;
branches;
next	;

1.2.2.1.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.2.2.1.4.1
date	2010.06.14.02.09.06;	author kensmith;	state Exp;
branches;
next	;

1.2.2.1.6.1
date	2010.12.21.17.09.25;	author kensmith;	state Exp;
branches;
next	;

1.2.2.2.2.1
date	2012.03.03.06.15.13;	author kensmith;	state Exp;
branches;
next	1.2.2.2.2.2;

1.2.2.2.2.2
date	2012.11.17.08.25.54;	author svnexp;	state Exp;
branches;
next	;

1.2.4.1
date	2011.09.23.00.51.37;	author kensmith;	state Exp;
branches
	1.2.4.1.2.1;
next	1.2.4.2;

1.2.4.2
date	2012.02.14.19.36.35;	author dim;	state Exp;
branches
	1.2.4.2.2.1;
next	1.2.4.3;

1.2.4.3
date	2012.11.17.11.37.44;	author svnexp;	state Exp;
branches;
next	1.2.4.4;

1.2.4.4
date	2013.01.06.02.02.22;	author svnexp;	state Exp;
branches;
next	;

1.2.4.1.2.1
date	2011.11.11.04.20.22;	author kensmith;	state Exp;
branches;
next	1.2.4.1.2.2;

1.2.4.1.2.2
date	2012.11.17.08.37.40;	author svnexp;	state Exp;
branches;
next	;

1.2.4.2.2.1
date	2012.08.05.23.54.33;	author kensmith;	state Exp;
branches;
next	1.2.4.2.2.2;

1.2.4.2.2.2
date	2012.11.17.08.48.32;	author svnexp;	state Exp;
branches;
next	;


desc
@@


1.6
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/245014
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@# $FreeBSD: head/usr.sbin/gssd/Makefile 245014 2013-01-03 22:24:39Z rmacklem $

.include <bsd.own.mk>
# BSD make description for the gssd daemon; bsd.own.mk comes first, presumably to define MK_KERBEROS_SUPPORT.
PROG=	gssd
MAN=	gssd.8
SRCS=	gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
# -I. puts the build directory on the include path; WARNS stays at 1 unless the caller has already set it.
CFLAGS+= -I.
WARNS?= 1
# libgssapi is always linked; the Kerberos libraries are added unless MK_KERBEROS_SUPPORT is "no".
DPADD=	${LIBGSSAPI}
LDADD=	-lgssapi
.if ${MK_KERBEROS_SUPPORT} != "no"
DPADD+=	${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
LDADD+=	-lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto
.else
CFLAGS+= -DWITHOUT_KERBEROS
.endif
# Generated files removed on clean. NOTE(review): gssd_xdr.c is generated below too but is not listed - confirm.
CLEANFILES= gssd_svc.c gssd.h
# rpcgen reads sys/kgssapi/gssd.x; RPCGEN_CPP=${CPP:Q} hands it the build's C preprocessor, shell-quoted by :Q.
RPCSRC=	${.CURDIR}/../../sys/kgssapi/gssd.x
RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -L -C -M
# rpcgen -m: server-side stubs without a main(); gssd.h is a prerequisite, so the header is generated first.
gssd_svc.c: ${RPCSRC} gssd.h
	${RPCGEN} -m -o ${.TARGET} ${RPCSRC}
# rpcgen -c: XDR routines for the types declared in gssd.x.
gssd_xdr.c: ${RPCSRC} gssd.h
	${RPCGEN} -c -o ${.TARGET} ${RPCSRC}
# rpcgen -h: C header with the protocol's data definitions.
gssd.h: ${RPCSRC}
	${RPCGEN} -h -o ${.TARGET} ${RPCSRC}
# Extra source search directory; presumably where gssd_prot.c, which has no rule here, is found - confirm.
.PATH:	${.CURDIR}/../../sys/kgssapi
# Standard rules for building and installing a single program.
.include <bsd.prog.mk>
@


1.6.2.1
log
@file Makefile was added on branch RELENG_8_4 on 2013-03-28 13:06:16 +0000
@
text
@d1 37
@


1.6.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 29
# $FreeBSD: releng/8.4/usr.sbin/gssd/Makefile 231704 2012-02-14 19:49:06Z dim $

PROG=	gssd
MAN=	gssd.8
SRCS=	gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c

CFLAGS+= -I.
WARNS?= 1

DPADD=	${LIBGSSAPI}
LDADD=	-lgssapi

CLEANFILES= gssd_svc.c gssd.h

RPCSRC=	${.CURDIR}/../../sys/kgssapi/gssd.x
RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -L -C -M

gssd_svc.c: ${RPCSRC} gssd.h
	${RPCGEN} -m -o ${.TARGET} ${RPCSRC}

gssd_xdr.c: ${RPCSRC} gssd.h
	${RPCGEN} -c -o ${.TARGET} ${RPCSRC}

gssd.h: ${RPCSRC}
	${RPCGEN} -h -o ${.TARGET} ${RPCSRC}

.PATH:	${.CURDIR}/../../sys/kgssapi

.include <bsd.prog.mk>
@
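Review bot: `CLEANFILES= gssd_svc.c gssd.h` in this releng/8.4 copy leaves out gssd_xdr.c, although the `gssd_xdr.c:` rule further down generates it with rpcgen just like the other two files. As written, `make clean` leaves a generated source file behind in the build directory; I would list all three: `CLEANFILES= gssd_svc.c gssd_xdr.c gssd.h`. Separately, `WARNS?= 1` keeps the default warning level low for a daemon that handles GSS-API credentials, so raising it is worth a look if the rpcgen output builds cleanly at a higher level.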


1.5
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/244638
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d1 3
a3 1
# $FreeBSD: head/usr.sbin/gssd/Makefile 244638 2012-12-23 20:12:57Z rmacklem $
d12 8
a19 2
DPADD=	${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
LDADD=	-lgssapi -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto
@


1.4
log
@Switching exporter and resync
@
text
@d1 1
a1 1
# $FreeBSD: head/usr.sbin/gssd/Makefile 231118 2012-02-07 09:27:07Z dim $
d10 2
a11 2
DPADD=	${LIBGSSAPI}
LDADD=	-lgssapi
@


1.3
log
@SVN rev 231118 on 2012-02-07 09:27:07Z by dim

Consistently set RPCGEN_CPP when running rpcgen, so the C preprocessor
set via ${CPP} is used, instead of always using hardcoded /usr/bin/cpp.

MFC after:	1 week
@
text
@d1 1
a1 1
# $FreeBSD$
@


1.2
log
@SVN rev 186582 on 2008-12-30 01:33:15Z by obrien

Add gssd.h to the list of SRCS so one can build without 'make depend' first.
@
text
@d16 1
a16 1
RPCGEN= rpcgen -L -C -M
@


1.2.4.1
log
@SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.2.4.2
log
@SVN rev 231702 on 2012-02-14 19:36:35Z by dim

MFC r231118:

Consistently set RPCGEN_CPP when running rpcgen, so the C preprocessor
set via ${CPP} is used, instead of always using hardcoded /usr/bin/cpp.
@
text
@d16 1
a16 1
RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -L -C -M
@


1.2.4.3
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242902
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242902 | dteske | 2012-11-11 23:29:45 +0000 (Sun, 11 Nov 2012) | 10 lines
## SVN ##
## SVN ## Fix a regression introduced by SVN r211417 that saw the breakage of a feature
## SVN ## documented in usr.sbin/sysinstall/help/shortcuts.hlp (reproduced below):
## SVN ##
## SVN ## If /usr/sbin/sysinstall is linked to another filename, say
## SVN ## `/usr/local/bin/configPackages', then the basename will be used
## SVN ## as an implicit command name.
## SVN ##
## SVN ## Reviewed by:	adrian (co-mentor)
## SVN ## Approved by:	adrian (co-mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d1 1
a1 1
# $FreeBSD: stable/9/usr.sbin/gssd/Makefile 231702 2012-02-14 19:36:35Z dim $
@


1.2.4.4
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/245089
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r245089 | rmacklem | 2013-01-06 01:41:14 +0000 (Sun, 06 Jan 2013) | 9 lines
## SVN ##
## SVN ## MFC: r244604, r244638, r245014
## SVN ## It was reported via email that some sshds create kerberos
## SVN ## credential cache files with names other than /tmp/krb5cc_<uid>.
## SVN ## The gssd daemon does not know how to find these credential caches.
## SVN ## This patch implements a new option "-s" that does a search for
## SVN ## credential cache files, using roughly the same algorithm as the
## SVN ## gssd daemon for Linux uses. The gssd behaviour is only changed
## SVN ## if the new "-s" option is specified.
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d1 1
a1 3
# $FreeBSD: stable/9/usr.sbin/gssd/Makefile 245089 2013-01-06 01:41:14Z rmacklem $

.include <bsd.own.mk>
a11 6
.if ${MK_KERBEROS_SUPPORT} != "no"
DPADD+=	${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
LDADD+=	-lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto
.else
CFLAGS+= -DWITHOUT_KERBEROS
.endif
@
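Review bot: The `.else` branch of the added `.if ${MK_KERBEROS_SUPPORT} != "no"` block defines WITHOUT_KERBEROS with no comment saying what that removes from the daemon. Presumably it compiles out the credential-cache search behind the new `-s` option described in the log, since that is the part that would need libkrb5, but gssd.c is not in this delta, so that should be confirmed. I would add above the block: `# Kerberos libraries are linked only when MK_KERBEROS_SUPPORT is enabled; otherwise gssd is built with -DWITHOUT_KERBEROS.` The conditional presumably relies on the `.include <bsd.own.mk>` added by the first hunk, so the two changes should stay together in any further merge.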


1.2.4.2.2.1
log
@SVN rev 239080 on 2012-08-05 23:54:33Z by kensmith

Copy stable/9 to releng/9.1 as part of the 9.1-RELEASE release process.

Approved by:	re (implicit)
@
text
@@


1.2.4.2.2.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/9.1/usr.sbin/gssd/Makefile 231702 2012-02-14 19:36:35Z dim $
@


1.2.4.1.2.1
log
@SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)
@
text
@@


1.2.4.1.2.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/9.0/usr.sbin/gssd/Makefile 186582 2008-12-30 01:33:15Z obrien $
@


1.2.2.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.2.2.2
log
@SVN rev 231704 on 2012-02-14 19:49:06Z by dim

MFC r231118:

Consistently set RPCGEN_CPP when running rpcgen, so the C preprocessor
set via ${CPP} is used, instead of always using hardcoded /usr/bin/cpp.
@
text
@d16 1
a16 1
RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -L -C -M
@


1.2.2.3
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242909
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242909 | dim | 2012-11-12 07:47:19 +0000 (Mon, 12 Nov 2012) | 20 lines
## SVN ##
## SVN ## MFC r242625:
## SVN ##
## SVN ## Remove duplicate const specifiers in many drivers (I hope I got all of
## SVN ## them, please let me know if not).  Most of these are of the form:
## SVN ##
## SVN ## static const struct bzzt_type {
## SVN ##       [...list of members...]
## SVN ## } const bzzt_devs[] = {
## SVN ##       [...list of initializers...]
## SVN ## };
## SVN ##
## SVN ## The second const is unnecessary, as arrays cannot be modified anyway,
## SVN ## and if the elements are const, the whole thing is const automatically
## SVN ## (e.g. it is placed in .rodata).
## SVN ##
## SVN ## I have verified this does not change the binary output of a full kernel
## SVN ## build (except for build timestamps embedded in the object files).
## SVN ##
## SVN ## Reviewed by:	yongari, marius
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d1 1
a1 1
# $FreeBSD: stable/8/usr.sbin/gssd/Makefile 231704 2012-02-14 19:49:06Z dim $
@


1.2.2.2.2.1
log
@SVN rev 232438 on 2012-03-03 06:15:13Z by kensmith

Copy stable/8 to releng/8.3 as part of 8.3-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.2.2.2.2.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/8.3/usr.sbin/gssd/Makefile 231704 2012-02-14 19:49:06Z dim $
@


1.2.2.1.6.1
log
@SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)
@
text
@@


1.2.2.1.4.1
log
@SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)
@
text
@@


1.2.2.1.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.1
log
@SVN rev 184588 on 2008-11-03 10:38:00Z by dfr

Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
@
text
@d5 1
a5 1
SRCS=	gssd.c gssd_svc.c gssd_xdr.c gssd_prot.c
@

