2011-06-07 15:48:31 |
Brian the Lion |
bug |
|
|
added bug |
2011-06-07 15:49:31 |
Brian the Lion |
tags |
|
kerberos krb5 ldap nfs |
|
2011-06-08 16:40:27 |
Shimi Chen |
affects |
ubuntu |
libauthen-simple-kerberos-perl (Ubuntu) |
|
2011-06-08 17:48:17 |
Ansgar Burchardt |
affects |
libauthen-simple-kerberos-perl (Ubuntu) |
ubuntu |
|
2011-06-17 21:00:35 |
Brian the Lion |
bug |
|
|
added subscriber Kees Cook |
2011-06-17 21:01:14 |
Brian the Lion |
bug |
|
|
added subscriber Ubuntu Security Team |
2011-06-17 21:04:06 |
Brian the Lion |
bug |
|
|
added subscriber Ubuntu Kernel Team |
2011-06-17 21:04:47 |
Brian the Lion |
bug |
|
|
added subscriber Anibal Monsalve Salazar |
2011-06-17 21:05:18 |
Brian the Lion |
bug |
|
|
added subscriber Ben Hutchings |
2011-06-18 02:43:34 |
Ben Hutchings |
removed subscriber Ben Hutchings |
|
|
|
2011-06-21 01:52:58 |
Brian the Lion |
bug task added |
|
kerberos |
|
2011-06-21 01:53:30 |
Brian the Lion |
bug task added |
|
nfs-utils |
|
2011-06-21 03:43:38 |
Brian the Lion |
bug |
|
|
added subscriber Alex Mauer |
2011-06-21 03:43:50 |
Brian the Lion |
bug |
|
|
added subscriber Mark Hannon |
2011-06-21 15:38:11 |
Brian the Lion |
description |
Hi there!
I've configured a Natty client/server pair to authenticate over Kerberos and LDAP and to mount user home directories via NFSv4 with sec=krb5. I am using a slight variation on the configuration described here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
Under this setup, user sessions that are left unattended for a long period of time -- eg, when someone goes home for the night but stays logged in -- always result in a wedged machine. What do I mean by "wedged?" When the user returns to their session (the next morning), the screen is sorta grayed out. Keystrokes and mouse movement fail to elicit a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1), but cannot log in as the offending user there; the prompt will accept a username and password by never return. I CAN login using my localadmin, presumably because it uses UNIX authentication rather than LDAP/Kerberos. I have heretofore been unable to recover the machine as the localadmin, though. If localadmin attempts to sudo reboot the machine, the reboot process starts but never finishes.
Some odd things in the server syslog:
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
And from all over the client syslog:
Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
My intuition is the following: The user's client-side Kerberos ticket is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a poll loop, waiting for a new one. This is somehow causing the rest of the system to grind to a halt, whether through resource usage or blocking in the kernel. I will continue to investigate and post evidence as I come by it. In the meantime, does anybody have any ideas?
Cheers!
~Brian |
Hi there!
I've configured a Natty client/server pair to authenticate over Kerberos and LDAP and to mount user home directories via NFSv4 with sec=krb5. I am using a slight variation on the configuration described here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
Under this setup, user sessions that are left unattended for a long period of time -- eg, when someone goes home for the night but stays logged in -- always result in a wedged machine. What do I mean by "wedged?" When the user returns to their session (the next morning), the screen is sorta grayed out. Keystrokes and mouse movement fail to elicit a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1), but cannot log in as the offending user there; the prompt will accept a username and password but never return. I CAN login using my localadmin, presumably because it uses UNIX authentication rather than LDAP/Kerberos. I have heretofore been unable to recover the machine as the localadmin, though. If localadmin attempts to sudo reboot the machine, the reboot process starts but never finishes.
Some odd things in the server syslog:
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
And from all over the client syslog:
Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
My intuition is the following: The user's client-side Kerberos ticket is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a poll loop, waiting for a new one. This is somehow causing the rest of the system to grind to a halt, whether through resource usage or blocking in the kernel. I will continue to investigate and post evidence as I come by it. In the meantime, does anybody have any ideas?
