Partially incorrect uid mapping with nfs4/idmapd/ldap-auth

Status changed to 'Confirmed' because the bug affects multiple users.

Have a look into /proc/key-users to see if user root reaches its quotas:

    0: 1029 1028/1028 10/100 2345/20000

means that root uses 1022 from 10000 possible an uses 2345 bytes from maximum 20000.

You may have to encrease both. For each user and group you should increase it by one. So if you 1000 users and 1000 groups you should root allow more than 2000 keys (and enough memory for that).

Try

echo 400000 > /proc/sys/kernel/keys/root_maxbytes
echo 10000 > /proc/sys/kernel/keys/root_maxkeys

and see if this fixes the problem for you.

No, it doesn't fixes the problem for me :-(

Have you tried with an older kernel ? I face the same bug when using 3.10.x while there is no problem when using 3.2.x.

Using `git bisect`, It appears that this bug has been introduced between v3.3 and v3.4 by this commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=57e62324e469e092ecc6c94a7a86fe4bd6ac5172

I am experiencing exactly the same problem. has there been progress on this issue? is there an update available that fixes it?

@denys.duchier As I understood by reading the code, this is not a bug but a feature. In Linux 3.4 they dropped their own B-tree uid/username caching in favor of the "key" infrastructure which, by design, includes quota. While this is a pain in this case, it mitigates the risk of DOS attack by filling up kernel's memory.

I saw 2 options:
 1/ increase root's quota as explained by @wolfgang-walter
 2/ fallback to (poorly documented) nfs3 like behavior

I personally did the later. In this scheme, uids are sent over the wire as equivalent strings ie username="123" for uid=123 instead of mapping it to "<email address hidden>". The other end *should* detect it is a stringified uid and convert it back. This is all the magic. I said "should" as it actually depends on the exact implementation since this is fallback behavior instead of standard. It works with Linux and, with reasonable effort, with Solaris.

unfortunately, like comment #3 reported, the quota is not the problem.

I was encountering the very same problem in an identical environment (nfs4 and LDAP based nameservice) but on DEBIAN (!).
Since I was not able to find any relevant bug reports within the Debian bug tracking system, I was very delighted to find someone having the same problem and reporting it here.

Following this and another bug report I found at RedHat (https://bugzilla.redhat.com/show_bug.cgi?id=876705), I placed the following kernel parameters configuration:

in /etc/sysctl.d/nfsv4_idmap_maxkeys:

  # NFSv4 idmap entries are counted against a very low quota
  # https://bugzilla.redhat.com/show_bug.cgi?id=876705
  kernel.keys.root_maxkeys = 1000
  kernel.keys.maxkeys = 1000

After activating that with sysctl the problem was gone with my installation.

For your reference:

before applying the "fix" in comment #9 the keys seem to be saturated (199/200).
(That was after "ls -al" in a nfs4 mounted dir with ~500 different owners)

# cat /proc/key-users
    0: 204 203/203 199/200 6275/20000

After enabling the new key quotas it showed:

# cat /proc/key-users
    0: 516 515/515 511/1000 16185/20000

running:
sudo sysctl kernel.keys.root_maxkeys=1000
sudo sysctl kernel.keys.maxkeys=1000

fixes the issue for me to some extent. I still have some files with 4294967294 instead of nobody or nogroup.

I only see the problem on one ldap and nfsv4 client running ubuntu 14.04 LTS (as a testbed). My other servers are running 12.04 and don't have the issue. They don't seem to be using these keys at all. Is idmaping enabled by default on 14.04 where it wasn't in 12.04?

I have created and attached a file 30-nfsv4-quota.conf for /etc/sysctl.d/ that ups the limit at boot time for ubuntu. It fixes the limit problem but I still have 4294967294 showing up instead of nobody or nogroup.

Confirmed on ubuntu 14.04 kernel 3.13.0-27-generic with NFSv4 mounts to an Isilon filesystem - even with very high values for the various kernel.keys parameters, we still get sporadic failures for UID/username mappings resulting in user or group IDs on new files showing up as 4294967294 rather than the correct value.

