Description of problem:
[nfs-ganesha+kerberos]: user continues to perform IO's after ticket destroy, until volume is remounted.

Version-Release number of selected component (if applicable):
nfs-ganesha-2.3.1-8

How reproducible:
Always

Steps to Reproduce:

>> Mount the volume using krb5 on a client and perform some IO's:

[root@dhcp42-130 ~]# df
dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672 509952 187166720 1% /mnt3

>> Login as guest user and try to access mount point and observe that it gives permission denied message:

[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:09:26 IST 2016 on pts/0
[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied

>> Generate a Kerberos ticket for the user

[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
[guest@dhcp42-130 ~]$ kinit
Password for guest.BLR.REDHAT.COM:
[guest@dhcp42-130 mnt3]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: guest.BLR.REDHAT.COM

Valid starting       Expires              Service principal
06/10/2016 19:42:48  06/11/2016 19:42:41  nfs/dhcp42-142.lab.eng.blr.redhat.com.BLR.REDHAT.COM
06/10/2016 19:42:41  06/11/2016 19:42:41  krbtgt/LAB.ENG.BLR.REDHAT.COM.BLR.REDHAT.COM

>> Do some IO's on the mountpoint:

[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file11 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ touch file100
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file2 file3 file4 file5 file7 file8 file9 raj

>> Destroy the ticket for the user:

[guest@dhcp42-130 ~]$ kdestroy
[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

>> Observe that even after destroying the ticket, user is able to perform IO's:

[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:17:58 IST 2016
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ touch file123
[guest@dhcp42-130 mnt3]$ ls
fil6 file1 file10 file100 file11 file123 file2 file3 file4 file5 file7 file8 file9 raj
[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:28:37 IST 2016
[guest@dhcp42-130 mnt3]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

>> Umount the volume from root and again mount it

[guest@dhcp42-130 mnt3]$ exit
logout
[root@dhcp42-130 ~]# df
dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672 509952 187166720 1% /mnt3
[root@dhcp42-130 ~]# umount /mnt3
[root@dhcp42-130 ~]# df
Filesystem                        1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel_dhcp42--130-root  27740944 1341788  26399156   5% /
devtmpfs                            3995072       0   3995072   0% /dev
tmpfs                               4005468       0   4005468   0% /dev/shm
tmpfs                               4005468    8588   3996880   1% /run
tmpfs                               4005468       0   4005468   0% /sys/fs/cgroup
/dev/vda1                            508588  126924    381664  25% /boot
tmpfs                                801096       0    801096   0% /run/user/0
[root@dhcp42-130 ~]# mount -t nfs -o sec=krb5 dhcp42-142.lab.eng.blr.redhat.com:/testvolume /mnt3

>> Again login as guest user and try to perform IO's and observe that it gives permission denied error now:

[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:16:52 IST 2016 on pts/0
[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied
[guest@dhcp42-130 ~]$

Actual results:
User continues to perform IO's after ticket destroy, until volume is remounted.

Expected results:
IO should not happen when the ticket for a user is destroyed.

Additional info:

kdestroy is not really a good way to test this. I assume the ticket is still in the kernel's keyring for the user's session. Instead of doing kdestroy, it is better to pass a lifetime to the kinit command. For example, to have a ticket that is valid for two minutes:

$ kinit -l 2m

Please re-test with this.

QE will reopen this issue if again observed in testing. Clearing needinfo.
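
The re-test with a short ticket lifetime suggested in this thread can be scripted so that each probe of the mount is timestamped against the ticket's expiry. This is an added example, not part of the original bug report or of nfs-ganesha; the function names `classify` and `retest` and the probe file name are hypothetical, and `GRACE` assumes the MIT krb5 default clock-skew allowance of 300 seconds.

```shell
#!/bin/sh
# Added example (not from the bug report): time-boxed re-test of krb5 NFS access.
# Run as the unprivileged user, e.g.:  retest /mnt3

LIFETIME=120   # seconds; matches the "kinit -l 2m" suggested in the thread
GRACE=300      # assumption: server accepts tickets within default clock skew

# classify EXPIRY NOW RC
# EXPIRY/NOW are epoch seconds, RC is the exit status of the probe (0 = allowed).
classify() {
    c_expiry=$1; c_now=$2; c_rc=$3
    if [ "$c_now" -le "$c_expiry" ]; then
        if [ "$c_rc" -eq 0 ]; then echo "ok-ticket-valid"
        else echo "denied-while-valid"; fi
    elif [ "$c_rc" -ne 0 ]; then
        echo "denied-after-expiry"          # expected behaviour
    elif [ "$c_now" -le $((c_expiry + GRACE)) ]; then
        echo "allowed-in-grace"             # inconclusive, keep probing
    else
        echo "BUG-access-after-expiry"      # the behaviour reported above
    fi
}

# retest MOUNTPOINT
# Returns 0 if access is denied after expiry, 1 if it persists, 2 on setup error.
retest() {
    mnt=$1
    kinit -l 2m || return 2
    expiry=$(( $(date +%s) + LIFETIME ))
    end=$(( expiry + GRACE + 60 ))
    while now=$(date +%s); [ "$now" -le "$end" ]; do
        # A create must reach the server; a plain ls may be answered
        # from the client's cache and hide the result.
        rc=0
        touch "$mnt/.expiry_probe.$now" 2>/dev/null || rc=$?
        verdict=$(classify "$expiry" "$now" "$rc")
        echo "$(date '+%F %T') rc=$rc $verdict"
        case $verdict in
            denied-after-expiry) return 0 ;;
            BUG-*|denied-while-valid) return 1 ;;
        esac
        sleep 15
    done
    return 1
}
```

The probe files created under the mount point are left in place so the timestamps in their names can be compared with the server-side logs afterwards.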