Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work
Simo Sorce
simo at redhat.com
Fri Mar 13 12:24:56 EDT 2015
On Fri, 2015-03-13 at 14:05 +0000, Brandon Allbery wrote:
> On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> > There is a bug report/suggested patch which seems to make it possible
> > but never seemed to get into the kernel:
> > http://www.spinics.net/lists/linux-nfs/msg34236.html
> >
> > What is your opinion to this behavior?
> > Do you think this is reasonable from kerberos point of view, or do you
> > also think this needs to be changed?
>
> This isn't Kerberos's fault, but NFS's; it's how it avoids having token
> management like AFS uses (extra aklog step to register ticket with
> filesystem and unlog to deregister it). Personally, I prefer AFS's way
> of dealing with it; the whole business about snooping ticket caches and
> caching its own private copy is concerning security-wise and seems like
> it would easily become confused.
>
Note that NFS does not cache a ticket, it simply does not destroy the
GSS session after it has been created.
If the session is invalidated, though, the kernel will not be able to
negotiate a new one if the ccache has been destroyed.
An interface to allow destroying the NFS user's session on kdestroy has
been discussed with NFS upstream before, but it hasn't gone anywhere yet.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
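The sequence Simo describes (the kernel keeps the GSS session after kdestroy, a later kinit as another principal is not picked up until that session is invalidated, and once the ccache is gone a renegotiation fails) is easy to misread from prose alone. The following is an added toy model of that behaviour, not code from the thread, the Linux NFS client or the kernel patch linked above. The class and method names (NfsClientModel, _gssd_upcall, flush_context), the principal names and the one-context-per-uid simplification are all constructed for the illustration; flush_context stands in for the kdestroy hook the message says was discussed but never merged.

```python
# Added illustration: a toy model of the NFSv4/GSS behaviour discussed in
# the thread.  Not code from the kernel or the NFS project; all names and
# the "one ccache and one kernel context per uid, one mount" simplification
# are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict


@dataclass
class Ccache:
    """Userspace Kerberos credential cache, as created by kinit."""
    principal: str


@dataclass
class GssContext:
    """Kernel-side GSS security context negotiated for one uid."""
    principal: str
    valid: bool = True


class NfsClientModel:
    def __init__(self) -> None:
        self.ccaches: Dict[int, Ccache] = {}       # uid -> ccache (userspace)
        self.contexts: Dict[int, GssContext] = {}  # uid -> context (kernel)

    # userspace: what kinit / kdestroy actually change
    def kinit(self, uid: int, principal: str) -> None:
        self.ccaches[uid] = Ccache(principal)

    def kdestroy(self, uid: int) -> None:
        # Removes the ccache only; the kernel is not told anything.
        self.ccaches.pop(uid, None)

    # kernel side
    def _gssd_upcall(self, uid: int) -> GssContext:
        """Modelled rpc.gssd upcall: read the ccache, negotiate a context."""
        cc = self.ccaches.get(uid)
        if cc is None:
            raise PermissionError("EACCES: no credentials for uid %d" % uid)
        self.contexts[uid] = GssContext(cc.principal)
        return self.contexts[uid]

    def nfs_access(self, uid: int) -> str:
        """Return the principal an NFS request from `uid` is sent as.

        A valid cached context is reused without consulting the ccache;
        only a missing or invalidated context triggers an upcall.
        """
        ctx = self.contexts.get(uid)
        if ctx is None or not ctx.valid:
            ctx = self._gssd_upcall(uid)
        return ctx.principal

    def invalidate_context(self, uid: int) -> None:
        """Server-side expiry or rejection of the existing context."""
        if uid in self.contexts:
            self.contexts[uid].valid = False

    def flush_context(self, uid: int) -> None:
        """Hypothetical 'unlog'-style hook (assumed, not merged upstream):
        drop the kernel context when the user runs kdestroy."""
        self.contexts.pop(uid, None)


def run_scenario(uid: int = 1000) -> Dict[str, str]:
    """Walk through the sequence discussed in the thread; constructed data."""
    m = NfsClientModel()
    out: Dict[str, str] = {}

    m.kinit(uid, "alice@EXAMPLE.COM")
    out["after_kinit_alice"] = m.nfs_access(uid)    # alice
    m.kdestroy(uid)
    out["after_kdestroy"] = m.nfs_access(uid)       # still alice: session kept
    m.kinit(uid, "bob@EXAMPLE.COM")
    out["after_kinit_bob"] = m.nfs_access(uid)      # still alice: not switched
    m.invalidate_context(uid)
    out["after_invalidate"] = m.nfs_access(uid)     # bob: renegotiated
    m.kinit(uid, "carol@EXAMPLE.COM")
    m.flush_context(uid)                            # the hypothetical hook
    out["after_flush"] = m.nfs_access(uid)          # carol: switch took effect
    m.kdestroy(uid)
    m.invalidate_context(uid)
    try:
        m.nfs_access(uid)
        out["after_kdestroy_and_invalidate"] = "ok"
    except PermissionError:
        out["after_kdestroy_and_invalidate"] = "EACCES"  # no ccache to use
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print("%-32s %s" % (step, result))
```

The two middle results are the ones that matter operationally: after kdestroy the mount keeps working as the old principal, and a kinit as a different principal changes nothing until the kernel's context is invalidated, which on a real client only happens on expiry or server rejection.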