Date: Fri, 5 Feb 2010 15:27:04 -0500 (EST) From: Rick Macklem <rmacklem@uoguelph.ca> To: George Mamalakis <mamalos@eng.auth.gr> Cc: freebsd-current@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org> Subject: Re: Kerberized NFSv3 incorrect behavior (revisited) Message-ID: <Pine.GSO.4.63.1002051521230.17768@muncher.cs.uoguelph.ca> In-Reply-To: <4B6C3258.7050607@eng.auth.gr> References: <4B6C3258.7050607@eng.auth.gr>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 5 Feb 2010, George Mamalakis wrote: > > I assume that this must have to do with kernel's KGSSAPI support, which > "forgets" to delete or renew its kerberos' cache. > Oops, missed this on the last reply. It is actually a cache of "handles" for RPCSEC_GSS credentials allocated by the server (one per uid). It is normally the server that decides to expire them (they no longer really have anything to do with Kerberos, except that they were acquired via a Kerberos ticket and it uses the session key created by Kerberos). As noted before, I believe that kdestroy should somehow invalidate these handles (it's an RPC to the NFS server + flushing the cached entry in the client). A quick and dirty hack that has kdestroy do a system call to do this could be implemented fairly easily. A key management subsystem (aka key ring) that deals with all types of authentication and not just Kerberos would be much more work. rick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.63.1002051521230.17768>