Cheers!
~Brian |
|
2011-06-21 16:57:37 |
Brian the Lion |
bug |
|
|
added subscriber Steve Langasek |
2011-07-01 05:41:37 |
Andreas Bonelli |
bug |
|
|
added subscriber Andreas Bonelli |
2011-07-06 13:37:15 |
Marc Deslauriers |
removed subscriber Ubuntu Security Team |
|
|
|
2011-09-01 22:11:27 |
Launchpad Janitor |
ubuntu: status |
New |
Confirmed |
|
2011-09-01 22:11:36 |
cjs |
bug |
|
|
added subscriber cjs |
2011-11-18 11:50:11 |
Timo Aaltonen |
affects |
ubuntu |
nfs-utils (Ubuntu) |
|
2011-11-18 11:50:11 |
Timo Aaltonen |
nfs-utils (Ubuntu): importance |
Undecided |
High |
|
2011-11-18 11:50:30 |
Timo Aaltonen |
nominated for series |
|
Ubuntu Precise |
|
2011-11-18 11:50:30 |
Timo Aaltonen |
bug task added |
|
nfs-utils (Ubuntu Precise) |
|
2011-11-18 11:51:19 |
Timo Aaltonen |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648155 |
|
2011-11-18 11:51:19 |
Timo Aaltonen |
bug task added |
|
nfs-utils (Debian) |
|
2011-11-18 11:52:19 |
Timo Aaltonen |
bug |
|
|
added subscriber Timo Aaltonen |
2011-11-24 08:26:21 |
Bug Watch Updater |
nfs-utils (Debian): status |
Unknown |
New |
|
2012-03-01 19:44:09 |
Nate Crawford |
bug |
|
|
added subscriber Nate Crawford |
2012-03-23 03:18:27 |
Kate Stewart |
tags |
kerberos krb5 ldap nfs |
kerberos krb5 ldap nfs rls-mgr-p-tracking |
|
2012-03-26 16:29:08 |
Chris J Arges |
bug task added |
|
linux |
|
2012-03-26 16:29:25 |
Chris J Arges |
linux: assignee |
|
Chris J Arges (christopherarges) |
|
2012-04-05 23:51:00 |
Tor Martin Slåen |
bug |
|
|
added subscriber Tor Martin Slåen |
2012-04-14 01:03:08 |
Shawn Haggett |
bug |
|
|
added subscriber Shawn Haggett |
2012-04-19 03:43:29 |
Steve Langasek |
affects |
nfs-utils (Ubuntu Precise) |
linux (Ubuntu Precise) |
|
2012-04-19 03:43:29 |
Steve Langasek |
linux (Ubuntu Precise): status |
Confirmed |
Incomplete |
|
2012-04-23 08:39:22 |
Ingar Smedstad |
bug |
|
|
added subscriber Ingar Smedstad |
2012-06-18 13:20:24 |
Christophe Ségui |
bug |
|
|
added subscriber Christophe Ségui |
2012-06-21 02:10:41 |
Steve Atwell |
bug |
|
|
added subscriber Goobuntu Team |
2012-06-21 15:30:35 |
Etienne Goyer |
bug |
|
|
added subscriber Etienne Goyer |
2012-07-01 15:27:55 |
Dominic Gross |
bug |
|
|
added subscriber Dominic Gross |
2012-07-01 22:59:51 |
Dominic Gross |
bug |
|
|
added subscriber Dominic Groß |
2012-07-01 23:02:09 |
Dominic Gross |
removed subscriber Dominic Gross |
|
|
|
2012-07-02 14:57:09 |
nabdan |
bug |
|
|
added subscriber nabdan |
2012-07-08 03:27:14 |
Heath Loder |
bug |
|
|
added subscriber Heath Loder |
2012-08-02 20:50:07 |
Matthew L. Dailey |
bug |
|
|
added subscriber Matthew L. Dailey |
2012-08-14 14:28:00 |
Chris J Arges |
linux (Ubuntu Precise): assignee |
|
Chris J Arges (christopherarges) |
|
2012-08-14 14:28:08 |
Chris J Arges |
bug task deleted |
linux |
|
|
2012-08-22 19:14:02 |
Matthew L. Dailey |
attachment added |
|
