- update NFS4

[packages/nfs-utils.git] / nfs-utils-1.0.8-CITI_NFS4_ALL-1.dif

The complete set of CITI nfs-utils patches rolled into one patch.

Changes since 1.0.8-rc4-CITI_NFS4_ALL-3:

 * Update to the final nfs-utils-1.0.8
 
 * Check for problems with the gssapi library in gssd and svcgssd
   early on, so we can give a good error message and bail out.

 * Add temporary patch to svcgssd to use default values when the
   mapping of the gss principal to uid/gid fails.  This may need
   to somehow coordinate with the anonuid/anongid values for the
   export.


---

 nfs-utils-1.0.8-kwc/utils/gssd/context_mit.c  |  507 ++++++++++++++++++++++++--
 nfs-utils-1.0.8-kwc/utils/gssd/gss_util.c     |   25 +
 nfs-utils-1.0.8-kwc/utils/gssd/gss_util.h     |    1 
 nfs-utils-1.0.8-kwc/utils/gssd/gssd.c         |    5 
 nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.c    |  221 +++++++++--
 nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.h    |    2 
 nfs-utils-1.0.8-kwc/utils/gssd/svcgssd.c      |    5 
 nfs-utils-1.0.8-kwc/utils/gssd/svcgssd_proc.c |   17 
 nfs-utils-1.0.8-kwc/utils/gssd/write_bytes.h  |   13 
 9 files changed, 714 insertions(+), 82 deletions(-)

diff -puN utils/gssd/gssd.c~CITI_NFS4_ALL utils/gssd/gssd.c
--- nfs-utils-1.0.8/utils/gssd/gssd.c~CITI_NFS4_ALL	2006-04-20 12:41:15.668400000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/gssd.c	2006-04-20 12:41:16.486965000 -0400
@@ -145,6 +145,9 @@ main(int argc, char *argv[])
 			    "support setting debug level\n");
 #endif
 
+	if (gssd_check_mechs() != 0)
+		errx(1, "Problem with gssapi library");
+
 	if (!fg && daemon(0, 0) < 0)
 		errx(1, "fork");
 
@@ -154,6 +157,8 @@ main(int argc, char *argv[])
 
 	/* Process keytab file and get machine credentials */
 	gssd_refresh_krb5_machine_creds();
+	/* Determine Kerberos information from the kernel */
+	gssd_obtain_kernel_krb5_info();
 
 	gssd_run();
 	printerr(0, "gssd_run returned!\n");
diff -puN utils/gssd/gss_util.c~CITI_NFS4_ALL utils/gssd/gss_util.c
--- nfs-utils-1.0.8/utils/gssd/gss_util.c~CITI_NFS4_ALL	2006-04-20 12:41:15.770298000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/gss_util.c	2006-04-20 12:41:16.001067000 -0400
@@ -224,3 +224,28 @@ gssd_acquire_cred(char *server_name)
 
 	return (maj_stat == GSS_S_COMPLETE);
 }
+
+int gssd_check_mechs(void)
+{
+	u_int32_t maj_stat, min_stat;
+	gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
+	int retval = -1;
+
+	maj_stat = gss_indicate_mechs(&min_stat, &supported_mechs);
+	if (maj_stat != GSS_S_COMPLETE) {
+		printerr(0, "Unable to obtain list of supported mechanisms. "
+			 "Check that gss library is properly configured.\n");
+		goto out;
+	}
+	if (supported_mechs == GSS_C_NO_OID_SET ||
+	    supported_mechs->count == 0) {
+		printerr(0, "Unable to obtain list of supported mechanisms. "
+			 "Check that gss library is properly configured.\n");
+		goto out;
+	}
+	maj_stat = gss_release_oid_set(&min_stat, &supported_mechs);
+	retval = 0;
+out:
+	return retval;
+}
+
diff -puN utils/gssd/gss_util.h~CITI_NFS4_ALL utils/gssd/gss_util.h
--- nfs-utils-1.0.8/utils/gssd/gss_util.h~CITI_NFS4_ALL	2006-04-20 12:41:15.865203000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/gss_util.h	2006-04-20 12:41:16.011057000 -0400
@@ -40,5 +40,6 @@ extern gss_cred_id_t	gssd_creds;
 int gssd_acquire_cred(char *server_name);
 void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat,
 	const gss_OID mech);
+int gssd_check_mechs(void);
 