Our LDAP has < 250 users, and I've set these sysctl values on the NFS clients:

kernel.keys.gc_delay = 300
kernel.keys.maxbytes = 20000
kernel.keys.maxkeys = 10000
kernel.keys.persistent_keyring_expiry = 259200
kernel.keys.root_maxbytes = 400000
kernel.keys.root_maxkeys = 10000

Confirm this for 12.04 with hwe and trusty-kernel (linux-3.13.0-32-generic #57~precise1-Ubuntu)

We have less than 100 ldap users and under 100 groups.
On some clients here we have to use hwe with a newer kernel to support the hardware.
And on exactly those and only those clients from time to time gid and/or uid shows up with 4294967294 for some or all home directories.

gid/uid is ok on the other 12.04 clients with default kernel (3.2.0-67-generic #101-Ubuntu)

So this too seems to point towards a bug or misconfiguration with Kernel 3.13

user-keys show e.g. 0: 110 109/109 102/200 3778/20000 so quota isn't reached by far.

Confirm this for 14.04 with 3.13.0-35-generic kernel on server and clients (all are x86_64).

Had to use nfds.nfs4_disable_idmapping=0 in order for allow idmapping to work on old (10.04 and RHEL58) clients.

Maybe this will help: issuing of 'sudo nfsidmap -c' solves problem immediately till next time.

The work around in the RH ticket did not fix my issues on Ubuntu Trusty

# uname -a
Linux gentoo 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# cat /proc/sys/kernel/keys/root_maxbytes
200000

#cat /proc/sys/kernel/keys/root_maxkeys
10000

# cat /etc/sysctl.conf | grep root_
kernel.keys.root_maxkeys=10000
kernel.keys.root_maxbytes=200000

# ls -l ~/.ssh/
total 291
-rw------- 1 blkperl them 6387 Mar 28 11:37 authorized_keys
-rw------- 1 4294967294 them 672 Aug 15 11:44 config
-rw------- 1 4294967294 them 25 Jul 25 11:17 id_rsa
-rw------- 1 4294967294 them 159617 Aug 13 18:22 known_hosts
-rw------- 1 4294967294 them 158443 Jul 30 10:11 known_hosts.old
drwxr-xr-x 3 4294967294 them 18 Jan 30 2014 old
-rw------- 1 4294967294 them 1679 Aug 12 17:03 test-deploy_id_rsa
-rw------- 1 4294967294 them 398 Aug 12 17:03 test-deploy_id_rsa.pub

@blkperl

William, could you please confirm that you are using kernel at least 3.13.0-35.62 (this is a solution to #1344405 which may also cause similar effects).

Could you also please provide the output of:
$ sudo cat /proc/key-users

You may also try to increase values (beside their root_* counterparts):
kernel.keys.maxkeys=10000
kernel.keys.maxbytes=200000

Regards,
Dariusz

Hi Dariusz,

chicken:~# cat /proc/key-users
    0: 32 31/31 25/10000 537/200000
 3404: 4 4/4 4/200 38/20000
11254: 3 3/3 3/200 39/20000

I'm seeing the issue on both of the latest kernels 3.13.0.36.43 and 3.13.0.35.42

Increasing the values maxkeys and maxbytes and rebooting seems to have worked. I'll let you know if the systems change their mind.

Still seeing the issue after increasing maxkeys and maxbytes as specified in the last comment.

Hello William,

Regarding your comment #20: did the contents of /proc/key-users when you observe to issue somehow differ from the ones you posted in comment#19?

What I am trying to determine is whether for some reasons the quota is hit on your machine when you observe the issue or is it caused by any other error.

Thank you.

Here's an example of a broken machine with the increased maxkeys and maxbytes. It doesn't look different to me from the one in #19.

# cat /proc/key-users
    0: 23 22/22 16/10000 322/200000
11254: 5 5/5 5/10000 49/200000

We also tried installing the 3.16.3-031603-generic #201409171435 kernel and rebooting but the issue is still persistant.

William,

I'm sorry, but I cannot reproduce this issue with the kernels you mentioned.

Are you able to provide me sosreport from the affected system?

You could also try adding -vvv option to your /etc/request-key.d/id_resolver.conf to make it look like this:
create id_resolver * * /usr/sbin/nfsidmap -vvv -t 600 %k %d

and then list the problematic directory. There should be more verbose output either in dmesg output or in the syslog.

