pkg-perl-maintainers team mailing list archive

[Bug 794112] [NEW] Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

 

You have been subscribed to a public bug:

Hi there!

I've configured a Natty client/server pair to authenticate over Kerberos
and LDAP and to mount user home directories via NFSv4 with sec=krb5. I
am using a slight variation on the configuration described here:
http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

Under this setup, user sessions that are left unattended for a long
period of time -- eg, when someone goes home for the night but stays
logged in -- always result in a wedged machine. What do I mean by
"wedged?" When the user returns to their session (the next morning), the
screen is sorta grayed out. Keystrokes and mouse movement fail to elicit
a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1),
but cannot log in as the offending user there; the prompt will accept a
username and password but never returns. I CAN login using my localadmin,
presumably because it uses UNIX authentication rather than
LDAP/Kerberos. I have heretofore been unable to recover the machine as
the localadmin, though. If localadmin attempts to sudo reboot the
machine, the reboot process starts but never finishes.

Some odd things in the server syslog:

Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: nfs/carina.co57.lan@xxxxxxxx for krbtgt/CO57.LAN@xxxxxxxx, Additional pre-authentication required
Jun  6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@xxxxxxxx for krbtgt/CO57.LAN@xxxxxxxx
Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, nfs/carina.co57.lan@xxxxxxxx for nfs/server.co57.lan@xxxxxxxx
Jun  6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, nfs/carina.co57.lan@xxxxxxxx for nfs/server.co57.lan@xxxxxxxx
Jun  6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun  6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun  6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun  6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun  6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun  6 08:00:01 server slapd[836]: last message repeated 3 times

And from all over the client syslog:

Jun  6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun  6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.

My intuition is the following: The user's client-side Kerberos ticket is
expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a
poll loop, waiting for a new one. This is somehow causing the rest of
the system to grind to a halt, whether through resource usage or
blocking in the kernel. I will continue to investigate and post evidence
as I come by it. In the meantime, does anybody have any ideas?

Cheers!
~Brian

** Affects: libauthen-simple-kerberos-perl (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: kerberos krb5 ldap nfs
-- 
Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client
https://bugs.launchpad.net/bugs/794112
You received this bug notification because you are a member of Debian Perl Group, which is subscribed to libauthen-simple-kerberos-perl in Ubuntu.
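
The repeating client-side message in the report can be picked out of a syslog automatically. The following is an added example, not part of the original report or of any package named in it: it groups "RPCSEC_GSS session expired" kernel lines by client and NFS server and flags sustained retry runs, using the kernel uptime stamp in brackets to measure the interval. The function name, the thresholds and the second server address in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: four lines in the format quoted in the report, one isolated
# event against a made-up second server, and one unrelated line.
E = "Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server"
SAMPLE = f"""\
Jun  6 10:53:28 carina kernel: [47636.670075] {E} 192.168.0.2.
Jun  6 10:53:33 carina kernel: [47641.666533] {E} 192.168.0.2.
Jun  6 10:53:38 carina kernel: [47646.662437] {E} 192.168.0.2.
Jun  6 10:53:43 carina kernel: [47651.658844] {E} 192.168.0.2.
Jun  6 10:59:00 carina kernel: [47968.000000] {E} 192.0.2.9.
Jun  6 10:59:01 carina CRON[4242]: (root) CMD (true)
"""

# Groups: syslog timestamp, client host, kernel uptime in seconds, NFS server.
PAT = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) kernel: \[\s*(\d+\.\d+)\] "
                 + re.escape(E) + r" (\S+?)\.$")

def find_retry_loops(text, min_events=3, max_gap=10.0):
    """Return runs of >= min_events expiry errors spaced <= max_gap seconds apart."""
    min_events = max(min_events, 2)          # a run needs at least one gap
    events = defaultdict(list)
    for line in text.splitlines():
        m = PAT.match(line.rstrip())
        if m:
            stamp, host, uptime, server = m.groups()
            events[(host, server)].append((float(uptime), stamp))
    loops = []
    for (host, server), evs in events.items():
        evs.sort()                           # assumes no reboot inside the log window
        run = [evs[0]]
        for ev in evs[1:] + [None]:          # None flushes the final run
            if ev is not None and ev[0] - run[-1][0] <= max_gap:
                run.append(ev)
                continue
            if len(run) >= min_events:
                gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
                loops.append({"client": host, "server": server,
                              "first": run[0][1], "last": run[-1][1],
                              "events": len(run),
                              "median_gap_s": round(median(gaps), 1)})
            if ev is not None:
                run = [ev]
    return loops

if __name__ == "__main__":
    for loop in find_retry_loops(SAMPLE):
        print(loop)
```
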