 #endif /* _GSS_UTIL_H_ */
diff -puN utils/gssd/svcgssd.c~CITI_NFS4_ALL utils/gssd/svcgssd.c
--- nfs-utils-1.0.8/utils/gssd/svcgssd.c~CITI_NFS4_ALL	2006-04-20 12:41:15.961107000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/svcgssd.c	2006-04-20 12:41:16.021047000 -0400
@@ -204,6 +204,11 @@ main(int argc, char *argv[])
 			    "support setting debug level\n");
 #endif
 
+	if (gssd_check_mechs() != 0) {
+		printerr(0, "ERROR: Problem with gssapi library\n");
+		exit(1);
+	}
+
 	if (!fg)
 		mydaemon(0, 0);
 
diff -puN utils/gssd/krb5_util.c~CITI_NFS4_ALL utils/gssd/krb5_util.c
--- nfs-utils-1.0.8/utils/gssd/krb5_util.c~CITI_NFS4_ALL	2006-04-20 12:41:16.230965000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.c	2006-04-20 12:41:16.503965000 -0400
@@ -97,6 +97,7 @@
 #include "config.h"
 #include <sys/param.h>
 #include <rpc/rpc.h>
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
@@ -105,6 +106,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <dirent.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <time.h>
 #include <gssapi/gssapi.h>
@@ -123,6 +125,10 @@
 /* Global list of principals/cache file names for machine credentials */
 struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
 
+/* Encryption types supported by the kernel rpcsec_gss code */
+int num_krb5_enctypes = 0;
+krb5_enctype *krb5_enctypes = NULL;
+
 /*==========================*/
 /*===  Internal routines ===*/
 /*==========================*/
@@ -261,51 +267,6 @@ gssd_find_existing_krb5_ccache(uid_t uid
 }
 
 
-#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
-/*
- * this routine obtains a credentials handle via gss_acquire_cred()
- * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
- * types negotiated.
- *
- * XXX Should call some function to determine the enctypes supported
- * by the kernel. (Only need to do that once!)
- *
- * Returns:
- *	0 => all went well
- *     -1 => there was an error
- */
-
-int
-limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
-{
-	u_int maj_stat, min_stat;
-	gss_cred_id_t credh;
-	krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC };
-	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
-
-	maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
-				    GSS_C_NULL_OID_SET, GSS_C_INITIATE,
-				    &credh, NULL, NULL);
-
-	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_acquire_cred",
-			maj_stat, min_stat, &krb5oid);
-		return -1;
-	}
-
-	maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
-					     num_enctypes, &enctypes);
-	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_set_allowable_enctypes",
-			maj_stat, min_stat, &krb5oid);
-		return -1;
-	}
-	sec->cred = credh;
-
-	return 0;
-}
-#endif	/* HAVE_SET_ALLOWABLE_ENCTYPES */
-
 /*
  * Obtain credentials via a key in the keytab given
  * a keytab handle and a gssd_k5_kt_princ structure.
@@ -603,6 +564,56 @@ gssd_set_krb5_ccache_name(char *ccname)
 #endif
 }
 
+/*
+ * Parse the supported encryption type information
+ */
+static int
+parse_enctypes(char *enctypes)
+{
+	int n = 0;
+	char *curr, *comma;
+	int i;
+
+	/* Just in case this ever gets called more than once */
+	if (krb5_enctypes != NULL) {
+		free(krb5_enctypes);
+		krb5_enctypes = NULL;
+		num_krb5_enctypes = 0;
+	}
+
+	/* count the number of commas */
+	for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
+		comma = strchr(curr, ',');
+		if (comma != NULL)
+			n++;
+		else
+			break;
+	}
+	/* If no more commas and we're not at the end, there's one more value */
+	if (*curr != '\0')
+		n++;
+
+	/* Empty string, return an error */
+	if (n == 0)
+		return ENOENT;
+
+	/* Allocate space for enctypes array */
+	if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
+		return ENOMEM;
+	}
+
+	/* Now parse each value into the array */
+	for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
+		krb5_enctypes[i++] = atoi(curr);
+		comma = strchr(curr, ',');
+		if (comma == NULL)
+			break;
+	}
+
+	num_krb5_enctypes = n;
+	return 0;
+}
+
 /*==========================*/
 /*===  External routines ===*/
 /*==========================*/
@@ -854,3 +865,123 @@ gssd_destroy_krb5_machine_creds(void)
 	krb5_free_context(context);
 }
 
