Bug #4513

open

NFS client does not notice kerberos ticket change

Added by Marcel Telka over 8 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
nfs - NFS server and client
Start date:
2014-01-21
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

When there is a credential change, the NFS client should notice the change and use the new credentials in all future communication. This works when the credential change is done using kdestroy.

Here is an example of the mounted filesystem:

# nfsstat -m
/mnt from ns.in.telka.sk:/tmp
 Flags:        vers=4,proto=tcp,sec=krb5,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60

#

Here, we obtain the TGT (credentials) initially as user "marcel" and a file is created. Then the credentials are switched to user "admin" and another file is created. As we can see, the credential change is properly reflected over NFS (because kdestroy was used):

# klist 
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
# kinit marcel
Password for marcel@TELKA.SK: 
# touch /mnt/marcel
# kdestroy 
# kinit admin
Password for admin@TELKA.SK: 
# touch /mnt/admin
# kdestroy 
# ls -al /mnt
total 6
drwxrwxrwt+  2 root   sys   458 jan 21 23:59 .
drwxr-xr-x  24 root   root   25 jan 21 22:10 ..
-rw-r--r--   1 admin  staff   0 jan 21 23:59 admin
srwxrwxrwx   1 root   root    0 jan 21 22:13 dbus-B3C7hvNNHS
srwxrwxrwx   1 root   root    0 jan 21 22:13 dbus-lgmqxljj0D
srwxrwxrwx   1 root   root    0 jan 21 22:13 dbus-ZvGhz6mapw
-rw-r--r--   1 marcel staff   0 jan 21 23:59 marcel
#

If the credential change is not accompanied by kdestroy, the NFS client won't use the new Kerberos ticket but the old one:

# klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
# kinit marcel
Password for marcel@TELKA.SK: 
# touch /mnt/marcel
# kinit admin
Password for admin@TELKA.SK: 
# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TELKA.SK

Valid starting                  Expires                  Service principal
22.01.2014 00:12:25  22.01.2014 08:12:25  krbtgt/TELKA.SK@TELKA.SK
    renew until 29.01.2014 00:12:25
# touch /mnt/admin
# ls -al /mnt
total 6
drwxrwxrwt+  2 root   sys   458 jan 22 00:12 .
drwxr-xr-x  24 root   root   25 jan 21 22:10 ..
-rw-r--r--   1 marcel staff   0 jan 22 00:12 admin
srwxrwxrwx   1 root   root    0 jan 21 22:13 dbus-B3C7hvNNHS
srwxrwxrwx   1 root   root    0 jan 21 22:13 dbus-lgmqxljj0D
srwxrwxrwx   1 root   root    0 jan 21 22:13 dbus-ZvGhz6mapw
-rw-r--r--   1 marcel staff   0 jan 22 00:12 marcel
#

As a result, we see both files created (marcel and admin) with the same owner (marcel), which is wrong.
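Added example, not part of this bug report: a small POSIX shell check that detects the symptom shown above, i.e. a freshly created file on the krb5 mount whose owner does not match the principal currently held in the credential cache. The mount path argument and the probe file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the NFS client is
# really using the principal that klist reports, by creating a probe file
# and comparing its owner with the primary name of the default principal.

# Extract the primary name ("admin" from "admin@TELKA.SK") from klist output.
principal_from_klist() {
    # $1: full text of `klist` output
    printf '%s\n' "$1" | sed -n 's/^Default principal: *\([^@]*\)@.*/\1/p' | head -n 1
}

# Extract the owner column from one line of `ls -l` output.
owner_from_ls() {
    # $1: one line such as "-rw-r--r--   1 marcel staff   0 jan 22 00:12 admin"
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Return 0 when the file owner matches the cached principal, 1 otherwise
# (the mismatch is exactly the bug's symptom: file owned by the old user).
identity_matches() {
    # $1: klist output, $2: one `ls -l` line
    [ "$(principal_from_klist "$1")" = "$(owner_from_ls "$2")" ]
}

# Live check against a real mount (assumed argument, e.g. /mnt): create a
# probe file, inspect it, remove it, and report a mismatch as exit status 1.
nfs_identity_check() {
    mount_point="$1"
    probe="$mount_point/.krb5-probe.$$"          # assumed probe file name
    klist_out=$(klist 2>/dev/null)
    touch "$probe" || return 2
    line=$(ls -l "$probe")
    rm -f "$probe"
    if identity_matches "$klist_out" "$line"; then
        echo "ok: NFS client acts as $(principal_from_klist "$klist_out")"
    else
        echo "MISMATCH: file owned by $(owner_from_ls "$line")," \
             "credential cache holds $(principal_from_klist "$klist_out")"
        return 1
    fi
}
```

Running `nfs_identity_check /mnt` right after the second kinit in the scenario above would report the mismatch (file owned by marcel, cache holding admin); running it after a kinit preceded by kdestroy would report ok.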
