Kerberos+NFS4
John Devitofranceschi
jdvf at optonline.net
Wed Jul 31 07:07:35 EDT 2013
On Jul 31, 2013, at 5:05 AM, Andreas Hauffe <andreas.hauffe at tu-dresden.de> wrote:
> Yes, it is an OpenSuSE 12.3 client. So this means, this is a completely normal
> behaviour?
>
> Andreas
>
> On Wednesday, 31 July 2013, 10:01:20, moritz.willers at ubs.com wrote:
>> I assume this is a Linux client? Yes, the security context established by
>> rpc.gssd is cached. - mo
>>
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
>> Of Andreas Hauffe Sent: 31 July 2013 10:47
>> To: kerberos at mit.edu
>> Subject: Re: Kerberos+NFS4
>>
>> Ok, this is a behaviour I can understand. If the user was logged in and is
>> now completely logged out (even with kdestroy) there is no
>> /tmp/krb5cc_<uid>*. But the local root can still access the data with a 'su
>> $USERNAME'. Is there some kind of cache?
>>
>> Andreas
>>
According to the man page, the security context will last for the lifetime of the Kerberos ticket used to establish it.
It seems that kdestroy does not invalidate the context and it lives on.
This should be easy to test: just establish a ccache that expires after a few minutes, kdestroy the ccache and observe the behaviour you've described previously. Then wait for the natural ticket expiration period that you set and check again.
jd
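
The test suggested in the message above, written out as a shell script. This is an added example, not part of the original thread; the function names, the placeholder mount path and the 60-second margin after expiry are assumptions.

```sh
#!/bin/sh
# Added example. Assumed names: ctx_test, probe, verdict; commands are
# overridable through KINIT/KDESTROY/SLEEP so the logic can be dry-run.
KINIT=${KINIT:-kinit}
KDESTROY=${KDESTROY:-kdestroy}
SLEEP=${SLEEP:-sleep}

# Print "ok" if DIR can be listed, "denied" otherwise. NFS client-side
# caching can mask a denial, so use a directory not listed recently.
probe() {
    if ls "$1" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# Interpret the three observations: before kdestroy, after kdestroy,
# after the ticket's natural expiry.
verdict() {
    case "$1,$2,$3" in
        ok,ok,denied) echo "context cached until ticket expiry" ;;
        ok,ok,ok)     echo "context outlived ticket lifetime" ;;
        ok,denied,*)  echo "context dropped at kdestroy" ;;
        *)            echo "inconclusive: no access with a fresh ticket" ;;
    esac
}

# ctx_test DIR MINUTES [PRINCIPAL]
ctx_test() {
    "$KINIT" -l "${2}m" ${3:+"$3"} || return 2   # short-lived ccache
    t_before=$(probe "$1")
    "$KDESTROY" || return 2                         # user "logs out"
    t_destroyed=$(probe "$1")
    "$SLEEP" $(( $2 * 60 + 60 ))                    # expiry + 60 s margin
    t_expired=$(probe "$1")
    echo "before=$t_before after_kdestroy=$t_destroyed after_expiry=$t_expired" >&2
    verdict "$t_before" "$t_destroyed" "$t_expired"
}

# Example run on a Kerberized NFSv4 mount (path is a placeholder):
#   ctx_test /mnt/nfs4/home/alice 5
```

A result of "context outlived ticket lifetime" means access persisted past the ticket's end time and deserves a closer look at client caching and the rpc.gssd configuration.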