[36845] in Kerberos


Re: Switching identity using kinit/kdestroy for NFSv4 mounts

daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Mar 13 12:25:23 2015

Message-ID: <1426263896.2981.45.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Brandon Allbery <ballbery@sinenomine.net>
Date: Fri, 13 Mar 2015 12:24:56 -0400
In-Reply-To: <1426255515.11130.3.camel@vikktakkht>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, 2015-03-13 at 14:05 +0000, Brandon Allbery wrote:
> On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> > There is a bug report/suggested patch which seems to make it possible
> > but never seemed to get into the kernel:
> > http://www.spinics.net/lists/linux-nfs/msg34236.html
> > 
> > What is your opinion to this behavior?
> > Do you think this is reasonable from kerberos point of view, or do you
> > also think this needs to be changed?
> 
> This isn't Kerberos's fault, but NFS's; it's how it avoids having token
> management like AFS uses (extra aklog step to register ticket with
> filesystem and unlog to deregister it). Personally, I prefer AFS's way
> of dealing with it; the whole business about snooping ticket caches and
> caching its own private copy is concerning security-wise and seems like
> it would easily become confused.
> 

Note that NFS does not cache a ticket, it simply does not destroy the
GSS Session after it has been created.

If the session is invalidated, though, the kernel will not be able to
negotiate a new one if the ccache has been destroyed.

An interface to allow destroying the NFS user session on kdestroy has
been discussed with NFS upstream before, but it hasn't gone anywhere yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
