Jeff Layton <jlayton@xxxxxxxxxx> said: >> Just to be clear - you mean doable to a coder who might like to improve >> on >> gssd/kernel credential separation, rather than a non-coding sysadmin who >> needs with work within the current NFS/gssd framework? >> > > Correct, that's what I mean. It'll mean modifying kernel and rpc.gssd > code. Thanks for confirming. Skipping back a little: >> > No, gssd (the client side daemon) will search /tmp for anything that >> > looks like a credcache for the right user, verify that it is a >> > credcache and then pick the one with the latest TGT expiration. Kevin Coffman on the NFS4 list actually implied this used simple mtime rather than actually scanning /tmp/krb5cc_uid* for ccache files with the latest TGT expiration, which is how I originally read your statement. This seemingly would make a difference in an environment with a batch job with a long lifetime ticket and subsequent interactive login generating a separate ccache file with a shorter lifetime but newer mtime. I'm not a coder but I scanned krb5_util.c in the gssd code, and it *seems* to me it only looks at mtime, although what you suggest would be more optimal. Could you confirm whether it's scanning ccache files for longest TGT, or just using mtime? -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html