We mount user home directories (using automount) from an nfs4 server
with sec=krb5.
Using older kernels (2.6.32 for example), when the user ticket expires,
attempts to access the mount get EPERM. This is no big deal, the
workstation is probably in the screensaver so the user enters her
password, a new ticket is granted and everything carries on.
At some point (before or after 2.6.39) this behaviour changed.
Now attempts to access the mount point hang and an endless stream of:
Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server xxxx
messages is printed to the kernel log. The user doesn't get prompted
for a password and can only get a new ticket by moving to a text console
and logging in again (which unblocks things).
(This is Debian bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648155 and Ubuntu bug
https://bugs.launchpad.net/ubuntu/+bug/794112 ).
The client is Debian Sid, with kernel 3.1.0-rc10 on a Dell core i5 based
Optiplex 390. (The same problem occurs in the standard Debian 3.0 kernel).
Linux cretic 3.1.0-rc10 #1 SMP Thu Nov 10 11:45:46 CET 2011 x86_64 GNU/Linux
The server is Debian Squeeze, kernel 2.6.32.
What should I be trying to do to debug this?
Here is a ridiculously stupid patch that fixes the behaviour to be
closer to what I want.
Now, if the krb5 ticket has expired, processes get an EKEYEXPIRED error
and the kernel doesn't waste its time printing "ticket expired" errors.
From the point of view of someone who has their home directory nfs
mounted: they go home after work, and when they get back in the morning they
give their password to the screensaver, pam_krb5 gets a new ticket and
everything works.
(Without this hack the screensaver hangs before presenting the password
prompt, presumably accessing something in the home directory).
Anyone care to comment?
On 14/11/11 15:33, John Hughes wrote:
> Here is a ridiculously stupid patch that fixes the behaviour to be
> closer to what I want.
>
> Now, if the krb5 ticket has expired, processes get an EKEYEXPIRED error
> and the kernel doesn't waste its time printing "ticket expired" errors.
A slight modification of the patch is needed to avoid scads of "state
manager failed" errors: if we get EKEYEXPIRED in
nfs4_recovery_handle_error we *should* return zero, but we don't want to
call nfs4_warn_keyexpired (there is no reason to log this, it's not a
kernel problem).
Here's a cleaner version of the patch.
Does anybody care about this? Will anybody read this message?