Story
Resolution: Done-Errata
rhel-8.8.0, rhel-9.2.0
nfs-utils-2.5.4-21.el9
rhel-sst-filesystems
ssg_filesystems_storage_and_HA
What were you trying to do that didn't work?
Together with the libtirpc patch, the nfs-utils patch series provides
support for handling KRB5_AP_ERR_BAD_INTEGRITY.
Such an error can be returned by the server when it has changed
its key material and the client is still using the service
ticket that was issued prior to the change.
Upon calling authgss_create_default() and receiving a NULL
context, we can inspect the returned structure to see
if a gss major/minor error code was set. If the client
determines that it received a KRB5_AP_ERR_BAD_INTEGRITY error,
it will proceed to handle it based on what type of credentials
were used for context establishment. If machine credentials
were used, the client can call into a routine and force
credential renewal. If user credentials were used, the client
needs to remove the existing service ticket and then retry
the request.
Please provide the package NVR for which bug is seen:
How reproducible:
Create a Kerberos mount to the ONTAP server. That will generate a service ticket valid for a certain period of time. Unmount. On the KDC, update the ONTAP server's key. Disable Kerberos on the server's lif. Then pull down the new key for the ONTAP server and enable Kerberos back on. Prior to expiration of the previous service ticket (please confirm that the nfs ticket is present (via klist) and valid), do a new mount from the client again.
Without this patch series, the mount would fail, as GSSD can't handle getting a KRB5_AP_ERR_BAD_INTEGRITY error.
With the patch series (for libtirpc and nfs-utils), the mount would succeed.
Steps to reproduce
Expected results
Actual results
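The recovery flow described in this report, modelled as an added example (not code from nfs-utils or libtirpc). The simulated server/KDC key versions, all type and function names, and the single-retry bound are assumptions of the example; the minor-status value mirrors MIT krb5's KRB5KRB_AP_ERR_BAD_INTEGRITY and is defined locally so the block builds without Kerberos headers.

```c
#include <stdint.h>
#include <stdio.h>

#define MAJ_FAILURE       (13u << 16)               /* GSS_S_FAILURE (RFC 2744) */
#define MIN_BAD_INTEGRITY ((uint32_t)-1765328353L)  /* assumed: MIT krb5 KRB5KRB_AP_ERR_BAD_INTEGRITY */

enum cred_kind { CRED_MACHINE, CRED_USER };
enum action { ACT_NONE, ACT_RENEW_MACHINE_CRED, ACT_DROP_SERVICE_TICKET, ACT_FAIL };

/* What the caller can inspect after context creation returns NULL. */
struct gss_result { int have_ctx; uint32_t major, minor; };

/* Constructed stand-in for the server keytab, the KDC and the ticket cache. */
struct sim { int server_kvno, kdc_kvno, ticket_kvno, attempts; };

static struct gss_result sim_create_context(struct sim *s) {
    struct gss_result r = { 0, MAJ_FAILURE, MIN_BAD_INTEGRITY };
    s->attempts++;
    /* The server can only decrypt a ticket sealed with its current key. */
    if (s->ticket_kvno == s->server_kvno) { r.have_ctx = 1; r.major = 0; r.minor = 0; }
    return r;
}

/* Map the inspected error and credential type to one recovery step. */
enum action decide(const struct gss_result *r, enum cred_kind kind, int retried) {
    if (r->have_ctx) return ACT_NONE;
    if (r->major != MAJ_FAILURE || r->minor != MIN_BAD_INTEGRITY) return ACT_FAIL;
    if (retried) return ACT_FAIL;   /* assumption: refresh once, never loop */
    return kind == CRED_MACHINE ? ACT_RENEW_MACHINE_CRED : ACT_DROP_SERVICE_TICKET;
}

/* Returns 0 once a context exists, -1 if the error persists or is unrelated. */
int establish(struct sim *s, enum cred_kind kind) {
    for (int retried = 0; ; retried = 1) {
        struct gss_result r = sim_create_context(s);
        enum action a = decide(&r, kind, retried);
        if (a == ACT_NONE) return 0;
        if (a == ACT_FAIL) return -1;
        /* Either recovery path ends with a ticket the KDC issues under its current key. */
        s->ticket_kvno = s->kdc_kvno;
    }
}

int main(void) {
    struct sim rekeyed = { 2, 2, 1, 0 };   /* server rekeyed, client holds old ticket */
    printf("user mount after rekey: %d (attempts=%d)\n",
           establish(&rekeyed, CRED_USER), rekeyed.attempts);
    return 0;
}
```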
- links to RHBA-2024:126421 nfs-utils update