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+/*
+ * this routine obtains a credentials handle via gss_acquire_cred()
+ * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
+ * types negotiated.
+ *
+ * Returns:
+ *	0 => all went well
+ *     -1 => there was an error
+ */
+
+int
+limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
+{
+	u_int maj_stat, min_stat;
+	gss_cred_id_t credh;
+	gss_OID_set_desc  desired_mechs;
+	krb5_enctype enctypes[] = {ENCTYPE_DES_CBC_CRC};
+	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
+
+	/* We only care about getting a krb5 cred */
+	desired_mechs.count = 1;
+	desired_mechs.elements = &krb5oid;
+
+	maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
+				    &desired_mechs, GSS_C_INITIATE,
+				    &credh, NULL, NULL);
+
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("gss_acquire_cred",
+			maj_stat, min_stat, &krb5oid);
+		return -1;
+	}
+
+	/*
+	 * If we failed for any reason to produce global
+	 * list of supported enctypes, use local default here.
+	 */
+	if (krb5_enctypes == NULL)
+		maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+					&krb5oid, num_enctypes, &enctypes);
+	else
+		maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+					&krb5oid, num_krb5_enctypes,
+					krb5_enctypes);
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("gss_set_allowable_enctypes",
+			maj_stat, min_stat, &krb5oid);
+		return -1;
+	}
+	sec->cred = credh;
+
+	return 0;
+}
+#endif	/* HAVE_SET_ALLOWABLE_ENCTYPES */
+
+/*
+ * Obtain supported enctypes from kernel.
+ * Set defaults if info is not available.
+ */
+void
+gssd_obtain_kernel_krb5_info(void)
+{
+	char enctype_file_name[128];
+	char buf[1024];
+	char enctypes[128];
+	char extrainfo[1024];
+	int fd;
+	int use_default_enctypes = 0;
+	int nbytes, numfields;
+	char default_enctypes[] = "1,3,2";
+	int code;
+
+	snprintf(enctype_file_name, sizeof(enctype_file_name),
+		 "%s/%s", pipefsdir, "krb5_info");
+
+	if ((fd = open(enctype_file_name, O_RDONLY)) == -1) {
+		printerr(1, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "Unable to open '%s'. Unable to determine "
+			 "Kerberos encryption types supported by the "
+			 "kernel; using defaults (%s).\n",
+			 enctype_file_name, default_enctypes);
+		use_default_enctypes = 1;
+		goto do_the_parse;
+	}
+	if ((nbytes = read(fd, buf, sizeof(buf))) == -1) {
+		printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "Error reading Kerberos encryption type "
+			 "information file '%s'; using defaults (%s).\n",
+			 enctype_file_name, default_enctypes);
+		use_default_enctypes = 1;
+		goto do_the_parse;
+	}
+	numfields = sscanf(buf, "enctypes: %s\n%s", enctypes, extrainfo);
+	if (numfields < 1) {
+		printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "error parsing Kerberos encryption type "
+			 "information from file '%s'; using defaults (%s).\n",
+			 enctype_file_name, default_enctypes);
+		use_default_enctypes = 1;
+		goto do_the_parse;
+	}
+	if (numfields > 1) {
+		printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "Extra information, '%s', from '%s' is ignored\n",
+			 enctype_file_name, extrainfo);
+		use_default_enctypes = 1;
+		goto do_the_parse;
+	}
+  do_the_parse:
+  	if (use_default_enctypes)
+		strcpy(enctypes, default_enctypes);
+
+	if ((code = parse_enctypes(enctypes)) != 0) {
+		printerr(0, "ERROR: gssd_obtain_kernel_krb5_info: "
+			 "parse_enctypes%s failed with code %d\n",
+			 use_default_enctypes ? " (with default enctypes)" : "",
+			 code);
+	}
+}
diff -puN utils/gssd/krb5_util.h~CITI_NFS4_ALL utils/gssd/krb5_util.h
--- nfs-utils-1.0.8/utils/gssd/krb5_util.h~CITI_NFS4_ALL	2006-04-20 12:41:16.461965000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.h	2006-04-20 12:41:16.513965000 -0400
@@ -22,6 +22,8 @@ int  gssd_refresh_krb5_machine_creds(voi
 void gssd_free_krb5_machine_cred_list(char **list);
 void gssd_setup_krb5_machine_gss_ccache(char *servername);
 void gssd_destroy_krb5_machine_creds(void);
+void gssd_obtain_kernel_krb5_info(void);
+
 
