# This patch fixes a small bug in the handling of credentials lifetime in case a
# Kerberos ticket would have an indefinite lifetime and secondly adds a sysctl so
# we can force a lower lifetime for the GSS credentials cache entries (defaults to
# the same as the Kerberos ticket - typically 10 hours) so group changes for users
# will propagate faster (if set to a lower value. 0 = no cap).
#
# Author: Peter Eriksson <pen@lysator.liu.se>, 2019-11-21

--- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c.ORIG	2019-11-20 16:30:21.723539000 +0100
+++ sys/rpc/rpcsec_gss/svc_rpcsec_gss.c	2019-11-21 08:18:39.656478000 +0100
@@ -172,10 +172,15 @@
 #define CLIENT_HASH_SIZE	256
 #define CLIENT_MAX		128
 u_int svc_rpc_gss_client_max = CLIENT_MAX;
+u_int svc_rpc_gss_lifetime_max = 0;
 
 SYSCTL_NODE(_kern, OID_AUTO, rpc, CTLFLAG_RW, 0, "RPC");
 SYSCTL_NODE(_kern_rpc, OID_AUTO, gss, CTLFLAG_RW, 0, "GSS");
 
+SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, lifetime_max, CTLFLAG_RW,
+    &svc_rpc_gss_lifetime_max, 0,
+    "Max lifetime (seconds) of rpc-gss clients");
+
 SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_max, CTLFLAG_RW,
     &svc_rpc_gss_client_max, 0,
     "Max number of rpc-gss clients");
@@ -950,8 +955,14 @@
 		 * that out).
 		 */
 		if (cred_lifetime == GSS_C_INDEFINITE)
-			cred_lifetime = time_uptime + 24*60*60;
+			cred_lifetime = 24*60*60;
 
+		/*
+		 * Cap cred_lifetime if sysctl kern.rpc.gss.lifetime_max is set
+		 */
+		if (svc_rpc_gss_lifetime_max && cred_lifetime > svc_rpc_gss_lifetime_max)
+			cred_lifetime = svc_rpc_gss_lifetime_max;
+		
 		client->cl_expiration = time_uptime + cred_lifetime;
 
 		/*