[PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[David Howells]

Hi Markus, Marc,

Here's a set of fixes to improve the interaction of arbitrary lookups in
the AFS dynamic root that hit DNS lookup failures:

 (1) Always delete unused (particularly negative) dentries as soon as
     possible so that they don't prevent future lookups from retrying.

 (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
     make them return ENOENT so that userspace doesn't get confused when
     stat succeeds but the following open on the looked up file then fails.

 (3) Fix key handling so that DNS lookup results are reclaimed as soon as
     they expire rather than sitting round either forever or for an
     additional 5 mins beyond a set expiry time returning EKEYEXPIRED.

The patches can be found here:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes

Thanks,
David

David Howells (3):
  afs: Fix the dynamic root's d_delete to always delete unused dentries
  afs: Fix dynamic root lookup DNS check
  keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on
    expiry

 fs/afs/dynroot.c           | 31 +++++++++++++++++--------------
 include/linux/key-type.h   |  1 +
 net/dns_resolver/dns_key.c | 10 +++++++++-
 security/keys/gc.c         | 31 +++++++++++++++++++++----------
 security/keys/internal.h   |  8 +++++++-
 security/keys/key.c        | 15 +++++----------
 security/keys/proc.c       |  2 +-
 7 files changed, 61 insertions(+), 37 deletions(-)

[PATCH 1/3] afs: Fix the dynamic root's d_delete to always delete unused dentries

[David Howells]

Fix the afs dynamic root's d_delete function to always delete unused
dentries rather than only deleting them if they're positive.  With things
as they stand upstream, negative dentries stemming from failed DNS lookups
stick around preventing retries.

Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
---
 fs/afs/dynroot.c | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index 1fa8cf23bd36..34474a061654 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -252,20 +252,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags)
 	return 1;
 }
 
-/*
- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't
- * sleep)
- * - called from dput() when d_count is going to 0.
- * - return 1 to request dentry be unhashed, 0 otherwise
- */
-static int afs_dynroot_d_delete(const struct dentry *dentry)
-{
-	return d_really_is_positive(dentry);
-}
-
 const struct dentry_operations afs_dynroot_dentry_operations = {
 	.d_revalidate	= afs_dynroot_d_revalidate,
-	.d_delete	= afs_dynroot_d_delete,
+	.d_delete	= always_delete_dentry,
 	.d_release	= afs_d_release,
 	.d_automount	= afs_d_automount,
 };

[PATCH 2/3] afs: Fix dynamic root lookup DNS check

[David Howells]

In the afs dynamic root directory, the ->lookup() function does a DNS check
on the cell being asked for and if the DNS upcall reports an error it will
report an error back to userspace (typically ENOENT).

However, if a failed DNS upcall returns a new-style result, it will return
a valid result, with the status field set appropriately to indicate the
type of failure - and in that case, dns_query() doesn't return an error and
we let stat() complete with no error - which can cause confusion in
userspace as subsequent calls that trigger d_automount then fail with
ENOENT.

Fix this by checking the status result from a valid dns_query() and
returning an error if it indicates a failure.

Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set")
Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
---
 fs/afs/dynroot.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index 34474a061654..4089d77a7a4d 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -114,6 +114,7 @@ static int afs_probe_cell_name(struct dentry *dentry)
 	struct afs_net *net = afs_d2net(dentry);
 	const char *name = dentry->d_name.name;
 	size_t len = dentry->d_name.len;
+	char *result = NULL;
 	int ret;
 
 	/* Names prefixed with a dot are R/W mounts. */
@@ -131,9 +132,22 @@ static int afs_probe_cell_name(struct dentry *dentry)
 	}
 
 	ret = dns_query(net->net, "afsdb", name, len, "srv=1",
-			NULL, NULL, false);
-	if (ret == -ENODATA || ret == -ENOKEY)
+			&result, NULL, false);
+	if (ret == -ENODATA || ret == -ENOKEY || ret == 0)
 		ret = -ENOENT;
+	if (ret >= sizeof(struct dns_server_list_v1_header)) {
+		struct dns_server_list_v1_header *v1 = (void *)result;
+
+		if (v1->hdr.zero == 0 &&
+		    v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST &&
+		    v1->hdr.version == 1 &&
+		    (v1->status != DNS_LOOKUP_GOOD &&
+		     v1->status != DNS_LOOKUP_GOOD_WITH_BAD))
+			return -ENOENT;
+
+	}
+
+	kfree(result);
 	return ret;
 }
 

