This works! Posting a patch now.
Thanks,
-dros
On Oct 22, 2013, at 8:52 AM, Weston Andros Adamson <dros@xxxxxxxxxx> wrote:
> Thanks Simo!
>
> I'll try doing the gss_inquire_creds() first and if that fixes things.
>
> -dros
>
> On Oct 22, 2013, at 8:20 AM, Simo Sorce <simo@xxxxxxxxxx>
> wrote:
>
>> On Mon, 2013-10-21 at 23:53 +0000, Weston Andros Adamson wrote:
>>> I traced this behavior back to:
>>>
>>> commit 302de786930a2c533068f9d8909a817b40f07c32
>>> Author: Simo Sorce <simo@xxxxxxxxxx>
>>> Date: Fri Apr 19 13:02:36 2013 -0400
>>>
>>> gssd: Allow GSSAPI to try to acquire credentials first.
>>>
>>>
>>> And in particular:
>>>
>>> - for (dirname = ccachesearch; *dirname != NULL; dirname++) {
>>> + /* Try first to acquire credentials directly via GSSAPI */
>>> + err = gssd_acquire_user_cred(uid, &gss_cred);
>>> + if (!err)
>>> + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
>>> + AUTHTYPE_KRB5, gss_cred);
>>> + /* if create_auth_rplc_client fails try the traditional method of
>>> + * trolling for credentials */
>>> + for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) {
>>>
>>> A couple of things:
>>>
>>> - If I get rid of the "Try first to acquire credentials directly via
>>> GSSAPI" part, expiry works as before.
>>
>> Interesting, this call is necessary to make rpc.gssd work with gss-proxy
>> and I had not experienced an issue so far. We can try to add a
>> gss_inquire_cred() to gssd_acquire_user_cred() to force checking the
>> credentials for expiration, as that check may be deferred in some cases
>> in GSSAPI.
>>
>>> - It says "if create_auth_rplc_client fails try the traditional
>>> method of trolling for credentials" but I see nothing that checks to
>>> see if create_resp != 0 before falling back to the old method.
>>
>> It's the check condition in the for loop, that's why I have not repeated
>> it before the for loop.
>>
>>> I added this check and everything seems right (it doesn't fix the
>>> expiry issue).
>>
>> Yeah I didn't think it would.
>>
>>> I should have some time tomorrow to look further at the expiry issue…
>>
>> If you can add an explicit check with gss_inquire_creds() I think you'll
>> get the right behavior.
>>
>> Let me know if you need help.
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