 #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
 int limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid);
diff -puN utils/gssd/context_mit.c~CITI_NFS4_ALL utils/gssd/context_mit.c
--- nfs-utils-1.0.8/utils/gssd/context_mit.c~CITI_NFS4_ALL	2006-04-20 12:41:16.770847000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/context_mit.c	2006-04-20 12:41:16.894723000 -0400
@@ -32,6 +32,7 @@
 #include <stdio.h>
 #include <syslog.h>
 #include <string.h>
+#include <errno.h>
 #include <gssapi.h>
 #include <rpc/rpc.h>
 #include <rpc/auth_gss.h>
@@ -43,9 +44,53 @@
 #ifdef HAVE_KRB5
 #include <krb5.h>
 
+/* for 3DES */
+#define KG_USAGE_SEAL 22
+#define KG_USAGE_SIGN 23
+#define KG_USAGE_SEQ  24
+
+/* for rfc???? */
+#define KG_USAGE_ACCEPTOR_SEAL  22
+#define KG_USAGE_ACCEPTOR_SIGN  23
+#define KG_USAGE_INITIATOR_SEAL 24
+#define KG_USAGE_INITIATOR_SIGN 25
+
+/* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */
+enum seal_alg {
+  SEAL_ALG_NONE            = 0xffff,
+  SEAL_ALG_DES             = 0x0000,
+  SEAL_ALG_1               = 0x0001, /* not published */
+  SEAL_ALG_MICROSOFT_RC4   = 0x0010, /* microsoft w2k;  */
+  SEAL_ALG_DES3KD          = 0x0002
+};
+
+#define KEY_USAGE_SEED_ENCRYPTION	0xAA
+#define KEY_USAGE_SEED_INTEGRITY	0x55
+#define KEY_USAGE_SEED_CHECKSUM		0x99
+#define K5CLENGTH 5
+
+/* Flags for version 2 context flags */
+#define KRB5_CTX_FLAG_INITIATOR		0x00000001
+#define KRB5_CTX_FLAG_CFX		0x00000002
+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY	0x00000004
+
+/*
+ * XXX Hack alert.  We don't have "legal" access to these
+ * structures located in libk5crypto
+ */
+extern void krb5int_enc_arcfour;
+extern void krb5int_enc_des3;
+extern void krb5int_enc_aes128;
+extern void krb5int_enc_aes256;
+extern int krb5_derive_key();
+
+void *get_enc_provider();
+
 /* XXX spkm3 seems to actually want it this big, yipes. */
 #define MAX_CTX_LEN 4096
 
+
+
 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
 
 /* Don't use the private structure, use the exported lucid structure */
@@ -144,6 +189,96 @@ write_lucid_keyblock(char **p, char *end
 	return 0;
 }
 
+static void
+key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
+{
+	memset(kout, '\0', sizeof(kout));
+	kout->enctype = lin->type;
+	kout->length = lin->length;
+	kout->contents = lin->data;
+}
+
+static void
+key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
+{
+	memset(lout, '\0', sizeof(lout));
+	lout->type = kin->enctype;
+	lout->length = kin->length;
+	lout->data = kin->contents;
+}
+
+/*
+ * Function to derive a new key from a given key and given constant data.
+ */
+static krb5_error_code
+derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
+		 int usage, char extra)
+{
+	krb5_error_code code;
+	unsigned char constant_data[K5CLENGTH];
+	krb5_data datain;
+	int keylength;
+	void *enc;
+	krb5_keyblock kin, kout;  /* must send krb5_keyblock, not lucid! */
+
+	/*
+	 * XXX Hack alert.  We don't have "legal" access to these
+	 * values and structures located in libk5crypto
+	 */
+	switch (in->type) {
+	case ENCTYPE_DES3_CBC_RAW:
+		keylength = 24;
+		enc = &krb5int_enc_des3;
+		break;
+	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+		keylength = 16;
+		enc = &krb5int_enc_aes128;
+		break;
+	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+		keylength = 32;
+		enc = &krb5int_enc_aes256;
+		break;
+	default:
+		code = KRB5_BAD_ENCTYPE;
+		goto out;
+	}
+
+	/* allocate memory for output key */
+	if ((out->data = malloc(keylength)) == NULL) {
+		code = ENOMEM;
+		goto out;
+	}
+	out->length = keylength;
+	out->type = in->type;
+
+	/* Convert to correct format for call to krb5_derive_key */
+	key_lucid_to_krb5(in, &kin);
+	key_lucid_to_krb5(out, &kout);
+
+	datain.data = (char *) constant_data;
+	datain.length = K5CLENGTH;
+
+	datain.data[0] = (usage>>24)&0xff;
+	datain.data[1] = (usage>>16)&0xff;
+	datain.data[2] = (usage>>8)&0xff;
+	datain.data[3] = usage&0xff;
+
+	datain.data[4] = (char) extra;
+
+	if ((code = krb5_derive_key(enc, &kin, &kout, &datain))) {
+		free(out->data);
+		out->data = NULL;
+		goto out;
+	}
+	key_krb5_to_lucid(&kout, out);
+
+  out:
+  	if (code)
+		printerr(0, "ERROR: derive_key_lucid returning error %d (%s)\n",
+			 code, error_message(code));
+	return (code);
+}
+
 static int
 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
 	gss_buffer_desc *buf)
@@ -183,7 +318,7 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc
 	if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
 	word_send_seq = lctx->send_seq;	/* XXX send_seq is 64-bit */
 	if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
-	if (write_buffer(&p, end, (gss_buffer_desc*)&krb5oid)) goto out_err;
+	if (write_oid(&p, end, &krb5oid)) goto out_err;
 
