From: Greg Hudson <ghudson@mit.edu>
To: "Adamson, Andy" <William.Adamson@netapp.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
"krbdev@mit.edu" <krbdev@mit.edu>
Subject: Re: Gss context refresh failure due to clock skew
Date: Wed, 7 Oct 2015 11:08:38 -0400 [thread overview]
Message-ID: <56153576.1090209@mit.edu> (raw)
In-Reply-To: <16B417DB-F019-4654-8B4E-7C4C3AF1487D@netapp.com>
On 10/07/2015 11:00 AM, Adamson, Andy wrote:
> —— from the ticket: ——
>
> This unnecessarily strict check causes a particularly bad experience
> when (a) the client's clock is slightly ahead of the server's clock,
> and (b) the maximum service ticket lifetime is lower than the maximum
> TGT lifetime.
>
> —— ——
> I think both a) and b) are incorrect.
>
> for a) you got it backwards. this occurs when the server clock is ahead of the client clock.
Yes, I did write the wrong thing there; I will follow up on that.
> for b) the relationship between the TGT lifetime and the service ticket lifetime is irrelevant. Only the service ticket lifetime has any effect as the client will use a valid service ticket to construct an RPCSEC_GSS_INIT request irregardless of the TGT lifetime value.
I will try one more time to communicate what I mean:
* If the service ticket end time is less than the TGT end time, then
gss_init_sec_context() fails during the clock skew window, and starts
succeeding again afterwards.
* If the service ticket and TGT have both expired (according to the
server), then gss_init_sec_context() fails, and keeps failing
afterwards, unless there is some out-of-band agent refreshing expired TGTs.
Put another way: we expect authentications to start failing around the
time the TGT expires. We do not expect authentications to start failing
around the time a service ticket expires, if the TGT is still valid.
That is what I refer to as a "particularly" bad experience.
If that isn't clear, perhaps we should ignore this as a moot point; it
doesn't really affect how we plan to change the krb5 code.
next prev parent reply other threads:[~2015-10-07 15:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AD03968E-7017-4D32-A90C-C74C1E9CDFAC@netapp.com>
2015-10-01 21:30 ` Fwd: Gss context refresh failure due to clock skew Adamson, Andy
2015-10-05 19:10 ` Greg Hudson
2015-10-05 19:35 ` Adamson, Andy
2015-10-05 20:02 ` Greg Hudson
2015-10-05 20:34 ` Adamson, Andy
2015-10-06 0:02 ` Benjamin Kaduk
2015-10-06 14:53 ` Adamson, Andy
2015-10-07 13:22 ` Adamson, Andy
2015-10-07 14:45 ` Greg Hudson
2015-10-07 15:00 ` Adamson, Andy
2015-10-07 15:08 ` Greg Hudson [this message]
2015-10-07 15:46 ` Olga Kornievskaia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56153576.1090209@mit.edu \
--to=ghudson@mit.edu \
--cc=William.Adamson@netapp.com \
--cc=kaduk@mit.edu \
--cc=krbdev@mit.edu \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.