From 74de1431adebb7780a2c4b9c122050e2fb7608b8 Mon Sep 17 00:00:00 2001 From: Weston Andros Adamson Date: Mon, 28 Oct 2013 08:26:37 -0400 Subject: gssd: validate cred in gssd_acquire_user_cred Call gss_inquire_cred after gssd_acquire_krb5_cred check for expired credentials. This fixes a recent regression (since 302de786930a2c533068f9d8909a) that causes the user's ticket cache to grow unbounded with expired service tickets when the user's credentials expire. To reproduce this issue: - mount kerberos nfs export - kinit for a short lifetime (ie "kinit -l 1m") - run a job that opens a file and writes for more than the lifetime - run klist a few times after expiry and see the list grow, ie: Ticket cache: DIR::/run/user/1749600001/krb5cc/tktYmpGlX Default principal: dros@APIKIA.FAKE Valid starting Expires Service principal 10/21/2013 15:39:38 10/21/2013 15:40:35 krbtgt/APIKIA.FAKE@APIKIA.FAKE 10/21/2013 15:39:40 10/21/2013 15:40:35 nfs/zero.apikia.fake@APIKIA.FAKE Signed-off-by: Weston Andros Adamson Reviewed-by: Simo Sorce Signed-off-by: Steve Dickson --- utils/gssd/krb5_util.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index c6e52fd..697d1d2 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1405,6 +1405,13 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) ret = gssd_acquire_krb5_cred(name, gss_cred); + /* force validation of cred to check for expiry */ + if (ret == 0) { + if (gss_inquire_cred(&min_stat, *gss_cred, NULL, NULL, + NULL, NULL) != GSS_S_COMPLETE) + ret = -1; + } + maj_stat = gss_release_name(&min_stat, &name); return ret; } -- cgit