 	printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
 		 "enctype %d and length %d\n",
@@ -212,17 +347,180 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc
 	return 0;
 out_err:
 	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
-	if (buf->value) free(buf->value);
+	if (buf->value) {
+		free(buf->value);
+		buf->value = NULL;
+	}
 	buf->length = 0;
-	if (enc_key.data) free(enc_key.data);
+	if (enc_key.data) {
+		free(enc_key.data);
+		enc_key.data = NULL;
+	}
 	return -1;
 }
 
+/*
+ * Prepare a new-style buffer to send to the kernel for newer encryption
+ * types -- or for DES3.
+ *
+ * The new format is:
+ *
+ *	u32 version;          This is two (2)
+ *	s32 endtime;
+ *	u32 flags;
+ *	#define KRB5_CTX_FLAG_INITIATOR		0x00000001
+ *	#define KRB5_CTX_FLAG_CFX		0x00000002
+ *	#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY	0x00000004
+ *	u64 seq_send;
+ *	u32  enctype;			( encrption type of keys )
+ *	u32  size_of_each_key;		( size of each key in bytes )
+ *	u32  number_of_keys;		( N -- should always be 3 for now )
+ *	keydata-1;                      ( Ke )
+ *	keydata-2;                      ( Ki )
+ *	keydata-3;                      ( Kc )
+ *
+ */
 static int
-prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
+prepare_krb5_ctx_v2_buffer(gss_krb5_lucid_context_v1_t *lctx,
 	gss_buffer_desc *buf)
 {
-	printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
+	char *p, *end;
+	static uint32_t version = 2;
+	uint32_t v2_flags = 0;
+	gss_krb5_lucid_key_t enc_key;
+	gss_krb5_lucid_key_t derived_key;
+	gss_buffer_desc fakeoid;
+	uint32_t enctype;
+	uint32_t keysize;
+	uint32_t numkeys;
+
+	memset(&enc_key, 0, sizeof(enc_key));
+	memset(&fakeoid, 0, sizeof(fakeoid));
+
+	if (!(buf->value = calloc(1, MAX_CTX_LEN)))
+		goto out_err;
+	p = buf->value;
+	end = buf->value + MAX_CTX_LEN;
+
+	/* Version 2 */
+	if (WRITE_BYTES(&p, end , version)) goto out_err;
+	if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
+
+	if (lctx->initiate)
+		v2_flags |= KRB5_CTX_FLAG_INITIATOR;
+	if (lctx->protocol != 0)
+		v2_flags |= KRB5_CTX_FLAG_CFX;
+	if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
+		v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
+
+	if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
+
+	if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
+
+	/* Protocol 0 here implies DES3 or RC4 */
+	if (lctx->protocol == 0) {
+		enctype = lctx->rfc1964_kd.ctx_key.type;
+		keysize = lctx->rfc1964_kd.ctx_key.length;
+		numkeys = 3;	/* XXX is always gonna be three? */
+	} else {
+		if (lctx->cfx_kd.have_acceptor_subkey) {
+			enctype = lctx->cfx_kd.acceptor_subkey.type;
+			keysize = lctx->cfx_kd.acceptor_subkey.length;
+		} else {
+			enctype = lctx->cfx_kd.ctx_key.type;
+			keysize = lctx->cfx_kd.ctx_key.length;
+		}
+		numkeys = 3;
+	}
+	printerr(2, "prepare_krb5_ctx_v2_buffer: serializing %d keys with "
+		 "enctype %d and size %d\n", numkeys, enctype, keysize);
+	if (WRITE_BYTES(&p, end, enctype)) goto out_err;
+	if (WRITE_BYTES(&p, end, keysize)) goto out_err;
+	if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
+
+	if (lctx->protocol == 0) {