nfs-utils_1.2.5-3ubuntu4.debdiff https://bugs.launchpad.net/ubuntu/+source/linux/+bug/794112/+attachment/3272258/+files/nfs-utils_1.2.5-3ubuntu4.debdiff |
|
2012-08-22 19:14:37 |
Matthew L. Dailey |
attachment added |
|
19-ticket-expired-error.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/794112/+attachment/3272259/+files/19-ticket-expired-error.patch |
|
2012-08-22 20:19:02 |
Ubuntu Foundations Team Bug Bot |
tags |
kerberos krb5 ldap nfs rls-mgr-p-tracking |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking |
|
2012-08-22 20:19:08 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2012-09-12 20:47:53 |
Mark Russell |
bug |
|
|
added subscriber Mark Russell |
2012-09-13 15:18:50 |
Adam Stokes |
linux (Ubuntu Precise): assignee |
Chris J Arges (christopherarges) |
Adam Stokes (adam-stokes) |
|
2012-09-13 15:18:57 |
Adam Stokes |
linux (Ubuntu Precise): status |
Incomplete |
In Progress |
|
2012-09-13 18:48:35 |
Adam Stokes |
attachment added |
|
nfs-utils_1.2.6-3ubuntu2.1.quantal.debiff https://bugs.launchpad.net/ubuntu/+source/linux/+bug/794112/+attachment/3312962/+files/nfs-utils_1.2.6-3ubuntu2.1.quantal.debiff |
|
2012-09-13 18:49:25 |
Adam Stokes |
attachment added |
|
nfs-utils_1.2.5-3ubuntu3.1.precise.debdiff https://bugs.launchpad.net/ubuntu/+source/linux/+bug/794112/+attachment/3312996/+files/nfs-utils_1.2.5-3ubuntu3.1.precise.debdiff |
|
2012-09-13 18:49:40 |
Adam Stokes |
attachment removed |
nfs-utils_1.2.5-3ubuntu4.debdiff https://bugs.launchpad.net/ubuntu/+source/linux/+bug/794112/+attachment/3272258/+files/nfs-utils_1.2.5-3ubuntu4.debdiff |
|
|
2012-09-13 18:50:06 |
Adam Stokes |
linux (Ubuntu): status |
Incomplete |
In Progress |
|
2012-09-13 18:50:10 |
Adam Stokes |
linux (Ubuntu): assignee |
|
Adam Stokes (adam-stokes) |
|
2012-09-13 18:50:20 |
Adam Stokes |
bug |
|
|
added subscriber Adam Stokes |
2012-09-13 18:53:39 |
Adam Stokes |
description |
Hi there!
I've configured a Natty client/server pair to authenticate over Kerberos and LDAP and to mount user home directories via NFSv4 with sec=krb5. I am using a slight variation on the configuration described here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
Under this setup, user sessions that are left unattended for a long period of time -- eg, when someone goes home for the night but stays logged in -- always result in a wedged machine. What do I mean by "wedged?" When the user returns to their session (the next morning), the screen is sorta grayed out. Keystrokes and mouse movement fail to elicit a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1), but cannot log in as the offending user there; the prompt will accept a username and password but never return. I CAN login using my localadmin, presumably because it uses UNIX authentication rather than LDAP/Kerberos. I have heretofore been unable to recover the machine as the localadmin, though. If localadmin attempts to sudo reboot the machine, the reboot process starts but never finishes.