Thank you,
Dariusz

I have poked at this a bit. On my system, running this:

#!/bin/bash
while [ 1 ]; do
  touch foo
  test=`ls -lh foo | grep -v c.hetherington`
  if [ "$test" == "" ]; then
    echo "OOPS"
    echo $test
  fi
  sleep 1s
  rm foo
done

prints OOPS exactly 10 minutes after the first resolution of my username (c.hetherington) to my uid (10000). When this happens, -2 is returned as the uid/gid of the test file.

As far as I can see:

nfs_map_name_to_uid() returns -2 in *uid; it calls
nfs_idmap_lookup_id() which fails because it calls
nfs_idmap_get_key() which fails because it calls
nfs_idmap_request_key() which fails because it calls
request_key_with_auxdata() which fails because it calls
wait_for_key_construction() which fails because
key_validate() returns EKEYEXPIRED.

At some point subsequently, a new call to nfs_map_name_to_uid ends up calling /sbin/request-key after which everything is ok again.

I'm printk()ing the kernel and testing here so let me know if there's anything useful I can try.

The attached patch is a hack (to Ubuntu's 3.13.0 as shipped with 14.04) which seems to help here. I am no kernel developer, but maybe it will help to describe the problem and suggest a proper solution.

The attachment "0001-Invalidate-expired-keys-when-they-are-requested-in-o.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

The ubuntu kernel uses the same values as the upstream kernel in regards to these values. They are tunable for exactly this kind of case.

I brought this case up with the Ubuntu Kernel team, and unfortunately due to the fact that this could potentially be used in a memory-exhaustion, denial of service type attack we will not be changing from the default values. That being said if the mainline kernel decides to change the defaults we would definitely consider following mainline. For most machines raising these default values isn't an issue. However since Ubuntu is so prevalent in virtualized environments where memory is more restricted we will not be changing these values.

If you feel strongly that these values need to be changed please pursue with the mainline linux maintainers.

@Carl Hetherington

Your patch is interesting. Please submit it to the mainline kernel, and to stable if you feel it deserves to go into stable. Once it hits stable it will then likely get picked up by the Ubuntu 3.13 kernel.

Actually, I think this patch is a bit less invasive. I'll submit to the mainline kernel list and pick up my fire extinguisher ;)

nfs_patch2.patch works for me w/ ~27000 home directory setup. Thanks! Please do link to the lkml if you can (might take a few days to appear).

Hi Bryan, I'm glad it's working, thanks for the report. No response on LKML yet; here's the message:

https://lkml.org/lkml/2014/9/30/435

For anyone following at home:
http://www.spinics.net/lists/linux-nfs/msg47185.html

@Carl, For the future, it's probably better to use https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/ at least when you're pushing upstream. It does help a lot for possibly SRUing to know that it works on the trusty branch too :). Thanks for all your work!

I am not entirely sure if this is 100%ly related to this bug, but let me tell you my story here (contains another workaround):

I was also experiencing the problem of frequently having my files owned by 4294967294.
Setup is Ubuntu 14.04 with automounted nfs4/kerberos homes, the NFS server is running Debian Wheezy.

The problem was not existing with the previously used Ubuntu 13.10, so I began investigating and tried almost everything I found (which is mostly documented here), ranging from setting sysctl values to installing the kernel patch posted here.

However, nothing did help, so I decided to debug via /proc/keys:

While I still had the problem, /proc/keys (as seen by root) showed keys like this:

0094f999 I--Q--- 1 15s 3b010000 0 0 id_legacy uid:user@fqdn: 5

Note worthing is the remaining time of 15 seconds, shortly thereafter the problem occured for me and /proc/keys looked like
this:

0094f999 I--Q--- 1 expd 3b010000 0 0 id_legacy uid:user@fqdn: 5

The key was "expired" and there was no new one in the list.
So I issued "nfsidmap -v -c" (which did repair the situation everytime I have tried) and voilà:

5482b3a I--Q--- 1 9m 3b010000 0 0 id_legacy uid:user@fqdn: 5

I had a fresh key with a lifetime of ~ 10 minutes. But listen up, now comes the final workaround which has "fixed" the problem for about 3 or 4 days now:

 # apt-get install keyutils
 # restart idmapd
 # nfsidmap -v -c

And now the keys do no longer expire:

2014218e I--Q--- 1 perm 3b010000 0 0 id_resolv uid:user@fqdn: 5

As already mentioned, this is working since several days now without any issues, my stress-test to check this is by the way:

 somedir$ for i in $(seq 100000); do touch $i;sleep 0.2;done
 somedir$ while (true); do ls -lR | grep 4294967294;done

I still do not know exactly why installing keyutils has solved the issue or why this package was not previously installed as a dependency, but hey, it is a workaround at least for me and maybe others.

