[Bug 794112] Re: Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
Ubuntu Foundation's Bug Bot
794112 at bugs.launchpad.net
Wed Aug 22 20:19:10 UTC 2012
The attachment "nfs-utils_1.2.5-3ubuntu4.debdiff" of this bug report has
been identified as being a patch in the form of a debdiff. The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff. In the event that this is in
fact not a patch you can resolve this situation by removing the tag
'patch' from the bug report and editing the attachment so that it is not
flagged as a patch. Additionally, if you are a member of the ubuntu-
sponsors team please also unsubscribe the team from this bug report.
[This is an automated message performed by a Launchpad user owned by
Brian Murray. Please contact him regarding any issues with the action
taken in this bug report.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/794112
Title:
Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
Status in Network Authentication System:
New
Status in NFS-Utils - NFS support files common to client and server:
New
Status in “linux” package in Ubuntu:
Incomplete
Status in “linux” source package in Precise:
Incomplete
Status in “nfs-utils” package in Debian:
New
Bug description:
Hi there!
I've configured a Natty client/server pair to authenticate over
Kerberos and LDAP and to mount user home directories via NFSv4 with
sec=krb5. I am using a slight variation on the configuration described
here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
Under this setup, user sessions that are left unattended for a long
period of time -- e.g., when someone goes home for the night but stays
logged in -- always result in a wedged machine. What do I mean by
"wedged?" When the user returns to their session (the next morning),
the screen is sorta grayed out. Keystrokes and mouse movement fail to
elicit a reaction from the OS. I can switch to an ANSI terminal
(Ctrl+Alt+F1), but cannot log in as the offending user there; the
prompt will accept a username and password but never return. I CAN
log in using my localadmin, presumably because it uses UNIX
authentication rather than LDAP/Kerberos. I have heretofore been
unable to recover the machine as the localadmin, though. If localadmin
attempts to sudo reboot the machine, the reboot process starts but
never finishes.
Some odd things in the server syslog:
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for krbtgt/CO57.LAN@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@CO57.LAN for nfs/server.co57.lan@CO57.LAN
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times
And from all over the client syslog:
Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
My intuition is the following: The user's client-side Kerberos ticket
is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in
a poll loop, waiting for a new one. This is somehow causing the rest
of the system to grind to a halt, whether through resource usage or
blocking in the kernel. I will continue to investigate and post
evidence as I come by it. In the meantime, does anybody have any
ideas?
Cheers!
~Brian
To manage notifications about this bug go to:
https://bugs.launchpad.net/kerberos/+bug/794112/+subscriptions
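The client-side symptom quoted in the report, the same kernel message repeating every five seconds, can be picked out of a syslog mechanically. The following is an added example, not part of the bug report or of nfs-utils: it groups the RPCSEC_GSS expiry messages into sustained runs per client and server. The function name, the thresholds (max_gap, min_events) and the sample lines are assumptions constructed from the log format shown above.

```python
import re
from datetime import datetime

# Matches the kernel message format quoted in the bug report.
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:.*"
    r"RPCSEC_GSS session expired against NFSv4 server "
    r"(?P<server>\d+(?:\.\d+){3})"
)

def find_expiry_storms(lines, max_gap=30, min_events=5, year=2011):
    """Return sustained runs of the expiry error, one dict per run.

    max_gap (seconds allowed between events of one run) and min_events
    are assumed thresholds; syslog omits the year, so it is passed in.
    """
    runs, open_runs = [], {}
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["server"])
        run = open_runs.get(key)
        if run and (ts - run["last"]).total_seconds() <= max_gap:
            run["last"], run["count"] = ts, run["count"] + 1
        else:
            # Gap too long (or first event): start a new run for this pair.
            run = {"client": key[0], "server": key[1],
                   "first": ts, "last": ts, "count": 1}
            open_runs[key] = run
            runs.append(run)
    return [r for r in runs if r["count"] >= min_events]

# Constructed sample in the format of the client syslog quoted above:
# six events five seconds apart, one unrelated line, one isolated event.
MSG = ("Error: state manager encountered RPCSEC_GSS session expired "
       "against NFSv4 server 192.168.0.2.")
SAMPLE = [f"Jun  6 10:53:{s:02d} carina kernel: [47636.0] {MSG}"
          for s in range(3, 33, 5)]
SAMPLE += ["Jun  6 10:54:00 carina CRON[123]: unrelated line",
           f"Jun  6 12:00:00 carina kernel: [51000.0] {MSG}"]

if __name__ == "__main__":
    for r in find_expiry_storms(SAMPLE):
        secs = (r["last"] - r["first"]).total_seconds()
        print(f'{r["client"]} -> {r["server"]}: '
              f'{r["count"]} expiry errors over {secs:.0f}s')
```

A run that never ends while the user is away is the pattern to alert on; a single isolated expiry followed by silence is normal credential renewal.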