Kerberos + LDAP + NFSv4 on Natty - Unable to recover unattended client

Asked by Brian the Lion on 2011-06-06

Hi there!

I've configured a Natty client/server pair to authenticate over Kerberos and LDAP and to mount user home directories via NFSv4 with sec=krb5. I am using a slight variation on the configuration described here: http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

Under this setup, user sessions that are left unattended for a long period of time -- eg, when someone goes home for the night but stays logged in -- always result in a wedged machine. What do I mean by "wedged?" When the user returns to their session (the next morning), the screen is sorta grayed out. Keystrokes and mouse movement fail to elicit a reaction from the OS. I can switch to an ANSI terminal (Ctrl+Alt+F1), but cannot log in as the offending user there; the prompt will accept a username and password by never return. I CAN login using my localadmin, presumably because it uses UNIX authentication rather than LDAP/Kerberos. I have heretofore been unable to recover the machine as the localadmin, though. If localadmin attempts to sudo reboot the machine, the reboot process starts but never finishes.

Some odd things in the server syslog:

Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: NEEDED_PREAUTH: <email address hidden> for <email address hidden>, Additional pre-authentication required
Jun 6 07:40:15 server krb5kdc[822]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, <email address hidden> for <email address hidden>
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=18}, <email address hidden> for <email address hidden>
Jun 6 07:40:15 server krb5kdc[822]: TGS_REQ (3 etypes {1 3 2}) 192.168.0.59: ISSUE: authtime 1307360415, etypes {rep=18 tkt=18 ses=1}, <email address hidden> for <email address hidden>
Jun 6 07:40:15 server nslcd[950]: [92ef4c] nslcd_passwd_byname(nfs/carina.co57.lan): invalid user name
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:46:49 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:48:51 server slapd[836]: <= bdb_equality_candidates: (uidNumber) not indexed
Jun 6 07:49:20 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 07:57:07 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 07:59:35 server slapd[836]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 08:00:00 server slapd[836]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 08:00:01 server slapd[836]: last message repeated 3 times

And from all over the client syslog:

Jun 6 10:53:28 carina kernel: [47636.670075] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:33 carina kernel: [47641.666533] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:38 carina kernel: [47646.662437] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:43 carina kernel: [47651.658844] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:48 carina kernel: [47656.655152] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:53 carina kernel: [47661.651498] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:53:58 carina kernel: [47666.647829] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:03 carina kernel: [47671.644084] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:08 carina kernel: [47676.640219] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:13 carina kernel: [47681.636699] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:18 carina kernel: [47686.632981] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:23 carina kernel: [47691.629134] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:28 carina kernel: [47696.625429] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:33 carina kernel: [47701.621717] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:38 carina kernel: [47706.617861] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:43 carina kernel: [47711.614235] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:48 carina kernel: [47716.610530] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.
Jun 6 10:54:53 carina kernel: [47721.606813] Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server 192.168.0.2.

My intuition is the following: The user's client-side Kerberos ticket is expiring (RPCSEC_GSS errors) and the sec=krb5 on NFS is sitting in a poll loop, waiting for a new one. This is somehow causing the rest of the system to grind to a halt, whether through resource usage or blocking in the kernel. I will continue to investigate and post evidence as I come by it. In the meantime, does anybody have any ideas?

Cheers!
~Brian

Question information

Language:
English Edit question
Status:
Open
For:
Ubuntu openldap Edit question
Assignee:
No assignee Edit question
Last query:
2011-06-06
Last reply:

Can you help with this problem?

Provide an answer of your own, or ask Brian the Lion for more information if necessary.

To post a message you must log in.