+		/* derive and send down: Ke, Ki, and Kc */
+		/* Ke */
+		if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
+				lctx->rfc1964_kd.ctx_key.length))
+			goto out_err;
+
+		/* Ki */
+		if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
+				lctx->rfc1964_kd.ctx_key.length))
+			goto out_err;
+
+		/* Kc */
+		if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
+				&derived_key,
+				KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
+			goto out_err;
+		if (write_bytes(&p, end, derived_key.data,
+				derived_key.length))
+			goto out_err;
+		free(derived_key.data);
+	} else {
+		gss_krb5_lucid_key_t *keyptr;
+		uint32_t sign_usage, seal_usage;
+
+		if (lctx->cfx_kd.have_acceptor_subkey)
+			keyptr = &lctx->cfx_kd.acceptor_subkey;
+		else
+			keyptr = &lctx->cfx_kd.ctx_key;
+
+		if (lctx->initiate == 1) {
+			sign_usage = KG_USAGE_INITIATOR_SIGN;
+			seal_usage = KG_USAGE_INITIATOR_SEAL;
+		} else {
+			sign_usage = KG_USAGE_ACCEPTOR_SIGN;
+			seal_usage = KG_USAGE_ACCEPTOR_SEAL;
+		}
+
+		/* derive and send down: Ke, Ki, and Kc */
+
+		/* Ke */
+		if (derive_key_lucid(keyptr, &derived_key,
+			       seal_usage, KEY_USAGE_SEED_ENCRYPTION))
+			goto out_err;
+		if (write_bytes(&p, end, derived_key.data,
+				derived_key.length))
+			goto out_err;
+		free(derived_key.data);
+
+		/* Ki */
+		if (derive_key_lucid(keyptr, &derived_key,
+			       seal_usage, KEY_USAGE_SEED_INTEGRITY))
+			goto out_err;
+		if (write_bytes(&p, end, derived_key.data,
+				derived_key.length))
+			goto out_err;
+		free(derived_key.data);
+
+		/* Kc */
+		if (derive_key_lucid(keyptr, &derived_key,
+			       sign_usage, KEY_USAGE_SEED_CHECKSUM))
+			goto out_err;
+		if (write_bytes(&p, end, derived_key.data,
+				derived_key.length))
+			goto out_err;
+		free(derived_key.data);
+	}
+
+	buf->length = p - (char *)buf->value;
+	return 0;
+
+out_err:
+	printerr(0, "ERROR: prepare_krb5_ctx_v2_buffer: "
+		 "failed serializing krb5 context for kernel\n");
+	if (buf->value) {
+		free(buf->value);
+		buf->value = NULL;
+	}
+	buf->length = 0;
+	if (enc_key.data) {
+		free(enc_key.data);
+		enc_key.data = NULL;
+	}
 	return -1;
 }
 
@@ -258,11 +556,21 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 		break;
 	}
 
-	/* Now lctx points to a lucid context that we can send down to kernel */
-	if (lctx->protocol == 0)
+	/*
+	 * Now lctx points to a lucid context that we can send down to kernel
+	 *
+	 * Note: we send down different information to the kernel depending
+	 * on the protocol version and the enctyption type.
+	 * For protocol version 0 with all enctypes besides DES3, we use
+	 * the original format.  For protocol version != 0 or DES3, we
+	 * send down the new style information.
+	 */
+
+	if (lctx->protocol == 0 &&
+		lctx->rfc1964_kd.ctx_key.type == ENCTYPE_DES_CBC_RAW)
 		retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
 	else
-		retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
+		retcode = prepare_krb5_ctx_v2_buffer(lctx, buf);
 
 	maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
 	if (maj_stat != GSS_S_COMPLETE) {
@@ -300,6 +608,66 @@ write_keyblock(char **p, char *end, stru
 }
 
