[Bug 740620] New: no X-login with automount + kerberos

bugzilla_noreply＠novell.com

10 Jan 2012 10 Jan '12

21:09

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c0 Summary: no X-login with automount + kerberos Classification: openSUSE Product: openSUSE 12.1 Version: Final Platform: x86-64 OS/Version: openSUSE 11.2 Status: NEW Severity: Major Priority: P5 - None Component: X.Org AssignedTo: bnc-team-xorg-bugs@forge.provo.novell.com ReportedBy: k.slott@vink-slott.dk QAContact: xorg-maintainer-bugs@forge.provo.novell.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20100101 Firefox/9.0 I think there is some kind of catch 22 I have a 11.3 based network with with auto mounted home-dirs using LDAP/NFS4/Kerberos. Everything works smoothly with 11.3 client installations. A fresh installed 12.1 workstation does not allow login. Reproducible: Didn't try Steps to Reproduce: I have problem remembering the exact order/steps I took, in essence I think is was something like: 1. fresh install a 12.1. During install select ldap and automounted home using sssd - leave rest as default 2. update 3. add kerberos 4. remove samba (Bug 724777) When I get time in a couple of days I'll try to recreate from scratch. Actual Results: A cold boot after the Kerberos tickets has expired newer present a gui login box. It just stays waiting with a spinning cursor. On the file server I see that the client tries to access the last logged in users home - which obviously fails as the kerberos ticket for this user is not created yet. Expected Results: A gui login box If I switch to a console and perform a text login for last logged on user (thereby creating the missing ticket and mounting the users home) the DM recovers and presents the login box. I have tried to set KDM_USERS = nobody in /etc/sysconfig/displaymanager but this setting seems to be ignored. After a successful login I compare mount options and see some differences in mount options used by 11.3 and 12.1 per@11.3:~> mount | grep "home/per" zap.vink-slott.dk:/home/per on /home/per type nfs4 (rw,sync,intr,tcp,proto=tcp,sec=krb5,sloppy,addr=192.168.6.6,clientaddr=192.168.6.105) per@12.1:~> mount | grep "home/per" zap.vink-slott.dk:/home/per on /home/per type nfs4 (rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.6.72,minorversion=0,local_lock=none,addr=192.168.6.6) The automount point distributed via LDAP looks like this: dn: cn=*,nisMapName=auto.home,dc=vink-slott,dc=dk objectClass: nisObject cn: * nisMapEntry: -fstype=nfs4,rw,sync,proto=tcp,sec=krb5 zap.vink-slott.dk:/home/& nisMapName: ldap I tried to add soft to nisMapEntry but, although I see that the mount is now soft on 12.1 as well, it did not solve the login problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

10 Jan 10 Jan

23:08

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c1 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Component|X.Org |Other AssignedTo|bnc-team-xorg-bugs@forge.pr |bnc-team-screening@forge.pr |ovo.novell.com |ovo.novell.com QAContact|xorg-maintainer-bugs@forge. |qa@suse.de |provo.novell.com | --- Comment #1 from Stefan Dirsch 2012-01-10 23:08:06 UTC --- Not sure, whethe this issue is related to X at all. Therefore reassigning to Other component for now. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Feb 12 Feb

15:12

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c2 Klaus Slott changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P1 - Urgent Severity|Major |Critical --- Comment #2 from Klaus Slott 2012-02-12 15:12:15 UTC --- I had several OpenSUSE 11.3 systems working fine using the above combination automount/LDAP/NFS4/Kerberos. Due to the above I decided to be only upgrade to 11.4 - but only to find the same problem in 11.4. This is on a 11.3 machine updated to 11.4 with zypper dup. The problem also results in a hard lock on a system if the user leaves a session open and his kerberos ticket expires. The is critical if more that one user works on the same machine as all NFS activity is locked. When this happens system log is spammed with messages like: Feb 12 13:20:01 maxmini kernel: [72392.656659] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 s Feb 12 13:20:06 maxmini kernel: [72397.664791] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 s Feb 12 13:20:11 maxmini kernel: [72402.672737] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 s It sure looks like the same problem these Debian guys are discussing here http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648155 I think the priority on this should be raised, as 11.3 now has end of life and the no reliable way to use nfs with kerberos anymore -- Regards Klaus -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21:28

