On Tue, 2009-10-13 at 11:51 -0400, Kevin Coffman wrote: > On Tue, Oct 13, 2009 at 11:44 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote: > > On Tue, 13 Oct 2009 08:28:52 -0700 > > raini@xxxxxxxxxxxx wrote: > > > >> Jeff Layton <jlayton@xxxxxxxxxx> said: > >> >> Just to be clear - you mean doable to a coder who might like to improve > >> >> on > >> >> gssd/kernel credential separation, rather than a non-coding sysadmin who > >> >> needs with work within the current NFS/gssd framework? > >> >> > >> > > >> > Correct, that's what I mean. It'll mean modifying kernel and rpc.gssd > >> > code. > >> > >> Thanks for confirming. Skipping back a little: > >> > >> >> > No, gssd (the client side daemon) will search /tmp for anything that > >> >> > looks like a credcache for the right user, verify that it is a > >> >> > credcache and then pick the one with the latest TGT expiration. > >> > >> Kevin Coffman on the NFS4 list actually implied this used simple mtime > >> rather than actually scanning /tmp/krb5cc_uid* for ccache files with the > >> latest TGT expiration, which is how I originally read your statement. > >> This seemingly would make a difference in an environment with a batch job > >> with a long lifetime ticket and subsequent interactive login generating a > >> separate ccache file with a shorter lifetime but newer mtime. > >> > >> I'm not a coder but I scanned krb5_util.c in the gssd code, and it *seems* > >> to me it only looks at mtime, although what you suggest would be more > >> optimal. Could you confirm whether it's scanning ccache files for longest > >> TGT, or just using mtime? > >> > > > > You and Kevin are correct. rpc.gssd only looks at the mtime. When I did > > the work to allow the CIFS SPNGEO upcall to find alternate credcaches, > > I implemented the behavior I described (prefer the latest TGT > > expiration) -- sorry for the confusion... > > > > It probably wouldn't be too hard to change rpc.gssd to prefer > > credcaches with the latest TGT expiration if it was considered a > > desirable change. > > > > Kevin, any thoughts? > > I agree it shouldn't be too hard to change if that behavior is desirable/useful. Shouldn't rpc.gssd in any case be looking for all _valid_ credcaches, rather than just any old credcache-like file? If you stick to that principle, then if there is one file that contains a still-unexpired TGT, and one with a TGT that has expired, then the first file should always be preferred, irrespective of the value of the mtimes... Cheers Trond -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