 /*
+ * Function to derive a new key from a given key and given constant data.
+ */
+static krb5_error_code
+derive_key(const krb5_keyblock *in, krb5_keyblock *out, int usage, char extra)
+{
+	krb5_error_code code;
+	unsigned char constant_data[K5CLENGTH];
+	krb5_data datain;
+	int keylength;
+	void *enc;
+
+	/*
+	 * XXX Hack alert.  We don't have "legal" access to these
+	 * values and structures located in libk5crypto
+	 */
+	switch (in->enctype) {
+	case ENCTYPE_DES3_CBC_RAW:
+		keylength = 24;
+		enc = &krb5int_enc_des3;
+		break;
+	case ENCTYPE_ARCFOUR_HMAC:
+		keylength = 16;
+		enc = &krb5int_enc_arcfour;
+		break;
+	default:
+		code = KRB5_BAD_ENCTYPE;
+		goto out;
+	}
+
+	/* allocate memory for output key */
+	if ((out->contents = malloc(keylength)) == NULL) {
+		code = ENOMEM;
+		goto out;
+	}
+	out->length = keylength;
+	out->enctype = in->enctype;
+
+	datain.data = (char *) constant_data;
+	datain.length = K5CLENGTH;
+
+	datain.data[0] = (usage>>24)&0xff;
+	datain.data[1] = (usage>>16)&0xff;
+	datain.data[2] = (usage>>8)&0xff;
+	datain.data[3] = usage&0xff;
+
+	datain.data[4] = (char) extra;
+
+	if ((code = krb5_derive_key(enc, in, out, &datain))) {
+		free(out->contents);
+		out->contents = NULL;
+	}
+
+  out:
+  	if (code)
+		printerr(0, "ERROR: derive_key returning error %d (%s)\n",
+			 code, error_message(code));
+	return (code);
+}
+
+/*
  * We really shouldn't know about glue-layer context structure, but
  * we need to get at the real krb5 context pointer.  This should be
  * removed as soon as we say there is no support for MIT Kerberos
@@ -315,45 +683,114 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 {
 	krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id;
 	char *p, *end;
-	static int constant_one = 1;
 	static int constant_zero = 0;
+	static int constant_one = 1;
+	static int constant_two = 2;
 	uint32_t word_seq_send;
+	u_int64_t seq_send_64bit;
+	uint32_t v2_flags = 0;
+	krb5_keyblock derived_key;
+	uint32_t numkeys;
 
 	if (!(buf->value = calloc(1, MAX_CTX_LEN)))
 		goto out_err;
 	p = buf->value;
 	end = buf->value + MAX_CTX_LEN;
 
-	if (kctx->initiate) {
-		if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
-	}
-	else {
-		if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-	}
-	if (kctx->seed_init) {
-		if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
-	}
-	else {
-		if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-	}
-	if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
-		goto out_err;
-	if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
-	if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
-	if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
-	word_seq_send = kctx->seq_send;
-	if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
-	if (write_buffer(&p, end, kctx->mech_used)) goto out_err;
-
-	printerr(2, "serialize_krb5_ctx: serializing keys with "
-		 "enctype %d and length %d\n",
-		 kctx->enc->enctype, kctx->enc->length);
+	switch (kctx->sealalg) {
+	case SEAL_ALG_DES:
+		/* Versions 0 and 1 */
+		if (kctx->initiate) {
+			if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
+		}
+		else {
+			if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
+		}
+		if (kctx->seed_init) {
+			if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
+		}
+		else {
+			if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
+		}
+		if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
+			goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
+		word_seq_send = kctx->seq_send;
+		if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
+		if (write_buffer(&p, end, kctx->mech_used)) goto out_err;
+
+		printerr(2, "serialize_krb5_ctx: serializing keys with "
+			 "enctype %d and length %d\n",
+			 kctx->enc->enctype, kctx->enc->length);
 
