On Fri, 9 Oct 2009 09:53:51 -0700
raini@xxxxxxxxxxxx wrote:

> > No, gssd (the client side daemon) will search /tmp for anything that
> > looks like a credcache for the right user, verify that it is a
> > credcache and then pick the one with the latest TGT expiration.
>
> > You're correct that NFS ignores $KRB5CCNAME. It uses the above (less
> > than optimal) heuristic instead.
>
> Thanks for explaining this Jeff - this does accord with what I see - which
> of course leaves my batch job system unpredictable.
>
> > Probably doable, but not trivial. IIRC, the kernel tracks credentials
> > by uid. You'd need to determine some way to split that up so that each
> > "session" has separate credentials. Once you do that, you'll have to
> > have the kernel pass enough info to the upcall for it to determine what
> > credcache it should use and modify gssd to use the new info accordingly.
>
> Just to be clear - you mean doable to a coder who might like to improve on
> gssd/kernel credential separation, rather than a non-coding sysadmin who
> needs to work within the current NFS/gssd framework?
>

Correct, that's what I mean. It'll mean modifying kernel and rpc.gssd code.

--
Jeff Layton <jlayton@xxxxxxxxxx>
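Added example, not part of the original message and not rpc.gssd's code: a Python approximation of the heuristic described above, which a sysadmin can use to see which cache would win for a given uid. It assumes version-4 FILE caches whose names start with `krb5cc`; the function names and defaults are hypothetical.

```python
import struct
from pathlib import Path

def _data(buf, off):  # counted octet string: uint32 length, then bytes
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated cache")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _principal(buf, off):  # returns (name components, next offset)
    (count,) = struct.unpack_from(">I", buf, off + 4)  # skip name type
    off, parts = off + 8, []
    for _ in range(count + 1):  # realm first, then the components
        part, off = _data(buf, off)
        parts.append(part)
    return parts[1:], off

def tgt_endtime(path):  # latest krbtgt endtime in a v4 FILE ccache, else None
    buf = Path(path).read_bytes()
    try:
        ver, hlen = struct.unpack_from(">HH", buf, 0)
        if ver != 0x0504:  # only file format version 4 is handled here
            return None
        _, off = _principal(buf, 4 + hlen)  # default principal
        best = None
        while off < len(buf):
            _, off = _principal(buf, off)  # client
            server, off = _principal(buf, off)
            _, off = _data(buf, off + 2)  # keyblock: enctype, key
            end = struct.unpack_from(">4I", buf, off)[2]
            off += 16 + 1 + 4  # times, is_skey, ticket_flags
            for _ in range(2):  # addresses, then authdata
                (n,) = struct.unpack_from(">I", buf, off)
                off += 4
                for _ in range(n):
                    _, off = _data(buf, off + 2)  # 16-bit type, data
            for _ in range(2):  # ticket, second ticket
                _, off = _data(buf, off)
            if server and server[0] == b"krbtgt":
                best = max(best or 0, end)
        return best
    except (struct.error, ValueError):
        return None

def pick_cache(uid, ccdir="/tmp", prefix="krb5cc"):  # names are assumptions
    mine = [p for p in Path(ccdir).glob(prefix + "*")
            if p.is_file() and not p.is_symlink() and p.lstat().st_uid == uid]
    scored = [(tgt_endtime(p) or 0, str(p)) for p in mine]
    best = max(scored, default=(0, None))
    return best[1] if best[0] else None
```

Run it as the cache owner or as root, since credential caches are normally readable only by their owner. The result depends only on ownership and TGT expiry, which is why concurrent batch jobs under one uid cannot each be pinned to their own cache.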