[Bug 794112] [NEW] Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Launchpad Bug Tracker 794112 at bugs.launchpad.net
Wed Aug 22 20:19:09 UTC 2012


You have been subscribed to a public bug by Ubuntu Foundation's Bug Bot (crichton):

Hi there!

I've configured a Natty client/server pair to authenticate over Kerberos
and LDAP and to mount user home directories via NFSv4 with sec=krb5. I
am using a slight variation on the configuration described here:
http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

Under this setup, user sessions that are left unattended for a long
period of time -- e.g., when someone goes home for the night but stays
logged in -- always result in a wedged machine. What do I mean by
"wedged?" When the user returns to their session (the next morning), the
screen is sorta grayed out. Keystrokes and mouse movement fail to elicit
a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1),
but cannot log in as the offending user there; the prompt will accept a
username and password but never return. I CAN log in using my localadmin,
presumably because it uses UNIX authentication rather than
LDAP/Kerberos. I have heretofore been unable to recover the machine as
the localadmin, though. If localadmin attempts to sudo reboot the
machine, the reboot process starts but never finishes.

Some odd things in the server syslog:

Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN, Additional pre-authentication required
Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN
Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun  6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun  6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun  6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun  6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun  6 08:00:01 server slapd[836]: last message repeated 3 times

And from all over the client syslog:

Jun  6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.

My intuition is the following: The user's client-side Kerberos ticket is
expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a
poll loop, waiting for a new one. This is somehow causing the rest of
the system to grind to a halt, whether through resource usage or
blocking in the kernel. I will continue to investigate and post evidence
as I come by it. In the meantime, does anybody have any ideas?

Cheers!
~Brian

** Affects: kerberos
     Importance: Undecided
         Status: New

** Affects: nfs-utils
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu)
     Importance: High
         Status: Incomplete

** Affects: linux (Ubuntu Precise)
     Importance: High
     Assignee: Chris J Arges (christopherarges)
         Status: Incomplete

** Affects: nfs-utils (Debian)
     Importance: Unknown
         Status: New


** Tags: kerberos krb5 ldap nfs patch rls-mgr-p-tracking
-- 
Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
https://bugs.launchpad.net/bugs/794112
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
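
An added example, not part of the original report or of any project named in it: a small triage script for the two log excerpts above. It flags KDC `ISSUE` lines whose session key is single DES (enctypes 1, 2, 3, as in the `ses=1` line) and groups the repeated client-side `RPCSEC_GSS session expired` errors into storms. The function names, the thresholds and the year (taken from the logged authtime) are assumptions; the sample lines are taken from the report, with principal names written as `name@REALM`.

```python
import re
from datetime import datetime

# Single-DES Kerberos enctype numbers and their names.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

KDC_ISSUE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) .*? ISSUE: authtime (?P<auth>\d+), "
    r"etypes \{rep=\d+ tkt=\d+ ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<service>\S+)")
GSS_EXPIRED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: .*RPCSEC_GSS session "
    r"expired against NFSv4 server (?P<srv>[\d.]+)\.")

def weak_session_keys(lines):
    """Return (client, service, enctype) for tickets issued with a single-DES session key."""
    hits = []
    for line in lines:
        m = KDC_ISSUE.search(line)
        if m and int(m["ses"]) in SINGLE_DES:
            hits.append((m["client"], m["service"], SINGLE_DES[int(m["ses"])]))
    return hits

def expiry_storms(lines, year=2011, max_gap=10, min_events=3):
    """Group 'session expired' errors per (client, server) into runs with gaps <= max_gap s."""
    storms, last = [], {}
    for line in lines:
        m = GSS_EXPIRED.search(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["srv"])
        s = last.get(key)
        if s and (ts - s["end"]).total_seconds() <= max_gap:
            s["end"], s["count"] = ts, s["count"] + 1
        else:
            s = last[key] = {"client": key[0], "server": key[1], "start": ts, "end": ts, "count": 1}
            storms.append(s)
    return [s for s in storms if s["count"] >= min_events]

# Sample input: two KDC lines and the first four client lines from the report.
SERVER_LOG = [
    "Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN",
    "Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN",
]
CLIENT_LOG = [f"Jun  6 10:53:{sec} carina kernel: [{up}] Error: state manager encountered "
              "RPCSEC_GSS session expired against NFSv4 server 192.168.0.2."
              for sec, up in [(28, "47636.670075"), (33, "47641.666533"),
                              (38, "47646.662437"), (43, "47651.658844")]]

if __name__ == "__main__":
    print(weak_session_keys(SERVER_LOG), expiry_storms(CLIENT_LOG), sep="\n")
```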