kafs-client (recent strangeness of with add_key)

Jeffrey E Altman jaltman at auristor.com
Mon Nov 21 08:15:02 PST 2022 

Hello Spencer,

The change "remove -d (debug) option and improve -v (verbose) option" 
should in my opinion be inverted in order to improve compatibility with 
the OpenAFS aklog:

Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]] [[-p | -path] pathname]
     [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag]
     [-linked] [-insecure_des] [-524]

The various pam implementations that call an external aklog assume the 
OpenAFS command line interface.  Enabling verbose output is performing 
by specifying "-d".

I agree that there is little benefit to separate "-d" and "-v" options 
but I believe "-v" should be removed or that they should be synonyms.


In the OpenAFS aklog "-k" is used to specify the Kerberos realm to use 
for the preceding cell.   Note that aklog can be called with multiple 
cells each of which can be optionally bound to a Kerberos realm.  If a 
cell is not followed by "-k realm" then the default realm logic is 
used.   Using "-k" to specify the keyring type is likely to cause 
conflict.   Again, pam modules that execute an external aklog use -k to 
specify the Kerberos realm. --keyring ?

There is benefit to being able to specify the keyring to use. Might 
there be benefit to being able to specify an explicit keyring to use by 
name instead of the keyring type?


There is no benefit to implementing -zsubs, -hosts, -noauth, -524 
-insecure_des.

The -p pathname functionality is useful for obtaining tokens for $HOME 
directories.   A token is obtained for each cell crossed during the 
evaluation of a path.

The -linked option indicates that tokens should be obtained not only for 
a cell whether explicitly specified on the command line or derived from 
a path but should also obtain the tokens for the linked cells.   
Personally I think -linked should be enabled by default.   A linked cell 
is a cell an alternate cell to search for a volume name or id if the 
primary cell's location service does not include a volume of that name 
or id.   Linked cells are useful for building test environments where 
newer versions of volumes are placed into a cell and then the remaining 
production volumes are sourced from a linked cell.   Another use case is 
cell renaming where a volumes are migrated from the old cell to the new 
cell. Cache managers implement the linked cell behavior unconditionally 
so aklog should probably do so as well.

The -noprdb option is not relevant to kafs aklog at the moment because 
kafs aklog does not attempt to automatically register the user in a 
foreign cell nor does it query the token owner's PTS ID.

In all cases it might be a good idea to accept the unimplemented command 
line options and ignore them.

Other than these comments I believe the stack looks good.

Thank you for the follow up.

Jeffrey Altman

On 11/21/2022 10:00 AM, Spencer Olson (olsonse at umich.edu) wrote:
> I've been using this patched version without any issues for a while
> now such that I forgot that there was an issue (until a recent system
> upgrade).
>
> To make my changes easier to digest, I've split my commits on my
> github repository into two branches:
>    master  branch now only has changes to the base package.
>                 This includes several fixes and adds some other command
>                  line options for verbosity
>    debian  branch now has my debian build configuration rebased on
>                  the new master branch
>
> David:  I'd like to request you to do a pull from:
>      https://github.com/olsonse/kafs-client  master
> to get the changes I've made to the base package.  Let me know if  you
> really want me to send you a patch file for these various changes.
>
> Bill:  I'd like to request that you pull these same base package
> changes in for the debian package that you are maintaining.
>
> Spencer
>
>
> On Fri, Jun 3, 2022 at 3:30 PM Spencer Olson<olsonse at umich.edu>  wrote:
>> Ok, so I took the suggestions from Chaskiel, implemented them and
>> pushed my changes to my repository on GitHub.  Using this right now
>> with no issues yet.
>>
>> On Tue, May 31, 2022 at 8:24 AM Chaskiel Grundman<cgrundman at gmail.com>  wrote:
>>> The KEY_SPEC_USER_SESSION_KEYRING exists to be the fallback
>>> KEY_SPEC_SESSION_KEYRING.
>>>
>>>  From user-session-keyring.7:
>>>> The user session keyring is created on demand when a thread requests it or when a thread asks for its session-keyring(7) and that keyring doesn't exist. In the latter case, a user session keyring will be created and, ***if the session keyring wasn't to be created, the user session keyring will be set as the process's actual session keyring***
>>> You can try it yourself, with keyctl show
>>> Compare
>>> keyctl show @s
>>> keyctl show @us
>>> and keyctl session -- keyctl show @s
>>>
>>> the strace shows (session present)
>>> keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0) = 66825801
>>> keyctl(KEYCTL_DESCRIBE, 66825801, NULL, 0) = 32
>>> keyctl(KEYCTL_DESCRIBE, 66825801, "keyring;1000;1000;3f030000;_ses", 32) = 32
>>>
>>> vs (session not present)
>>> keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0) = 634641843
>>> keyctl(KEYCTL_DESCRIBE, 634641843, NULL, 0) = 42
>>> keyctl(KEYCTL_DESCRIBE, 634641843,
>>> "keyring;1000;65534;1f3f0000;_uid"..., 42) = 42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4039 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/linux-afs/attachments/20221121/ed99cde8/attachment.p7s>

More information about the linux-afs mailing list