Implement support for RPCSEC_GSS authentication to both the NFS client

and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month

1 files changed, 34 insertions, 0 deletions

diff --git a/sys/nfsclient/nfsmount.h b/sys/nfsclient/nfsmount.h
index 6fa7f8b..75360fe 100644
--- a/sys/nfsclient/nfsmount.h
+++ b/sys/nfsclient/nfsmount.h
@@ -36,6 +36,25 @@
 #ifndef _NFSCLIENT_NFSMOUNT_H_
 #define _NFSCLIENT_NFSMOUNT_H_
 
+#ifndef NFS_LEGACYRPC
+
+#undef RPC_SUCCESS
+#undef RPC_PROGUNAVAIL
+#undef RPC_PROCUNAVAIL
+#undef AUTH_OK
+#undef AUTH_BADCRED
+#undef AUTH_BADVERF
+#undef AUTH_TOOWEAK
+
+#include <rpc/types.h>
+#include <rpc/auth.h>
+#include <rpc/clnt.h>
+#include <rpc/rpcsec_gss.h>
+
+#endif
+
+#ifdef NFS_LEGACYRPC
+
 struct nfs_tcp_mountstate {
  	int rpcresid;
 #define NFS_TCP_EXPECT_RPCMARKER 	0x0001 /* Expect to see a RPC/TCP marker next */
@@ -45,6 +64,8 @@ struct nfs_tcp_mountstate {
 	int sock_send_inprog;
 };
 
+#endif
+
 /*
  * Mount structure.
  * One allocated on every NFS mount.
@@ -59,18 +80,22 @@ struct	nfsmount {
 	u_char	nm_fh[NFSX_V4FH];	/* File handle of root dir */
 	int	nm_fhsize;		/* Size of root file handle */
 	struct	rpcclnt nm_rpcclnt;	/* rpc state */
+#ifdef NFS_LEGACYRPC
 	struct	socket *nm_so;		/* Rpc socket */
+#endif
 	int	nm_sotype;		/* Type of socket */
 	int	nm_soproto;		/* and protocol */
 	int	nm_soflags;		/* pr_flags for socket protocol */
 	struct	sockaddr *nm_nam;	/* Addr of server */
 	int	nm_timeo;		/* Init timer for NFSMNT_DUMBTIMR */
 	int	nm_retry;		/* Max retries */
+#ifdef NFS_LEGACYRPC
 	int	nm_srtt[NFS_MAX_TIMER],	/* RTT Timers for rpcs */
 		nm_sdrtt[NFS_MAX_TIMER];
 	int	nm_sent;		/* Request send count */
 	int	nm_cwnd;		/* Request send window */
 	int	nm_timeouts;		/* Request timeouts */
+#endif
 	int	nm_deadthresh;		/* Threshold of timeouts-->dead server*/
 	int	nm_rsize;		/* Max size of read rpc */
 	int	nm_wsize;		/* Max size of write rpc */
@@ -90,8 +115,17 @@ struct	nfsmount {
 	struct nfs_rpcops *nm_rpcops;
 	int	nm_tprintf_initial_delay;	/* initial delay */
 	int	nm_tprintf_delay;		/* interval for messages */
+#ifdef NFS_LEGACYRPC
 	struct nfs_tcp_mountstate nm_nfstcpstate;
+#endif
 	char	nm_hostname[MNAMELEN];	 /* server's name */
+#ifndef NFS_LEGACYRPC
+	int	nm_secflavor;		 /* auth flavor to use for rpc */
+	struct __rpc_client *nm_client;
+	struct rpc_timers nm_timers[NFS_MAX_TIMER]; /* RTT Timers for rpcs */
+	char	nm_principal[MNAMELEN];	/* GSS-API principal of server */
+	gss_OID	nm_mech_oid;		/* OID of selected GSS-API mechanism */
+#endif
 
 	/* NFSv4 */
 	uint64_t nm_clientid;