From: Greg Hudson <ghudson@mit.edu>
To: "Adamson, Andy" <William.Adamson@netapp.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
"krbdev@mit.edu" <krbdev@mit.edu>
Subject: Re: Gss context refresh failure due to clock skew
Date: Wed, 7 Oct 2015 11:08:38 -0400 [thread overview]
Message-ID: <56153576.1090209@mit.edu> (raw)
In-Reply-To: <16B417DB-F019-4654-8B4E-7C4C3AF1487D@netapp.com>
On 10/07/2015 11:00 AM, Adamson, Andy wrote:
> —— from the ticket: ——
>
> This unnecessarily strict check causes a particularly bad experience
> when (a) the client's clock is slightly ahead of the server's clock,
> and (b) the maximum service ticket lifetime is lower than the maximum
> TGT lifetime.
>
> —— ——
> I think both a) and b) are incorrect.
>
> for a) you got it backwards. this occurs when the server clock is ahead of the client clock.
Yes, I did write the wrong thing there; I will follow up on that.
> for b) the relationship between the TGT lifetime and the service ticket lifetime is irrelevant. Only the service ticket lifetime has any effect as the client will use a valid service ticket to construct an RPCSEC_GSS_INIT request irregardless of the TGT lifetime value.
I will try one more time to communicate what I mean:
* If the service ticket end time is less than the TGT end time, then
gss_init_sec_context() fails during the clock skew window, and starts
succeeding again afterwards.
* If the service ticket and TGT have both expired (according to the
server), then gss_init_sec_context() fails, and keeps failing
afterwards, unless there is some out-of-band agent refreshing expired TGTs.
Put another way: we expect authentications to start failing around the
time the TGT expires. We do not expect authentications to start failing
around the time a service ticket expires, if the TGT is still valid.
That is what I refer to as a "particularly" bad experience.
If that isn't clear, perhaps we should ignore this as a moot point; it
doesn't really affect how we plan to change the krb5 code.
next prev parent reply other threads:[~2015-10-07 15:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AD03968E-7017-4D32-A90C-C74C1E9CDFAC@netapp.com>
2015-10-01 21:30 ` Fwd: Gss context refresh failure due to clock skew Adamson, Andy
2015-10-05 19:10 ` Greg Hudson
2015-10-05 19:35 ` Adamson, Andy
2015-10-05 20:02 ` Greg Hudson
2015-10-05 20:34 ` Adamson, Andy
2015-10-06 0:02 ` Benjamin Kaduk
2015-10-06 14:53 ` Adamson, Andy
2015-10-07 13:22 ` Adamson, Andy
2015-10-07 14:45 ` Greg Hudson
2015-10-07 15:00 ` Adamson, Andy
2015-10-07 15:08 ` Greg Hudson [this message]
2015-10-07 15:46 ` Olga Kornievskaia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56153576.1090209@mit.edu \
--to=ghudson@mit.edu \
--cc=William.Adamson@netapp.com \
--cc=kaduk@mit.edu \
--cc=krbdev@mit.edu \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox