public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed
From: Greg Hudson <ghudson@mit.edu>
To: "Adamson, Andy" <William.Adamson@netapp.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	"krbdev@mit.edu" <krbdev@mit.edu>
Subject: Re: Gss context refresh failure due to clock skew
Date: Wed, 7 Oct 2015 11:08:38 -0400	[thread overview]
Message-ID: <56153576.1090209@mit.edu> (raw)
In-Reply-To: <16B417DB-F019-4654-8B4E-7C4C3AF1487D@netapp.com>

On 10/07/2015 11:00 AM, Adamson, Andy wrote:
> —— from the ticket: —— 
> 
> This unnecessarily strict check causes a particularly bad experience
> when (a) the client's clock is slightly ahead of the server's clock,
> and (b) the maximum service ticket lifetime is lower than the maximum
> TGT lifetime. 
> 
> —— —— 
> I think both a) and b) are incorrect.
> 
> for a) you got it backwards. this occurs when the server clock is ahead of the client clock.

Yes, I did write the wrong thing there; I will follow up on that.

> for b) the relationship between the TGT lifetime and the service ticket lifetime is irrelevant. Only the service ticket lifetime has any effect as the client will use a valid service ticket to construct an RPCSEC_GSS_INIT request irregardless of the TGT lifetime value.

I will try one more time to communicate what I mean:

* If the service ticket end time is less than the TGT end time, then
gss_init_sec_context() fails during the clock skew window, and starts
succeeding again afterwards.

* If the service ticket and TGT have both expired (according to the
server), then gss_init_sec_context() fails, and keeps failing
afterwards, unless there is some out-of-band agent refreshing expired TGTs.

Put another way: we expect authentications to start failing around the
time the TGT expires.  We do not expect authentications to start failing
around the time a service ticket expires, if the TGT is still valid.
That is what I refer to as a "particularly" bad experience.

If that isn't clear, perhaps we should ignore this as a moot point; it
doesn't really affect how we plan to change the krb5 code.

  reply	other threads:[~2015-10-07 15:08 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <AD03968E-7017-4D32-A90C-C74C1E9CDFAC@netapp.com>
2015-10-01 21:30 ` Fwd: Gss context refresh failure due to clock skew Adamson, Andy
2015-10-05 19:10   ` Greg Hudson
2015-10-05 19:35     ` Adamson, Andy
2015-10-05 20:02       ` Greg Hudson
2015-10-05 20:34         ` Adamson, Andy
2015-10-06  0:02           ` Benjamin Kaduk
2015-10-06 14:53             ` Adamson, Andy
2015-10-07 13:22               ` Adamson, Andy
2015-10-07 14:45                 ` Greg Hudson
2015-10-07 15:00                   ` Adamson, Andy
2015-10-07 15:08                     ` Greg Hudson [this message]
2015-10-07 15:46                       ` Olga Kornievskaia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56153576.1090209@mit.edu \
    --to=ghudson@mit.edu \
    --cc=William.Adamson@netapp.com \
    --cc=kaduk@mit.edu \
    --cc=krbdev@mit.edu \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox