J. Bruce Fields wrote:

> On Tue, Jan 17, 2012 at 11:31:33AM -0500, Jim Rees wrote:
> > Sachin Prabhu wrote:
> >
> > > On Tue, 2012-01-17 at 08:49 -0500, Jim Rees wrote:
> > > > Sachin Prabhu wrote:
> > > >
> > > > > We had a user report that for an export shared with sec=krb5*, any
> > > > > changes in user credentials (ex: add user to a secondary group) take some
> > > > > time before they take effect over the NFS share.
> > > >
> > > > Re-authenticating, either by removing the service ticket or by re-running
> > > > kinit at the client, should also flush the old credentials. Can you confirm
> > > > that works?
> > >
> > > We have tried it but it doesn't work unless you actually clean up the
> > > cache on the NFS server with the command
> > > echo `date +'%s'` > /proc/net/rpc/auth.rpcsec.context/flush
> >
> > Bruce, shouldn't this work? Is this a bug or a feature?
>
> kdestroy, kinit, etc. on the client only affect userspace; the NFS
> client in the kernel continues to use the same gss context.

I would find it surprising if kdestroy didn't actually discard my
credentials. In fact I might even view this as a security risk.