On 12/6/19 1:29 PM, Olga Kornievskaia wrote:
> Hi Steve,
>
> Question: Is this an interesting failure scenario (bug) that should be
> fixed: client did a mount which acquired gss creds and stored in the
> credential cache. Then say it umounts at some point. Then for some
> reason the Kerberos cache is deleted (rm -f /tmp/krb5cc*). Now client
> mounts again. This currently fails. Because gssd uses internal cache
> to store creds lifetimes and thinks that tgt is still valid but then
> trying to acquire a service ticket it fails (since there is no tgt).
OK... turning off gssproxy... I now see the failure...

>
> Here's my proposed fix (I can send as a patch if this agreed upon).
>
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index 0474783..3678524 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -121,6 +121,9 @@
>  #include <krb5.h>
>  #include <rpc/auth_gss.h>
>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +
>  #include "nfslib.h"
>  #include "gssd.h"
>  #include "err_util.h"
> @@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
>  	return err;
>  }
>
> +/* check if the ticket cache exists, if not set nocache=1 so that new
> + * tgt is gotten
> + */
> +static int
> +gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
> +{
> +	int fd;
> +	char cc_name[BUFSIZ];
> +
> +	snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
> +		ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
> +		GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
> +	fd = open(cc_name, O_RDONLY);
> +	if (fd < 0)
> +		return 1;
> +	close(fd);
> +	return 0;
> +}
> +
>  /*
>   * Obtain credentials via a key in the keytab given
>   * a keytab handle and a gssd_k5_kt_princ structure.
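Review bot: gssd_check_if_cc_exists rebuilds the cache path from defaults (ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX, GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm) instead of using the name gssd actually wrote the cache under, so a machine cache that lives in another ccachesearch directory or under a non-default name will be reported missing on every call and force a fresh TGT each time; derive the name from the same place the cache was created. The open()/close() pair is also heavier than needed for a pure existence test, and it swallows errno, so EACCES and ENOENT are treated alike; `if (access(cc_name, R_OK) < 0)` or a stat() that checks for ENOENT says what you mean in one call. close() needs <unistd.h>, which the include hunk above does not add (only <sys/types.h> and <fcntl.h>), so confirm it is already included in krb5_util.c. Finally, an existing but empty or truncated cache still passes this check while holding no usable TGT; that is fine for the rm -f scenario in the cover note, but the comment "so that new tgt is gotten" should say that only a missing file is detected.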
> @@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context,
>
>  	memset(&my_creds, 0, sizeof(my_creds));
>
> +	if (!nocache && !use_memcache)
> +		nocache = gssd_check_if_cc_exists(ple);
>  	/*
>  	 * Workaround for clock skew among NFS server, NFS client and KDC
>  	 * 300 because clock skew must be within 300sec for kerberos
>
I guess this seems reasonable... but it does apply on the latest
upstream version... So please do the official patch and we'll go
from there..

thanks!

steved.
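Review bot: when gssd_check_if_cc_exists() returns 1 the new lines in gssd_get_single_krb5_cred silently flip nocache and fall through, so recovery from a deleted cache leaves no trace in the gssd debug output; a printerr() at the same level as the other cache messages in this function, naming the cache that was found missing, would make the scenario in the cover note diagnosable in the field. Style-wise, the two added lines run straight into the "Workaround for clock skew" comment block; a blank line after `nocache = gssd_check_if_cc_exists(ple);` keeps that comment attached to the code it describes rather than to the new check.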
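The failure described above is "the file behind the credential cache went away while gssd still believes its TGT is valid". The following is an added example, not code from the patch or from nfs-utils, of what a file-level check for that condition looks like when it distinguishes the cases the open()/close() probe folds together: a missing file, a file that exists but is empty, a file that is unreadable, and a ccache name that is not a file at all. It assumes ccache names in the libkrb5 syntax ("FILE:/path", a bare path meaning FILE, or another type such as KEYRING:/DIR:/MEMORY:); the function names and the fixture helper are hypothetical. A positive result only says a non-empty readable file is there; it says nothing about whether the TGT inside is still valid.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the file-level probe (hypothetical names, example only). */
enum cc_state {
    CC_PRESENT = 0,   /* regular, readable, non-empty file: worth trying */
    CC_MISSING,       /* ENOENT: the rm -f case from the report */
    CC_EMPTY,         /* exists but zero bytes: cannot hold a TGT */
    CC_UNREADABLE,    /* exists but stat/access failed or not a regular file */
    CC_UNSUPPORTED    /* not a FILE: cache (KEYRING:, DIR:, MEMORY:, ...) */
};

/* Map a krb5 ccache name to a filesystem path, or NULL if the type is not
 * file-backed. A name without a type prefix is treated as FILE, which is
 * how libkrb5 resolves it. */
const char *cc_file_path(const char *ccname)
{
    if (strchr(ccname, ':') == NULL)
        return ccname;
    if (strncmp(ccname, "FILE:", 5) == 0)
        return ccname + 5;
    return NULL;
}

/* Probe the cache file without opening it for reading. stat() keeps errno,
 * so a missing file and a permission problem are reported differently. */
enum cc_state check_ccache_file(const char *ccname)
{
    struct stat st;
    const char *path = cc_file_path(ccname);

    if (path == NULL)
        return CC_UNSUPPORTED;
    if (stat(path, &st) < 0)
        return errno == ENOENT ? CC_MISSING : CC_UNREADABLE;
    if (!S_ISREG(st.st_mode))
        return CC_UNREADABLE;
    if (st.st_size == 0)
        return CC_EMPTY;
    if (access(path, R_OK) < 0)
        return CC_UNREADABLE;
    return CC_PRESENT;
}

/* What a caller in the patch's position would use to decide on nocache:
 * anything other than a present file means "get a new TGT". */
int cc_needs_new_tgt(const char *ccname)
{
    return check_ccache_file(ccname) != CC_PRESENT;
}

/* Test fixture helper (constructed for this example): create a file of
 * nbytes 'x' characters at path, truncating any existing file. */
int write_fixture(const char *path, size_t nbytes)
{
    FILE *f = fopen(path, "wb");
    size_t i;

    if (f == NULL)
        return -1;
    for (i = 0; i < nbytes; i++)
        fputc('x', f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    static const char *const names[] = {
        "present", "missing", "empty", "unreadable", "unsupported"
    };
    const char *ccname = argc > 1 ? argv[1] : "FILE:/tmp/krb5cc_machine_EXAMPLE.REALM";

    printf("%s: %s\n", ccname, names[check_ccache_file(ccname)]);
    return 0;
}
```

Run it with a ccache name as the only argument, for example after `rm -f` of the file the report mentions, to see the probe report "missing" rather than failing later inside the service-ticket request.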