From: Olga Kornievskaia
Date: Tue, 10 Dec 2019 19:44:53 -0500
Subject: Re: gssd question/patch
To: Steve Dickson
Cc: linux-nfs
X-Mailing-List: linux-nfs@vger.kernel.org

On Mon, Dec 9, 2019 at 3:20 PM Olga Kornievskaia wrote:
>
> On Mon, Dec 9, 2019 at 3:06 PM Steve Dickson wrote:
> >
> >
> >
> > On 12/9/19 11:49 AM, Olga Kornievskaia wrote:
> > > Hi Steve,
> > >
> > > On Mon, Dec 9, 2019 at 11:10 AM Steve Dickson wrote:
> > >>
> > >> Hey,
> > >>
> > >> On 12/6/19 1:29 PM, Olga Kornievskaia wrote:
> > >>> Hi Steve,
> > >>>
> > >>> Question: Is this an interesting failure scenario (bug) that should be
> > >>> fixed: client did a mount which acquired gss creds and stored in the
> > >>> credential cache. Then say it umounts at some point. Then for some
> > >>> reason the Kerberos cache is deleted (rm -f /tmp/krb5cc*). Now client
> > >>> mounts again. This currently fails. Because gssd uses internal cache
> > >>> to store creds lifetimes and thinks that tgt is still valid but then
> > >>> trying to acquire a service ticket it fails (since there is no tgt).
> > >> I'm unable to reproduce the scenario....
> > >>
> > >> (as root) mount -o sec=krb5 server:/home/tmp /mnt/tmp
> > >> (as kuser) kinit kuser
> > >> (as kuser) touch /mnt/tmp/foobar
> > >> (as root) umount /mnt/tmp/
> > >> (as root) rm -f /tmp/krb5cc*
> > >> (as root) mount -o sec=krb5 server:/home/tmp /mnt/tmp
> > >> (as kuser) touch /mnt/tmp/foobar # which succeeds
> > >>
> > >> Where am I going wrong?
> > >
> > > Not sure. Can you please post gssd verbose output?
> > >
> > > Set up. Client kernel somewhat recent though the latest, but in
> > > reality doesn't matter I think
> > > gssd from nfs-utils commit 5a004c161ff6c671f73a92d818a502264367a896
> > > "gssd: daemonize earlier"
> > >
> > > [aglo@localhost nfs-utils]$ sudo mount -o vers=4.1,sec=krb5 192.168.1.72:/nfsshare /mnt
> > > [aglo@localhost nfs-utils]$ touch /mnt/kerberos
> > Is there a kinit before this?
>
> yep.
>
> > > [aglo@localhost nfs-utils]$ sudo umount /mnt
> > > [aglo@localhost nfs-utils]$ sudo rm -fr /tmp/krb5cc*
> > > [aglo@localhost nfs-utils]$ sudo mount -o vers=4.1,sec=krb5 192.168.1.72:/nfsshare /mnt
> > > mount.nfs: access denied by server while mounting 192.168.1.72:/nfsshare
> > >
> > > Here's the gssd error output: If you look at 1st "INFO: Credentials in
> > > CC .... are good until..." is a lie as there isn't even a file there.
> > Here is what I'm seeing:
> > https://paste.centos.org/view/9473f4a3
>
> Well, can't see anything there (well I'm seeing the same double INFO
> which according to the code pass would not try to get the tgt and it
> should fail).
>
> I'm not using gss_proxy. Are you?

Any luck reproducing? I asked Jorge to try and he sees the same problem.

> >
> > steved.
> >
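
The failure mode discussed in this thread (a remembered credential lifetime outliving the deleted ccache file), as an added C illustration that is not nfs-utils code and not part of the original mail. The struct, the function names and the /tmp/krb5cc_demo_constructed path are hypothetical, and the stat() check stands in for actually querying the credential cache for a TGT.

```c
#include <stdio.h>
#include <time.h>
#include <sys/stat.h>

/* Hypothetical per-ccache record kept in memory (not gssd's own struct). */
struct cred_entry {
    char   ccname[64];  /* path of the FILE: credential cache */
    time_t endtime;     /* TGT expiry remembered from the last refresh */
};

/* Stale-prone: trusts only the remembered lifetime. */
static int tgt_valid_cached(const struct cred_entry *e, time_t now)
{
    return e->endtime > now;
}

/* Hardened: the remembered lifetime counts only while the ccache is
 * still a non-empty regular file on disk. */
static int tgt_valid_verified(const struct cred_entry *e, time_t now)
{
    struct stat st;
    if (e->endtime <= now)
        return 0;
    return stat(e->ccname, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0;
}

/* Constructed scenario: write a stand-in ccache, remember a 1-hour lifetime,
 * delete the file, then decide. Returns 1 = fetch a new TGT, 0 = skip. */
static int refresh_needed_after_delete(int verify)
{
    struct cred_entry e = { "/tmp/krb5cc_demo_constructed", 0 };
    time_t now = time(NULL);
    FILE *f = fopen(e.ccname, "w");

    if (!f) return -1;
    fputs("stand-in ccache contents\n", f);
    fclose(f);
    e.endtime = now + 3600;
    remove(e.ccname);               /* the "rm -f /tmp/krb5cc*" step */
    return verify ? !tgt_valid_verified(&e, now) : !tgt_valid_cached(&e, now);
}

int main(void)
{
    printf("cached-only: refresh=%d\n", refresh_needed_after_delete(0));
    printf("verified:    refresh=%d\n", refresh_needed_after_delete(1));
    return 0;
}
```

With the cached-only check the refresh is skipped even though the file is gone, which matches the "Credentials in CC ... are good until" message followed by a failed service-ticket request described in the thread.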