author: Lukas Hejtmanek <xhejtman@gmail.com> 2013-03-20 13:24:02 -0400
committer: Steve Dickson <steved@redhat.com> 2013-03-25 10:09:09 -0400
commit: da54dec3cb40095cac96fd2d838144129262ac7f
tree: ac8f457ec613dccc56040d465a1cfdaa244e6146
parent: 5b9108f73a5f15372f9be9238070cf8d62956a49
gssd - expired credentials problem
I noticed that there is a problem with expired credentials if the NFS client's time is even a few seconds behind the KDC's or NFS server's time. The client's kernel requests a new GSS context, but rpc.gssd is happy with the existing krb cache as it is valid according to local time.

Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- utils/gssd/krb5_util.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 4befa72..8178ae7 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -350,6 +350,11 @@ gssd_get_single_krb5_cred(krb5_context context,
memset(&my_creds, 0, sizeof(my_creds));
+ /*
+ * Workaround for clock skew among NFS server, NFS client and KDC
+ * 300 because clock skew must be within 300sec for kerberos
+ */
+ now += 300;
if (ple->ccname && ple->endtime > now && !nocache) {
printerr(2, "INFO: Credentials in CC '%s' are good until %d\n",
ple->ccname, ple->endtime);
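Review bot: `now += 300;` changes `now` in place just before the `ple->endtime > now` cache check, so any later use of `now` in gssd_get_single_krb5_cred would also see a time 300 seconds in the future, not only this comparison. Keeping `now` untouched and writing the test as `ple->endtime > now + 300` would limit the adjustment to the one decision it is meant for. The literal 300 matches the default Kerberos skew tolerance that the comment cites, but that tolerance is configurable per site (`clockskew` in krb5.conf), so a named constant, or the value taken from the krb5 context, would keep the margin and the policy from drifting apart. The comment could also state the effect plainly: a cached credential with less than 300 seconds of lifetime left is now treated as expired and re-fetched.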