Bug ID 931308
Summary Gssd fails to renew credentials
Classification openSUSE
Product openSUSE 12.3
Version Final
Hardware Other
OS SLES 11
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee bnc-team-screening@forge.provo.novell.com
Reporter Anna.Schumaker@Netapp.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

This bug is seen when running SLES11 SP3 and SLES11 SP4, but I can't find where
to file SLES bugs anywhere in this bugzilla.  Please let me know if this is in
the wrong place!

Description of problem:

Gssd fails to renew credentials when running with uid=0 and client and server
clocks are just a few seconds off.

Version-Release number of selected component (if applicable):
nfs-client-1.2.3-18.40.15 (SLES11 SP3)

How reproducible:
Just to make the issue easier to reproduce, change the lifetime of the issued 
service ticket to something short, say 2m, by modifying /etc/krb5.conf
ticket_lifetime=2m

Steps to Reproduce:
1. sudo mount -t nfs4 -o sec=krb5 nfs.server.com:/ /mnt
2. sudo dd if=/dev/zero of=/mnt/testfile bs=1 count=10000000

Basically, mount your kerberized NFS server and start a job that lasts longer
than the chosen ticket lifetime (i.e., a dd that would take longer than 2min to
complete).

Actual results:
"dd" will fail with "permission denied" when credentials expire.

See failure logged in var log messages,
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_CREDENTIALS_EXPIRED (The referenced credential has expired) - Unknown error
WARNING: Failed while limiting krb5 encryption types for user with uid 0
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_GATEWAY.2WIRE.NET for server ipa120.gateway.2wire.net
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server ipa120.gateway.2wire.net


Expected results:
"dd" should finish to completion

Additional info:

This problem has been addressed in the upstream nfs-utils and is fixed by:
commit da54dec3cb40095cac96fd2d838144129262ac7f
Author: Lukas Hejtmanek <xhejtman@gmail.com>
Date:   Wed Mar 20 13:24:02 2013 -0400

   gssd - expired credentials problem

I noticed that there is a problem with expired credentials if NFS
client's time is even a few seconds behind KDC's or NFS server's time.
Client's kernel requests new GSS context but rpc.gssd is happy with
existing krb cache as it is valid according to local time.

Signed-off-by: Steve Dickson <steved@redhat.com>
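
Added example, not part of the original report and not nfs-utils code: a simplified model of the failure described in the commit message, replaying the reproduction above (2m ticket lifetime, long-running write) with a client clock a few seconds behind. The one-second time step, the server rejecting as soon as its own clock passes the ticket end time, and the renewal margin used as a mitigation are assumptions of this model; the margin is not claimed to be what the upstream commit changes.

```python
from dataclasses import dataclass


@dataclass
class Ticket:
    endtime: int  # expiry in true (KDC/server) seconds


def cache_valid_locally(ticket, true_now, client_offset, margin=0):
    """Model of the client-side check: endtime is compared with the LOCAL clock.

    client_offset < 0 means the client clock is behind the KDC/server.
    margin is a hypothetical safety window (seconds) before endtime.
    """
    local_now = true_now + client_offset
    return ticket.endtime - local_now > margin


def server_accepts(ticket, true_now):
    """Assumption: the server rejects once its own clock reaches endtime."""
    return true_now < ticket.endtime


def stale_window(lifetime, client_offset, margin=0):
    """True-time interval in which the client reuses a ticket the server rejects."""
    reuse_until = lifetime - client_offset - margin  # client stops reusing here
    return (lifetime, reuse_until) if reuse_until > lifetime else None


def run_job(job_seconds, lifetime, client_offset, margin=0):
    """Return the true time of the first rejected request, or None on success."""
    ticket = Ticket(endtime=lifetime)  # ticket issued at t=0
    for now in range(job_seconds):
        if not cache_valid_locally(ticket, now, client_offset, margin):
            # Cache looks expired locally: fetch a fresh ticket from the KDC.
            ticket = Ticket(endtime=now + lifetime)
        if not server_accepts(ticket, now):
            return now  # the point where "dd" sees "permission denied"
    return None


if __name__ == "__main__":
    # Constructed scenario: ticket_lifetime=2m, 5-minute job, client 5 s behind.
    print("clocks in sync    :", run_job(300, 120, 0))
    print("client 5 s behind :", run_job(300, 120, -5))
    print("stale window      :", stale_window(120, -5))
    print("5 s behind, margin:", run_job(300, 120, -5, margin=5))
```

In this model the job survives only when the margin is at least as large as the clock offset; any smaller margin leaves a window in which the locally "valid" cache is reused against a server that already considers it expired.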