Re: [PATCH 2/3] afs: Fix dynamic root lookup DNS check

[Marc Dionne]

On Mon, Dec 11, 2023 at 12:34 PM David Howells <dhowells@redhat.com> wrote:
>
> In the afs dynamic root directory, the ->lookup() function does a DNS check
> on the cell being asked for and if the DNS upcall reports an error it will
> report an error back to userspace (typically ENOENT).
>
> However, if a failed DNS upcall returns a new-style result, it will return
> a valid result, with the status field set appropriately to indicate the
> type of failure - and in that case, dns_query() doesn't return an error and
> we let stat() complete with no error - which can cause confusion in
> userspace as subsequent calls that trigger d_automount then fail with
> ENOENT.
>
> Fix this by checking the status result from a valid dns_query() and
> returning an error if it indicates a failure.
>
> Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set")
> Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Marc Dionne <marc.dionne@auristor.com>
> cc: linux-afs@lists.infradead.org
> ---
>  fs/afs/dynroot.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
> index 34474a061654..4089d77a7a4d 100644
> --- a/fs/afs/dynroot.c
> +++ b/fs/afs/dynroot.c
> @@ -114,6 +114,7 @@ static int afs_probe_cell_name(struct dentry *dentry)
>         struct afs_net *net = afs_d2net(dentry);
>         const char *name = dentry->d_name.name;
>         size_t len = dentry->d_name.len;
> +       char *result = NULL;
>         int ret;
>
>         /* Names prefixed with a dot are R/W mounts. */
> @@ -131,9 +132,22 @@ static int afs_probe_cell_name(struct dentry *dentry)
>         }
>
>         ret = dns_query(net->net, "afsdb", name, len, "srv=1",
> -                       NULL, NULL, false);
> -       if (ret == -ENODATA || ret == -ENOKEY)
> +                       &result, NULL, false);
> +       if (ret == -ENODATA || ret == -ENOKEY || ret == 0)
>                 ret = -ENOENT;
> +       if (ret >= sizeof(struct dns_server_list_v1_header)) {

This needs an additional ret > 0 check, as the comparison may return
true with a negative ret if it gets promoted to an unsigned.

> +               struct dns_server_list_v1_header *v1 = (void *)result;
> +
> +               if (v1->hdr.zero == 0 &&
> +                   v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST &&
> +                   v1->hdr.version == 1 &&
> +                   (v1->status != DNS_LOOKUP_GOOD &&
> +                    v1->status != DNS_LOOKUP_GOOD_WITH_BAD))
> +                       return -ENOENT;
> +
> +       }
> +
> +       kfree(result);
>         return ret;
>  }

Marc

[PATCH 3/3] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry

[David Howells]

If a key has an expiration time, then when that time passes, the key is
left around for a certain amount of time before being collected (5 mins by
default) so that EKEYEXPIRED can be returned instead of ENOKEY.  This is a
problem for DNS keys because we want to redo the DNS lookup immediately at
that point.

Fix this by allowing key types to be marked such that keys of that type
don't have this extra period, but are reclaimed as soon as they expire and
turn this on for dns_resolver-type keys.  To make this easier to handle,
key->expiry is changed to be permanent if TIME64_MAX rather than 0.

Furthermore, give such new-style negative DNS results a 10s default expiry
if no other expiry time is set rather than allowing it to stick around
indefinitely.  This shouldn't be zero as ls will follow a failing stat call
immediately with a second with AT_SYMLINK_NOFOLLOW added.

Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Wang Lei <wang840925@gmail.com>
cc: Jeff Layton <jlayton@redhat.com>
cc: Steve French <sfrench@us.ibm.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: linux-afs@lists.infradead.org
cc: linux-cifs@vger.kernel.org
cc: linux-nfs@vger.kernel.org
cc: ceph-devel@vger.kernel.org
cc: keyrings@vger.kernel.org
cc: netdev@vger.kernel.org
---
 include/linux/key-type.h   |  1 +
 net/dns_resolver/dns_key.c | 10 +++++++++-
 security/keys/gc.c         | 31 +++++++++++++++++++++----------
 security/keys/internal.h   |  8 +++++++-
 security/keys/key.c        | 15 +++++----------
 security/keys/proc.c       |  2 +-
 6 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7d985a1dfe4a..5caf3ce82373 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -73,6 +73,7 @@ struct key_type {
 
 	unsigned int flags;
 #define KEY_TYPE_NET_DOMAIN	0x00000001 /* Keys of this type have a net namespace domain */
+#define KEY_TYPE_INSTANT_REAP	0x00000002 /* Keys of this type don't have a delay after expiring */
 
 	/* vet a description */
 	int (*vet_description)(const char *description);
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index 01e54b46ae0b..3233f4f25fed 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache;
 static int
 dns_resolver_preparse(struct key_preparsed_payload *prep)
 {
+	const struct dns_server_list_v1_header *v1;
 	const struct dns_payload_header *bin;
 	struct user_key_payload *upayload;
 	unsigned long derrno;
@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
 			return -EINVAL;
 		}
 
+		v1 = (const struct dns_server_list_v1_header *)bin;
+		if ((v1->status != DNS_LOOKUP_GOOD &&
+		     v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
+			if (prep->expiry == TIME64_MAX)
+				prep->expiry = ktime_get_real_seconds() + 10;
+		}
+
 		result_len = datalen;
 		goto store_result;
 	}
@@ -314,7 +322,7 @@ static long dns_resolver_read(const struct key *key,
 
 struct key_type key_type_dns_resolver = {
 	.name		= "dns_resolver",
-	.flags		= KEY_TYPE_NET_DOMAIN,
+	.flags		= KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP,
 	.preparse	= dns_resolver_preparse,
 	.free_preparse	= dns_resolver_free_preparse,
 	.instantiate	= generic_key_instantiate,
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 3c90807476eb..eaddaceda14e 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at)
 	}
 }
 
+/*
+ * Set the expiration time on a key.
+ */
+void key_set_expiry(struct key *key, time64_t expiry)
+{
+	key->expiry = expiry;
+	if (expiry != TIME64_MAX) {
+		if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
+			expiry += key_gc_delay;
+		key_schedule_gc(expiry);
+	}
+}
+
 /*
  * Schedule a dead links collection run.
  */
@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work)
 	static u8 gc_state;		/* Internal persistent state */
 #define KEY_GC_REAP_AGAIN	0x01	/* - Need another cycle */
 #define KEY_GC_REAPING_LINKS	0x02	/* - We need to reap links */
-#define KEY_GC_SET_TIMER	0x04	/* - We need to restart the timer */
 #define KEY_GC_REAPING_DEAD_1	0x10	/* - We need to mark dead keys */
 #define KEY_GC_REAPING_DEAD_2	0x20	/* - We need to reap dead key links */
 #define KEY_GC_REAPING_DEAD_3	0x40	/* - We need to reap dead keys */
@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work)
 
 	struct rb_node *cursor;
 	struct key *key;
-	time64_t new_timer, limit;
+	time64_t new_timer, limit, expiry;
 
 	kenter("[%lx,%x]", key_gc_flags, gc_state);
 
 	limit = ktime_get_real_seconds();
-	if (limit > key_gc_delay)
-		limit -= key_gc_delay;
-	else
-		limit = key_gc_delay;
 
 	/* Work out what we're going to be doing in this pass */
 	gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
 	gc_state <<= 1;
 	if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
-		gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
+		gc_state |= KEY_GC_REAPING_LINKS;
 
 	if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
 		gc_state |= KEY_GC_REAPING_DEAD_1;
@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work)
 			}
 		}
 
-		if (gc_state & KEY_GC_SET_TIMER) {
-			if (key->expiry > limit && key->expiry < new_timer) {
+		expiry = key->expiry;
+		if (expiry != TIME64_MAX) {
+			if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
+				expiry += key_gc_delay;
+			if (expiry > limit && expiry < new_timer) {
 				kdebug("will expire %x in %lld",
 				       key_serial(key), key->expiry - limit);
 				new_timer = key->expiry;
@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work)
 	 */
 	kdebug("pass complete");
 