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c3 Klaus Slott changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Other |Network --- Comment #3 from Klaus Slott 2012-02-12 21:28:27 UTC --- Bug 740620 (and maybee 743969) is most likely the same problem. System locks up and cant even shut down. This is valid even if NFS is soft mounted. I agree with Stefan that this is not related to X and note that a patch to nfs-utils is suggested (see link to Debian bug above). Therefore reassigning to network as I guess that is where nfs belongs? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

9 Mar 9 Mar

07:49

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c4 kk zhang changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED CC| |kkzhang@novell.com Resolution| |NORESPONSE --- Comment #4 from kk zhang 2012-03-09 07:49:20 UTC --- Long time no response.So closed.Feel free to reopen it.Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10 Mar 10 Mar

08:34

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c5 Jan Engelhardt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |REOPENED CC| |jengelh@medozas.de Component|Network |KDE4 Workspace Resolution|NORESPONSE | AssignedTo|bnc-team-screening@forge.pr |kde-maintainers@suse.de |ovo.novell.com | --- Comment #5 from Jan Engelhardt 2012-03-10 08:33:56 UTC --- (Revert bogus close.) Certain display managers/login screens attempt to read /home/user/.dmrc. That fails in your case. Normally that is not an issue, so do you see anything else on the server side regarding file accesses? Is it perhaps attempting to look at all users and this just taking time? If a console login is all fine, time to blame the DM :) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:10

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c6 --- Comment #6 from Klaus Slott 2012-03-10 15:10:23 UTC --- I wonder why I have selected 11.2 on this issue, it relates to 11.4 and 12.1. Actually I was considering to accept the close and reopen this bug on 12.1 with a better description. As I noted above DM is not to blame, it is the kerberos nfs4 combination. Problem is when a kerberos ticket is expired all attempts t connect to a nfs drive will stall the workstation. This is the same as described in bug 705470 and possibly in bug 743969, and might be solved as described on the link to debian above. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Mar 11 Mar

13:13

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c7 Jan Engelhardt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Component|KDE4 Workspace |Kernel Resolution| |DUPLICATE AssignedTo|kde-maintainers@suse.de |kernel-maintainers@forge.pr | |ovo.novell.com --- Comment #7 from Jan Engelhardt 2012-03-11 13:13:08 UTC --- The Debian link most certainly is worth something. *** This bug has been marked as a duplicate of bug 705470 *** http://bugzilla.novell.com/show_bug.cgi?id=705470 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 May 7 May

20:06

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c8 Linux Admin changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |update@mrc-systems.de --- Comment #8 from Linux Admin 2012-05-07 20:06:41 UTC --- I see the same kdm problem here on my 2 12.1 test systems. (nfs4, ldap/krb5 authentication) Suddenly kdm3 and kdm4 hangs after selecting the user. The root cause is a expires ticket for this user, which wasn't removed after shutdown of the machine (unclean logout?) Using the good old xdm has solved the problem so far, but it's a little uncomfortable, as the user has to shutdown the box via the poweroff button... At the moment I am testing as a workaround the removal of all tickets in /tmp/ during bootup. But this will not solve the problem with a user logged in while the ticket expires. Maybe krb5-ticket-watcher can help to circumvent this problem... With 11.1/kdm3 this issue is not present, there are tons of old ticketfiles which does not have any effect. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

