gssd - expired credentials problem
authorLukas Hejtmanek <xhejtman@gmail.com>
Wed, 20 Mar 2013 17:24:02 +0000 (13:24 -0400)
committerSteve Dickson <steved@redhat.com>
Mon, 25 Mar 2013 14:09:09 +0000 (10:09 -0400)
I noticed that there is a problem with expired credentials if the NFS
client's time is even a few seconds behind the KDC's or NFS server's time.
The client's kernel requests a new GSS context, but rpc.gssd is happy with
the existing krb cache as it is valid according to local time.

Signed-off-by: Steve Dickson <steved@redhat.com>
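--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -350,6 +350,11 @@ gssd_get_single_krb5_cred(krb5_context context,
 
        memset(&my_creds, 0, sizeof(my_creds));
 
+       /*
+        * Workaround for clock skew among NFS server, NFS client and KDC
+        * 300 because clock skew must be within 300sec for kerberos
+        */
+       now += 300;
        if (ple->ccname && ple->endtime > now && !nocache) {
                printerr(2, "INFO: Credentials in CC '%s' are good until %d\n",
                         ple->ccname, ple->endtime);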
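Review bot: The literal `300` in `now += 300;` hard-codes the default Kerberos clock-skew tolerance, but that tolerance is configurable per site (`clockskew` in krb5.conf), so the comment's "must be within 300sec" only holds for the default. A named constant with a comment saying "default skew" would make the assumption visible. Adjusting `now` in place also shifts it for any later use in gssd_get_single_krb5_cred, whose body continues outside the hunk; comparing against the margin directly, `if (ple->ccname && ple->endtime > now + 300 && !nocache) {`, would leave the current time intact. It is also worth stating in the comment that cached credentials are now treated as expired 300 seconds early, so a ticket whose lifetime is at or below that margin would presumably never be served from the cache.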