Bug 93891 - NFS access not revoked on kdestroy
Summary: NFS access not revoked on kdestroy
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: NFS
Hardware: All Linux
Importance: P1 normal
Assignee: Trond Myklebust
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-26 15:30 UTC by Bryan Quigley
Modified: 2020-06-18 04:10 UTC

See Also:
Kernel Version: 4.0-rc1
Subsystem:
Regression: No
Bisected commit-id:
Description Bryan Quigley 2015-02-26 15:30:41 UTC
The NFS client caches credentials and doesn't expose a way for kdestroy (or any other tool AFAIK) to clear them.

How to reproduce:
Start as an unprivileged (in a Kerberos sense) user with access to a Kerberos-protected NFS share (in this case it contains home directories)
kinit user1
ls ~user1 #Test user1 permissions, this should always succeed (and does)

kdestroy #should destroy user1 permissions

kinit user2
ls ~user2 # this should succeed, but it fails
ls ~user1 # this should fail, but it still works!

This appears to be known upstream:
http://www.citi.umich.edu/projects/nfsv4/linux/faq/#krb5_006

Bits and pieces of an earlier attempt at a fix:
http://www.spinics.net/lists/linux-nfs/msg34236.html
nfslogin/logout prototype http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif

Another bug request: https://fedorahosted.org/gss-proxy/ticket/1 (and linked discussion)
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1424727

Workarounds:
Unmount/Mount NFS share
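
A check for the behaviour reported above, as an added example that is not part of the original report: it confirms that a path sits on an NFS mount using sec=krb5, krb5i or krb5p, confirms that no valid ticket remains, and then tests whether the path is still readable. The function names `on_krb5_nfs` and `check_revoked` are hypothetical; the script assumes MIT `klist -s` and the Linux `/proc/mounts` format.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a path on a
# Kerberos-protected NFS mount is still readable after kdestroy.
# Function names are hypothetical; assumes MIT klist and Linux /proc/mounts.

# Succeed if $1 lies under an NFS mount using sec=krb5, krb5i or krb5p.
# $2: mounts table to read (defaults to /proc/mounts).
on_krb5_nfs() {
    best="" best_krb=1
    while read -r _dev mnt fstype opts _rest; do
        # Skip mounts that are not a parent directory of the path.
        case "$1/" in "${mnt%/}"/*) ;; *) continue ;; esac
        # Keep the deepest mount; on a tie the later (topmost) entry wins.
        [ "${#mnt}" -ge "${#best}" ] || continue
        best=$mnt best_krb=1
        case "$fstype" in
            nfs|nfs4)
                case ",$opts," in
                    *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) best_krb=0 ;;
                esac ;;
        esac
    done < "${2:-/proc/mounts}"
    return "$best_krb"
}

# Status: 0 access denied (revoked as expected)
#         1 path still readable although no valid ticket exists (this bug)
#         2 a valid ticket cache still exists, so nothing was tested
#         3 path is not on a Kerberos-protected NFS mount
check_revoked() {
    on_krb5_nfs "$1" "$2" || return 3
    # klist -s prints nothing and exits 0 only if the cache holds valid tickets.
    if klist -s 2>/dev/null; then return 2; fi
    if ls -- "$1" >/dev/null 2>&1; then return 1; fi
    return 0
}

# Usage: sh check.sh /home/user1   (run after kdestroy, as the same user)
if [ "$#" -gt 0 ]; then
    rc=0; check_revoked "$1" || rc=$?
    echo "check_revoked $1: status $rc"
fi
```

Status 1 is the condition described in this report; status 0 is what kdestroy is expected to produce.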
Comment 1 Bryan Quigley 2015-03-30 16:27:01 UTC
If spinics is down use http://linux-nfs.vger.kernel.narkive.com/JHXBEH6t/patch-0-2-rfc-enable-the-use-of-the-keyring-credential-cache

[PATCH 0/2] RFC: enable the use of the KEYRING credential cache