Multi-user sec=krb5 NFSv4 client blocks when one user has an expired ticket

Bug #409438 reported by Neil Hoggarth on 2009-08-05
This bug affects 4 people
Affects: linux (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: nfs-utils (Debian); Status: New; Importance: Unknown

Bug Description

I have an Ubuntu 08.04.3 NFSv4 server and a number of NFSv4 clients,
also running Ubuntu 08.04.3.

The clients use autofs to mount user home directories from the server.

I use Kerberos to authenticate the users logging into the clients (using
pam_krb5), and require Kerberos authentication of NFS traffic via the
sec=krb5 export and mount options.

Things seem to work normally on a workstation used by only one user -
people can log in, get valid kerberos tickets from the KDC and their
home directory mounts automatically.

However, a problem arises on multi-user systems: if one user (say "user
A") has successfully logged in and left themselves logged in such that
their Kerberos TGT has expired, then a second user ("user B") attempts
to log into the same system then the attempt to access the home
directory of "user B" blocks indefinitely. If "user A" subsequently
obtains a new Kerberos TGT then the login attempt belonging to "user B"
unblocks and runs to a successful completion.

While "B" is blocked, the kernel logs the following error message over
and over again, at a very high rate (3000-6000 times a second):

Aug 5 11:37:14 ulf kernel: [3099781.024499] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
Aug 5 11:37:14 ulf kernel: [3099781.025007] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
Aug 5 11:37:14 ulf kernel: [3099781.025483] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13

The symptoms that I am observing sound exactly like

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446238

To be clear: I expect user A's access to NFS mounted filesystems to fail
when their Kerberos tickets have expired, but I don't expect user B's
access to the same filesystems to depend on user A.

ProblemType: Bug
Architecture: amd64
Date: Wed Aug 5 17:09:42 2009
Dependencies:

DistroRelease: Ubuntu 8.04
Package: linux None [modified: /var/lib/dpkg/info/linux.list]
PackageArchitecture: amd64
ProcEnviron:
 PATH=/opt/mricron:/nfs4/willis.dpag.ox.ac.uk/software/unix/matlab/2009a/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-meta
Uname: Linux 2.6.24-24-generic x86_64
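
The log flood described in this report can be detected mechanically. The following is an added example, not part of the original report or of any Ubuntu tooling: it counts the quoted kernel message per server per second and flags servers that reach a threshold. The 1000-per-second threshold, the function names and the 192.0.2.x sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Kernel message quoted in the report; the bracketed number is the
# kernel's seconds-since-boot timestamp.
PATTERN = re.compile(
    r"kernel: \[\s*(?P<ts>\d+)\.\d+\] Error: state recovery failed "
    r"on NFSv4 server (?P<server>\S+) with error (?P<err>\d+)"
)


def find_recovery_storms(lines, threshold=1000):
    """Return {(server, error): (peak_per_second, total)} for each server
    whose failure messages reach `threshold` (assumed value) in one second."""
    per_second = defaultdict(Counter)
    for line in lines:
        m = PATTERN.search(line)
        if m:
            per_second[(m["server"], int(m["err"]))][int(m["ts"])] += 1
    storms = {}
    for key, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= threshold:
            storms[key] = (peak, sum(buckets.values()))
    return storms


def constructed_sample():
    """Constructed input: 3000 failures within one second from 192.0.2.10,
    one isolated failure from 192.0.2.20, and one unrelated kernel line."""
    fmt = ("Aug  5 11:37:14 host kernel: [{}.{:06d}] Error: state recovery "
           "failed on NFSv4 server {} with error 13")
    lines = [fmt.format(3099781, i * 300, "192.0.2.10") for i in range(3000)]
    lines.append(fmt.format(3099790, 5, "192.0.2.20"))
    lines.append("Aug  5 11:37:15 host kernel: [3099782.000001] eth0: link up")
    return lines


if __name__ == "__main__":
    for (server, err), (peak, total) in find_recovery_storms(
            constructed_sample()).items():
        print(f"{server}: error {err}, peak {peak}/s, {total} messages")
```

On a client, pass it the lines of the kernel log; a flagged server together with blocked logins matches the symptom reported here.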

kernel-janitor (kernel-janitor) wrote :

[This is an automated message. Apologies if it has reached you inappropriately.]

This bug was reported against the linux-meta package when it likely should have been reported against the linux package instead. We are automatically transitioning this to the linux kernel package so that the appropriate teams are notified and made aware of this issue.

If this bug really is a bug in the linux-meta package you can move it back to linux-meta and set the Status to Confirmed, or contact us on the #ubuntu-kernel channel on the FreeNode IRC server. Thanks.

affects: linux-meta (Ubuntu) → linux (Ubuntu)
Neil Hoggarth (neil-hoggarth) wrote :

I have recently set up an Ubuntu 9.10 release candidate system for testing, and I am able to reproduce this
problem there, too. My new test system does not use the automounter - I encounter the same problem with
a statically (fstab) mounted NFS4 sec=krb5 home directory tree and two kerberised login accounts.

It seems to affect a wide range of kernel versions, both i386 and amd64 architectures, and be
observable/reproducible on any system using pam-krb5 for authentication/ticket acquisition and kerberised
NFS4 home directories.

Timo Aaltonen (tjaalton) wrote :

Could you try the patches mentioned here:

http://linux-nfs.org/pipermail/nfsv4/2010-February/012075.html

They might help here too.

Changed in linux (Ubuntu):
status: New → Incomplete
Jeremy Foshee (jeremyfoshee) wrote :

This bug report was marked as Incomplete and has not had any updated comments for quite some time. As a result this bug is being closed. Please reopen if this is still an issue in the current Ubuntu release http://www.ubuntu.com/getubuntu/download . Also, please be sure to provide any requested information that may have been missing. To reopen the bug, click on the current status under the Status column and change the status back to "New". Thanks.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: kj-expired
Changed in linux (Ubuntu):
status: Incomplete → Expired

I have the same problem with Debian lenny as NFS server and NFS client.

Changed in linux (Ubuntu):
status: Expired → Confirmed

For reference I am adding this thread that contains more info from the submitter:

  http://linux-nfs.org/pipermail/nfsv4/2009-November/011598.html

Changed in nfs-utils (Debian):
status: Unknown → New
Timo Aaltonen (tjaalton) wrote :

Did you mean to say 'squeeze'? Lenny is old.

On Fri, 2010-07-02 at 09:27 +0000, Timo Aaltonen wrote:

> Did you mean to say 'squeeze'? Lenny is old.

No, I really meant "lenny". With "squeeze", mounting with Kerberos does
not even work (see my post to the Linux-NFS mailing list :>).

--
Laurent Bonnaud.

Timo Aaltonen (tjaalton) wrote :

Then I don't understand why you reopened the bug here. For the record, I haven't been able to reproduce this problem on lucid..

On Fri, 2010-07-02 at 16:40 +0000, Timo Aaltonen wrote:
>
> Then I don't understand why you reopened the bug here.

Because it had expired and had not been marked as fixed.

> For the record, I
> haven't been able to reproduce this problem on lucid..

Great news, thanks for the info! I am looking forward to being able to
test this myself in squeeze...

I'm going to close this bug again...

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Juha Erkkilä (juha-erkkila) wrote :

I am seeing a very similar issue with Ubuntu Lucid release. In my tests the kerberos ticket does not actually need to expire, instead it is enough if it is simply destroyed or removed from the filesystem. See http://www.spinics.net/lists/linux-nfs/msg22430.html for more information.

This bug also exists in RedHat:

  https://bugzilla.redhat.com/show_bug.cgi?id=537193

I would have liked to link both bugs but unfortunately launchpad does not know about the RedHat distribution.
