Created attachment 209312
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl

This is a bug that probably never happens in real life, or is masked by other factors, but I think it's a bug anyway...

In /usr/src/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c:svc_rpc_gss_accept_sec_context() there is a check:

    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = time_uptime + 24*60*60;
    client->cl_expiration = time_uptime + cred_lifetime;

The assignment in the if-statement should be "cred_lifetime = 24*60*60;" because the current code would set client->cl_expiration to 2*time_uptime+24*60*60 - if it ever was GSS_C_INDEFINITE. At least until year 2106 or so (when the unsigned 32-bit cred_lifetime will wrap around)...

Cache entries are invalidated when NFS shares are unmounted and most Kerberos tickets do have a lifetime (10 hours typically) so this probably almost never happens in real life but anyway...

I'd also like to propose adding a sysctl() where one can cap the cred_lifetime to a lower value than the default (which is the ticket lifetime - about 10 hours on a "typical" system). With the current code a user being added to a new group will not be "visible" for NFS until after the GSS cache entry expires (if the user has something NFS-mounted from that server). It might be a good idea to be able to force a lower timeout (like 1 hour or so).
Take this PR and commit the patch to head.
A commit references this bug:

Author: rmacklem
Date: Thu Nov 28 02:05:31 UTC 2019
New revision: 355157
URL: https://svnweb.freebsd.org/changeset/base/355157

Log:
Add a cap on credential lifetime for Kerberized NFS.

The kernel RPCSEC_GSS code sets the credential (called a client) lifetime to the lifetime of the Kerberos ticket, which is typically several hours. As such, when a user's credentials change such as being added to a new group, it can take several hours for this change to be recognized by the NFS server.

This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set by a sysadmin to put a cap on the time to expire for the credentials, so that a sysadmin can reduce the timeout.

It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE is returned for a lifetime. This has no effect in practice, since Kerberos never does this.

Tested by: pen@lysator.liu.se
PR: 242132
Submitted by: pen@lysator.liu.se
MFC after: 2 weeks

Changes:
head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
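As an added illustration, not part of this PR, the attachment, or the committed FreeBSD change, the following stand-alone C model shows the two expiration computations described in the report and the commit message: the original one, where time_uptime ends up counted twice when the mechanism reports GSS_C_INDEFINITE, and the corrected one with a lifetime cap applied. The function names, the sample uptime values, and the lifetime_max argument (with zero meaning "no cap") are constructed for this example; the page does not spell out how the kern.rpc.gss.lifetime_max sysctl is applied inside the kernel, so that part is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* GSS-API "no expiry" sentinel: all bits set in an OM_uint32. */
typedef uint32_t OM_uint32;
#define GSS_C_INDEFINITE ((OM_uint32)0xffffffffu)

/* Fallback lifetime used when the mechanism reports GSS_C_INDEFINITE. */
#define DEFAULT_LIFETIME ((OM_uint32)(24 * 60 * 60))

/* Model of the expiration computation as quoted in the report (constructed,
 * not the kernel source): when cred_lifetime is GSS_C_INDEFINITE, the
 * assignment already includes time_uptime, so the final sum adds it twice. */
time_t expiration_before_fix(time_t time_uptime, OM_uint32 cred_lifetime)
{
    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = (OM_uint32)(time_uptime + DEFAULT_LIFETIME); /* defect */
    return time_uptime + cred_lifetime;
}

/* Corrected model: the fallback is a plain duration, and an administrator-set
 * cap (assumed semantics: lifetime_max == 0 means uncapped) bounds how long a
 * cached client entry may live, so group changes are picked up sooner. */
time_t expiration_after_fix(time_t time_uptime, OM_uint32 cred_lifetime,
                            OM_uint32 lifetime_max)
{
    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = DEFAULT_LIFETIME;
    if (lifetime_max != 0 && cred_lifetime > lifetime_max)
        cred_lifetime = lifetime_max;
    return time_uptime + cred_lifetime;
}

/* A cached client entry is considered expired once uptime reaches cl_expiration. */
bool client_expired(time_t cl_expiration, time_t now_uptime)
{
    return now_uptime >= cl_expiration;
}

int main(void)
{
    time_t uptime = 100000;            /* constructed: ~27.8 hours since boot */
    OM_uint32 ticket_lifetime = 36000; /* constructed: a 10-hour Kerberos ticket */

    printf("indefinite, before fix: %lld (uptime counted twice)\n",
           (long long)expiration_before_fix(uptime, GSS_C_INDEFINITE));
    printf("indefinite, after fix:  %lld\n",
           (long long)expiration_after_fix(uptime, GSS_C_INDEFINITE, 0));
    printf("10h ticket, capped to 1h: %lld\n",
           (long long)expiration_after_fix(uptime, ticket_lifetime, 3600));
    return 0;
}
```

With a 10-hour ticket and the cap set to one hour, the entry expires 3600 seconds after it was created instead of 36000, which is the effect the reporter asked for; the GSS_C_INDEFINITE case shows the pre-fix result landing roughly an extra uptime's worth of seconds in the future.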
A commit references this bug:

Author: rmacklem
Date: Fri Dec 20 23:08:10 UTC 2019
New revision: 355967
URL: https://svnweb.freebsd.org/changeset/base/355967

Log:
MFC: r355157, r355161

Add a cap on credential lifetime for Kerberized NFS.

The kernel RPCSEC_GSS code sets the credential (called a client) lifetime to the lifetime of the Kerberos ticket, which is typically several hours. As such, when a user's credentials change such as being added to a new group, it can take several hours for this change to be recognized by the NFS server.

This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set by a sysadmin to put a cap on the time to expire for the credentials, so that a sysadmin can reduce the timeout.

It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE is returned for a lifetime. This has no effect in practice, since Kerberos never does this.

PR: 242132

Changes:
_U stable/11/
stable/11/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
Patch has been committed and MFC'd.