linux-nfs.vger.kernel.org archive mirror
* [PATCH] gssd - expired credentials problem
@ 2013-03-09 11:25 Lukas Hejtmanek
  2013-03-25 14:16 ` Steve Dickson
  0 siblings, 1 reply; 2+ messages in thread
From: Lukas Hejtmanek @ 2013-03-09 11:25 UTC (permalink / raw)
  To: linux-nfs

Hi,

I noticed that there is a problem with expired credentials if the NFS client's
time is even a few seconds behind the KDC's or NFS server's time. The client's
kernel requests a new GSS context but rpc.gssd is happy with the existing krb
cache as it is valid according to local time.

Is there any reason for gssd to check the validity of the existing cache when
the kernel requests a new context?

However, it seems that this trivial patch solves this issue.

300 is because I believe that clock skew must be within 300sec for Kerberos.

Signed-off-by: Lukas Hejtmanek <xhejtman@gmail.com>

diff -rNu nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c nfs-utils-1.2.7/utils/gssd/krb5_util.c
--- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c 2012-11-12 00:01:23.000000000 +0100
+++ nfs-utils-1.2.7/utils/gssd/krb5_util.c      2013-02-15 16:35:35.652482164 +0100
@@ -343,7 +343,7 @@
        char kt_name[BUFSIZ];
        char cc_name[BUFSIZ];
        int code;
-       time_t now = time(0);
+       time_t now = time(0)+300; // workaround for clock skew among NFS server, NFS client and KDC
        char *cache_type;
        char *pname = NULL;
        char *k5err = NULL;
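
Review bot: the `+300` on the `now` initializer is a hard-coded magic number, and the variable keeps the name `now` although it no longer holds the current time, so any other use of `now` in this function is shifted by five minutes as well. Suggest leaving `now = time(0)` as it was and applying a named skew constant only where the cache expiry is compared; since the tolerated skew is a configurable Kerberos setting (`clockskew` in krb5.conf), taking the value from there would be better than assuming 300.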


-- 
Lukáš Hejtmánek
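
An added example, not part of the original message or of nfs-utils: a small C model of the failure described above, counting the seconds during which a lagging client still trusts a cached ticket that the server already treats as expired, with and without the 300-second margin. The function names, the `endtime > now` comparison and the sample end time are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumed value: the 300 s tolerance named in the message above. */
#define SKEW_MARGIN 300

/* Client-side check (model): is the cached ticket usable at local time
 * `local_now`? With margin 0 this is the plain comparison; with a margin
 * the ticket is treated as expired that many seconds early. */
static bool cache_looks_valid(time_t endtime, time_t local_now, time_t margin)
{
    return endtime > local_now + margin;
}

/* Server-side view (model): the server judges the ticket by its own clock. */
static bool server_accepts(time_t endtime, time_t server_now)
{
    return endtime > server_now;
}

/* Walk server time from 600 s before to 600 s after the ticket end time and
 * count the seconds in which the client would reuse a ticket the server
 * rejects. `client_behind` is how far the client clock lags the server. */
static long stale_reuse_seconds(time_t endtime, long client_behind, time_t margin)
{
    long stale = 0;
    for (time_t server_now = endtime - 600; server_now <= endtime + 600; server_now++) {
        time_t local_now = server_now - client_behind;
        if (cache_looks_valid(endtime, local_now, margin) &&
            !server_accepts(endtime, server_now))
            stale++;
    }
    return stale;
}

int main(void)
{
    time_t endtime = 1362828300;        /* constructed ticket end time */
    long lags[] = {0, 5, 120, 400};     /* constructed client lags, seconds */
    for (size_t i = 0; i < sizeof lags / sizeof lags[0]; i++)
        printf("client %lds behind: stale window %lds plain, %lds with margin\n",
               lags[i], stale_reuse_seconds(endtime, lags[i], 0),
               stale_reuse_seconds(endtime, lags[i], SKEW_MARGIN));
    return 0;
}
```

The margin closes the stale window for any lag up to 300 seconds; a client that is further behind still has a window equal to the excess.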

* Re: [PATCH] gssd - expired credentials problem
  2013-03-09 11:25 [PATCH] gssd - expired credentials problem Lukas Hejtmanek
@ 2013-03-25 14:16 ` Steve Dickson
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Dickson @ 2013-03-25 14:16 UTC (permalink / raw)
  To: Lukas Hejtmanek; +Cc: linux-nfs



On 09/03/13 06:25, Lukas Hejtmanek wrote:
> Hi,
> 
> I noticed that there is a problem with expired credentials if the NFS client's
> time is even a few seconds behind the KDC's or NFS server's time. The client's
> kernel requests a new GSS context but rpc.gssd is happy with the existing krb
> cache as it is valid according to local time.
> 
> Is there any reason for gssd to check the validity of the existing cache when
> the kernel requests a new context?
> 
> However, it seems that this trivial patch solves this issue.
> 
> 300 is because I believe that clock skew must be within 300sec for Kerberos.
> 
> Signed-off-by: Lukas Hejtmanek <xhejtman@gmail.com>
Committed...

steved.

> 
> diff -rNu nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c nfs-utils-1.2.7/utils/gssd/krb5_util.c
> --- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c 2012-11-12 00:01:23.000000000 +0100
> +++ nfs-utils-1.2.7/utils/gssd/krb5_util.c      2013-02-15 16:35:35.652482164 +0100
> @@ -343,7 +343,7 @@
>         char kt_name[BUFSIZ];
>         char cc_name[BUFSIZ];
>         int code;
> -       time_t now = time(0);
> +       time_t now = time(0)+300; // workaround for clock skew among NFS server, NFS client and KDC
>         char *cache_type;
>         char *pname = NULL;
>         char *k5err = NULL;
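
Review bot: the comment on the `+` line names the purpose of the offset but not its side effect or its limit. With `now` moved forward, any expiry comparison that uses it will treat a cached credential as expired 300 seconds before its real end time, and the offset only covers a client clock that is behind by up to that amount. Both are worth stating in the comment so the early renewal is not later mistaken for a bug.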
> 
> 