-	if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) {
+	if (new_timer != TIME64_MAX) {
 		new_timer += key_gc_delay;
 		key_schedule_gc(new_timer);
 	}
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 471cf36dedc0..b63a8c41635a 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -167,6 +167,7 @@ extern unsigned key_gc_delay;
 extern void keyring_gc(struct key *keyring, time64_t limit);
 extern void keyring_restriction_gc(struct key *keyring,
 				   struct key_type *dead_type);
+void key_set_expiry(struct key *key, time64_t expiry);
 extern void key_schedule_gc(time64_t gc_at);
 extern void key_schedule_gc_links(void);
 extern void key_gc_keytype(struct key_type *ktype);
@@ -215,10 +216,15 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
  */
 static inline bool key_is_dead(const struct key *key, time64_t limit)
 {
+	time64_t expiry = key->expiry;
+
+	if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
+		expiry += key_gc_delay;
+
 	return
 		key->flags & ((1 << KEY_FLAG_DEAD) |
 			      (1 << KEY_FLAG_INVALIDATED)) ||
-		(key->expiry > 0 && key->expiry <= limit) ||
+		expiry <= limit ||
 		key->domain_tag->removed;
 }
 
diff --git a/security/keys/key.c b/security/keys/key.c
index 0260a1902922..5b10641debd5 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 	key->uid = uid;
 	key->gid = gid;
 	key->perm = perm;
+	key->expiry = TIME64_MAX;
 	key->restrict_link = restrict_link;
 	key->last_used_at = ktime_get_real_seconds();
 
@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key,
 			if (authkey)
 				key_invalidate(authkey);
 
-			if (prep->expiry != TIME64_MAX) {
-				key->expiry = prep->expiry;
-				key_schedule_gc(prep->expiry + key_gc_delay);
-			}
+			key_set_expiry(key, prep->expiry);
 		}
 	}
 
@@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key,
 		atomic_inc(&key->user->nikeys);
 		mark_key_instantiated(key, -error);
 		notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
-		key->expiry = ktime_get_real_seconds() + timeout;
-		key_schedule_gc(key->expiry + key_gc_delay);
+		key_set_expiry(key, ktime_get_real_seconds() + timeout);
 
 		if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
 			awaken = 1;
@@ -723,16 +720,14 @@ struct key_type *key_type_lookup(const char *type)
 
 void key_set_timeout(struct key *key, unsigned timeout)
 {
-	time64_t expiry = 0;
+	time64_t expiry = TIME64_MAX;
 
 	/* make the changes with the locks held to prevent races */
 	down_write(&key->sem);
 
 	if (timeout > 0)
 		expiry = ktime_get_real_seconds() + timeout;
-
-	key->expiry = expiry;
-	key_schedule_gc(key->expiry + key_gc_delay);
+	key_set_expiry(key, expiry);
 
 	up_write(&key->sem);
 }
diff --git a/security/keys/proc.c b/security/keys/proc.c
index d0cde6685627..4f4e2c1824f1 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
 
 	/* come up with a suitable timeout value */
 	expiry = READ_ONCE(key->expiry);
-	if (expiry == 0) {
+	if (expiry == TIME64_MAX) {
 		memcpy(xbuf, "perm", 5);
 	} else if (now >= expiry) {
 		memcpy(xbuf, "expd", 5);

Re: [PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[David Howells]

This is the related bug: https://bugzilla.kernel.org/show_bug.cgi?id=216637

Re: [PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[markus.suvanto]

ma, 2023-12-11 kello 16:34 +0000, David Howells kirjoitti:
> Hi Markus, Marc,
> 
> Here's a set of fixes to improve the interaction of arbitrary lookups in
> the AFS dynamic root that hit DNS lookup failures:
> 
>  (1) Always delete unused (particularly negative) dentries as soon as
>      possible so that they don't prevent future lookups from retrying.
> 
>  (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
>      make them return ENOENT so that userspace doesn't get confused when
>      stat succeeds but the following open on the looked up file then fails.
> 
>  (3) Fix key handling so that DNS lookup results are reclaimed as soon as
>      they expire rather than sitting round either forever or for an
>      additional 5 mins beyond a set expiry time returning EKEYEXPIRED.
> 
> The patches can be found here:
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes
> 
I tested this patches
6.7.0-rc4-gdfbc00cb940b
It seems that not existing directory will remove my valid rxprc key.

Reproduce:
1) kinit ....
2) aklog....
3) keyctl show 
Session Keyring
 347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
 698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com

klist 
Ticket cache: KEYRING:persistent:1001:1001
Default principal: .....
...