Hi Michael,

Thanks... installing keyutils seems to work for me too (without the kernel patch). I haven't investigated too closely, but it looks like the two fixes are sort-of equivalent. The userspace fix is far more appealing, though!

Interesting.. keyutils doesn't seem to help in my case. I'm running ls on the ~27000 user accounts home directory..

I don't understand why this would help... all nfsidmap would do is clear it once, and then it can fill up again/expire again.

Bryan: AFAICS the thing is that keyutils changes things so that the id_resolv uid:user@fqdn keys never expire. Without it, they expire after 10 minutes, and that triggers the bug which my kernel patch "fixes".

@carlh
Ah, your kernel patch also fixes the case where the key cache get's filled. (Which is my issue)

Status changed to 'Confirmed' because the bug affects multiple users.

I think this patch:
http://article.gmane.org/gmane.linux.nfs/67156
is another fix for this bug. I'm sure it is more elegant than mine. @Bryan: perhaps you could test it?

Works for original case, except nogroup now returns 4294967294, will ping list with results..

Or not.. it seems my issue was fixed somewhere between 3.13 and 3.17rc7...

It turns out in 3.17rc4 the root_maxkeys/bytes were greatly increased which is actually what solved my issue.. Sorry for the noise.

Raw notes:
with key utils - 3.17.rc7 - main issue gone, nogroup is now 4294967294
without key utils - 3.17-rc7 - main issue gone, nogroup is fine too

all rest without key utils
3.17-rc4 - no 4294967294 in output
/proc/sys/kernel/keys/root_maxbytes 25000000
/proc/sys/kernel/keys/root_maxkeys 1000000

3.17-rc3 - ~24000 in 3.17-rc4
/proc/sys/kernel/keys/root_maxkeys 200
/proc/sys/kernel/keys/root_maxbytes 20000

Hello Bryan,

The commit that has fixed this was https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=738c5d190f6540539a04baf36ce21d46b5da04bd

I think we can make use of it.

@Dariusz

My understanding is that we can't backport a config change (say to trusty). Since that was done upstream won't it just hit vivid in it's own time? In the mean time, this is configurable so a user can change their config in trusty.

@Bryan

Yes, you're right. It should hit vivid and since it is already configurable by sysctl there is no point in backporting.

The fixes for the problem I was seeing related to this bug are in Linux 3.18:

https://lkml.org/lkml/2014/12/7/202

(by David Howells).

I believe this is the commit in question:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0b0a84154eff56913e91df29de5c3a03a0029e38

Looks like a good canditate for considering a cherry-pick.

Carl, I have backported the fixes to trusty kernel. Could you please give them a try in your environment?

The build is available in my PPA (ppa:dgadomski/kernel-nfs).

Thanks!

@Dariusz: As I have similar problems with the HWE-Kernel of trusty for my precise installation, is it possible for ayou to build the fixed kernel also for trusty?
Or is there a plan to include the patch in the official trusty kernel?

I have tried your trusty-kernel, but I was not able to load the nvidia-331 kernel module, as there where some drm-related (drm_open etc.)symbols missing...
Stef.

Moving linux tracks back to In Progress due different solution.

Is there an ETA on including this in the main repos? I notice there's been a kernel update since Dariusz's patched kernel but it looks like this fix wasn't included.

The fix has been tagged as:
- Ubuntu-3.13.0-50.82 for Trusty
- Ubuntu-3.16.0-35.46 for Utopic

I don't see those version available in -updates yet, so please give it some more time to be release.

Thanks!

Ah, excellent. That release is in the kernel-team PPA - that'll do for the moment!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-utopic' to 'verification-done-utopic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Thanks for the fix.
Is there also a linux-image-generic-lts-trusty (for 12.04LTS )test kernel available?

