K 10
svn:author
V 8
rmacklem
K 8
svn:date
V 27
2019-12-20T23:08:10.125088Z
K 7
svn:log
V 749
MFC: r355157, r355161
Add a cap on credential lifetime for Kerberized NFS.

The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
to the lifetime of the Kerberos ticket, which is typically several hours.
As such, when a user's credentials change such as being added to a new group,
it can take several hours for this change to be recognized by the NFS server.
This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
by a sysadmin to put a cap on the time to expire for the credentials, so that
a sysadmin can reduce the timeout.
It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
is returned for a lifetime. This has no effect in practice, since Kerberos
never does this.

PR:		242132

END