8 May 8 May

05:48

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c9 --- Comment #9 from Klaus Slott 2012-05-08 05:48:10 UTC --- Using xdm will only partially solve the problem. The underlaying problem is still that ANY attempt to access a nfs share depending on a expired ticket will block the tread - and any subsequent nfs access. Removing expired ticket might help (have not tried) but in my case I also have to deal with users leaving a session open. I have build a test version including the Debian patch described above and this does indeed solve the login problem. But nfs performance still sucks when the system is under pressure. http://download.opensuse.org/repositories/home:/Mr_Manor:/branches:/openSUSE... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:05

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c10 --- Comment #10 from Linux Admin 2012-05-08 08:05:27 UTC --- As my test user normally logs in only for one day, I had defined the ticket-lifetime to 28 hours... So normally there is no issue. If you use krb5-ticket-watcher, you can automatically renew tickets... I have compile rpc.gssd with the applied patch yesterday too, so lets see if this helps. But I have to get expired tickets survive the logout... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:46

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c11 Joschi Brauchle changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |joschibrauchle@gmx.de --- Comment #11 from Joschi Brauchle 2012-05-08 08:46:28 UTC --- Hello Klaus, I strongly disagree that patching gssd is the correct solution! What the patch does is report an EACCESS error, once the ticket expires. This is not correct behavior in my opinion! The NFS mount should "hang" when the KRB ticket is expires, cecause it gives the user the ability to resume all it's processes, once he acquires a *new* ticket. What you should look at, is *not* to patch gssd, but rather change the display managers configuration, such that is places its user ".dmrc" file outside the user's home. Because your login problems relates from the DM trying to read the /home/<username>/.dmrc file, once you click on it's name in the login window. As the read access to the user home is not available before the user acquires a KRB ticket, this ".dmrc" file must be places elsewhere. There is a directive "DmrcDir=<dir>" for KDM in it's config file "/usr/share/kde4/config/kdm/kdmrc". In our configuration, we placed these files on a NON-KRB-secured NFS share, such that the DM can read without a ticket! So make it short: Yes, patching gssd fixes the problem, BUT changes kerberized NFS behaviour (in a bad way -- my opinion). Instead, one should change the DM configuration to prevent accessing the user home before the user acquires a ticket! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

09:06

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c12 --- Comment #12 from Linux Admin 2012-05-08 09:06:42 UTC --- With a 2minute lifetime I can confirm that the kdm issue is solved by the debian patch. I have also added RPCGSSDOPTS=-e to /etc/sysconfig/nfs and to the init.d script nfs. Also the expired ticket issue during a login session is solved. By canceling the nfs-requests the system stays responding and you can get e new ticket by entering kinit in an hopefully open terminal... @Joshi: you may be right concerning the kdm isssue, but the second issue renders the user with and hanging X-session. And you can not tell the normal user to switch to console and login in text mode to get the x-session working again... So its better to get an error as it was up to now, than wait to infinity and let the user do a hard reboot, as for him nothing else solves the problem.... Then of course he has the login problem with kdm (at the moment)..... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

09:10

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c13 --- Comment #13 from Klaus Slott 2012-05-08 09:10:33 UTC --- (In reply to comment #11)

...

So make it short: Yes, patching gssd fixes the problem, BUT changes kerberized NFS behaviour (in a bad way -- my opinion). Instead, one should change the DM configuration to prevent accessing the user home before the user acquires a ticket!

Well I might agree with your opinion, if the NFS blocking only hit the task trying to access the users home drive. But that is not so. When a a ticket expires then all NFS access hangs hitting every user on the affected workstation. Other users have no way of escaping as they are not able to issue a new ticket for the user blocking NFS. This might be related to the performance problem I also see. I suspect that NFS+kerberos access is single treaded. But I have not yet found time to investigate further into this. On top of that there are other programs which may try to look in the a users home during login. As an example ssh tries to access .ssh/authorized key and is blocked to. This effectively disables ssh login completely. So patching gssd might not be the correct solution, but replacing KDM is only fixing a small part of the problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:13

