-
- Downloads
SUNRPC handle EKEYEXPIRED in call_refreshresult
Currently, when an RPCSEC_GSS context has expired or is non-existent and the users (Kerberos) credentials have also expired or are non-existent, the client receives the -EKEYEXPIRED error and tries to refresh the context forever. If an application is performing I/O, or other work against the share, the application hangs, and the user is not prompted to refresh/establish their credentials. This can result in a denial of service for other users. Users are expected to manage their Kerberos credential lifetimes to mitigate this issue. Move the -EKEYEXPIRED handling into the RPC layer. Try tk_cred_retry number of times to refresh the gss_context, and then return -EACCES to the application. Signed-off-by:Andy Adamson <andros@netapp.com> Signed-off-by:
Showing
- fs/nfs/nfs3proc.c 3 additions, 3 deletionsfs/nfs/nfs3proc.c
- fs/nfs/nfs4filelayout.c 0 additions, 1 deletionfs/nfs/nfs4filelayout.c
- fs/nfs/nfs4proc.c 0 additions, 18 deletionsfs/nfs/nfs4proc.c
- fs/nfs/nfs4state.c 0 additions, 23 deletionsfs/nfs/nfs4state.c
- fs/nfs/proc.c 0 additions, 43 deletionsfs/nfs/proc.c
- net/sunrpc/clnt.c 1 addition, 0 deletionsnet/sunrpc/clnt.c
Loading
Please register or sign in to comment