continuous handle_nullreq: failed; please move to gssproxy
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| nfs-utils (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
[don't look at the system config. The actual server can't contact your bug system, so this is being submitted from a desktop]
Ubuntu 22.04.1. NFS server using kerberized NFS.
Occasionally individual users lose access to their files, typically at login. They get permission failed. The server shows continuous messages:
rpc.svcgssd[5672]: WARNING: handle_nullreq: failed reading request.
Looking at the code, this seems to happen when the GSS token is too large for the fixed kernel buffer. The limit is documented as 2K, except that the protocol to svcgssd is in text, so it's 4K there. Using strace, I can see that when the system is working, some of the tokens are very nearly 4K.
This problem should be fixed by using gssproxy instead of svcgssd. I'd suggest that you move to gssproxy as the default. I think we'll see increasing evidence of this problem as sites move to newer versions of Kerberos.
The problem seems to have started when we upgraded our IPA servers. The newest version of Kerberos includes PACs in the Kerberos tickets. That increases the size of tickets. We're guessing that this was enough to push the system into this failure mode intermittently.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: nfs-common 1:2.6.1-1ubuntu1.2
ProcVersionSign
Uname: Linux 5.19.0-35-generic x86_64
.etc.request-
ApportVersion: 2.20.11-0ubuntu82.4
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Thu Jul 20 14:56:18 2023
InstallationDate: Installed on 2022-11-07 (254 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
NFSMounts:
NFSv4Mounts: /staff/users temp.lcsr.
SourcePackage: nfs-utils
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
modified.
mtime.conffile.
mtime.conffile.
| Charles Hedrick (hedrick) wrote | #1 |
