Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp855708ybl; Wed, 11 Dec 2019 08:31:16 -0800 (PST) X-Google-Smtp-Source: APXvYqyu9BgJlaHQqLd/J7R4b99+xVCGrktGZRzFcVXT1CK7H4nOf4LA4RO/tfuj5vnNFLJRiPLl X-Received: by 2002:a9d:7410:: with SMTP id n16mr2995463otk.23.1576081876590; Wed, 11 Dec 2019 08:31:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1576081876; cv=none; d=google.com; s=arc-20160816; b=ZjChcAJEVKZNvDhmFMQzS8S8clopgp5tnh3mnQh6Uip94FuAi7CwUqBZlWShO4Cdo3 YafyENvZVBkTTuvl+oCv8YU4lENDHxbxT3nFC4V8rJc5WneAJp+YgdF8fpD/381MpuAA Gl8UpR7mXvNeDZIs8Ep264f6W/lbTac8ZFP9UJigDt/H7jkSpMAX3QjZEqXWuZW1FnBT 9Dlocrujy9j4iTiRNyEYxIbhO2t1NnmGI6/Dcc1Km+V3HbYHSLLILFfrqplSfN2A8idC o53SHXZOlX+uvTQCc3YgC9qwPVudmY5OpA5QEvB2z5Jod1fDlPk1yO62eNHrvh93vzik z0Xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=KM6Kl1I/3sXPCQw9Jvr/LcwA7RN2oH6r8pxWjmKW4bY=; b=y9twj/DUD8UCblP7KHfcwRuTe47dq/hyiIDuCBJZXVV0R4p6EQtEBdJ0Namo6kl3Kd cWLynoVTFLN9ZSNQl5PDt4OGdP1Wap7+sY+l1KCWliusJ6fifLEfsU6IhSa3wGe1VYza 6AEzQZgR1V3xLMj3w4UFtRB25jZbuIELbjVowcjicxTi6xv9d5DZ4UVHX6KBdYyYNXJ9 xYe4Mj/ZdZbUCrhurTup2l+DOpXFCv3QIDzVGrV1hJK9hc+SYOv9Wcjk2LJ7hd1UKhbp YI4Brmgkw1SWhKx0FfJtXfw1dubfjLKnK72cn8SB7FrU4JWg0IpzGTZSwU1ZXLGeTaaz O6tw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=HBjZlfsh; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g25si1364211otp.20.2019.12.11.08.30.54; Wed, 11 Dec 2019 08:31:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=HBjZlfsh; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730285AbfLKQaN (ORCPT + 99 others); Wed, 11 Dec 2019 11:30:13 -0500 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:35387 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730220AbfLKQaM (ORCPT ); Wed, 11 Dec 2019 11:30:12 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1576081811; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KM6Kl1I/3sXPCQw9Jvr/LcwA7RN2oH6r8pxWjmKW4bY=; b=HBjZlfshdvedPwr0m8/cBd8JRVFNU2+mOZNA8TgO3CR3X/RBVT2hngo97YZ/tkXEkYVrCK 9QbBG2P+dXWl9kf7UmWR+IkrBDcHCoEzvdbZx0iTm7Lrk9qLL/GQZ3vFN3Jhtrq9ASRkDg 6zu3Fz8Dr0fW7cYLVI+I0LRWNZesruM= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-394-goMHQSttNJabAvpSjo8Bwg-1; Wed, 11 Dec 2019 11:30:09 -0500 X-MC-Unique: goMHQSttNJabAvpSjo8Bwg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CC351100EEFC; Wed, 11 Dec 2019 16:30:08 +0000 (UTC) Received: from madhat.boston.devel.redhat.com (ovpn-116-200.phx2.redhat.com [10.3.116.200]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6A25A605FF; Wed, 11 Dec 2019 16:30:08 +0000 (UTC) Subject: Re: gssd question/patch To: Olga Kornievskaia Cc: linux-nfs References: <8c69eee5-9dc1-2a14-1bd2-cf812bdb39a4@RedHat.com> <47f12fef-bf43-62d8-adda-303e3e551f36@RedHat.com> From: Steve Dickson Message-ID: <583a32ec-15ae-1646-fe68-246371e8e978@RedHat.com> Date: Wed, 11 Dec 2019 11:29:58 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On 12/10/19 7:44 PM, Olga Kornievskaia wrote: > On Mon, Dec 9, 2019 at 3:20 PM Olga Kornievskaia wrote: >> >> On Mon, Dec 9, 2019 at 3:06 PM Steve Dickson wrote: >>> >>> >>> >>> On 12/9/19 11:49 AM, Olga Kornievskaia wrote: >>>> Hi Steve, >>>> >>>> On Mon, Dec 9, 2019 at 11:10 AM Steve Dickson wrote: >>>>> >>>>> Hey, >>>>> >>>>> On 12/6/19 1:29 PM, Olga Kornievskaia wrote: >>>>>> Hi Steve, >>>>>> >>>>>> Question: Is this an interesting failure scenario (bug) that should be >>>>>> fixed: client did a mount which acquired gss creds and stored in the >>>>>> credential cache. Then say it umounts at some point. Then for some >>>>>> reason the Kerberos cache is deleted (rm -f /tmp/krb5cc*). Now client >>>>>> mounts again. This currently fails. Because gssd uses internal cache >>>>>> to store creds lifetimes and thinks that tgt is still valid but then >>>>>> trying to acquire a service ticket it fails (since there is no tgt). >>>>> I'm unable reproduce the scenario.... >>>>> >>>>> (as root) mount -o sec=krb5 server:/home/tmp /mnt/tmp >>>>> (as kuser) kinit kuser >>>>> (as kuser) touch /mnt/tmp/foobar >>>>> (as root) umount /mnt/tmp/ >>>>> (as root) rm -f /tmp/krb5cc* >>>>> (as root) mount -o sec=krb5 server:/home/tmp /mnt/tmp >>>>> (as kuser) touch /mnt/tmp/foobar # which succeeds >>>>> >>>>> Where am I going wrong? >>>> >>>> Not sure. Can you please post gssd verbose output? >>>> >>>> Set up. Client kernel somewhat recent though the latest, but in >>>> reality doesn't matter i think >>>> gssd from nfs-utils commit 5a004c161ff6c671f73a92d818a502264367a896 >>>> "gssd: daemonize earlier" >>>> >>>> [aglo@localhost nfs-utils]$ sudo mount -o vers=4.1,sec=krb5 >>>> 192.168.1.72:/nfsshare /mnt >>>> [aglo@localhost nfs-utils]$ touch /mnt/kerberos >>> Is there a kinit before this? >> >> yep. >> >>>> [aglo@localhost nfs-utils]$ sudo umount /mnt >>>> [aglo@localhost nfs-utils]$ sudo rm -fr /tmp/krb5cc* >>>> [aglo@localhost nfs-utils]$ sudo mount -o vers=4.1,sec=krb5 >>>> 192.168.1.72:/nfsshare /mnt >>>> mount.nfs: access denied by server while mounting 192.168.1.72:/nfsshare >>>> >>>> Here's the gssd error output: If you look at 1st "INFO: Credentials in >>>> CC .... are good until..." is a lie as there isn't even a file there. >>> Here is what I'm seeing: >>> https://paste.centos.org/view/9473f4a3 >> >> Well, can't see anything there (well I'm seeing the same double INFO >> which according to the code pass would not try to get the tgt and it >> should fail). >> >> I'm not using gss_proxy. Are you? Yes I am... I'll try turning it off.. > > Any luck reproducing? I asked Jorge to try and he sees the same problem. Not yet... but I'm still trying... steved. > >> >>> >>> steved. >>> >