From: Steve Dickson <SteveD@redhat.com>
To: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH] gssd - expired credentials problem
Date: Mon, 25 Mar 2013 10:16:22 -0400
Message-ID: <51505C36.5000508@RedHat.com>
In-Reply-To: <20130309112531.GA13250@ics.muni.cz>

On 09/03/13 06:25, Lukas Hejtmanek wrote:
> Hi,
>
> I noticed that there is a problem with expired credentials if NFS client's
> time is even a few seconds behind KDC's or NFS server's time. Client's kernel
> requests a new GSS context but rpc.gssd is happy with the existing krb cache as it
> is valid according to local time.
>
> Is there any reason for gssd to check validity of existing cache when kernel
> requests a new context?
>
> However, it seems that this trivial patch solves this issue.
>
> 300 is because I believe that clock skew must be within 300 sec for Kerberos.
>
> Signed-off-by: Lukas Hejtmanek <xhejtman@gmail.com>
Committed...
steved.
>
> diff -rNu nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c nfs-utils-1.2.7/utils/gssd/krb5_util.c
> --- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c 2012-11-12 00:01:23.000000000 +0100
> +++ nfs-utils-1.2.7/utils/gssd/krb5_util.c 2013-02-15 16:35:35.652482164 +0100
> @@ -343,7 +343,7 @@
> char kt_name[BUFSIZ];
> char cc_name[BUFSIZ];
> int code;
> - time_t now = time(0);
> + time_t now = time(0)+300; // workaround for clock skew among NFS server, NFS client and KDC
> char *cache_type;
> char *pname = NULL;
> char *k5err = NULL;
>
>
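
Review bot: The literal 300 in `time_t now = time(0)+300;` is a magic number folded into a variable that the rest of the function reads as the current time, so every later use of `now` (not visible in this hunk) is shifted 300 seconds into the future, not only the cache-expiry check. Consider keeping `now = time(0)` and adding a named margin at the point where the credential end time is compared, so the intent is local to that check. The allowed skew is also a configurable Kerberos setting (`clockskew` in krb5.conf, default 300 seconds), so a hard-coded value can disagree with a site's configuration; a named constant with a comment saying so, or reading the configured value, would make that explicit. The margin only covers a client clock that is behind by up to 300 seconds, which matches the case described in the report.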