2

I am using an NFS service over Kerberos. The client mounting the NFS share obtains the ticket from the KDC server and works perfectly in terms of accessing the NFS share. My requirement is that I need to expire the ticket in between accessing the NFS share to see how the application behaves in that case. I tried 2 ways: first, to issue a renewable ticket with, let's say, a 10 min lifetime and then re-request to renew the same ticket with a shorter lifetime, say 5 sec; and secondly, doing the same with a non-renewable ticket. In both cases the access to NFS does not stop until the initial ticket of 10 min expires, even though the ticket in the cache shows as expired. But I expected the access to be denied after the renewal request with the 5 sec lifetime.

pynix
  • It would help if you provided the exact steps you are performing when testing this. For example, you make a connection to the NFS share, then what are the steps you are performing after that? – Greg Askew Jan 27 '19 at 14:45
  • First I issued a ticket for 30m: $ kinit -l 30m. Then I did a "cd" into the NFS mount and started reading a file. Now I wanted my ticket to expire in between the read, so I re-issued a ticket request for a shorter expiry lifetime of 1s, as below: $ kinit -l 1s. klist showed the ticket to be expired but my read of the file was not interrupted; it was after 30 mins that the read was interrupted, when the former ticket lifetime ended. However, I wanted the access to be denied as soon as I requested the second ticket of 1 sec lifetime. – pynix Jan 28 '19 at 06:56
  • How are you performing the file read for 30 minutes? – Greg Askew Jan 28 '19 at 12:18
  • Basically, my client has a program running which can access the file anytime in a certain timeline; file access can be for some minutes or for a very short interval of time, which may include read/write to the file. Expiring on demand is required as we need several iterations to capture the error and incorporate the error handling in code. Also, before accessing the file on the NFS share, the program has to attach GDB, strace and other debugging tools to the running process, and you cannot predict how much time it will take to attach the process and then go forward with accessing the file. – pynix Jan 29 '19 at 06:33
  • I know that. What I'm asking is: is the client application connected continuously (one connection) for 30 minutes, or does it make multiple connections? – Greg Askew Jan 29 '19 at 12:04
  • It is a one-time access to the file. – pynix Jan 31 '19 at 09:50
  • Any help on this, please! – pynix Feb 05 '19 at 12:05

1 Answer

1

To manually expire a Kerberos ticket for a session, we just need to run:

kdestroy 
Sérgio
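
A harness for the test described in the question, as an added example that is not part of the original post or answer: after the credential cache is emptied with kdestroy, it re-opens a file on the mount at a fixed interval and reports how many opens still succeeded before the first denial. The path /mnt/nfs/testfile, the timings and the function names are assumptions; klist -s is the MIT Kerberos silent cache check.

```shell
#!/bin/sh
# Added example: measure how long NFS access outlives the credential cache.
# Function names, the default path and the timings are assumptions.

# probe_until_denied INTERVAL MAX_TRIES CMD [ARGS...]
# Runs CMD every INTERVAL seconds, at most MAX_TRIES times.
# Prints the number of successful runs seen before the first failure.
# Returns 0 if a failure was observed, 1 if CMD never failed.
probe_until_denied() {
    interval=$1
    max_tries=$2
    shift 2
    ok=0
    while [ "$ok" -lt "$max_tries" ]; do
        if ! "$@" >/dev/null 2>&1; then
            echo "$ok"
            return 0
        fi
        ok=$((ok + 1))
        sleep "$interval"
    done
    echo "$ok"
    return 1
}

# One probe = one new open() and a one-byte read of the file.
nfs_open_probe() {
    head -c 1 "$1"
}

# Invoke as: sh probe.sh run [FILE]
if [ "${1:-}" = "run" ]; then
    file=${2:-/mnt/nfs/testfile}   # hypothetical path on the Kerberized mount
    kdestroy                       # empty the credential cache (the answer's step)
    if klist -s; then              # MIT klist: exit 0 only if valid tickets remain
        echo "cache still holds valid tickets" >&2
    fi
    start=$(date +%s)
    if n=$(probe_until_denied 5 720 nfs_open_probe "$file"); then
        echo "denied after $n successful opens, $(( $(date +%s) - start ))s after kdestroy"
    else
        echo "still readable after $n opens (1 hour window)"
    fi
fi
```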