• NeilBrown's avatar
    NFSv4.1: don't use machine credentials for CLOSE when using 'sec=sys' · b79e87e0
    NeilBrown authored
    An NFSv4.1 client might close a file after the user who opened it has
    logged off.  In this case the user's credentials may no longer be
    valid, if they are e.g. kerberos credentials that have expired.
    
    NFSv4.1 has a mechanism to allow the client to use machine credentials
    to close a file.  However due to a short-coming in the RFC, a CLOSE
    with those credentials may not be possible if the file in question
    isn't exported to the same security flavor - the required PUTFH must
    be rejected when this is the case.
    
    Specifically if a server and client support kerberos in general and
    have used it to form a machine credential, but the file is only
    exported to "sec=sys", a PUTFH with the machine credentials will fail,
    so CLOSE is not possible.
    
    As RPC_AUTH_UNIX (used by sec=sys) credentials can never expire, there
    is no value in using the machine credential in place of them.
    So in that case, just use the users credentials for CLOSE etc, as you would
    in NFSv4.0
    Signed-off-by: default avatarNeil Brown <neilb@suse.com>
    Signed-off-by: default avatarNeilBrown <neilb@suse.com>
    Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
    b79e87e0
nfs4_fs.h 19 KB