CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Rick Macklem <rmacklem@FreeBSD.org>
	Fri, 20 Dec 2019 22:53:23 +0000 (22:53 +0000)
committer	Rick Macklem <rmacklem@FreeBSD.org>
	Fri, 20 Dec 2019 22:53:23 +0000 (22:53 +0000)
commit	6c54d4122c208d36a59f15bec33bed4fab43b57b
tree	02426377ea3ca40fb11ad4d76bf93de6f1877e80	tree \| snapshot
parent	6b496ecf32fedfc0b88c3b8b230dc21a4e91e1ff	commit \| diff

MFC: r355157, r355161
Add a cap on credential lifetime for Kerberized NFS.

The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
to the lifetime of the Kerberos ticket, which is typically several hours.
As such, when a user's credentials change such as being added to a new group,
it can take several hours for this change to be recognized by the NFS server.
This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
by a sysadmin to put a cap on the time to expire for the credentials, so that
a sysadmin can reduce the timeout.
It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
is returned for a lifetime. This has no effect in practice, since Kerberos
never does this.