[Bug 794112] Re: Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Adam Stokes adam.stokes at canonical.com
Thu Sep 13 15:20:45 UTC 2012 

Excellent, thanks Matt. I'll get the SRU process rolling on this and see
if we can get this into the the distro.

Thanks again,
Adam

** Changed in: linux (Ubuntu Precise)
     Assignee: Chris J Arges (christopherarges) => Adam Stokes (adam-stokes)

** Changed in: linux (Ubuntu Precise)
       Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/794112

Title:
  Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Status in Network Authentication System:
  New
Status in NFS-Utils - NFS support files common to client and server:
  New
Status in “linux” package in Ubuntu:
  Incomplete
Status in “linux” source package in Precise:
  In Progress
Status in “nfs-utils” package in Debian:
  New

Bug description:
  Hi there!

  I've configured a Natty client/server pair to authenticate over
  Kerberos and LDAP and to mount user home directories via NFSv4 with
  sec=krb5. I am using a slight variation on the configuration described
  here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-
  business-server-setup-part-3-openldap/

  Under this setup, user sessions that are left unattended for a long
  period of time -- eg, when someone goes home for the night but stays
  logged in -- always result in a wedged machine. What do I mean by
  "wedged?" When the user returns to their session (the next morning),
  the screen is sorta grayed out. Keystrokes and mouse movement fail to
  elicit a reaction from the OS. I can switch to an ANSI terminal
  (Ctrl+Alt+F1), but cannot log in as the offending user there; the
  prompt will accept a username and password but never return. I CAN
  login using my localadmin, presumably because it uses UNIX
  authentication rather than LDAP/Kerberos. I have heretofore been
  unable to recover the machine as the localadmin, though. If localadmin
  attempts to sudo reboot the machine, the reboot process starts but
  never finishes.

  Some odd things in the server syslog:

  Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan at CO57.LAN for krbtgt/CO57.LAN at CO57.LAN, Additional pre-authentication required
  Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan at CO57.LAN for krbtgt/CO57.LAN at CO57.LAN
  Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan at CO57.LAN for nfs/server.co57.lan at CO57.LAN
  Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan at CO57.LAN for nfs/server.co57.lan at CO57.LAN
  Jun  6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
  Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
  Jun  6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
  Jun  6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
  Jun  6 08:00:01 server slapd[836]: last message repeated 3 times

  And from all over the client syslog:

  Jun  6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
  Jun  6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.

  My intuition is the following: The user's client-side Kerberos ticket
  is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in
  a poll loop, waiting for a new one. This is somehow causing the rest
  of the system to grind to a halt, whether through resource usage or
  blocking in the kernel. I will continue to investigate and post
  evidence as I come by it. In the meantime, does anybody have any
  ideas?

  Cheers!
  ~Brian

To manage notifications about this bug go to:
https://bugs.launchpad.net/kerberos/+bug/794112/+subscriptions

More information about the Ubuntu-sponsors mailing list