-	if (write_keyblock(&p, end, kctx->enc)) goto out_err;
-	if (write_keyblock(&p, end, kctx->seq)) goto out_err;
+		if (write_keyblock(&p, end, kctx->enc)) goto out_err;
+		if (write_keyblock(&p, end, kctx->seq)) goto out_err;
+		break;
+	case SEAL_ALG_MICROSOFT_RC4:
+	case SEAL_ALG_DES3KD:
+		/* u32 version;   ( 2 )
+		 * s32 endtime;
+		 * u32 flags;
+		 * #define KRB5_CTX_FLAG_INITIATOR        0x00000001
+		 * #define KRB5_CTX_FLAG_CFX              0x00000002
+		 * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY  0x00000004
+		 * u64 seq_send;
+		 * u32  enctype;
+		 * u32  size_of_each_key;    (  size in bytes )
+		 * u32  number_of_keys;      (  N (assumed to be 3 for now) )
+		 * keydata-1;                (  Ke  (Kenc for DES3) )
+		 * keydata-2;                (  Ki  (Kseq for DES3) )
+		 * keydata-3;                (  Kc (derived checksum key) )
+		 */
+		 /* Version 2 */
+		if (WRITE_BYTES(&p, end , constant_two)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
+
+		/* Only applicable flag for is initiator */
+		if (kctx->initiate) v2_flags |= KRB5_CTX_FLAG_INITIATOR;
+		if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
+
+		seq_send_64bit = kctx->seq_send;
+		if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err;
+
+		if (WRITE_BYTES(&p, end, kctx->enc->enctype)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->enc->length)) goto out_err;
+		numkeys = 3;
+		if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
+		printerr(2, "serialize_krb5_ctx: serializing %d keys with "
+			 "enctype %d and size %d\n",
+			 numkeys, kctx->enc->enctype, kctx->enc->length);
+
+		/* Ke */
+		if (write_bytes(&p, end, kctx->enc->contents,
+				kctx->enc->length))
+			goto out_err;
+
+		/* Ki */
+		if (write_bytes(&p, end, kctx->enc->contents,
+				kctx->enc->length))
+			goto out_err;
+
+		/* Kc */
+		if (derive_key(kctx->seq, &derived_key,
+			       KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
+			goto out_err;
+		if (write_bytes(&p, end, derived_key.contents,
+				derived_key.length))
+			goto out_err;
+		free(derived_key.contents);
+		break;
+	default:
+		printerr(0, "ERROR: serialize_krb5_ctx: unsupported seal "
+			 "algorithm %d\n", kctx->sealalg);
+		goto out_err;
+	}
 
 	buf->length = p - (char *)buf->value;
 	return 0;
+
 out_err:
 	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
 	if (buf->value) free(buf->value);
diff -puN utils/gssd/write_bytes.h~CITI_NFS4_ALL utils/gssd/write_bytes.h
--- nfs-utils-1.0.8/utils/gssd/write_bytes.h~CITI_NFS4_ALL	2006-04-20 12:41:16.867750000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/write_bytes.h	2006-04-20 12:41:16.905712000 -0400
@@ -63,6 +63,19 @@ write_buffer(char **p, char *end, gss_bu
 	return 0;
 }
 
+inline static int
+write_oid(char **p, char *end, gss_OID_desc *arg)
+{
+	int len = (int)arg->length;		/* make an int out of size_t */
+	if (WRITE_BYTES(p, end, len))
+		return -1;
+	if (*p + arg->length > end)
+		return -1;
+	memcpy(*p, arg->elements, len);
+	*p += len;
+	return 0;
+}
+
 static inline int
 get_bytes(char **ptr, const char *end, void *res, int len)
 {
diff -puN utils/gssd/svcgssd_proc.c~CITI_NFS4_ALL utils/gssd/svcgssd_proc.c
--- nfs-utils-1.0.8/utils/gssd/svcgssd_proc.c~CITI_NFS4_ALL	2006-04-20 12:41:17.109514000 -0400
+++ nfs-utils-1.0.8-kwc/utils/gssd/svcgssd_proc.c	2006-04-20 12:41:17.133514000 -0400
@@ -220,8 +220,21 @@ get_ids(gss_name_t client_name, gss_OID 
 	nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
 	res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
 	if (res < 0) {
-		printerr(0, "WARNING: get_ids: unable to map "
-			"name '%s' to a uid\n", sname);
+		/*
+		 * -ENOENT means there was no mapping, any other error
+		 * value means there was an error trying to do the
+		 * mapping.
+		 */
+		if (res == -ENOENT) {
+			cred->cr_uid = -2;	/* XXX */
+			cred->cr_gid = -2;	/* XXX */
+			cred->cr_groups[0] = -2;/* XXX */
+			cred->cr_ngroups = 1;
+			res = 0;
+			goto out_free;
+		}
+		printerr(0, "WARNING: get_ids: failed to map name '%s' "
+			"to uid/gid: %s\n", sname, strerror(-res));
 		goto out_free;
 	}
 	cred->cr_uid = uid;

_