[Bug 794112] Re: Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Matthew L. Dailey matthew.l.dailey at dartmouth.edu
Thu Sep 6 18:02:00 UTC 2012 

Hi Adam,

Yes - we are running the unpatched precise kernel. I don't remember the
version when I first started testing with my nfs-utils patch, but we're
currently running linux-image-3.2.0-30-generic version 3.2.0-30.48. A
few systems that haven't rebooted recently are still on linux-
headers-3.2.0-29-generic version 3.2.0-29.46.

I've been running my nfs-utils patch on about 70 machines with
kerberized nfs home directories since August 22nd and all blocking
issues we were seeing on credential expiration are gone.

Thanks and let me know if you need any other info.

-Matt

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/794112

Title:
  Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Status in Network Authentication System:
  New
Status in NFS-Utils - NFS support files common to client and server:
  New
Status in “linux” package in Ubuntu:
  Incomplete
Status in “linux” source package in Precise:
  Incomplete
Status in “nfs-utils” package in Debian:
  New

Bug description:
  Hi there!

  I've configured a Natty client/server pair to authenticate over
  Kerberos and LDAP and to mount user home directories via NFSv4 with
  sec=krb5. I am using a slight variation on the configuration described
  here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-
  business-server-setup-part-3-openldap/

  Under this setup, user sessions that are left unattended for a long
  period of time -- eg, when someone goes home for the night but stays
  logged in -- always result in a wedged machine. What do I mean by
  "wedged?" When the user returns to their session (the next morning),
  the screen is sorta grayed out. Keystrokes and mouse movement fail to
  elicit a reaction from the OS. I can switch to an ANSI terminal
  (Ctrl+Alt+F1), but cannot log in as the offending user there; the
  prompt will accept a username and password but never return. I CAN
  login using my localadmin, presumably because it uses UNIX
  authentication rather than LDAP/Kerberos. I have heretofore been
  unable to recover the machine as the localadmin, though. If localadmin
  attempts to sudo reboot the machine, the reboot process starts but
  never finishes.

  Some odd things in the server syslog:

  Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan at CO57.LAN for krbtgt/CO57.LAN at CO57.LAN, Additional pre-authentication required
  Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan at CO57.LAN for krbtgt/CO57.LAN at CO57.LAN
  Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan at CO57.LAN for nfs/server.co57.lan at CO57.LAN
  Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan at CO57.LAN for nfs/server.co57.lan at CO57.LAN
  Jun  6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
  Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
  Jun  6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 08:00:01 server slapd[836]: last message repeated 3 times

  And from all over the client syslog:

  Jun  6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.

  My intuition is the following: The user's client-side Kerberos ticket
  is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in
  a poll loop, waiting for a new one. This is somehow causing the rest
  of the system to grind to a halt, whether through resource usage or
  blocking in the kernel. I will continue to investigate and post
  evidence as I come by it. In the meantime, does anybody have any
  ideas?

  Cheers!
  ~Brian

To manage notifications about this bug go to:
https://bugs.launchpad.net/kerberos/+bug/794112/+subscriptions

More information about the Ubuntu-sponsors mailing list