Date:      Fri, 5 Feb 2010 15:27:04 -0500 (EST)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        George Mamalakis <mamalos@eng.auth.gr>
Cc:        freebsd-current@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: Kerberized NFSv3 incorrect behavior (revisited)
Message-ID:  <Pine.GSO.4.63.1002051521230.17768@muncher.cs.uoguelph.ca>
In-Reply-To: <4B6C3258.7050607@eng.auth.gr>
References:  <4B6C3258.7050607@eng.auth.gr>

On Fri, 5 Feb 2010, George Mamalakis wrote:

>
> I assume that this must have to do with kernel's KGSSAPI support, which 
> "forgets" to delete or renew its kerberos' cache.
>
Oops, missed this on the last reply. It is actually a cache of "handles"
for RPCSEC_GSS credentials allocated by the server (one per uid). It is
normally the server that decides to expire them (they no longer really
have anything to do with Kerberos, except that they were acquired via
a Kerberos ticket and it uses the session key created by Kerberos).

As noted before, I believe that kdestroy should somehow invalidate
these handles (it's an RPC to the NFS server + flushing the cached
entry in the client). A quick and dirty hack that has kdestroy do
a system call to do this could be implemented fairly easily. A key
management subsystem (aka key ring) that deals with all types of
authentication and not just Kerberos would be much more work.

rick



