gssd - expired credentials problem

Message ID 20130309112531.GA13250@ics.muni.cz (mailing list archive)
State New, archived

Commit Message

Lukas Hejtmanek March 9, 2013, 11:25 a.m. UTC
Hi,

I noticed that there is a problem with expired credentials if the NFS client's
time is even a few seconds behind the KDC's or NFS server's time. The client's kernel
requests a new GSS context, but rpc.gssd is happy with the existing krb cache as it
is valid according to local time.

Is there any reason for gssd to check the validity of the existing cache when the kernel
requests a new context?

However, it seems that this trivial patch solves this issue.

300 is because I believe that clock skew must be within 300 seconds for Kerberos.

Signed-off-by: Lukas Hejtmanek <xhejtman@gmail.com>

Comments

Steve Dickson March 25, 2013, 2:16 p.m. UTC | #1
On 09/03/13 06:25, Lukas Hejtmanek wrote:
> Hi,
> 
> I noticed that there is a problem with expired credentials if the NFS client's
> time is even a few seconds behind the KDC's or NFS server's time. The client's kernel
> requests a new GSS context, but rpc.gssd is happy with the existing krb cache as it
> is valid according to local time.
> 
> Is there any reason for gssd to check the validity of the existing cache when the kernel
> requests a new context?
> 
> However, it seems that this trivial patch solves this issue.
> 
> 300 is because I believe that clock skew must be within 300 seconds for Kerberos.
> 
> Signed-off-by: Lukas Hejtmanek <xhejtman@gmail.com>
Committed...

steved.

> 
> diff -rNu nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c nfs-utils-1.2.7/utils/gssd/krb5_util.c
> --- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c 2012-11-12 00:01:23.000000000 +0100
> +++ nfs-utils-1.2.7/utils/gssd/krb5_util.c      2013-02-15 16:35:35.652482164 +0100
> @@ -343,7 +343,7 @@
>         char kt_name[BUFSIZ];
>         char cc_name[BUFSIZ];
>         int code;
> -       time_t now = time(0);
> +       time_t now = time(0)+300; // workaround for clock skew among NFS server, NFS client and KDC
>         char *cache_type;
>         char *pname = NULL;
>         char *k5err = NULL;
> 
> 

Patch

diff -rNu nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c nfs-utils-1.2.7/utils/gssd/krb5_util.c
--- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c 2012-11-12 00:01:23.000000000 +0100
+++ nfs-utils-1.2.7/utils/gssd/krb5_util.c      2013-02-15 16:35:35.652482164 +0100
@@ -343,7 +343,7 @@ 
        char kt_name[BUFSIZ];
        char cc_name[BUFSIZ];
        int code;
-       time_t now = time(0);
+       time_t now = time(0)+300; // workaround for clock skew among NFS server, NFS client and KDC
        char *cache_type;
        char *pname = NULL;
        char *k5err = NULL;
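Review bot: the `+` line hard-codes the skew allowance as a bare `300` added to `now`, and the only record of where that number comes from is the commit message ("I believe that clock skew must be within 300 seconds for Kerberos"). Suggest lifting it into a named macro with a comment that states the assumption, e.g. `#define GSSD_CLOCK_SKEW_ALLOWANCE 300 /* assumed Kerberos max clock skew, in seconds */` and `time_t now = time(0) + GSSD_CLOCK_SKEW_ALLOWANCE;`, so the value can be audited or made configurable later; while there, the trailing `//` comment is better as a `/* */` block comment above the declaration. It is also worth spelling out in the commit message what the shift does: credentials are treated as expired 300 seconds before their local end time, so gssd refreshes early rather than handing the kernel a context the server or KDC will reject, and a client clock behind by more than 300 seconds is still not covered.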