http://bugzilla.suse.com/show_bug.cgi?id=931308 Bug ID: 931308 Summary: Gssd fails to renew credentials Classification: openSUSE Product: openSUSE 12.3 Version: Final Hardware: Other OS: SLES 11 Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: Anna.Schumaker@Netapp.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- This bug is seen when running SLES11 SP3 and SLES11 SP4, but I can't find where to file SLES bugs anywhere in this bugzilla. Please let me know if this is in the wrong place! Description of problem: Gssd fails to renew credentials when running with uid=0 and client and server clocks are just a few seconds off. Version-Release number of selected component (if applicable): nfs-client-1.2.3-18.40.15 (SLES11 SP3) How reproducible: Just to make the issue easier to reproduce, change the lifetime of the issued service ticket to something short, say 2m, by modifying /etc/krb5.conf ticket_lifetime=2m Steps to Reproduce: 1. sudo mount -t nfs4 -o sec=krb5 nfs.server.com:/ /mnt 2. sudo dd if=/dev/zero of=/mnt/testfile bs=1 count=10000000 Basically, mount your kerberized NFS server and start job that lasts longer than chosen ticket lifetime (i.e., dd that would take longer than 2min to complete). Actual results: "dd" will fail with "permission denied" when credentials expire. See failure logged in var log messages, ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_CREDENTIALS_EXPIRED (The referenced credential has expired) - Unknown error WARNING: Failed while limiting krb5 encryption types for user with uid 0 WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_GATEWAY.2WIRE.NET for server ipa120.gateway.2wire.net WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server ipa120.gateway.2wire.net Expected results: "dd" should finish to completion Additional info: This problem has been address in the upstream nfs-utils and is fixed by: commit da54dec3cb40095cac96fd2d838144129262ac7f Author: Lukas Hejtmanek <xhejtman@gmail.com> Date: Wed Mar 20 13:24:02 2013 -0400 gssd - expired credentials problem I noticed that there is a problem with expired credentials if NFS client's time is even few seconds behind KDC's or NFS server's time. Client's kernel requests new GSS context but rpc.gssd is happy with existing krb cache as it valid according to local time. Signed-off-by: Steve Dickson <steved@redhat.com> -- You are receiving this mail because: You are on the CC list for the bug.