Comment 23 for bug 794112

Here seems to be the kernel patch we're expecting: http://www.spinics.net/lists/linux-nfs/msg31197.html

Regards
Le 1 juil. 2012 à 17:14, Dominic Gross a écrit :

>> The Kernel posted by Chris allows, (with console login), the user to unlock the
>> screensaver
>
> Well, this seems to fix the original bug reported here. Which is that
> nobody can log in using LDAP / Kerberos once a ticket of one signed in
> user expired.
>
>> but applications, such like web browser, remains stuck and the session has to
>> be restarted in order to work properly.
>
> This looks like the intended behavior to me. The user's Kerberos Ticket
> expires some time after log in. At that point the applications can no
> longer access the user's NFS home directory and the applications get
> stuck or crash. Once a user enters his / her password again a new ticket
> is granted and the user can log into the session /access the home
> directory again. However, in my experience few applications fully
> recover from not being able to access the home directory for a longer
> time.
>
> So, it seems to me, that in order to fix this remaining issue one needs
> to set up something to automatically renew Kerberos Tickets. This can be
> implemented either via a cronjob or packages like kstart or sssd.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/794112
>
> Title:
> Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
>
> Status in Network Authentication System:
> New
> Status in The Linux Kernel:
> New
> Status in NFS-Utils - NFS support files common to client and server:
> New
> Status in “linux” package in Ubuntu:
> Incomplete
> Status in “linux” source package in Precise:
> Incomplete
> Status in “nfs-utils” package in Debian:
> New
>
> Bug description:
> Hi there!
>
> I've configured a Natty client/server pair to authenticate over
> Kerberos and LDAP and to mount user home directories via NFSv4 with
> sec=krb5. I am using a slight variation on the configuration described
> here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-
> business-server-setup-part-3-openldap/
>
> Under this setup, user sessions that are left unattended for a long
> period of time -- eg, when someone goes home for the night but stays
> logged in -- always result in a wedged machine. What do I mean by
> "wedged?" When the user returns to their session (the next morning),
> the screen is sorta grayed out. Keystrokes and mouse movement fail to
> elicit a reaction from the OS. I can switch to an ANSI terminal
> (Ctrl+Alt+F1), but cannot log in as the offending user there; the
> prompt will accept a username and password but never return. I CAN
> login using my localadmin, presumably because it uses UNIX
> authentication rather than LDAP/Kerberos. I have heretofore been
> unable to recover the machine as the localadmin, though. If localadmin
> attempts to sudo reboot the machine, the reboot process starts but
> never finishes.
>
> Some odd things in the server syslog:
>
> Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: <email address hidden> for <email address hidden>, Additional pre-authentication required
> Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, <email address hidden> for <email address hidden>
> Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, <email address hidden> for <email address hidden>
> Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, <email address hidden> for <email address hidden>
> Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
> Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
> Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
> Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
> Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
> Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
> Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
> Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
> Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
> Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
>
> And from all over the client syslog:
>
> Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
> Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
>
> My intuition is the following: The user's client-side Kerberos ticket
> is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in
> a poll loop, waiting for a new one. This is somehow causing the rest
> of the system to grind to a halt, whether through resource usage or
> blocking in the kernel. I will continue to investigate and post
> evidence as I come by it. In the meantime, does anybody have any
> ideas?
>
> Cheers!
> ~Brian
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/kerberos/+bug/794112/+subscriptions

--
    Christophe Ségui
   Responsable
   informatique
Institut de Mathématiques de Toulouse
Université de Toulouse - CNRS
118 Route de Narbonne
31062 Toulouse Cedex 09

Tel : (+33) 5 61 55 63 78
<email address hidden>
http://www.math.univ-toulouse.fr