author | Andy Adamson <andros@netapp.com> | 2012-10-18 13:21:09 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2012-10-18 13:21:09 -0400 |
commit | 8213acaf93f748d7d0efe085aded3ab9b6871e9b (patch) | |
tree | 19d7afe204f282b6db7eb459cd887114e4f8f28d /linux-nfs/ChangeLog | |
parent | 985f89a8a87f2626583b240f7abad86d97a77596 (diff) | |
GSSD: Pass GSS_context lifetime to the kernel.

From: Andy Adamson <andros@netapp.com>

The kernel gss_cl_ctx stores the context lifetime in gc_expiry, set
by gssd in do_downcall() called by process_krb5_upcall(). The lifetime
value is currently not related at all to the Kerberos TGS lifetime.
It is either set to the value of gssd -t <timeout>, or to a kernel
default of 3600 seconds.

Most of the time the gssd -t command line is not set, and a timeout
value of zero was sent to the kernel triggering the use of the 3600
second kernel default timeout.

In order for the kernel to properly know when to renew a context, or to
stop buffering writes for a context about to expire, the gc_expiry value
needs to reflect the credential lifetime used to create the context.

Note that gss_inquire_cred returns the number of seconds for which the
context remains valid in the lifetime_rec parameter.

Send the actual TGS remaining lifetime to the kernel. It can still be
overwritten by the gssd -t command line option, or set to the kernel
default if the gss_inquire_cred call fails (which sets the lifetime_rec
to zero).

Signed-off-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>

Diffstat (limited to 'linux-nfs/ChangeLog')
0 files changed, 0 insertions, 0 deletions