Stef

I have tried yesterday the image linux-image-3.13.0-51-generic for Precise (linux-signed-image-generic-lts-trusty 3.13.0.51.44).
With no luck. I have again after some time the userid 4294967294 in shown for a lot of files and users.
So the problem seams unfixed for me.

Stef

stef: can you please check after you observe the problem if your key quota is not exceeded? You may do this with:
$ sudo cat /proc/key-users

This fix is known to solve the expired keys problem, but if the cause of the issue you are experiencing is the capacity of the key quota you may have to extend it (please see comment #2).

Thanks!

This bug was fixed in the package linux - 3.16.0-36.48

---------------
linux (3.16.0-36.48) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1443946
  * Merged back Ubuntu-3.16.0-34.47 security release

linux (3.16.0-35.46) utopic; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1442324

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64
    - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y
    - LP: #1398544

  [ dann frazier ]

  * [Config] CONFIG_RTC_DRV_EFI=y on arm64
    - LP: #1441291

  [ Upstream Kernel Changes ]

  * Revert "USB: serial: make bulk_out_size a lower limit"
    - LP: #1441317
  * Revert "i2c: core: Dispose OF IRQ mapping at client removal time"
    - LP: #1441317
  * Revert "net: cx82310_eth: use common match macro"
    - LP: #1441317
  * KEYS: request_key() should reget expired keys rather than give
    EKEYEXPIRED
    - LP: #1124250
  * drm/i915/bdw: 3D_CHICKEN3 has write mask bits
    - LP: #1374389
  * drm/i915: call lpt_init_clock_gating on BDW too
    - LP: #1374389
  * drm/i915/bdw: Apply workarounds in render ring init function
    - LP: #1374389
  * drm/i915/bdw: Cleanup pre prod workarounds
    - LP: #1374389
  * drm/i915: Refactor Broadwell PIPE_CONTROL emission into a helper.
    - LP: #1374389
  * drm/i915: Add the WaCsStallBeforeStateCacheInvalidate:bdw workaround.
    - LP: #1374389
  * drm/i915/bdw: Remove BDW preproduction W/As until C stepping.
    - LP: #1374389
  * drm/i915: Rework GPU reset sequence to match driver load & thaw
    - LP: #1384469
  * drm/ast: switch to using CACHED by default for sysram
    - LP: #1420627
  * drm/ast: Add missing entry to dclk_table[]
    - LP: #1420627
  * drm/ast: Add reduced blanking modes for wide screen mode
    - LP: #1420627
  * drm/ast: Try to use MMIO registers when PIO isn't supported
    - LP: #1420627
  * drm/ast: POST chip at probe time if VGA not enabled
    - LP: #1420627
  * drm/ast: Properly initialize P2A base before using it in
    ast_init_3rdtx()
    - LP: #1420627
  * drm/ast: Don't assume DVO enabled means SIL164 on uninitialized chips
    - LP: #1420627
  * drm/ast: Cleanup analog init code path
    - LP: #1420627
  * audit: correctly record file names with different path name types
    - LP: #1439441
  * of: Create of_console_check() for selecting a console specified in
    /chosen
    - LP: #1438585
  * of: Enable console on serial ports specified by /chosen/stdout-path
    - LP: #1438585
  * of: correct of_console_check()'s return value
    - LP: #1438585
  * of: Add bindings for chosen node, stdout-path
    - LP: #1438585
  * of: add optional options parameter to of_find_node_by_path()
    - LP: #1438585
  * of: support passing console options with stdout-path
    - LP: #1438585
  * netfilter: nf_tables: disable preemption when restoring chain counters
    - LP: #1441317
  * netfilter: nf_tables: fix leaks in error path of nf_tables_newchain()
    - LP: #1441317
  * ipvs: rerouting to local clients is not needed anymore
    - LP: #1441317
  * netfilter: nft_compat: fix module refcount underflow
    - LP: #1441317
  * netf...

