Bug 1081208

Summary: RHEL GSSD: Pass GSS_context lifetime to the kernel
Product: Red Hat Enterprise Linux 6
Reporter: Andy Adamson <andros>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: JianHong Yin <jiyin>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.5
CC: andros, csieh, eguan, ricardo.labiaga, rvdwees, smayhew
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: nfs-utils-1.2.3-42.
Doc Type: Bug Fix
Doc Text:
Cause: started rpc.gssd.
Consequence: A zero lifetime is sent to the kernel which then guesses and uses a default lifetime.
Fix: The lifetime is passed to the kernel.
Result: The kernel uses the timeout to time out GSS contexts.
Last Closed: 2014-10-14 04:33:36 UTC
Type: Bug

Description Andy Adamson 2014-03-26 18:37:09 UTC
Description of problem: rpc.gssd does not pass down the newly created gss context lifetime to the kernel.


Version-Release number of selected component (if applicable): RHEL 6.5 (nfs-utils-1.2.3)


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results: A zero lifetime is sent to the kernel which then guesses and uses a default lifetime. 


Expected results: The lifetime is passed to the kernel and the kernel GSS context uses it.


Additional info:

This patch addresses the issue:

From 8213acaf93f748d7d0efe085aded3ab9b6871e9b Mon Sep 17 00:00:00 2001
From: Andy Adamson <andros>
Date: Thu, 18 Oct 2012 13:21:09 -0400
Subject: [PATCH 1/1] GSSD: Pass GSS_context lifetime to the kernel.

From: Andy Adamson <andros>

The kernel gss_cl_ctx stores the context lifetime in gc_expiry, set
by gssd in do_downcall() called by process_krb5_upcall(). The lifetime
value is currently not related at all to the Kerberos TGS lifetime.
It is either set to the value of gssd -t <timeout>, or to a kernel
default of 3600 seconds.

Most of the time the gssd -t command line is not set, and a timeout
value of zero was sent to the kernel triggering the use of the 3600
second kernel default timeout.

In order for the kernel to properly know when to renew a context, or to
stop buffering writes for a context about to expire, the gc_expiry value
needs to reflect the credential lifetime used to create the context.

Note that gss_inquire_cred returns the number of seconds for which the
context remains valid in the lifetime_rec parameter.

Send the actual TGS remaining lifetime to the kernel. It can still be
overwritten by the gssd -t command line option, or set to the kernel
default if the gss_inquire_cred call fails (which sets the lifetime_rec
to zero).

Signed-off-by: Andy Adamson <andros>
Signed-off-by: Steve Dickson <steved>
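
The lifetime selection described in the commit message above, modelled as an added example; it is not the nfs-utils patch or kernel code. The function names and sample lifetimes are constructed for illustration, while the 3600-second default and the precedence of -t over lifetime_rec are taken from the commit message.

```c
#include <stdio.h>

/* Kernel default named in the commit message, used when gssd sends zero. */
#define KERNEL_DEFAULT_LIFETIME 3600u

/* Before the fix: gssd sent only the -t value, which is zero when -t is unset. */
static unsigned downcall_before(unsigned cli_timeout)
{
    return cli_timeout;
}

/* After the fix: -t still overrides; otherwise send lifetime_rec from
 * gss_inquire_cred, which is zero when that call fails. */
static unsigned downcall_after(unsigned cli_timeout, unsigned lifetime_rec)
{
    return cli_timeout ? cli_timeout : lifetime_rec;
}

/* Kernel side: a zero lifetime in the downcall selects the default. */
static unsigned kernel_lifetime(unsigned downcall)
{
    return downcall ? downcall : KERNEL_DEFAULT_LIFETIME;
}

/* Seconds for which the kernel still treats the context as valid after
 * the credential that created it has expired. */
static unsigned stale_window(unsigned kernel_secs, unsigned cred_secs)
{
    return kernel_secs > cred_secs ? kernel_secs - cred_secs : 0;
}

int main(void)
{
    /* Constructed cases: { -t value, remaining credential lifetime }. */
    static const unsigned cases[][2] = { {0, 600}, {0, 36000}, {900, 600} };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned t = cases[i][0], cred = cases[i][1];
        unsigned before = kernel_lifetime(downcall_before(t));
        unsigned after = kernel_lifetime(downcall_after(t, cred));
        printf("-t=%u cred=%us: before=%us (stale %us), after=%us (stale %us)\n",
               t, cred, before, stale_window(before, cred),
               after, stale_window(after, cred));
    }
    return 0;
}
```

The third case shows that an explicit -t larger than the remaining credential lifetime still leaves a stale window after the fix, because the option overrides the inquired value.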

Comment 5 errata-xmlrpc 2014-10-14 04:33:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1407.html