Kevin Vasko via FreeIPA-users wrote:
Hello,
Does anyone have any tips for completely refreshing (forcing cleaning)
all kerberos tickets on a client from FreeIPA?
I assumed "$ kdestroy -A" should do it, but it certainly doesn't
completely clear all caches.
What I'm having trouble with is some NFS/NAS servers using kerberos.
I'll set up a new NFS server with Kerberos, the server will have their
appropriate keytab and services created.
I'll make sure and clear my local cache on my client with "$ kdestroy
-A", and then connect to the NFS server. If for some reason I have
something misconfigured (e.g. time is off) I'll obviously get a "stale
file handle" or "mount.nfs4: access denied by server". At that point
I'll correct the issue on the server/client. However, I'll continue
getting the error even though I destroy the cache. I _know_ it's a cache
issue _somewhere_ because it will randomly start working (e.g. it will
be failing, leave for the day and next morning it will mount no problem)
OR I'll try it on a different client and it will mount successfully. It
seems so sporadic. I've even been in the situation where I've
purposefully removed keytabs, LDAP login access and reset the cache on
the client on systems and the NFS mount has still worked. It will
continue to work when it shouldn't as I've removed keytab or
authentications so obviously something is cached.
Is there a foolproof list of things I need to do to reset the cache(es)?
kdestroy, services on client and server? Is there a potential force 15
min TTL or something somewhere I'm missing?
It is probably gssproxy holding the credentials. See
https://pagure.io/gssproxy/blob/master/f/docs/NFS.md
rob
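As an added illustration of the layers involved (this script is not from the thread, nor from the FreeIPA or gssproxy projects), the following POSIX sh script enumerates what `klist -A` reports per credential cache and flags which cache is holding an `nfs/` service ticket, then offers a flush routine that walks the layers in order: the user's caches (`kdestroy -A`), the kernel RPCSEC_GSS contexts tied to the mount and rpc.gssd, and gssproxy's own client ccaches. The `klist -A` sample is constructed; the mount point `/mnt/nas`, the systemd unit names `rpc-gssd` and `gssproxy`, and the gssproxy ccache directory `/var/lib/gssproxy/clients/` are assumptions to be checked against the local `/etc/gssproxy/*.conf` `cred_store` settings and the linked NFS.md.

```shell
#!/bin/sh
# Enumerate and flush every Kerberos credential-cache layer on an NFS client.
# Added example; assumes Fedora/RHEL-style service names and gssproxy paths.

# Constructed sample of `klist -A` output: two caches for the same user, only
# the first one holds a ticket for the nfs/ service.
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: kevin@EXAMPLE.TEST

Valid starting       Expires              Service principal
05/01/2024 09:00:00  05/01/2024 19:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
05/01/2024 09:01:00  05/01/2024 19:00:00  nfs/nas1.example.test@EXAMPLE.TEST

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kevin@EXAMPLE.TEST

Valid starting       Expires              Service principal
05/01/2024 08:30:00  05/01/2024 18:30:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
EOF
)

# list_caches: read `klist -A` output on stdin and print one line per cache:
#   <cache name> <default principal> <ticket count> <holds nfs/ ticket: yes|no>
list_caches() {
    awk '
        function flush() { if (cache != "") print cache, princ, n, nfs }
        /^Ticket cache:/      { flush(); cache = $3; princ = "-"; n = 0; nfs = "no"; next }
        /^Default principal:/ { princ = $3; next }
        cache != "" && $NF ~ /@/ {             # a ticket line ends in a principal
            n++
            if ($NF ~ /^nfs\//) nfs = "yes"
        }
        END { flush() }
    '
}

# caches_holding_nfs: names of the caches that still carry an nfs/ ticket.
caches_holding_nfs() {
    list_caches | awk '$4 == "yes" { print $1 }'
}

# flush_client_caches <mountpoint>: clear the layers in dependency order.
# Every step is skipped when its tool or service is absent, so the function is
# safe to run on a host without gssproxy or NFS.
flush_client_caches() {
    mnt=${1:-/mnt/nas}                                   # assumption: mount point
    # 1. all user-level caches, whatever the cache type (FILE, KEYRING, KCM, ...)
    command -v kdestroy >/dev/null 2>&1 && kdestroy -A
    # 2. kernel RPCSEC_GSS contexts live as long as the mount and rpc.gssd do
    mountpoint -q "$mnt" 2>/dev/null && umount "$mnt"
    for svc in rpc-gssd gssproxy; do                     # assumption: unit names
        systemctl is-active --quiet "$svc" 2>/dev/null && systemctl restart "$svc"
    done
    # 3. gssproxy keeps its own per-user ccaches (assumed path; verify against
    #    the cred_store lines in /etc/gssproxy/*.conf)
    rm -f /var/lib/gssproxy/clients/krb5cc_* 2>/dev/null
    return 0
}

# Only act when explicitly asked; the default invocation just reports.
if [ "${KRB_FLUSH:-0}" = 1 ]; then
    flush_client_caches "${1:-/mnt/nas}"
elif command -v klist >/dev/null 2>&1; then
    klist -A 2>/dev/null | list_caches
fi
```

Run it without arguments to see which cache holds the `nfs/` ticket, and with `KRB_FLUSH=1 ./flush.sh /mnt/nas` (as root) to walk the flush steps. Each layer is cleared separately because `kdestroy -A` only ever touches the caller's caches; the kernel contexts and gssproxy's files are what keep a mount working after the user's tickets are gone.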