On Fri, 13 Mar 2015, Robert Wehn wrote:
> - klist
>   -> TGT for jane@REALM
> BUT!
>   -> localuser can still access alice's files
>   -> localuser can never access jane's files
>   -> no new NFS service ticket fetched or needed till the end
>      of the ticket lifetime
>
> What doesn't help:
> - logout and login as localuser
> - restart gssd
>
> What helps:
> - Unmount NFS, remount.
>
> The NFS client part of the Linux kernel seems to cache the NFS service
> tickets used for every combination of local UID and mounted filesystem.
I don't actually run any NFSv4 myself, but my understanding from IRC/mailing
lists is that the caching has a TTL of roughly a couple hours.  See Brandon's
response as well, but from a security perspective, the kernel NFS
implementation is wrong to cache things for so long, especially without
providing a way to invalidate a cached entry.

-Ben Kaduk
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
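The per-(UID, mount) context cache that the two messages above describe, written out as a small Python model so the sequence of events in Robert's report can be stepped through. This is an added illustration, not code from the Linux NFS client or from either poster; the class and function names, the two-hour context TTL and the ten-hour TGT lifetime are assumptions.

```python
"""Model of the NFS client behaviour reported in the thread: one GSS context
per (local UID, mountpoint), reused until it expires, dropped only by unmount.
Added illustration, not kernel code.  Names, the 2-hour context TTL and the
10-hour TGT lifetime are assumptions."""

from dataclasses import dataclass

GSS_CONTEXT_TTL = 2 * 3600   # assumed: "roughly a couple hours"
TGT_LIFETIME = 10 * 3600     # assumed ticket lifetime


@dataclass
class Ticket:
    principal: str
    expires_at: int


@dataclass
class CachedContext:
    principal: str
    established_at: int


class CredentialCache:
    """User-space Kerberos ccache: one TGT per local UID (kinit/kdestroy/klist)."""

    def __init__(self):
        self._tgts = {}

    def kinit(self, uid, principal, now):
        self._tgts[uid] = Ticket(principal, now + TGT_LIFETIME)

    def kdestroy(self, uid):
        self._tgts.pop(uid, None)

    def klist(self, uid, now):
        """Principal of the UID's current TGT, or None if absent or expired."""
        tgt = self._tgts.get(uid)
        return tgt.principal if tgt and tgt.expires_at > now else None


class NfsClient:
    """Kernel-side model: GSS contexts cached per (uid, mountpoint)."""

    def __init__(self, ccache):
        self._ccache = ccache
        self._mounts = set()
        self._contexts = {}   # (uid, mountpoint) -> CachedContext

    def mount(self, mountpoint):
        self._mounts.add(mountpoint)

    def umount(self, mountpoint):
        """The only operation in this model that discards cached contexts."""
        self._mounts.discard(mountpoint)
        for key in [k for k in self._contexts if k[1] == mountpoint]:
            del self._contexts[key]

    def restart_gssd(self):
        """gssd lives in user space; the kernel-side cache survives a restart."""

    def principal_seen_by_server(self, uid, mountpoint, now):
        """Which principal the NFS server sees for uid on this mount."""
        if mountpoint not in self._mounts:
            raise OSError(f"{mountpoint} is not mounted")
        ctx = self._contexts.get((uid, mountpoint))
        if ctx is not None and now - ctx.established_at < GSS_CONTEXT_TTL:
            return ctx.principal   # reused; what klist shows now is irrelevant
        # No usable context: the kernel upcalls gssd, which reads the ccache.
        principal = self._ccache.klist(uid, now)
        if principal is None:
            self._contexts.pop((uid, mountpoint), None)
            return None            # access fails until the user runs kinit
        self._contexts[(uid, mountpoint)] = CachedContext(principal, now)
        return principal

    def can_access(self, uid, mountpoint, owner, now):
        return self.principal_seen_by_server(uid, mountpoint, now) == owner


def reproduce(uid=1000, mountpoint="/nfs/home"):
    """Replay the steps from the report and return what localuser observed."""
    ccache = CredentialCache()
    nfs = NfsClient(ccache)
    nfs.mount(mountpoint)
    seen = {}
    now = 0

    ccache.kinit(uid, "alice@REALM", now)
    seen["alice_after_kinit_alice"] = nfs.can_access(uid, mountpoint, "alice@REALM", now)

    now += 60
    ccache.kinit(uid, "jane@REALM", now)         # klist now shows jane
    seen["klist"] = ccache.klist(uid, now)
    seen["alice_after_kinit_jane"] = nfs.can_access(uid, mountpoint, "alice@REALM", now)
    seen["jane_after_kinit_jane"] = nfs.can_access(uid, mountpoint, "jane@REALM", now)

    now += 60                                     # "logout and login", restart gssd
    ccache.kdestroy(uid)
    ccache.kinit(uid, "jane@REALM", now)
    nfs.restart_gssd()
    seen["jane_after_relogin"] = nfs.can_access(uid, mountpoint, "jane@REALM", now)

    nfs.umount(mountpoint)                        # the workaround from the report
    nfs.mount(mountpoint)
    seen["jane_after_remount"] = nfs.can_access(uid, mountpoint, "jane@REALM", now)

    now += GSS_CONTEXT_TTL                        # or wait out the context TTL
    ccache.kinit(uid, "alice@REALM", now)
    seen["alice_after_ttl"] = nfs.can_access(uid, mountpoint, "alice@REALM", now)
    return seen


if __name__ == "__main__":
    for step, result in reproduce().items():
        print(f"{step:28s} {result}")
```

reproduce() follows the report in order: kinit as alice, kinit as jane, kdestroy plus kinit and a gssd restart, then unmount/remount, then waiting out the context TTL. Only the last two change which principal the server sees for the UID, which is the point Ben objects to: nothing short of unmounting drops a stale context before it expires.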