Description of problem:
[nfs-ganesha+kerberos]: user continues to perform IO's after ticket destroy, until volume is remounted.
Version-Release number of selected component (if applicable):
nfs-ganesha-2.3.1-8
How reproducible:
Always
Steps to Reproduce:
>> Mount the volume using krb5 on a client and perform some IO's:
[root@dhcp42-130 ~]# df
dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672 509952 187166720 1% /mnt3
>> Login as guest user and try to access mount point and observe that it gives permission denied message:
[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:09:26 IST 2016 on pts/0
[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied
>> Generate a Kerberos ticket for the user
[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
[guest@dhcp42-130 ~]$ kinit
Password for guest.BLR.REDHAT.COM:
[guest@dhcp42-130 mnt3]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: guest.BLR.REDHAT.COM
Valid starting Expires Service principal
06/10/2016 19:42:48 06/11/2016 19:42:41 nfs/dhcp42-142.lab.eng.blr.redhat.com.BLR.REDHAT.COM
06/10/2016 19:42:41 06/11/2016 19:42:41 krbtgt/LAB.ENG.BLR.REDHAT.COM.BLR.REDHAT.COM
>> Do some IO's on the mountpoint:
[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file11 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ touch file100
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file2 file3 file4 file5 file7 file8 file9 raj
>> Destroy the ticket for the user:
[guest@dhcp42-130 ~]$ kdestroy
[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
>> Observe that even after destroying the ticket, user is able to perform IO's:
[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:17:58 IST 2016
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ touch file123
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file123 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:28:37 IST 2016
[guest@dhcp42-130 mnt3]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
>> Umount the volume from root and again mount it
[guest@dhcp42-130 mnt3]$ exit
logout
[root@dhcp42-130 ~]# df
dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672 509952 187166720 1% /mnt3
[root@dhcp42-130 ~]# umount /mnt3
[root@dhcp42-130 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/rhel_dhcp42--130-root 27740944 1341788 26399156 5% /
devtmpfs 3995072 0 3995072 0% /dev
tmpfs 4005468 0 4005468 0% /dev/shm
tmpfs 4005468 8588 3996880 1% /run
tmpfs 4005468 0 4005468 0% /sys/fs/cgroup
/dev/vda1 508588 126924 381664 25% /boot
tmpfs 801096 0 801096 0% /run/user/0
[root@dhcp42-130 ~]# mount -t nfs -o sec=krb5 dhcp42-142.lab.eng.blr.redhat.com:/testvolume /mnt3
>> Again login as guest user and try to perform IO's and observe that it gives permission denied error now:
[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:16:52 IST 2016 on pts/0
[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied
[guest@dhcp42-130 ~]$
Actual results:
user continues to perform IO's after ticket destroy, until volume is remounted.
Expected results:
IO should not happen when the ticket for a user is destroyed.
Additional info:
kdestroy is not really a good way to test this. I assume the ticket is still in the kernel's keyring for the user's session.
Instead of doing kdestroy, it is better to pass a lifetime to the kinit command. For example, to have a ticket that is valid for two minutes:
$ kinit -l 2m
Please re-test with this.
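
A re-test along the lines suggested in the comment above, as an added example that is not part of the original bug report: it requests a short-lived ticket with `kinit -l` and polls the krb5 mount until IO is refused. The function names, the 10-second poll interval and the 900-second ceiling are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names, the 10 s poll
# interval and the 900 s ceiling are assumptions.

# probe_io DIR: one directory read plus one write, as the calling user.
# Re-touches a single marker file in DIR on every call.
probe_io() {
    ls "$1" >/dev/null 2>&1 && touch "$1/.krb5_probe_$$" 2>/dev/null
}

# seconds_until_denied PROBE ARG INTERVAL MAX
# Calls "PROBE ARG" every INTERVAL seconds. Prints the elapsed seconds and
# returns 0 as soon as the probe fails; returns 1 without output if the
# probe was still succeeding MAX seconds after the start.
seconds_until_denied() {
    probe=$1 arg=$2 interval=$3 max=$4
    start=$(date +%s)
    while :; do
        elapsed=$(( $(date +%s) - start ))
        if ! "$probe" "$arg"; then
            echo "$elapsed"
            return 0
        fi
        if [ "$elapsed" -ge "$max" ]; then
            return 1
        fi
        sleep "$interval"
    done
}

# retest_short_ticket MOUNTPOINT [LIFETIME]
retest_short_ticket() {
    mnt=$1 lifetime=${2:-2m}
    kinit -l "$lifetime" || return 2   # prompts for the user's password
    klist                              # keep the "Expires" time in the log
    if t=$(seconds_until_denied probe_io "$mnt" 10 900); then
        echo "IO refused ${t}s after kinit -l $lifetime"
    else
        echo "IO still allowed 900s after kinit -l $lifetime" >&2
        return 1
    fi
}
```

Source the file as the guest user on the client and run `retest_short_ticket /mnt3`; exit status 1 means IO was still being served when the ceiling was reached.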