e3c26ce5cb
It turns out that the underlying problem that caused
a Kerberized NFS mount with the "gssname" option to
fail was that the kernel upcall to the gssd(8) daemon
would time out prematurely after 25 seconds. The
gss_acquire_cred() GSSAPI library call
takes about 27 seconds for the case where a desired_name
argument is specified. A similarly long delay occurs
when the gss_init_sec_context() call is made and the
user principal's TGT has expired.
Once the upcall timed out, the kernel code assumed that
the gssd(8) daemon had died and closed the socket.
Ironically, closing the socket did cause the gssd(8)
daemon to terminate via a SIGPIPE signal.
This patch increases the timeout to 5 minutes. Since
a timeout should only occur when the gssd(8) daemon
has died, a long timeout should be ok and seems to fix this
problem.
I still think that commit
|
||
---|---|---|
.. | ||
krb5 | ||
gss_accept_sec_context.c | ||
gss_acquire_cred.c | ||
gss_add_oid_set_member.c | ||
gss_canonicalize_name.c | ||
gss_create_empty_oid_set.c | ||
gss_delete_sec_context.c | ||
gss_display_status.c | ||
gss_export_name.c | ||
gss_get_mic.c | ||
gss_impl.c | ||
gss_import_name.c | ||
gss_init_sec_context.c | ||
gss_names.c | ||
gss_pname_to_uid.c | ||
gss_release_buffer.c | ||
gss_release_cred.c | ||
gss_release_name.c | ||
gss_release_oid_set.c | ||
gss_set_cred_option.c | ||
gss_test_oid_set_member.c | ||
gss_unwrap.c | ||
gss_verify_mic.c | ||
gss_wrap_size_limit.c | ||
gss_wrap.c | ||
gssapi_impl.h | ||
gssapi.h | ||
gssd_prot.c | ||
gssd.x | ||
gsstest.c | ||
kgss_if.m |