Hi, I noticed that there is a problem with expired credentials if NFS client's time is even few seconds behind KDC's or NFS server's time. Client's kernel requests new GSS context but rpc.gssd is happy with existing krb cache as it valid according to local time. Is there any reason for gssd to check validity of existing cache when kernel requests a new context? However, it seems that this trivial patch solves this issue: diff -rNu nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c nfs-utils-1.2.7/utils/gssd/krb5_util.c --- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c 2012-11-12 00:01:23.000000000 +0100 +++ nfs-utils-1.2.7/utils/gssd/krb5_util.c 2013-02-15 16:35:35.652482164 +0100 @@ -343,7 +343,7 @@ char kt_name[BUFSIZ]; char cc_name[BUFSIZ]; int code; - time_t now = time(0); + time_t now = time(0)+300; // workaround for clock skew among NFS server, NFS client and KDC char *cache_type; char *pname = NULL; char *k5err = NULL; 300 is because I believe that clock skew must be within 300sec for kerberos. -- Lukáš Hejtmánek -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html