expired kerberos credentials cause significant syslog spam
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nfs-utils (Ubuntu) | Fix Released | Undecided | Unassigned | |
Hardy | Fix Released | Medium | Unassigned | |
Intrepid | Won't Fix | Medium | Unassigned | |
nfs-utils (openSUSE) | Fix Released | Critical | | |
Bug Description
This bug can cause an installation's filesystem to fill up due to excessive logging by rpc.gssd, when the user's Kerberos credentials have expired and they have /home mounted via Kerberised NFS.
An explanation of how the bug has been addressed in the development branch, including the relevant version numbers of packages modified in order to implement the fix.
This bug has been fixed in the development branch, by way of a patch (fixed in 1:1.1.2-4ubuntu2).
The patch is attached to this bug report.
TEST CASE: have a system that mounts /home via Kerberised NFS. kdestroy. Wait ~15 minutes for rpc.gssd's cached credentials to expire. Perform activities that attempt to access files in $HOME. Much logging like what is below will occur.
This is a very simple patch. The potential for regression is slim, as all this patch does is decrease the logging verbosity of a few messages below that of normal operation.
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 context for user with uid 85153 for server *REDACTED*
Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
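One way to spot this flood in syslog before it fills the filesystem, as an added example that is not part of the original report or of nfs-utils: it counts the rpc.gssd context-failure warnings per host and uid and flags bursts that land within a single syslog second. The function name, the threshold of 5 and the uid 1000 are assumptions, and the sample lines are constructed from the message format shown above.

```python
import re
from collections import Counter, defaultdict

# The rpc.gssd warning from the report; host and uid are the fields we key on.
WARN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+rpc\.gssd\[\d+\]:\s+"
    r"WARNING: Failed to create krb5 context for user with uid (?P<uid>\d+)"
)

def gssd_flood(lines, threshold=5):
    """Report (host, uid) pairs whose warnings reach `threshold` (assumed
    cut-off) inside one syslog second, with totals and bytes written."""
    per_second = Counter()                # (host, uid, ts) -> warnings that second
    totals = defaultdict(lambda: [0, 0])  # (host, uid) -> [warnings, bytes]
    for line in lines:
        m = WARN_RE.match(line)
        if not m:
            continue                      # other daemons, or the uid-less ERROR line
        key = (m["host"], m["uid"])
        per_second[key + (m["ts"],)] += 1
        totals[key][0] += 1
        totals[key][1] += len(line) + 1   # +1 for the newline syslog writes
    report = []
    for key, (count, size) in sorted(totals.items()):
        peak = max(n for k, n in per_second.items() if k[:2] == key)
        if peak >= threshold:
            report.append({"host": key[0], "uid": key[1], "warnings": count,
                           "peak_per_second": peak, "bytes": size})
    return report

# Constructed sample: 7 warning/error pairs for one uid, 1 pair for another.
WARN = ("Oct 8 17:05:18 swan rpc.gssd[4747]: WARNING: Failed to create krb5 "
        "context for user with uid {uid} for server *REDACTED*")
ERR = ("Oct 8 17:05:18 swan rpc.gssd[4747]: ERROR: GSS-API: error in "
       "gss_acquire_cred(): Unspecified GSS failure. Minor code may provide "
       "more information - No credentials cache found")
SAMPLE = [WARN.format(uid=85153), ERR] * 7 + [WARN.format(uid=1000), ERR]
SAMPLE.append("Oct 8 17:05:19 swan cron[811]: (root) CMD (constructed line)")

if __name__ == "__main__":
    for entry in gssd_flood(SAMPLE):
        print(entry)
```

Each flagged uid is a user whose credentials cache is gone while a Kerberised NFS mount is still in use; the `bytes` figure covers only the warning lines, so the paired ERROR lines add to the real volume.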
tags: added: verification-done; removed: verification-needed
Changed in nfs-utils (openSUSE): importance: Unknown → Medium; status: Unknown → Fix Released
Changed in nfs-utils (openSUSE): importance: Medium → Critical
Hi Andrew, thanks for the debdiff.
I've a question though...
This patch appears to be doing two things. First, it's altering the priority on some debug messages - this part I think is perfectly fine.
The other part is affecting the message printing logic:
+--- nfs-utils- 1.1.2.orig/ utils/gssd/ err_util. c 1.1.2/utils/ gssd/err_ util.c
++++ nfs-utils-
+@@ -49,6 +49,10 @@
+ {
+ va_list args;
+
++ /* Decrease verbosity so we don't log so much */
++ if ((priority - verbosity) > 1)
++ return;
++
+ /* Don't bother formatting a message we're never going to print! */
+ if (priority > verbosity)
+ return;
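Review bot: the added early return at `if ((priority - verbosity) > 1)` is already covered by the existing `if (priority > verbosity)` check directly below it. Any priority more than one above verbosity is also above verbosity, so the new test suppresses no message the function would otherwise have printed. Drop the four added lines; if the intent is a different cut-off, change the existing comparison instead and reword the comment, since "Decrease verbosity so we don't log so much" does not describe what these lines do.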
So this is changing the logic so it avoids printing messages unless the 'priority' is more than 'verbosity+1'. This part I think should not be included. I think it's unnecessary anyway, and just doubles up on your other fix.
Would you mind re-rolling the debdiff with this piece omitted? (Or explain why it's needed if I'm missing something.)