Skip to content

Commit

Permalink
SUNRPC: do not retry on EKEYEXPIRED when user TGT ticket expired
Browse files Browse the repository at this point in the history
When a user TGT ticket expired, gssd returns EKEYEXPIRED to the RPC
layer for the upcall to create the security context. The RPC layer
then retries the upcall twice before returning the EKEYEXPIRED to
the NFS layer.

This results in three separate TCP connections to the NFS server being
created by gssd for each RPC request. These connections are not used
and left in TIME_WAIT state.

Note that for RPC call that uses machine credential, gssd automatically
renews the ticket. But for a regular user the ticket needs to be
renewed by the user before access to the krb5 share is allowed.

This patch removes the retries by RPC on EKEYEXPIRED so that these
unused TCP connections are not created.

Reproducer:

$ kinit -l 1m
$ sleep 65
$ cd /mnt/krb5share
$ netstat -na |grep TIME_WAIT

Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
  • Loading branch information
Dai Ngo authored and Anna Schumaker committed Jan 22, 2025
1 parent 918b8e3 commit 6f56971
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions net/sunrpc/clnt.c
Original file line number Diff line number Diff line change
Expand Up @@ -1862,13 +1862,13 @@ call_refreshresult(struct rpc_task *task)
fallthrough;
case -EAGAIN:
status = -EACCES;
fallthrough;
case -EKEYEXPIRED:
if (!task->tk_cred_retry)
break;
task->tk_cred_retry--;
trace_rpc_retry_refresh_status(task);
return;
case -EKEYEXPIRED:
break;
case -ENOMEM:
rpc_delay(task, HZ >> 4);
return;
Expand Down

0 comments on commit 6f56971

Please sign in to comment.