rpc.gssd does not handle missing machine credential cache
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nfs-utils (Ubuntu) | Confirmed | Medium | Unassigned | | |
Bug Description
We use NFSv3 with Kerberos authentication. The filer is a NetApp. The client is:
Description: Ubuntu 10.04 LTS
Release: 10.04
We patch /etc/init/gssd.conf to add extra credential caches:
exec rpc.gssd -d /var/run/
We enabled extra rpc.gssd logging and received the following:
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: Full hostname for 'filer.redacted' is 'filer.redacted'
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: Full hostname for 'sh12.redacted' is 'sh12.redacted'
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: Key table entry not found while getting keytab entry for 'root/sh12.
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: Success getting keytab entry for 'nfs/sh12.
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: ERROR: Credentials cache file '/var/run/
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: INFO: Credentials in CC 'FILE:/
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: using FILE:/var/
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: using environment variable to select krb5 ccache FILE:/var/
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: creating context using fsuid 0 (save_uid 0)
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Credentials cache file '/var/run/
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/var/
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server filer.redacted
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: doing error downcall
Steps to Reproduce:
Install lucid (with sec=krb5 mounts and rpc.gssd enabled...)
Mount a sec=krb5 volume (rpc.gssd will generate a krb5cc_
Delete the credential cache
Try to mount another sec=krb5 volume -> fails.
This log line:
Oct 15 01:31:40 sh12.redacted rpc.gssd[320]: INFO: Credentials in CC 'FILE:/
Seems to indicate that rpc.gssd is keeping some kind of in-process state that the credential cache is not expired (and thus good) even if the credential cache is deleted from under it.
I thought this was fixed upstream in:
http://
However, I back-ported the nfs-utils-1.2.2 package (from maverick), which has this patch applied, and the issue is still repeatable when running that version.
There is also a nagging issue as to what exactly is deleting the credentials cache on my affected machines (this is not normal behavior and only a small number of machines are affected). I hope to get a better idea of that problem shortly.
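A log check for the failure sequence quoted in the report above, as an added example that is not part of the original bug report or of nfs-utils: it correlates the gss_acquire_cred() credentials-cache error with the uid 0 "any credentials cache" failure and the error downcall that follow it. The sample lines, host names and ccache path are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in the shape of the rpc.gssd lines quoted in the report.
# Host names, the ccache path and the text after it are placeholders.
SAMPLE_LOG = """\
Oct 15 01:31:40 client.example rpc.gssd[320]: creating context using fsuid 0 (save_uid 0)
Oct 15 01:31:40 client.example rpc.gssd[320]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Credentials cache file '/tmp/example/krb5cc_machine_EXAMPLE' not found
Oct 15 01:31:40 client.example rpc.gssd[320]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server filer.example
Oct 15 01:31:40 client.example rpc.gssd[320]: doing error downcall
Oct 15 01:32:10 client.example rpc.gssd[320]: creating context using fsuid 1000 (save_uid 0)
Oct 15 01:32:10 client.example rpc.gssd[320]: doing error downcall
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) rpc\.gssd\[(\d+)\]: (.*)$")
ACQUIRE = re.compile(r"error in gss_acquire_cred\(\).*Credentials cache file '([^']+)'")
NO_CCACHE = re.compile(r"Failed to create krb5 context for user with uid 0 "
                       r"with any credentials cache for server (\S+)")

def find_machine_ccache_failures(text):
    """Return one record per failed uid-0 context that follows a ccache-file error."""
    pending = {}    # (host, pid) -> state of the upcall currently being logged
    incidents = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an rpc.gssd syslog line
        stamp, host, pid, msg = m.groups()
        key = (host, pid)
        if msg.startswith("creating context"):
            pending.pop(key, None)  # new upcall: forget the previous one
        elif (a := ACQUIRE.search(msg)):
            pending[key] = {"ccache": a.group(1), "incident": None}
        elif (n := NO_CCACHE.search(msg)) and key in pending:
            inc = {"time": stamp, "host": host, "pid": int(pid),
                   "server": n.group(1), "ccache": pending[key]["ccache"],
                   "downcall": False}
            pending[key]["incident"] = inc
            incidents.append(inc)
        elif msg == "doing error downcall":
            state = pending.pop(key, None)
            if state and state["incident"]:
                state["incident"]["downcall"] = True  # request was refused
    return incidents

if __name__ == "__main__":
    for inc in find_machine_ccache_failures(SAMPLE_LOG):
        print(inc)
```
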
Changed in nfs-utils (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
nfs-utils 1.2.3 shows the same behavior.