Hi Olga,

This is great info!

Can you make sure that the host principal is not granted any read or write access (via ACL entry, owner, group or Everyone access) to the actual directory and file being opened.

If, by spec or well established convention, the client host principal just needs to submit the "close request" to the NFS server; but, needs no access to the actual directory tree or files, then my NAS vendor will need to take action.

If I need to grant directory / file access to all host principals on-site I will probably get serious computer-security opposition.

Thanks!

Andy

> What you describe --- having different views of state on the client
> and server -- is not a known common behaviour.
>
> I have tried it on my Kerberos setup.
> Gotten a 5min ticket.
> As a user opened a file in a process that went to sleep.
> My user credentials have expired (after 5mins). I verified that by
> doing an "ls" on a mounted filesystem which resulted in permission
> denied error.
> Then I killed the application that had an opened file. This resulted
> in a NFS CLOSE being sent to the server using the machine's gss
> context (which is a default behaviour of the linux client regardless
> of whether or not user's credentials are valid).
>
> Basically as far as I can tell, a linux client can handle cleaning up
> state when user's credentials have expired.
>
> > Andy