diff options
author | Lukas Hejtmanek <xhejtman@gmail.com> | 2013-03-20 13:24:02 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2013-03-25 10:09:09 -0400 |
commit | da54dec3cb40095cac96fd2d838144129262ac7f (patch) | |
tree | ac8f457ec613dccc56040d465a1cfdaa244e6146 | |
parent | 5b9108f73a5f15372f9be9238070cf8d62956a49 (diff) | |
download | nfs-utils-da54dec3cb40095cac96fd2d838144129262ac7f.tar.gz nfs-utils-da54dec3cb40095cac96fd2d838144129262ac7f.tar.xz nfs-utils-da54dec3cb40095cac96fd2d838144129262ac7f.zip |
gssd - expired credentials problem
I noticed that there is a problem with expired credentials if NFS
client's time is even few seconds behind KDC's or NFS server's time.
Client's kernel requests new GSS context but rpc.gssd is happy with
existing krb cache as it valid according to local time.
Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- | utils/gssd/krb5_util.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 4befa72..8178ae7 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -350,6 +350,11 @@ gssd_get_single_krb5_cred(krb5_context context, memset(&my_creds, 0, sizeof(my_creds)); + /* + * Workaround for clock skew among NFS server, NFS client and KDC + * 300 because clock skew must be within 300sec for kerberos + */ + now += 300; if (ple->ccname && ple->endtime > now && !nocache) { printerr(2, "INFO: Credentials in CC '%s' are good until %d\n", ple->ccname, ple->endtime); |