Change the log levels to be more appropriate to the messages being
logged. Error messages should be LOG_ERR and not LOG_WARNING, for
instance.
Add some LOG_DEBUG messages that we can use to diagnose problems with
krb5 upcalls. With these, someone can set up syslog to log daemon.debug
and should be able to get more info when things aren't working.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
buf[4095] = '\0';
snprintf(buf, 4095, "/proc/%d/environ", pid);
fd = open(buf, O_RDONLY);
buf[4095] = '\0';
snprintf(buf, 4095, "/proc/%d/environ", pid);
fd = open(buf, O_RDONLY);
+ if (fd < 0) {
+ syslog(LOG_DEBUG, "%s: unable to open %s: %d", __func__, buf,
+ errno);
/* FIXME: don't assume that we get it all in the first read? */
len = read(fd, buf, 4096);
close(fd);
/* FIXME: don't assume that we get it all in the first read? */
len = read(fd, buf, 4096);
close(fd);
+ if (len < 0) {
+ syslog(LOG_DEBUG, "%s: unable to read from /proc/%d/environ: "
+ "%d", __func__, pid, errno);
value = SMB_STRNDUP(p, left);
break;
}
value = SMB_STRNDUP(p, left);
break;
}
+ syslog(LOG_DEBUG, "%s: KRB5CCNAME=%s", __func__,
+ value ? value : "(null)");
int retval;
DATA_BLOB tkt, tkt_wrapped;
int retval;
DATA_BLOB tkt, tkt_wrapped;
+ syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__,
+ principal);
+
/* get a kerberos ticket for the service and extract the session key */
retval = cli_krb5_get_ticket(principal, 0, &tkt, sess_key, 0, ccname,
NULL);
/* get a kerberos ticket for the service and extract the session key */
retval = cli_krb5_get_ticket(principal, 0, &tkt, sess_key, 0, ccname,
NULL);
+ if (retval) {
+ syslog(LOG_DEBUG, "%s: failed to obtain service ticket (%d)",
+ __func__, retval);
+ }
+
+ syslog(LOG_DEBUG, "%s: obtained service ticket", __func__);
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
-#define DKD_HAVE_HOSTNAME 1
-#define DKD_HAVE_VERSION 2
-#define DKD_HAVE_SEC 4
-#define DKD_HAVE_IPV4 8
-#define DKD_HAVE_IPV6 16
-#define DKD_HAVE_UID 32
-#define DKD_HAVE_PID 64
+#define DKD_HAVE_HOSTNAME 0x1
+#define DKD_HAVE_VERSION 0x2
+#define DKD_HAVE_SEC 0x4
+#define DKD_HAVE_IPV4 0x8
+#define DKD_HAVE_IPV6 0x10
+#define DKD_HAVE_UID 0x20
+#define DKD_HAVE_PID 0x40
#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
static int
#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
static int
errno = 0;
*pid = strtol(tkn + 4, NULL, 0);
if (errno != 0) {
errno = 0;
*pid = strtol(tkn + 4, NULL, 0);
if (errno != 0) {
- syslog(LOG_WARNING, "Invalid pid format: %s",
+ syslog(LOG_ERR, "Invalid pid format: %s",
strerror(errno));
return 1;
} else {
strerror(errno));
return 1;
} else {
errno = 0;
*uid = strtol(tkn + 4, NULL, 16);
if (errno != 0) {
errno = 0;
*uid = strtol(tkn + 4, NULL, 16);
if (errno != 0) {
- syslog(LOG_WARNING, "Invalid uid format: %s",
+ syslog(LOG_ERR, "Invalid uid format: %s",
strerror(errno));
return 1;
} else {
strerror(errno));
return 1;
} else {
errno = 0;
*ver = strtol(tkn + 4, NULL, 16);
if (errno != 0) {
errno = 0;
*ver = strtol(tkn + 4, NULL, 16);
if (errno != 0) {
- syslog(LOG_WARNING,
- "Invalid version format: %s",
+ syslog(LOG_ERR, "Invalid version format: %s",
strerror(errno));
return 1;
} else {
strerror(errno));
return 1;
} else {
for (c = 1; c <= 4; c++) {
keyend = index(keyend+1, ';');
if (!keyend) {
for (c = 1; c <= 4; c++) {
keyend = index(keyend+1, ';');
if (!keyend) {
- syslog(LOG_WARNING, "invalid key description: %s",
+ syslog(LOG_ERR, "invalid key description: %s",
/* resolve name to ip */
c = getaddrinfo(keyend, NULL, NULL, &addr);
if (c) {
/* resolve name to ip */
c = getaddrinfo(keyend, NULL, NULL, &addr);
if (c) {
- syslog(LOG_WARNING, "unable to resolve hostname: %s [%s]",
+ syslog(LOG_ERR, "unable to resolve hostname: %s [%s]",
keyend, gai_strerror(c));
return 1;
}
keyend, gai_strerror(c));
return 1;
}
p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
}
if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
}
if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
- syslog(LOG_WARNING, "%s: inet_ntop: %s",
- __FUNCTION__, strerror(errno));
+ syslog(LOG_ERR, "%s: inet_ntop: %s", __func__, strerror(errno));
freeaddrinfo(addr);
return 1;
}
freeaddrinfo(addr);
return 1;
}
/* setup key */
c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
if (c == -1) {
/* setup key */
c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
if (c == -1) {
- syslog(LOG_WARNING, "%s: keyctl_instantiate: %s",
- __FUNCTION__, strerror(errno));
+ syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__,
+ strerror(errno));
freeaddrinfo(addr);
return 1;
}
freeaddrinfo(addr);
return 1;
}
static void
usage(void)
{
static void
usage(void)
{
- syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog);
+ syslog(LOG_INFO, "Usage: %s [-c] [-v] key_serial", prog);
fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
}
fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
}
- syslog(LOG_WARNING, "unknown option: %c", c);
+ syslog(LOG_ERR, "unknown option: %c", c);
key = strtol(argv[optind], NULL, 10);
if (errno != 0) {
key = 0;
key = strtol(argv[optind], NULL, 10);
if (errno != 0) {
key = 0;
- syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno));
+ syslog(LOG_ERR, "Invalid key format: %s", strerror(errno));
goto out;
}
rc = keyctl_describe_alloc(key, &buf);
if (rc == -1) {
goto out;
}
rc = keyctl_describe_alloc(key, &buf);
if (rc == -1) {
- syslog(LOG_WARNING, "keyctl_describe_alloc failed: %s",
+ syslog(LOG_ERR, "keyctl_describe_alloc failed: %s",
strerror(errno));
rc = 1;
goto out;
}
strerror(errno));
rc = 1;
goto out;
}
+ syslog(LOG_DEBUG, "key description: %s", buf);
+
if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) ||
(strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
rc = cifs_resolver(key, buf);
if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) ||
(strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
rc = cifs_resolver(key, buf);
rc = decode_key_description(buf, &kernel_upcall_version, §ype,
&hostname, &uid, &pid);
if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
rc = decode_key_description(buf, &kernel_upcall_version, §ype,
&hostname, &uid, &pid);
if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
- syslog(LOG_WARNING,
- "unable to get from description necessary params");
+ syslog(LOG_ERR, "unable to get necessary params from key "
+ "description (0x%x)", rc);
rc = 1;
SAFE_FREE(buf);
goto out;
rc = 1;
SAFE_FREE(buf);
goto out;
SAFE_FREE(buf);
if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
SAFE_FREE(buf);
if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
- syslog(LOG_WARNING,
- "incompatible kernel upcall version: 0x%x",
- kernel_upcall_version);
+ syslog(LOG_ERR, "incompatible kernel upcall version: 0x%x",
+ kernel_upcall_version);
if (rc & DKD_HAVE_UID) {
rc = setuid(uid);
if (rc == -1) {
if (rc & DKD_HAVE_UID) {
rc = setuid(uid);
if (rc == -1) {
- syslog(LOG_WARNING, "setuid: %s", strerror(errno));
+ syslog(LOG_ERR, "setuid: %s", strerror(errno));
- syslog(LOG_WARNING, "sectype: %d is not implemented",
+ syslog(LOG_ERR, "sectype: %d is not implemented",
/* setup key */
rc = keyctl_instantiate(key, keydata, datalen, 0);
if (rc == -1) {
/* setup key */
rc = keyctl_instantiate(key, keydata, datalen, 0);
if (rc == -1) {
- syslog(LOG_WARNING, "keyctl_instantiate: %s", strerror(errno));
+ syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno));
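Review bot: The new `if (len < 0)` branch reads `errno` only after `close(fd)` has run, so the number written to syslog can be the one left by close() rather than by the failed read(). Saving it first, as in `len = read(fd, buf, 4096); saved_errno = errno; close(fd);`, and logging `saved_errno` keeps the diagnostic reliable. Both new /proc messages also print the raw value with `%d`, while the other messages shown on this page use `strerror(errno)`; `"%s: unable to open %s: %s", __func__, buf, strerror(errno)` would match them. The `KRB5CCNAME=%s` debug line writes a string read from another process's environment into syslog, so it is worth confirming that the syslog daemon escapes control characters, or truncating and sanitising the value before logging it. The enclosing functions begin and end outside the lines shown here, so any early return after these checks is not visible.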