[Bug 409438] [NEW] Multi-user sec=krb5 NFSv4 client blocks when one user has an expired ticket
Neil Hoggarth
neil.hoggarth at dpag.ox.ac.uk
Wed Aug 5 16:46:45 UTC 2009
Public bug reported:
I have an Ubuntu 08.04.3 NFSv4 server and a number of NFSv4 clients,
also running Ubuntu 08.04.3.
The clients use autofs to mount user home directories from the server.
I use Kerberos to authenticate the users logging into the clients (using
pam_krb5), and require Kerberos authentication of NFS traffic via the
sec=krb5 export and mount options.
Things seem to work normally on a workstation used by only one user -
people can log in, get, valid kerberos tickets from the KDC and their
home directory mounts automatically.
However, a problem arises on multi-user systems: if one user (say "user
A") has successfully logged in and left themselves logged in such that
their Kerberos TGT has expired, then a second user ("user B") attempts
to log into the same system then the attempt to access the home
directory of "user B" blocks indefinately. If "user A" subsequently
obtains a new Kerberos TGT then the login attempt belonging to "user B"
unblocks and runs to a successful completion.
While "B" is blocked, the kernel logs the following error message over
and over again, at a very high rate (3000-6000 times a second):
Aug 5 11:37:14 ulf kernel: [3099781.024499] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
Aug 5 11:37:14 ulf kernel: [3099781.025007] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
Aug 5 11:37:14 ulf kernel: [3099781.025483] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
The symptoms that I am observing sound exactly like
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446238
To be clear: I expect user A's access to NFS mounted filesystems to fail
when their Kerberos tickets have expired, but I don't expect user B's
access to the same filesystems to depend on user A.
ProblemType: Bug
Architecture: amd64
Date: Wed Aug 5 17:09:42 2009
Dependencies:
DistroRelease: Ubuntu 8.04
Package: linux None [modified: /var/lib/dpkg/info/linux.list]
PackageArchitecture: amd64
ProcEnviron:
PATH=/opt/mricron:/nfs4/willis.dpag.ox.ac.uk/software/unix/matlab/2009a/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: linux-meta
Uname: Linux 2.6.24-24-generic x86_64
** Affects: linux-meta (Ubuntu)
Importance: Undecided
Status: New
** Tags: apport-bug krb5 nfs4
--
Multi-user sec=krb5 NFSv4 client blocks when one user has an expired ticket
https://bugs.launchpad.net/bugs/409438
You received this bug notification because you are a member of Kernel
Bugs, which is subscribed to linux-meta in ubuntu.
More information about the kernel-bugs
mailing list