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c14 --- Comment #14 from Linux Admin 2012-05-08 10:13:41 UTC --- I now have reproduced the lockup for other users: So now I know, why I have sometimes problems to reach the client via ssh.... With a single expired ticket, no login, no ssh etc. is possible as every ticket-request is blocking. And rpc.gssd is running with >50% cpu usage. Running sessions of other users seams to be unaffected, as long they do not issue a new ticket or want to log out. Then rpc.gssd is blocking every request. So reporting an error is the behavior I would expect, rather than looping infinitively. Most programs will(should) catch the write error and give the user a second try. Otherwise the user must assume a system hang, as he does not get any error message. (And if he tries to click in some menu entries the x-server menu bug will freeze the X-server which will end in a hard boot in many cases.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:31

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c15 --- Comment #15 from Joschi Brauchle 2012-05-08 12:31:53 UTC --- Hello Klaus, I completely agree with you, that this problem is bad, because it affects all Nfs users on the machine, not only the user with the expired ticket! My point comes from what I read on some NFS mailling list: returning EACCESS in the situation of an expired ticket is a BIG change in the behavior of kerberized NFS. As long as there is a switch to turn this on or off (as there is in your patch), then that is ok! But personally, I think that there must be a different problem deep inside the gssd, that causes the blockage for all users! I would like to see someone investigate deeper and see if the workflow inside gssd can be adapted, such that the problem is fixed + the current behavior is kept the same. Because currently, one has to either A) live with the problem, if you want to stick with the current behavior, or B) accept the change in behavior of kerberized NFS if you want to fix the problem. The current patch only fixes the problem if you are willing to accept that change. If not, the problem is still there! Hence, I think the bug is not "resolved" at all, rather it's "circumvented" for some users. By the way, i would be happy to help debug the problem... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:38

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c16 --- Comment #16 from Joschi Brauchle 2012-05-08 12:38:58 UTC --- (In reply to comment #14)

...

So reporting an error is the behavior I would expect, rather than looping infinitively. Most programs will(should) catch the write error and give the user a second try.

Of course, looping infinitely is a problem -- but returning an EACCESS error is also not the right solution! The user with the expired ticket should be given a chance to renter his PW and acquire a new ticket! All other users should, of course, not be affected at all! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:07

New subject: [Bug 740620] no X-login with automount + kerberos

...

I think that there must be a different problem deep inside the gssd, that causes the blockage for all users! Amen. As mentioned above I have a suspicion that all NFS access is serialized somewhere in the client. In my setup (using the Debian patch) I see severe

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c17 --- Comment #17 from Klaus Slott 2012-05-08 13:07:30 UTC --- (In reply to comment #15) performance issues when some program generates a lot of NFS traffic, in effect taking the workstation several minutes to react to something like ls command. Unfortunately I'am not a programmer myself, I merely took the Debian patch and verified that it looked plausible - and applied it. I really hope someone more skilled would look into this! (should we reopen this, make a new, or settle for 705470?) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

31 Oct 31 Oct

09:09

New subject: [Bug 740620] no X-login with automount + kerberos

https://bugzilla.novell.com/show_bug.cgi?id=740620 https://bugzilla.novell.com/show_bug.cgi?id=740620#c18 Linux Admin changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Kernel |Kernel Product|openSUSE 12.1 |openSUSE 12.2 OS/Version|openSUSE 11.2 |openSUSE 12.2 --- Comment #18 from Linux Admin 2012-10-31 09:09:55 UTC --- As the problem still exist in 12.2, I have tested ubuntu 12.04. Ubuntu knows the "-e" switch and by the way has a longer support lifetime. So I am planing to switch over to ubuntu LTS /trinity after using suse products for 18 years now. Bye bye Suse. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

4205

Age (days ago)

4500

Last active (days ago)

List overview

Download

18 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 740620] New: no X-login with automount + kerberos

tags

participants (1)