Return-Path: linux-nfs-owner@vger.kernel.org Received: from smtp.mail.umich.edu ([141.211.14.81]:38386 "EHLO hackers.mr.itd.umich.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752027Ab2AQRYq (ORCPT ); Tue, 17 Jan 2012 12:24:46 -0500 Date: Tue, 17 Jan 2012 12:24:44 -0500 From: Jim Rees To: "J. Bruce Fields" Cc: Sachin Prabhu , linux-nfs , Steve Dickson Subject: Re: svcgssd: Allow administrators to specify timeout for the cached context Message-ID: <20120117172444.GA3787@umich.edu> References: <1326800668.2747.55.camel@sprabhu.fab.redhat.com> <20120117134951.GA15479@umich.edu> <1326814728.2747.59.camel@sprabhu.fab.redhat.com> <20120117163133.GB3387@umich.edu> <20120117163426.GB13977@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii In-Reply-To: <20120117163426.GB13977@fieldses.org> Sender: linux-nfs-owner@vger.kernel.org List-ID: J. Bruce Fields wrote: On Tue, Jan 17, 2012 at 11:31:33AM -0500, Jim Rees wrote: > Sachin Prabhu wrote: > > On Tue, 2012-01-17 at 08:49 -0500, Jim Rees wrote: > > Sachin Prabhu wrote: > > > > We had a user report that for an export shared with sec=krb5*, any > > changes in user credentials(ex: add user to a secondary group) take some > > time before they take effect over the NFS share. > > > > Re-authenticating, either by removing the service ticket or by re-running > > kinit at the client, should also flush the old credentials. Can you confirm > > that works? > > We have tried it but it doesn't work unless you actually clean up the > cache on the NFS server with the command > echo `date +'%s'` > /proc/net/rpc/auth.rpcsec.context/flush > > Bruce, shouldn't this work? Is this a bug or a feature? kdestroy, kinit, etc. on the client only affect userspace; the NFS client in the kernel continues to use the same gss context. I would find it surprising if kdestroy didn't actually discard my credentials. In fact I might even view this as a security risk.