Some odd things in the server syslog:
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
And from all over the client syslog:
Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
My intuition is the following: The user's client-side Kerberos ticket is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a poll loop, waiting for a new one. This is somehow causing the rest of the system to grind to a halt, whether through resource usage or blocking in the kernel. I will continue to investigate and post evidence as I come by it. In the meantime, does anybody have any ideas?
Cheers!
~Brian |
[Impact]
Those who heavily rely on kerberized mounted home directories
[Test Case]
Hi there!
I've configured a Natty client/server pair to authenticate over Kerberos and LDAP and to mount user home directories via NFSv4 with sec=krb5. I am using a slight variation on the configuration described here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
Under this setup, user sessions that are left unattended for a long period of time -- eg, when someone goes home for the night but stays logged in -- always result in a wedged machine. What do I mean by "wedged?" When the user returns to their session (the next morning), the screen is sorta grayed out. Keystrokes and mouse movement fail to elicit a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1), but cannot log in as the offending user there; the prompt will accept a username and password but never return. I CAN login using my localadmin, presumably because it uses UNIX authentication rather than LDAP/Kerberos. I have heretofore been unable to recover the machine as the localadmin, though. If localadmin attempts to sudo reboot the machine, the reboot process starts but never finishes.
[Regression Potential]
Seems minimal as we are adding an additional condition check for expired tickets.
[More info]
Some odd things in the server syslog:
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
And from all over the client syslog:
Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
My intuition is the following: The user's client-side Kerberos ticket is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a poll loop, waiting for a new one. This is somehow causing the rest of the system to grind to a halt, whether through resource usage or blocking in the kernel. I will continue to investigate and post evidence as I come by it. In the meantime, does anybody have any ideas?
Cheers!
~Brian |
|
2012-09-13 18:54:06 |
Adam Stokes |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-09-13 18:55:24 |
Adam Stokes |
summary |
Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client |
Kerberos + LDAP + NFSv4 - Unable to recover unattended client |
|
2012-09-20 13:29:46 |
Adam Stokes |
linux (Ubuntu Precise): milestone |
|
ubuntu-12.04.2 |
|
2012-09-28 18:00:36 |
Stéphane Graber |
affects |
linux (Ubuntu) |
nfs-utils (Ubuntu) |
|
2012-09-28 18:00:48 |
Stéphane Graber |
nfs-utils (Ubuntu): status |
In Progress |
Fix Released |
|
2012-09-28 18:31:01 |
Stéphane Graber |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2012-09-28 18:44:38 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/nfs-utils |
|
2012-10-04 10:08:16 |
Kjell Braden |
bug |
|
|
added subscriber Kjell Braden |
2012-10-04 14:32:23 |
Adam Stokes |
tags |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done-precise |
|
2012-10-04 14:32:37 |
Adam Stokes |
tags |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done-precise |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done verification-done-precise |
|
2012-10-10 15:14:06 |
Adam Conrad |
nfs-utils (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2012-10-10 15:14:13 |
Adam Conrad |
bug |
|
|
added subscriber SRU Verification |
2012-10-10 15:14:33 |
Adam Conrad |
tags |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done verification-done-precise |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done-precise |
|
2012-10-10 15:14:34 |
Adam Conrad |
tags |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done-precise |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done-precise verification-needed |
|
2012-10-10 15:57:37 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/nfs-utils |
|
2012-10-10 17:37:34 |
Steve Atwell |
tags |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done-precise verification-needed |
kerberos krb5 ldap nfs patch rls-mgr-p-tracking verification-done verification-done-precise |
|
2012-10-17 20:57:25 |
Clint Byrum |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2012-10-17 20:58:12 |
Launchpad Janitor |
nfs-utils (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2013-11-21 05:48:33 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/saucy/nfs-utils/saucy-proposed |
|
2013-11-21 22:04:47 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/nfs-utils |
|
2014-01-07 23:20:29 |
mahmoud |
nfs-utils (Ubuntu Precise): assignee |
Adam Stokes (adam-stokes) |
|
|
2015-07-19 18:56:57 |
Kjell Braden |
removed subscriber Kjell Braden |
|
|
|