rpc.gssd: ERROR: GSS-API: error in gss_free_lucid_sec_context(): GSS_S_NO_CONTEXT

Bug #1331201 reported by Sergio Gelato on 2014-06-17
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
NFS-Utils
Unknown
Unknown
nfs-utils (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned

Bug Description

[Test Case]
See comment #5.

After upgrading from precise to trusty, I started seeing the following error messages in the logs whenever there was Kerberized NFS activity:

Jun 17 08:02:43 hostname rpc.gssd[1021]: ERROR: GSS-API: error in gss_free_lucid_sec_context(): GSS_S_NO_CONTEXT (No context has been established) - Unknown errorJun 17 08:02:43 hostname rpc.gssd[1021]: WARN: failed to free lucid sec context

I've determined this to be a regression introduced (into upstream release 1.2.8) by commit 051eb4863cf880f0349a1de44517f9c99a9c5bd4. The bug is still present in upstream release 1.3.0. I've successfully tested the attached, obvious patch.

Sergio Gelato (sergio-gelato) wrote :

The attachment "90-gss-free-lucid-sec-context.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Adam Conrad (adconrad) wrote :

Uploaded to both utopic and trusty.

Brian Murray (brian-murray) wrote :

Sergio - could you provide a test case which is part of the Stable Release Update process so that we can get this fixed in 14.04? Thanks for the patch!

https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

* Brian Murray [2014-06-25 18:54:46 -0000]:
> Sergio - could you provide a test case which is part of the Stable
> Release Update process so that we can get this fixed in 14.04?

Let me try. The problem manifested itself spontaneously in my production
environment so I'm not sure exactly which ingredients are required
and which are optional. The following is probably overspecified.

Prerequisites:
-- a Kerberos realm (EXAMPLE.ORG); my KDC runs Heimdal (slightly modified
from Debian wheezy) but I see no reason why this should matter here.
-- an NFS server host (server.example.org) with /etc/krb5.keytab containing
valid keys for <email address hidden>, package nfs-kernel-server
installed, a filesystem at /export/nfs and an entry for it in /etc/exports:
/export/nfs client.example.org(sec=krb5p,rw,root_squash,sync,no_subtree_check)
This server can but need not be running Ubuntu 14.04 (in my tests it was
running Debian wheezy).
-- an NFS client host (client.example.org) with autofs configured to automount
server.example.org:/export/nfs somewhere (say, on /srv/nfs), running
the version of rpc.gssd that is to be tested. Remember to include sec=krb5p
in the mount options. It is recommended to run rpc.gssd with a short timeout
(e.g., rpc.gssd -t 60) at least for the purposes of this test: the bug
manifests itself when rpc.gssd prepares a new GSS context for the kernel,
so it helps to force this to happen often. In my environment the client
has machine credentials in /etc/krb5.keytab
(<email address hidden>, <email address hidden>
and <email address hidden>) though this is probably overkill
for the purposes of this test. The problem should be reproducible with a
static mount (no autofs) as well but I haven't actually tried that.

Testing procedure:
1. Log in to client.example.org as a non-root user with a corresponding
principal in EXAMPLE.ORG.
2. Obtain a Kerberos TGT for this user, either as part of the login process
(pam_krb5) or interactively by running kinit.
3. Try to access the mountpoint of the NFS share (/srv/nfs). A simple
 ls /srv/nfs
should be enough. This is expected to succeed even when the bug is present;
if it doesn't, the setup must be incorrect.
4. Look for warning messages from rpc.gssd (as in the subject of this bug
report) in the client's syslog (or, if running rpc.gssd -f, on standard
error) triggered by the NFS activity at step 3. These messages should no
longer appear once the patch is applied.

I've glossed over the configuration of /etc/idmapd.conf since I expect it
should all work with default settings there.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nfs-utils - 1:1.2.8-6ubuntu4

---------------
nfs-utils (1:1.2.8-6ubuntu4) utopic; urgency=medium

  * Add patch from Sergio Gelato to adjust for changes to the ctx
    argument of the serialize_krb5_ctx() function (LP: #1331201)
 -- Adam Conrad <email address hidden> Wed, 25 Jun 2014 12:23:09 -0600

Changed in nfs-utils (Ubuntu):
status: New → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nfs-utils (Ubuntu Trusty):
status: New → Confirmed

Hello Sergio, or anyone else affected,

Accepted nfs-utils into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nfs-utils/1:1.2.8-6ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nfs-utils (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Sergio Gelato (sergio-gelato) wrote :

Version: 1:1.2.8-6ubuntu1.1 verified on trusty amd64.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nfs-utils - 1:1.2.8-6ubuntu1.1

---------------
nfs-utils (1:1.2.8-6ubuntu1.1) trusty; urgency=medium

  * Add patch from Sergio Gelato to adjust for changes to the ctx
    argument of the serialize_krb5_ctx() function (LP: #1331201)
 -- Adam Conrad <email address hidden> Wed, 25 Jun 2014 12:23:09 -0600

Changed in nfs-utils (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for nfs-utils has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.