This bug was fixed in the package linux - 3.13.0-51.84

---------------
linux (3.13.0-51.84) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1444141
  * Merged back Ubuntu-3.13.0-49.83 security release

linux (3.13.0-50.82) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1442285

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64
    - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y
    - LP: #1398544

  [ Upstream Kernel Changes ]

  * KEYS: request_key() should reget expired keys rather than give
    EKEYEXPIRED
    - LP: #1124250
  * audit: correctly record file names with different path name types
    - LP: #1439441
  * KVM: x86: Check for nested events if there is an injectable interrupt
    - LP: #1413540
  * be2iscsi: fix memory leak in error path
    - LP: #1440156
  * block: remove old blk_iopoll_enabled variable
    - LP: #1440156
  * be2iscsi: Fix handling timed out MBX completion from FW
    - LP: #1440156
  * be2iscsi: Fix doorbell format for EQ/CQ/RQ s per SLI spec.
    - LP: #1440156
  * be2iscsi: Fix the session cleanup when reboot/shutdown happens
    - LP: #1440156
  * be2iscsi: Fix scsi_cmnd leakage in driver.
    - LP: #1440156
  * be2iscsi : Fix DMA Out of SW-IOMMU space error
    - LP: #1440156
  * be2iscsi: Fix retrieving MCCQ_WRB in non-embedded Mbox path
    - LP: #1440156
  * be2iscsi: Fix exposing Host in sysfs after adapter initialization is
    complete
    - LP: #1440156
  * be2iscsi: Fix interrupt Coalescing mechanism.
    - LP: #1440156
  * be2iscsi: Fix TCP parameters while connection offloading.
    - LP: #1440156
  * be2iscsi: Fix memory corruption in MBX path
    - LP: #1440156
  * be2iscsi: Fix destroy MCC-CQ before MCC-EQ is destroyed
    - LP: #1440156
  * be2iscsi: add an missing goto in error path
    - LP: #1440156
  * be2iscsi: remove potential junk pointer free
    - LP: #1440156
  * be2iscsi: Fix memory leak in mgmt_set_ip()
    - LP: #1440156
  * be2iscsi: Fix the sparse warning introduced in previous submission
    - LP: #1440156
  * be2iscsi: Fix updating the boot enteries in sysfs
    - LP: #1440156
  * be2iscsi: Fix processing CQE before connection resources are freed
    - LP: #1440156
  * be2iscsi : Fix kernel panic during reboot/shutdown
    - LP: #1440156
  * fixed invalid assignment of 64bit mask to host dma_boundary for scatter
    gather segment boundary limit.
    - LP: #1440156
  * quota: Store maximum space limit in bytes
    - LP: #1441284
  * ip: zero sockaddr returned on error queue
    - LP: #1441284
  * net: rps: fix cpu unplug
    - LP: #1441284
  * ipv6: stop sending PTB packets for MTU < 1280
    - LP: #1441284
  * netxen: fix netxen_nic_poll() logic
    - LP: #1441284
  * udp_diag: Fix socket skipping within chain
    - LP: #1441284
  * ping: Fix race in free in receive path
    - LP: #1441284
  * bnx2x: fix napi poll return value for repoll
    - LP: #1441284
  * net: don't OOPS on socket aio
    - LP: #1441284
  * bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify
    - LP: #1441284
  * ipv4: tcp: get rid of ugly unicast_sock
...

Dariusz:
Today the problem has occurred again:
sudo cat /proc/key-users
    0: 65 64/64 58/200 810/20000
and the /var/mail folder was hit in this case.
After a while (about 1 hour) the problem diminishes with the following key-users result:
   0: 21 20/20 14/200 194/20000
As I don´t understand the meaning of this values, I don´t know what values I should use.
We have a ldap/krb5 setup with 30 users and 15 groups.
The kernel was
Linux version 3.13.0-51-generic (buildd@tipua) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #84~precise1-Ubuntu SMP Wed Apr 15 21:45:46 UTC 2015

Thanks Stef

Stef, thanks for the update.
Can you please confirm that you have upgraded your kernel to version 3.13.0-51.84 or later? This is the first release that has this fix. The version you mentioned earlier (3.13.0.51.44) is expected to be still affected by this bug.

Thank you.

