Kerberos + LDAP + NFSv4 - Unable to recover unattended client
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Kerberos | New | Undecided | Unassigned |
NFS-Utils | New | Undecided | Unassigned |
nfs-utils (Debian) | Fix Released | Unknown | |
nfs-utils (Ubuntu) | Fix Released | High | Adam Stokes |
Precise | Fix Released | High | Unassigned |
Bug Description
[Impact]
Those who heavily rely on kerberized mounted home directories
[Test Case]
Hi there!
I've configured a Natty client/server pair to authenticate over Kerberos and LDAP and to mount user home directories via NFSv4 with sec=krb5. I am using a slight variation on the configuration described here: http://
Under this setup, user sessions that are left unattended for a long period of time -- e.g., when someone goes home for the night but stays logged in -- always result in a wedged machine. What do I mean by "wedged?" When the user returns to their session (the next morning), the screen is sorta grayed out. Keystrokes and mouse movement fail to elicit a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1), but cannot log in as the offending user there; the prompt will accept a username and password but never return. I CAN log in using my localadmin, presumably because it uses UNIX authentication rather than LDAP/Kerberos. I have heretofore been unable to recover the machine as the localadmin, though. If localadmin attempts to sudo reboot the machine, the reboot process starts but never finishes.
[Regression Potential]
Seems minimal as we are adding an additional condition check for expired tickets.
[More info]
Some odd things in the server syslog:
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: <email address hidden> for <email address hidden>, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, <email address hidden> for <email address hidden>
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, <email address hidden> for <email address hidden>
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, <email address hidden> for <email address hidden>
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
And from all over the client syslog:
Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
My intuition is the following: The user's client-side Kerberos ticket is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a poll loop, waiting for a new one. This is somehow causing the rest of the system to grind to a halt, whether through resource usage or blocking in the kernel. I will continue to investigate and post evidence as I come by it. In the meantime, does anybody have any ideas?
Cheers!
~Brian
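A log check for the symptom reported above, added here as an example and not part of the original report or of nfs-utils: it scans client syslog lines for sustained runs of the kernel's "RPCSEC_GSS session expired" message per client and NFSv4 server, so a wedged client can be flagged before a user returns to it. The function name, thresholds and sample lines are assumptions, and the sample lines are constructed in the format of the client syslog above.

```python
import re
from collections import defaultdict

# Kernel message format as quoted in the client syslog of this report.
EXPIRED = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:\s+\[\s*(?P<up>\d+\.\d+)\]\s+"
    r"Error: state manager encountered RPCSEC_GSS session expired "
    r"against NFSv4 server (?P<server>\S+?)\.?$"
)

def find_expiry_loops(lines, max_gap=10.0, min_events=5):
    """Return runs of >= min_events expiry errors for one (client, server)
    pair in which consecutive errors are at most max_gap seconds apart.
    Spacing is measured on the kernel uptime stamp in brackets, so the
    year-less wall-clock prefix is ignored (assumes a single boot)."""
    events = defaultdict(list)
    for line in lines:
        m = EXPIRED.match(line.strip())
        if m:
            events[(m["host"], m["server"])].append(float(m["up"]))
    loops = []
    for (host, server), stamps in sorted(events.items()):
        stamps.sort()
        run = [stamps[0]]
        for t in stamps[1:] + [float("inf")]:  # sentinel flushes the last run
            if t - run[-1] <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_events:
                loops.append({"client": host, "server": server,
                              "events": len(run),
                              "seconds": round(run[-1] - run[0], 1)})
            run = [t]
    return loops

def _line(clock, host, up, server="192.168.0.2"):
    # Builds one constructed syslog line in the format shown in the report.
    return (f"Jun  6 {clock} {host} kernel: [{up:.6f}] Error: state manager "
            f"encountered RPCSEC_GSS session expired against NFSv4 server {server}.")

# Constructed sample: six errors 5 s apart on "carina" (a retry loop), two
# isolated errors on a hypothetical host "vega", and one unrelated line.
SAMPLE = [_line("10:53:28", "carina", 47636.67 + 5 * i) for i in range(6)]
SAMPLE += [_line("09:00:00", "vega", 100.0), _line("09:05:00", "vega", 400.0),
           "Jun  6 10:53:30 carina nslcd[950]: unrelated line"]

if __name__ == "__main__":
    for loop in find_expiry_loops(SAMPLE):
        print(loop)
```
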
tags: added: kerberos krb5 ldap nfs
affects: ubuntu → libauthen-simple-kerberos-perl (Ubuntu)
description: updated
Changed in ubuntu:
status: New → Confirmed
Changed in nfs-utils (Debian):
status: Unknown → New
tags: added: rls-mgr-p-tracking
Changed in linux (Ubuntu Precise):
assignee: nobody → Chris J Arges (christopherarges)
no longer affects: linux
summary:
- Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
+ Kerberos + LDAP + NFSv4 - Unable to recover unattended client
Changed in linux (Ubuntu Precise):
milestone: none → ubuntu-12.04.2
tags: added: verification-done-precise
tags: added: verification-done
tags: added: verification-done removed: verification-needed
Changed in nfs-utils (Ubuntu Precise):
assignee: Adam Stokes (adam-stokes) → nobody
Changed in nfs-utils (Debian):
status: New → Fix Released
I don't see why this should be related to libauthen-simple-kerberos-perl.