4) ls /afs/notfound
5) keyctl show   
Session Keyring
 709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
 385820479 --alswrv   1001 65534   \_ keyring: _uid.1001

klist
klist: Credentials cache keyring 'persistent:1001:1001' not found

-Markus

Re: [PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[David Howells]

markus.suvanto@gmail.com wrote:

> Reproduce:
> 1) kinit ....
> 2) aklog....
> 3) keyctl show 
> Session Keyring
>  347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
> 1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
>  698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com
> 
> klist 
> Ticket cache: KEYRING:persistent:1001:1001
> Default principal: .....

Can you "grep rxrpc /proc/keys" at this point?

> 4) ls /afs/notfound
> 5) keyctl show   
> Session Keyring
>  709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
>  385820479 --alswrv   1001 65534   \_ keyring: _uid.1001
> 
> klist
> klist: Credentials cache keyring 'persistent:1001:1001' not found

David

Re: [PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[markus.suvanto]

ti, 2023-12-12 kello 09:03 +0000, David Howells kirjoitti:
> markus.suvanto@gmail.com wrote:
> 
> > Reproduce:
> > 1) kinit ....
> > 2) aklog....
> > 3) keyctl show 
> > Session Keyring
> >  347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
> > 1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
> >  698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com
> > 
> > klist 
> > Ticket cache: KEYRING:persistent:1001:1001
> > Default principal: .....
> 
> Can you "grep rxrpc /proc/keys" at this point?
> 
different cell though...

masu@t470 ~ % grep rxrpc /proc/keys
23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka

Re: [PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[David Howells]

markus.suvanto@gmail.com wrote:

> > Can you "grep rxrpc /proc/keys" at this point?
> > 
> different cell though...
> 
> masu@t470 ~ % grep rxrpc /proc/keys
> 23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka

Okay, I see the persistent keyring disappear, but I don't see a key linked
into my session keyring vanish.

David

Re: [PATCH 0/3] afs: Fix dynamic root interaction with failing DNS lookups

[markus.suvanto]

> > masu@t470 ~ % grep rxrpc /proc/keys
> > 23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
> 
> Okay, I see the persistent keyring disappear, but I don't see a key linked
> into my session keyring vanish.

Full log of my commands...

masu@t470 ~ % klist 
klist: Credentials cache keyring 'persistent:1001:1001' not found
masu@t470 ~ % keyctl show   
Session Keyring
 388545754 --alswrv   1001 65534  keyring: _uid_ses.1001
 946177719 --alswrv   1001 65534   \_ keyring: _uid.1001
masu@t470 ~ % grep rxrpc /proc/keys
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % kinit masu@MOVESOLE.COM
Password for masu@MOVESOLE.COM: 
masu@t470 ~ % aklog-kafs-kdf movesole.com MOVESOLE.COM
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % grep rxrpc /proc/keys

2600d2d5 I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
masu@t470 ~ % klist 
Ticket cache: KEYRING:persistent:1001:1001
Default principal: masu@MOVESOLE.COM

Valid starting       Expires              Service principal
12.12.2023 11.52.47  16.12.2023 11.52.40  afs/movesole.com@MOVESOLE.COM
	renew until 26.12.2023 11.52.40
12.12.2023 11.52.43  16.12.2023 11.52.40  krbtgt/MOVESOLE.COM@MOVESOLE.COM
	renew until 26.12.2023 11.52.40
masu@t470 ~ % keyctl show            
Session Keyring
 388545754 --alswrv   1001 65534  keyring: _uid_ses.1001
 946177719 --alswrv   1001 65534   \_ keyring: _uid.1001
 637588181 --als-rv   1001   100   \_ rxrpc: afs@movesole.com
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % ls /afs/notfound
ls: tiedostoa '/afs/notfound' ei voi käsitellä: Tiedostoa tai hakemistoa ei ole
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % klist
klist: Credentials cache keyring 'persistent:1001:1001' not found
masu@t470 ~ % grep rxrpc /proc/keys

masu@t470 ~ % keyctl show   
Session Keyring
1025218481 --alswrv   1001 65534  keyring: _uid_ses.1001
 322736164 --alswrv   1001 65534   \_ keyring: _uid.1001