Hi Dariusz,
I think
Linux version 3.13.0-51-generic (buildd@tipua) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #84~precise1-Ubuntu SMP Wed Apr 15 21:45:46
is the latest kernel.

dpkg -s linux-image-3.13.0-51-generic
Package: linux-image-3.13.0-51-generic
Status: install ok installed
Priority: optional
Section: kernel
Installed-Size: 192808
Maintainer: Ubuntu Kernel Team <email address hidden>
Architecture: amd64
Source: linux-lts-trusty
Version: 3.13.0-51.84~precise1

Thanks Stef

Thank you Stef. I have verified the fix on trusty with trusty kernel. I will try to set up a precise environment with trusty kernel and reproduce this issue.

Hi Dariusz,
the problem is still present with Linux version 3.13.0-52-generic.

dpkg -s linux-image-3.13.0-52-generic
Package: linux-image-3.13.0-52-generic
Status: install ok installed
Priority: optional
Section: kernel
Installed-Size: 41219
Maintainer: Ubuntu Kernel Team <email address hidden>
Architecture: amd64
Source: linux
Version: 3.13.0-52.86

I guess all my other settings are fine.

Thanks Mario

I can confirm that the problem persists (and possibly even has become more common) here with the recent kernel update:

$ ls -ld /some-nfsv4-mounted-directory ; cat /proc/key-users ; uname -a
drwxrwsr-x 2 4294967294 4294967294 4096 Dec 20 2007 .
/proc/key-users: 0: 60 59/59 53/2000 1226/400000
Linux dirac.cl.cam.ac.uk 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:17 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ dpkg-query -s keyutils
dpkg-query: package 'keyutils' is not installed and no information is available

$ grep -H '' /proc/sys/kernel/keys/*
/proc/sys/kernel/keys/gc_delay:300
/proc/sys/kernel/keys/maxbytes:20000
/proc/sys/kernel/keys/maxkeys:2000
/proc/sys/kernel/keys/persistent_keyring_expiry:259200
/proc/sys/kernel/keys/root_maxbytes:400000
/proc/sys/kernel/keys/root_maxkeys:2000

Documentation of /proc/sys/kernel/keys/* etc.:

  https://www.kernel.org/doc/Documentation/security/keys.txt

If I understood correctly, historically there have been two independently developed alternative user-space mechanisms that can perform uid <-> user name lookups for the Linux NFSv4 implementation in the kernel, one from the University of Michigan and one from NetApp:

A) /usr/sbin/rpc.idmapd runs as a daemon and listens to some pipe in /run/rpc_pipefs, and kernel sends requests via that pipe

B) kernel executes for each request the command /sbin/request-key, which according to /etc/request-key.* calls nfsidmap, which then answers to the kernel via the add_key() and keyctl() system calls

Which of these is meant to be used on Ubuntu 145.04 LTS, and how to I specify and verify that choice?

I'm asking, because I get syslog messages from rpc.idmapd such as

May 7 13:51:11 dirac nfsidmap[10738]: nss_getpwnam: name 'nobody' does not map into domain 'cl.cam.ac.uk'

and at the same time I also find nfsidmap-related keys in

$ sudo cat /proc/keys
[...]
2c6194e5 I--Q-N- 1 26s 3b010000 0 0 id_resolv uid:<email address hidden>
2d5a0c25 I--Q-N- 1 28s 3b010000 0 0 id_resolv uid:<email address hidden>
2e025d97 I--Q--- 1 9m 3b010000 0 0 id_legacy uid:<email address hidden>: 5
2e463b17 I--Q--- 1 9m 3b010000 0 0 id_legacy uid:<email address hidden>: 5
331c87da I--Q-N- 1 28s 3b010000 0 0 id_resolv gid:<email address hidden>
33955fd4 I--Q--- 1 9m 3b010000 0 0 id_legacy gid:<email address hidden>: 4
36702b00 I--Q-N- 1 28s 3b010000 0 0 id_resolv gid:<email address hidden>
376c94e9 I--Q-N- 1 28s 3b010000 0 0 id_resolv uid:<email address hidden>
37ef3e9a I--Q--- 1 9m 3b010000 0 0 id_legacy gid:<email address hidden>: 4
3c332878 I--Q--- 1 9m 3b010000 0 0 id_legacy gid:nobody: 6
3e585863 I------ 1 perm 1f030000 0 0 keyring .id_resolver: 36
3fbf548d I------ 1 perm 1f0b0000 0 0 keyring .system_keyring: 1

Are both these idmap systems really supposed to be active at the same time?

