[Bug 1331201] Re: rpc.gssd: ERROR: GSS-API: error in gss_free_lucid_sec_context(): GSS_S_NO_CONTEXT

Thu Jun 26 07:03:02 UTC 2014

* Brian Murray [2014-06-25 18:54:46 -0000]:
> Sergio - could you provide a test case which is part of the Stable
> Release Update process so that we can get this fixed in 14.04?

Let me try. The problem manifested itself spontaneously in my production
environment so I'm not sure exactly which ingredients are required
and which are optional. The following is probably overspecified.

Prerequisites:
-- a Kerberos realm (EXAMPLE.ORG); my KDC runs Heimdal (slightly modified
from Debian wheezy) but I see no reason why this should matter here.
-- an NFS server host (server.example.org) with /etc/krb5.keytab containing
valid keys for nfs/server.example.org at EXAMPLE.ORG, package nfs-kernel-server
installed, a filesystem at /export/nfs and an entry for it in /etc/exports:
/export/nfs client.example.org(sec=krb5p,rw,root_squash,sync,no_subtree_check)
This server can but need not be running Ubuntu 14.04 (in my tests it was
running Debian wheezy).
-- an NFS client host (client.example.org) with autofs configured to automount
server.example.org:/export/nfs somewhere (say, on /srv/nfs), running
the version of rpc.gssd that is to be tested. Remember to include sec=krb5p
in the mount options. It is recommended to run rpc.gssd with a short timeout
(e.g., rpc.gssd -t 60) at least for the purposes of this test: the bug
manifests itself when rpc.gssd prepares a new GSS context for the kernel,
so it helps to force this to happen often. In my environment the client
has machine credentials in /etc/krb5.keytab
(host/client.example.org at EXAMPLE.ORG, nfs/client.example.org at EXAMPLE.ORG
and root/client.example.org at EXAMPLE.ORG) though this is probably overkill
for the purposes of this test. The problem should be reproducible with a
static mount (no autofs) as well but I haven't actually tried that.

Testing procedure:
1. Log in to client.example.org as a non-root user with a corresponding
principal in EXAMPLE.ORG.
2. Obtain a Kerberos TGT for this user, either as part of the login process
(pam_krb5) or interactively by running kinit.
3. Try to access the mountpoint of the NFS share (/srv/nfs). A simple
	ls /srv/nfs
should be enough. This is expected to succeed even when the bug is present;
if it doesn't, the setup must be incorrect.
4. Look for warning messages from rpc.gssd (as in the subject of this bug
report) in the client's syslog (or, if running rpc.gssd -f, on standard
error) triggered by the NFS activity at step 3. These messages should no
longer appear once the patch is applied.

I've glossed over the configuration of /etc/idmapd.conf since I expect it
should all work with default settings there.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1331201

Title:
  rpc.gssd: ERROR: GSS-API: error in gss_free_lucid_sec_context():
  GSS_S_NO_CONTEXT

Status in “nfs-utils” package in Ubuntu:
  New
Status in “nfs-utils” source package in Trusty:
  New

Bug description:
  After upgrading from precise to trusty, I started seeing the following
  error messages in the logs whenever there was Kerberized NFS activity:

  Jun 17 08:02:43 hostname rpc.gssd[1021]: ERROR: GSS-API: error in gss_free_lucid_sec_context(): GSS_S_NO_CONTEXT (No context has been established) - Unknown error
  Jun 17 08:02:43 hostname rpc.gssd[1021]: WARN: failed to free lucid sec context

  I've determined this to be a regression introduced (into upstream
  release 1.2.8) by commit 051eb4863cf880f0349a1de44517f9c99a9c5bd4. The
  bug is still present in upstream release 1.3.0. I've successfully
  tested the attached, obvious patch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1331201/+subscriptions