Kerberized NFSv3 incorrect behavior (revisited)
Rick Macklem
rmacklem at uoguelph.ca
Fri Feb 5 20:16:00 UTC 2010
On Fri, 5 Feb 2010, George Mamalakis wrote:
>
> I assume that this must have to do with the kernel's KGSSAPI support, which
> "forgets" to delete or renew its Kerberos cache.
>
Oops, missed this on the last reply. It is actually a cache of "handles"
for RPCSEC_GSS credentials allocated by the server (one per uid). It is
normally the server that decides to expire them (they no longer really
have anything to do with Kerberos, except that they were acquired via
a Kerberos ticket and it uses the session key created by Kerberos).
As noted before, I believe that kdestroy should somehow invalidate
these handles (it's an RPC to the NFS server + flushing the cached
entry in the client). A quick and dirty hack that has kdestroy do
a system call to do this could be implemented fairly easily. A key
management subsystem (aka key ring) that deals with all types of
authentication and not just Kerberos would be much more work.
rick