What is the difference between the id_resolv and id_legacy key types?

What does it mean to have negative id_resolv and non-negative id_legacy keys at the same time, as above?

Where is all this NFSv4 uid/gid translation mechanics documented?

Hi,

the prolem is still present with

dpkg -s linux-image-3.16.0-38-generic
Package: linux-image-3.16.0-38-generic
Status: install ok installed
Priority: optional
Section: kernel
Installed-Size: 43744
Maintainer: Ubuntu Kernel Team <email address hidden>
Architecture: amd64
Source: linux-lts-utopic
Version: 3.16.0-38.52~14.04.1

I would be happy contributing to fix the problem. Not using nfsv4 is not a nice option.

Thanks

Still see this with 3.13.0-53-generic

Installing larger values as suggested above wasn't initially very successful. As suggested a "nfsidmap -c" and that seemed to have worked for now.

I'm running into this problem (keys don't get automatically renewed and are expired after 10 minutes) on a precise server running the trusty lts kernel.

I've just rebooted into the latest version (3.13.0.53.46), and the problem is still present.

#33 mentions that installing keyutils fixes this. It "fixes" it by making the keys permanent (and thus increasing the likelihood of running out of space in the cache), and only with the trusty version of keyutils. With the precise version of keyutils, keys still expire and do not get renewed.

Still, for people affected by the lack of renewal issue, you can install the trusty version of keyutils + libkeyutils1 + libnfsidmap2 (the trusty packages install cleanly on precise), and your keys will become permanent (beware of cache filling though).

Amending #71: still seeing this problem.

This bug affects Precise, but it's not marked so. Back in June, I had mentioned that it was possible to make the keys permanent by using the trusty versions of keyutils + libkeyutils1 + libnfsidmap2. This is now not possible anymore with the latest kernel versions available on Precise.

I understand that making the keys permanent is not actually a solution, but right now, on Precise with the trusty-lts kernel the keys keep getting expired and not renewed. This is wrong and needs to be fixed.

I did one more test on Trusty today, running 3.13.0-57-generic kernel. Installing keyutils (no other hacks needed), makes the keys turn permanent (which serves as a workaround but leads to problems because of the cache getting full).

Without keyutils, the keys do NOT get renewed as they should.

So, this is the current state:

Precise running 3.2 kernel: not affected
Precise running 3.13 lts kernel: keys do not get renewed, no way to make them permanent without ugly hacks.
Trusty running 3.13 kernel: keys do not get renewed, they can be made permanent by running keyutils.

In the Precise + lts kernel case, it's possible to hack around the userland tools to make the keys become permanent (keyutils + libkeyutils1 + libnfsidmap2 from trusty + /usr/sbin/nfsidmap + /etc/request-key.d/id_resolver.conf from nfs-common in trusty). I was not able to find a way to make the keys renew automatically which would be the right behavior.

Hi, I'm still seeing this error.

root@XX:~# uname -r
3.13.0-77-generic
root@XX~#
root@~# cat /etc/issue
Ubuntu 14.04.4 LTS \n \l

root@:~#

Hi, Am I still hitting this bug ?

root@XX:~# uname -r
3.13.0-77-generic
root@XX~#
root@~# cat /etc/issue
Ubuntu 14.04.4 LTS \n \l

root@:~#

root@prod-login-west01:~# ls -l /u4/ | head
total 9356
drwx--x--x 6 nobody staff 4096 Jun 24 2013 aabdul
drwx--x--x 75 nobody staff 24576 Feb 12 2015 aadhikar
drwxr-xr-x 3 4294967294 daemon 4096 Nov 6 2013 aaggarwa
drwx--x--x 27 nobody staff 20480 Jul 22 2012 aalness
drwx--x--x 3 4294967294 staff 4096 Aug 1 2012 aamehta
drwx--x--x 4 nobody staff 4096 Dec 10 2012 aamsalem
drwx--x--x 4 4294967294 staff 4096 Jan 23 2015 aamte
drwxr-xr-x 3 4294967294 staff 4096 Jul 15 2014 aanand
drwx--x--x 2 4294967294 staff 4096 Mar 26 2013 aassfalg
root@prod-login-west01:~#