[Bug 409438] [NEW] Multi-user sec=krb5 NFSv4 client blocks when one user has an expired ticket

Neil Hoggarth neil.hoggarth at dpag.ox.ac.uk
Wed Aug 5 16:46:45 UTC 2009 

Public bug reported:

I have an Ubuntu 08.04.3 NFSv4 server and a number of NFSv4 clients, 
also running Ubuntu 08.04.3.

The clients use autofs to mount user home directories from the server.

I use Kerberos to authenticate the users logging into the clients (using 
pam_krb5), and require Kerberos authentication of NFS traffic via the
sec=krb5 export and mount options.

Things seem to work normally on a workstation used by only one user - 
people can log in, get, valid kerberos tickets from the KDC and their 
home directory mounts automatically.

However, a problem arises on multi-user systems: if one user (say "user 
A") has successfully logged in and left themselves logged in such that 
their Kerberos TGT has expired, then a second user ("user B") attempts 
to log into the same system then the attempt to access the home 
directory of "user B" blocks indefinately. If "user A" subsequently 
obtains a new Kerberos TGT then the login attempt belonging to "user B" 
unblocks and runs to a successful completion.

While "B" is blocked, the kernel logs the following error message over 
and over again, at a very high rate (3000-6000 times a second):

Aug  5 11:37:14 ulf kernel: [3099781.024499] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
Aug  5 11:37:14 ulf kernel: [3099781.025007] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13
Aug  5 11:37:14 ulf kernel: [3099781.025483] Error: state recovery failed on NFSv4 server 163.1.248.155 with error 13

The symptoms that I am observing sound exactly like

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446238

To be clear: I expect user A's access to NFS mounted filesystems to fail 
when their Kerberos tickets have expired, but I don't expect user B's 
access to the same filesystems to depend on user A.

ProblemType: Bug
Architecture: amd64
Date: Wed Aug  5 17:09:42 2009
Dependencies:
 
DistroRelease: Ubuntu 8.04
Package: linux None [modified: /var/lib/dpkg/info/linux.list]
PackageArchitecture: amd64
ProcEnviron:
 PATH=/opt/mricron:/nfs4/willis.dpag.ox.ac.uk/software/unix/matlab/2009a/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-meta
Uname: Linux 2.6.24-24-generic x86_64

** Affects: linux-meta (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug krb5 nfs4

-- 
Multi-user sec=krb5 NFSv4 client blocks when one user has an expired ticket
https://bugs.launchpad.net/bugs/409438
You received this bug notification because you are a member of Kernel
Bugs, which is subscribed to linux-meta in ubuntu.

More information about the kernel-bugs mailing list