On Tue, 13 Oct 2009 08:28:52 -0700 raini@xxxxxxxxxxxx wrote: > Jeff Layton <jlayton@xxxxxxxxxx> said: > >> Just to be clear - you mean doable to a coder who might like to improve > >> on > >> gssd/kernel credential separation, rather than a non-coding sysadmin who > >> needs with work within the current NFS/gssd framework? > >> > > > > Correct, that's what I mean. It'll mean modifying kernel and rpc.gssd > > code. > > Thanks for confirming. Skipping back a little: > > >> > No, gssd (the client side daemon) will search /tmp for anything that > >> > looks like a credcache for the right user, verify that it is a > >> > credcache and then pick the one with the latest TGT expiration. > > Kevin Coffman on the NFS4 list actually implied this used simple mtime > rather than actually scanning /tmp/krb5cc_uid* for ccache files with the > latest TGT expiration, which is how I originally read your statement. > This seemingly would make a difference in an environment with a batch job > with a long lifetime ticket and subsequent interactive login generating a > separate ccache file with a shorter lifetime but newer mtime. > > I'm not a coder but I scanned krb5_util.c in the gssd code, and it *seems* > to me it only looks at mtime, although what you suggest would be more > optimal. Could you confirm whether it's scanning ccache files for longest > TGT, or just using mtime? > You and Kevin are correct. rpc.gssd only looks at the mtime. When I did the work to allow the CIFS SPNGEO upcall to find alternate credcaches, I implemented the behavior I described (prefer the latest TGT expiration) -- sorry for the confusion... It probably wouldn't be too hard to change rpc.gssd to prefer credcaches with the latest TGT expiration if it was considered a desirable change. Kevin, any thoughts? -- Jeff Layton <jlayton@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
