Re: Strange cred expiry behavior

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2013-10-21 at 23:53 +0000, Weston Andros Adamson wrote:
> I traced this behavior back to:
> 
> commit 302de786930a2c533068f9d8909a817b40f07c32
> Author: Simo Sorce <simo@xxxxxxxxxx>
> Date:   Fri Apr 19 13:02:36 2013 -0400
> 
>     gssd: Allow GSSAPI to try to acquire credentials first.
> 
> 
> And in particular:
> 
> -               for (dirname = ccachesearch; *dirname != NULL; dirname++) {
> +               /* Try first to acquire credentials directly via GSSAPI */
> +               err = gssd_acquire_user_cred(uid, &gss_cred);
> +               if (!err)
> +                       create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
> +                                                            AUTHTYPE_KRB5, gss_cred);
> +               /* if create_auth_rplc_client fails try the traditional method of
> +                * trolling for credentials */
> +               for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) {
> 
> A couple of things:
> 
>   - If I get rid of the "Try first to acquire credentials directly via
> GSSAPI" part, expiry works as before.

Interesting, this call is necessary to make rpc.gssd work with gss-proxy
and I had not experienced an issue so far. We can try to add a
gss_inquire_cred() to gssd_acquire_user_cred() to force checking the
credentials for expiration, as that check may be deferred in some cases
in GSSAPI.

>   - It says "if create_auth_rplc_client fails try the traditional
> method of trolling for credentials" but I see nothing that checks to
> see if create_resp != 0 before falling back to the old method.

It's the check condition in the for loop, that's why I have not repeated
it before the for loop.

>   I added this check and everything seems right (it doesn't fix the
> expiry issue).

Yeah I didn't think it would.

> I should have some time tomorrow to look further at the expiry issue…

If you can add an explicit check with gss_inquire_creds() I think you'll
get the right behavior.

Let me know if you need help.
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux