From: Olga Kornievskaia
Date: Fri, 6 Dec 2019 13:29:18 -0500
Subject: gssd question/patch
To: Steve Dickson
Cc: linux-nfs <linux-nfs@vger.kernel.org>

Hi Steve,

Question: Is this an interesting failure scenario (bug) that should be fixed: the client did a mount which acquired gss creds and stored them in the credential cache. Then say it umounts at some point. Then for some reason the Kerberos cache is deleted (rm -f /tmp/krb5cc*). Now the client mounts again. This currently fails, because gssd uses an internal cache to store the creds' lifetimes and thinks that the tgt is still valid, but then trying to acquire a service ticket fails (since there is no tgt).

Here's my proposed fix (I can send it as a patch if this is agreed upon).

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 0474783..3678524 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -121,6 +121,9 @@ #include #include +#include +#include + #include "nfslib.h" #include "gssd.h" #include "err_util.h" 
@@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, return err; } +/* check if the ticket cache exists, if not set nocache=1 so that new + * tgt is gotten + */ +static int +gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple) +{ + int fd; + char cc_name[BUFSIZ]; + + snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s", + ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX, + GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm); + fd = open(cc_name, O_RDONLY); + if (fd < 0) + return 1; + close(fd); + return 0; +} + /* * Obtain credentials via a key in the keytab given * a keytab handle and a gssd_k5_kt_princ structure. @@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context, memset(&my_creds, 0, sizeof(my_creds)); + if (!nocache && !use_memcache) + nocache = gssd_check_if_cc_exists(ple); /* * Workaround for clock skew among NFS server, NFS client and KDC * 300 because clock skew must be within 300sec for kerberos
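Review bot: in the @@ -121,6 +121,9 @@ hunk the names of the two added #include directives are not visible in this copy of the patch, so what is being pulled in cannot be checked here; the new function below uses open(), O_RDONLY and close(), which need <fcntl.h> and <unistd.h>, and if the probe is switched to stat() it needs <sys/stat.h> instead, so please make sure the final patch adds exactly those.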
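Review bot: gssd_check_if_cc_exists() treats every open() failure as "no cache", not only ENOENT, and opens a descriptor it only closes again; probe cc_name with stat() (or access()) and return 1 only when errno == ENOENT, so that EACCES or EMFILE, or a FIFO or symlink planted at that name in a world-writable ccachesearch[0] such as /tmp (the mail mentions /tmp/krb5cc*; open(O_RDONLY) on a FIFO blocks the caller), are not silently reported as a missing cache. Two smaller points in the same hunk: only ccachesearch[0] is probed, so a cache that lives in a later search directory is always reported missing and re-fetched; and the snprintf() into the BUFSIZ buffer is not checked for truncation, so an overlong directory or realm name probes the wrong path. The comment above the function should also say that the test is only meaningful for FILE: caches.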
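Review bot: the new `nocache = gssd_check_if_cc_exists(ple);` line in gssd_get_single_krb5_cred() only narrows the race described in the mail, since the cache can still be removed between this path test and the later krb5 calls, and it says nothing for cache types that are not a plain file; a more robust and type-independent check is to ask libkrb5 whether the existing cache is still usable (krb5_cc_resolve() on the stored cache name followed by krb5_cc_get_principal(), treating any failure as "need a new TGT"), which also covers DIR:, KEYRING: and KCM: caches. The `!use_memcache` guard is correct because a MEMORY: cache has no file to look for, but the reason should be stated in a comment next to the call, and the `!nocache` part deserves a note that the probe is deliberately skipped when the caller has already asked for a fresh TGT.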
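The failure mode the mail describes (gssd's remembered TGT lifetime outliving the on-disk credential cache) and the decision the patch wants to make, replayed as an added C example. This is not nfs-utils code and not Olga's patch: the names CRED_PREFIX, MACHINE_SUFFIX, demo_ple, ccache_state, decide_tgt, fake_ccache and run_scenario, and the /tmp/gssd-demo.<pid> directory, are all constructed here. The probe uses stat() and tells ENOENT apart from other failures, and a small fixture creates and deletes an empty stand-in cache file so the mount, rm -f, remount sequence can be run offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed stand-ins for the gssd names used in the patch (not the
 * real nfs-utils definitions). */
#define CRED_PREFIX    "krb5cc_"
#define MACHINE_SUFFIX "machine"

/* Hypothetical version of gssd's per-principal record (the "ple"):
 * gssd remembers when the TGT it fetched will expire. */
struct demo_ple {
    const char *realm;
    time_t endtime;
};

enum cc_state { CC_PRESENT, CC_MISSING, CC_UNUSABLE };
enum tgt_decision { TGT_OK, TGT_EXPIRED, TGT_CACHE_GONE, TGT_CACHE_UNUSABLE };

/* Build "<dir>/krb5cc_machine_<REALM>" with the patch's format string,
 * refusing a truncated name instead of probing the wrong path. */
static int
ccache_path(char *buf, size_t len, const char *dir, const char *realm)
{
    int n = snprintf(buf, len, "%s/%s%s_%s", dir, CRED_PREFIX, MACHINE_SUFFIX, realm);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Probe the FILE: cache with stat(): no descriptor is opened, a planted
 * FIFO cannot block us, and ENOENT is told apart from other errors. */
static enum cc_state
ccache_state(const char *dir, const char *realm)
{
    char path[4096];
    struct stat st;

    if (ccache_path(path, sizeof path, dir, realm) < 0)
        return CC_UNUSABLE;
    if (stat(path, &st) == 0)
        return S_ISREG(st.st_mode) ? CC_PRESENT : CC_UNUSABLE;
    return errno == ENOENT ? CC_MISSING : CC_UNUSABLE;
}

/* The decision the patch hooks into gssd_get_single_krb5_cred(): trust the
 * remembered lifetime only while the cache it refers to still exists. */
static enum tgt_decision
decide_tgt(const struct demo_ple *ple, const char *dir, time_t now)
{
    if (ple->endtime <= now)
        return TGT_EXPIRED;
    switch (ccache_state(dir, ple->realm)) {
    case CC_PRESENT: return TGT_OK;
    case CC_MISSING: return TGT_CACHE_GONE;
    default:         return TGT_CACHE_UNUSABLE;
    }
}

/* Fixture: create (create=1) or remove (create=0) an empty stand-in cache. */
static int
fake_ccache(const char *dir, const char *realm, int create)
{
    char path[4096];
    if (ccache_path(path, sizeof path, dir, realm) < 0)
        return -1;
    if (!create)
        return unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Replay the mail's scenario: mount (cache present), rm -f the cache,
 * mount again. Returns 1 when every step yields the expected decision. */
static int
run_scenario(void)
{
    char dir[64];
    struct demo_ple ple = { "EXAMPLE.COM", time(NULL) + 3600 };
    int ok = 1;

    snprintf(dir, sizeof dir, "/tmp/gssd-demo.%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0)
        return 0;

    ok &= decide_tgt(&ple, dir, time(NULL)) == TGT_CACHE_GONE; /* nothing fetched yet */
    ok &= fake_ccache(dir, ple.realm, 1) == 0;                 /* first mount */
    ok &= decide_tgt(&ple, dir, time(NULL)) == TGT_OK;
    ok &= fake_ccache(dir, ple.realm, 0) == 0;                 /* rm -f /tmp/krb5cc* */
    ok &= decide_tgt(&ple, dir, time(NULL)) == TGT_CACHE_GONE; /* remount: fetch anew */
    ple.endtime = time(NULL) - 1;                              /* lifetime ran out */
    ok &= decide_tgt(&ple, dir, time(NULL)) == TGT_EXPIRED;

    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("scenario %s\n", run_scenario() ? "behaves as expected" : "FAILED");
    return 0;
}
```

The path test is what the patch proposes and is only meaningful for FILE: caches; a real gssd would be better served by resolving the stored cache name through libkrb5 and treating a failed krb5_cc_get_principal() as "fetch a new TGT", which works for any cache type.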