[Bug 794112] Re: Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Timo Aaltonen tjaalton at ubuntu.com
Fri Nov 18 11:50:11 UTC 2011


Related to this discussion:

http://www.spinics.net/lists/linux-nfs/msg25492.html

** Package changed: ubuntu => nfs-utils (Ubuntu)

** Changed in: nfs-utils (Ubuntu)
   Importance: Undecided => High

** Also affects: nfs-utils (Ubuntu Precise)
   Importance: High
       Status: Confirmed

** Bug watch added: Debian Bug tracker #648155
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648155

** Also affects: nfs-utils (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648155
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/794112

Title:
  Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Status in Kerberos - Authentication System:
  New
Status in NFS-Utils - NFS support files common to client and server:
  New
Status in “nfs-utils” package in Ubuntu:
  Confirmed
Status in “nfs-utils” source package in Precise:
  Confirmed
Status in “nfs-utils” package in Debian:
  Unknown

Bug description:
  Hi there!

  I've configured a Natty client/server pair to authenticate over
  Kerberos and LDAP and to mount user home directories via NFSv4 with
  sec=krb5. I am using a slight variation on the configuration described
  here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

  Under this setup, user sessions that are left unattended for a long
  period of time -- e.g., when someone goes home for the night but stays
  logged in -- always result in a wedged machine. What do I mean by
  "wedged?" When the user returns to their session (the next morning),
  the screen is sorta grayed out. Keystrokes and mouse movement fail to
  elicit a reaction from the OS. I can switch to an ANSI terminal
  (Ctrl+Alt+F1), but cannot log in as the offending user there; the
  prompt will accept a username and password but never return. I CAN
  log in using my localadmin, presumably because it uses UNIX
  authentication rather than LDAP/Kerberos. I have heretofore been
  unable to recover the machine as the localadmin, though. If localadmin
  attempts to sudo reboot the machine, the reboot process starts but
  never finishes.

  Some odd things in the server syslog:

  Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan at CO57.LAN for krbtgt/CO57.LAN at CO57.LAN, Additional pre-authentication required
  Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan at CO57.LAN for krbtgt/CO57.LAN at CO57.LAN
  Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan at CO57.LAN for nfs/server.co57.lan at CO57.LAN
  Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan at CO57.LAN for nfs/server.co57.lan at CO57.LAN
  Jun  6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
  Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
  Jun  6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 08:00:01 server slapd[836]: last message repeated 3 times

  And from all over the client syslog:

  Jun  6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.

  My intuition is the following: The user's client-side Kerberos ticket
  is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in
  a poll loop, waiting for a new one. This is somehow causing the rest
  of the system to grind to a halt, whether through resource usage or
  blocking in the kernel. I will continue to investigate and post
  evidence as I come by it. In the meantime, does anybody have any
  ideas?

  Cheers!
  ~Brian
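
The client-side symptom quoted in the report, the same kernel message repeating about every five seconds, can be picked out of a syslog mechanically. The following is an added example, not part of the original bug report or of nfs-utils; the function name, the thresholds and the constructed sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the kernel message quoted in the report; the bracketed value is the
# kernel's seconds-since-boot timestamp, which gives sub-second spacing.
LINE_RE = re.compile(
    r"kernel: \[\s*(?P<up>\d+\.\d+)\] Error: state manager encountered "
    r"RPCSEC_GSS session expired against NFSv4 server (?P<server>\S+?)\.?$"
)

def find_retry_loops(lines, max_gap=10.0, min_events=5):
    """Return one dict per sustained run of session-expired errors per server.

    A run is a sequence of events whose consecutive gaps are <= max_gap
    seconds; runs with fewer than min_events events are treated as transient.
    Both thresholds are assumptions chosen for this example.
    """
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line.rstrip())
        if m:
            events[m.group("server")].append(float(m.group("up")))
    loops = []
    for server, stamps in events.items():
        stamps.sort()
        run = [stamps[0]]
        for t in stamps[1:] + [float("inf")]:  # sentinel flushes the last run
            if t - run[-1] <= max_gap:
                run.append(t)
                continue
            if len(run) >= max(min_events, 2):
                span = run[-1] - run[0]
                loops.append({"server": server, "events": len(run),
                              "duration_s": round(span, 1),
                              "period_s": round(span / (len(run) - 1), 1)})
            run = [t]
    return loops

# Constructed sample: six client lines in the format shown in the report,
# one unrelated kernel line, and one isolated error much later.
_MSG = "Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2."
SAMPLE = [
    f"Jun  6 10:53:28 carina kernel: [47636.670075] {_MSG}",
    f"Jun  6 10:53:33 carina kernel: [47641.666533] {_MSG}",
    "Jun  6 10:53:35 carina kernel: [47643.100000] eth0: link up",
    f"Jun  6 10:53:38 carina kernel: [47646.662437] {_MSG}",
    f"Jun  6 10:53:43 carina kernel: [47651.658844] {_MSG}",
    f"Jun  6 10:53:48 carina kernel: [47656.655152] {_MSG}",
    f"Jun  6 10:53:53 carina kernel: [47661.651498] {_MSG}",
    f"Jun  6 11:04:31 carina kernel: [48300.000000] {_MSG}",
]
```

A steady `period_s` over a long `duration_s` separates the stuck state described above from a single expiry that the client recovered from.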
