the fake kaserver code doesn't call VIOCUNLOG to invalidate the tokens when closing the connection. The risks for this actually making any difference increases with my patch in bug #2151 that longens the token lifetimes.
Created attachment 940 [details] adds afs_unlog() to afs.c and calls it from close_cnum()
Volker, I would like to see this patch commited, if you think its the wrong place to do it, please propose a better place. Having token hanging around it the kernel until the gc hits is not a good idea.
I'm not entirely certain this is the right place to do it. In fact, I'm not sure that the afs_login is correctly placed in the tconX call. The AFS token is a user-based credential, and this would be better placed inside the session setup that does the user authentication. Then the unlog should be in the smbunlog call, but only if this is the last user session with this user id. A client could issue several session setups for the same user, we would need to refcount those. That's the reason why I did not apply that patch yet. Comments? Volker