[Bug 740620] New: no X-login with automount + kerberos
https://bugzilla.novell.com/show_bug.cgi?id=740620
https://bugzilla.novell.com/show_bug.cgi?id=740620#c0

           Summary: no X-login with automount + kerberos
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: X.Org
        AssignedTo: bnc-team-xorg-bugs@forge.provo.novell.com
        ReportedBy: k.slott@vink-slott.dk
         QAContact: xorg-maintainer-bugs@forge.provo.novell.com
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20100101 Firefox/9.0

I think there is some kind of catch 22.

I have an 11.3 based network with auto-mounted home dirs using LDAP/NFS4/Kerberos. Everything works smoothly with 11.3 client installations. A freshly installed 12.1 workstation does not allow login.

Reproducible: Didn't try

Steps to Reproduce:
I have problems remembering the exact order/steps I took; in essence I think it was something like:
1. fresh install a 12.1. During install select ldap and automounted home using sssd - leave rest as default
2. update
3. add kerberos
4. remove samba (Bug 724777)
When I get time in a couple of days I'll try to recreate from scratch.

Actual Results:
A cold boot after the Kerberos tickets have expired never presents a gui login box. It just stays waiting with a spinning cursor. On the file server I see that the client tries to access the last logged in user's home - which obviously fails as the kerberos ticket for this user is not created yet.

Expected Results:
A gui login box

If I switch to a console and perform a text login for the last logged on user (thereby creating the missing ticket and mounting the user's home) the DM recovers and presents the login box.

I have tried to set KDM_USERS = nobody in /etc/sysconfig/displaymanager but this setting seems to be ignored.

After a successful login I compare mount options and see some differences in the mount options used by 11.3 and 12.1:

per@11.3:~> mount | grep "home/per"
zap.vink-slott.dk:/home/per on /home/per type nfs4 (rw,sync,intr,tcp,proto=tcp,sec=krb5,sloppy,addr=192.168.6.6,clientaddr=192.168.6.105)

per@12.1:~> mount | grep "home/per"
zap.vink-slott.dk:/home/per on /home/per type nfs4 (rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.6.72,minorversion=0,local_lock=none,addr=192.168.6.6)

The automount point distributed via LDAP looks like this:

dn: cn=*,nisMapName=auto.home,dc=vink-slott,dc=dk
objectClass: nisObject
cn: *
nisMapEntry: -fstype=nfs4,rw,sync,proto=tcp,sec=krb5 zap.vink-slott.dk:/home/&
nisMapName: ldap

I tried to add soft to nisMapEntry but, although I see that the mount is now soft on 12.1 as well, it did not solve the login problem.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
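The two mount(8) lines and the LDAP map entry from the report, compared programmatically. This is an added example written for this page; it is not code from the bug report, from openSUSE, or from autofs. The three sample strings are the ones quoted in the report; the parser, the option diff, the map-entry expansion (the autofs sun-format rule that `&` in the location is replaced by the looked-up key) and the summary of the two settings that matter for the hang (hard versus soft retry, and `sec=krb5`, which makes every request depend on a GSS context that rpc.gssd builds from the calling uid's credential cache) are mine. One point the diff makes visible: `intr` on the 11.3 client is accepted but ignored by kernels since 2.6.25, so both clients retry indefinitely unless `soft` is given.

```python
"""Parse mount(8) output and an autofs map entry, then diff the option sets.

Added example for this bug report, not code from openSUSE or autofs. The three
sample strings are copied from the report above; everything else is illustration.
"""
import re

# Samples from the report: mount(8) lines seen on the 11.3 and 12.1 clients and the
# nisMapEntry served from LDAP (sun-format autofs map entry).
MOUNT_113 = ("zap.vink-slott.dk:/home/per on /home/per type nfs4 "
             "(rw,sync,intr,tcp,proto=tcp,sec=krb5,sloppy,addr=192.168.6.6,"
             "clientaddr=192.168.6.105)")
MOUNT_121 = ("zap.vink-slott.dk:/home/per on /home/per type nfs4 "
             "(rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,"
             "proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.6.72,"
             "minorversion=0,local_lock=none,addr=192.168.6.6)")
MAP_ENTRY = "-fstype=nfs4,rw,sync,proto=tcp,sec=krb5 zap.vink-slott.dk:/home/&"

MISSING = "<absent>"   # sentinel: option not present (a bare flag like 'rw' parses to None)
_MOUNT_RE = re.compile(
    r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")


def parse_options(opts):
    """'rw,sec=krb5' -> {'rw': None, 'sec': 'krb5'}; a later duplicate overrides an earlier one."""
    out = {}
    for tok in opts.split(","):
        if not tok:
            continue
        key, sep, value = tok.partition("=")
        out[key] = value if sep else None
    return out


def parse_mount_line(line):
    """One line of `mount` output -> {'source', 'target', 'fstype', 'options'}."""
    m = _MOUNT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a mount(8) output line: %r" % line)
    rec = m.groupdict()
    rec["options"] = parse_options(rec.pop("opts"))
    return rec


def diff_options(a, b):
    """{option: (value_in_a, value_in_b)} for every option whose presence or value differs."""
    return {k: (a.get(k, MISSING), b.get(k, MISSING))
            for k in sorted(set(a) | set(b))
            if a.get(k, MISSING) != b.get(k, MISSING)}


def expand_map_entry(entry, key):
    """Split '-opt,opt location' and substitute '&' in the location with the looked-up KEY."""
    parts = entry.split(None, 1)
    if parts and parts[0].startswith("-"):
        opts, location = parts[0][1:], (parts[1] if len(parts) > 1 else "")
    else:
        opts, location = "", entry.strip()
    options = parse_options(opts)
    fstype = options.pop("fstype", None)
    return {"fstype": fstype, "options": options, "location": location.replace("&", key)}


def summarize(options):
    """The two settings that matter for the hang in this thread.

    NFS retries forever ('hard') unless 'soft' is given; 'intr' is accepted but ignored
    since kernel 2.6.25, so its presence on 11.3 changes nothing. sec=krb5/krb5i/krb5p
    means every request needs a GSS context that rpc.gssd derives from the calling
    uid's credential cache, so a uid without a ticket cannot get its request sent.
    """
    sec = options.get("sec") or "sys"
    return {"retry": "soft" if "soft" in options else "hard",
            "sec": sec,
            "needs_user_ticket": sec in ("krb5", "krb5i", "krb5p")}


if __name__ == "__main__":
    old, new = parse_mount_line(MOUNT_113), parse_mount_line(MOUNT_121)
    for k, (va, vb) in diff_options(old["options"], new["options"]).items():
        print("%-14s 11.3=%-16s 12.1=%s" % (k, va, vb))
    print(summarize(new["options"]))
    print(expand_map_entry(MAP_ENTRY, "per"))
```

Running it shows that `sec=krb5` and `proto=tcp` are identical on both clients, that 11.3 explicitly had `sync` and `intr` while 12.1 has `hard` and the newer defaults spelled out; `summarize` reports both as hard retry with a per-uid ticket requirement, which is consistent with the reporter's observation that adding `soft` to the map did not remove the dependency on the ticket.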
--- Comment #1 from Stefan Dirsch (https://bugzilla.novell.com/show_bug.cgi?id=740620#c1)
--- Comment #2 from Klaus Slott (https://bugzilla.novell.com/show_bug.cgi?id=740620#c2)
--- Comment #3 from Klaus Slott (https://bugzilla.novell.com/show_bug.cgi?id=740620#c3)
--- Comment #4 from kk zhang (https://bugzilla.novell.com/show_bug.cgi?id=740620#c4)
--- Comment #5 from Jan Engelhardt (https://bugzilla.novell.com/show_bug.cgi?id=740620#c5)
--- Comment #6 from Klaus Slott (https://bugzilla.novell.com/show_bug.cgi?id=740620#c6)
--- Comment #7 from Jan Engelhardt (https://bugzilla.novell.com/show_bug.cgi?id=740620#c7)
--- Comment #8 from Linux Admin (https://bugzilla.novell.com/show_bug.cgi?id=740620#c8)
--- Comment #9 from Klaus Slott (https://bugzilla.novell.com/show_bug.cgi?id=740620#c9)
--- Comment #10 from Linux Admin (https://bugzilla.novell.com/show_bug.cgi?id=740620#c10)
--- Comment #11 from Joschi Brauchle (https://bugzilla.novell.com/show_bug.cgi?id=740620#c11)
--- Comment #12 from Linux Admin (https://bugzilla.novell.com/show_bug.cgi?id=740620#c12)

--- Comment #13 from Klaus Slott (https://bugzilla.novell.com/show_bug.cgi?id=740620#c13)
> So make it short: Yes, patching gssd fixes the problem, BUT changes kerberized NFS behaviour (in a bad way -- my opinion). Instead, one should change the DM configuration to prevent accessing the user home before the user acquires a ticket!

Well, I might agree with your opinion if the NFS blocking only hit the task trying to access the user's home drive. But that is not so. When a ticket expires, all NFS access hangs, hitting every user on the affected workstation. Other users have no way of escaping, as they are not able to issue a new ticket for the user blocking NFS. This might be related to the performance problem I also see. I suspect that NFS+kerberos access is single threaded. But I have not yet found time to investigate further into this.

On top of that there are other programs which may try to look in a user's home during login. As an example, ssh tries to access .ssh/authorized_keys and is blocked too. This effectively disables ssh login completely.

So patching gssd might not be the correct solution, but replacing KDM is only fixing a small part of the problem.
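An added illustration of the approach argued over in the two comments above, "do not touch the user's home before that user has a ticket", written for this page and not part of the bug, of KDM, sssd or nfs-utils. It probes the path in a child process with a bounded wait, so a login-side wrapper gets one of three answers (reachable, unreachable, hung) instead of inheriting the hang. The names `probe_path`, `session_gate` and `demo_hung_home` are hypothetical; the `user=` argument assumes Python 3.9+ and privilege to switch uid, and the FIFO used to simulate the hang offline is constructed by the example. The probe is meant to run as the uid whose home is about to be entered, because rpc.gssd picks the credential cache per uid: a probe run as root would use the machine credential and could succeed while the user's own access still blocks.

```python
"""Bounded probe of a user's home directory before a login path touches it.

Added example for this thread, not code from openSUSE, KDM, sssd or nfs-utils.
Opens the path in a child process, as the target uid, and gives up after a
bounded wait instead of hanging the caller on a kerberized, hard-mounted home.
"""
import os
import subprocess
import sys
import tempfile

REACHABLE, UNREACHABLE, HUNG = "reachable", "unreachable", "hung"

# Child program: open the path read-only and exit. On a hard NFS mount whose
# RPCSEC_GSS context cannot be established for this uid, the open() blocks.
_CHILD = "import os, sys; os.close(os.open(sys.argv[1], os.O_RDONLY))"


def probe_path(path, timeout=5.0, user=None):
    """Return REACHABLE, UNREACHABLE or HUNG for PATH, waiting at most TIMEOUT seconds.

    user: name or uid to run the child as (subprocess 'user=' keyword, Python 3.9+,
    needs privilege). Probe as the user whose home you are about to enter: rpc.gssd
    looks up a credential cache per uid, so a root probe can succeed (machine
    credential) while the user's own access still hangs for lack of a ticket.
    """
    kwargs = {"user": user} if user is not None else {}
    try:
        r = subprocess.run([sys.executable, "-c", _CHILD, path],
                           capture_output=True, timeout=timeout, **kwargs)
    except subprocess.TimeoutExpired:
        # subprocess.run() SIGKILLs the child on timeout. A fatal signal also
        # interrupts a hard NFS wait on current kernels (the reason 'intr' is
        # ignored since 2.6.25). If the child were truly uninterruptible, the
        # wait() inside run() would still block, so keep TIMEOUT short.
        return HUNG
    return REACHABLE if r.returncode == 0 else UNREACHABLE


def session_gate(home, timeout=5.0, user=None):
    """Decision a (hypothetical) login wrapper could take before entering HOME.

    Only REACHABLE lets the session proceed into HOME. HUNG means the caller
    should fall back (a temporary home, or a 'no ticket yet' prompt) rather than
    wait, which is what the frozen display manager in this bug does not do.
    """
    state = probe_path(home, timeout=timeout, user=user)
    return {"home": home, "state": state, "proceed": state == REACHABLE}


def demo_hung_home():
    """Simulate the hang offline: opening a FIFO O_RDONLY blocks until a writer appears."""
    with tempfile.TemporaryDirectory() as d:
        fifo = os.path.join(d, "home-that-never-answers")
        os.mkfifo(fifo)
        return session_gate(fifo, timeout=1.0)


if __name__ == "__main__":
    print(session_gate("/"))
    print(session_gate("/nonexistent/home/per"))
    print(demo_hung_home())
```

The same three-way answer is what sshd would need before reading `~/.ssh/authorized_keys` on such a home; a wrapper can only act on it if the probe runs under the right uid and the timeout is short enough that the killed child actually returns.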
--- Comment #14 from Linux Admin (https://bugzilla.novell.com/show_bug.cgi?id=740620#c14)
--- Comment #15 from Joschi Brauchle (https://bugzilla.novell.com/show_bug.cgi?id=740620#c15)

--- Comment #16 from Joschi Brauchle (https://bugzilla.novell.com/show_bug.cgi?id=740620#c16)
> So reporting an error is the behavior I would expect, rather than looping infinitely. Most programs will (should) catch the write error and give the user a second try.

Of course, looping infinitely is a problem -- but returning an EACCES error is also not the right solution! The user with the expired ticket should be given a chance to re-enter his PW and acquire a new ticket! All other users should, of course, not be affected at all!

--- Comment #17 from Klaus Slott (https://bugzilla.novell.com/show_bug.cgi?id=740620#c17)
> I think that there must be a different problem deep inside the gssd, that causes the blockage for all users!

Amen. As mentioned above I have a suspicion that all NFS access is serialized somewhere in the client. In my setup (using the Debian patch) I see severe

--- Comment #18 from Linux Admin (https://bugzilla.novell.com/show_bug.cgi?id=740620#c18)