From: Mika Fischer <mika.fischer@kit.edu>
To: linux-nfs@vger.kernel.org
Subject: Bug: Cleaning up of kerberos credentials by SSH with kerberized NFS leads to excessive log spam by rpc.gssd
Date: Tue, 6 Jul 2010 14:45:01 +0200
Message-ID: <AANLkTim3hkqS-MivxL4C7Q7-xC_8P0ASPuKq-PKsZx5C@mail.gmail.com>
Hi,

we're having the following problem at our institute where we use
Kerberos to secure our NFS mounts.

This is copied from the OpenSuSE bug report here:
https://bugzilla.novell.com/show_bug.cgi?id=620066

----
SSH by default deletes Kerberos credentials when a user logs out.

If the user left a program running (for instance via screen), and if Kerberos
credentials are needed to access the home directories (kerberized NFS),
rpc.gssd will fail to obtain Kerberos credentials.

The problem is that it generates excessive amounts of warnings in the syslog to
this effect (about 1100 warnings per second), which then quickly fill up the
hard drive.

Reproducible: Always

Steps to Reproduce:
1. Log in (via SSH) to host that mounts home directory via kerberized NFS
2. Start screen with some process accessing the home dir inside
3. Detach screen
4. Close SSH session
5. Wait for rpc.gssd credentials cache to expire

Actual Results:
When the process still running on the target host tries to access the home
directory, rpc.gssd will try and fail to obtain Kerberos credentials for the
user. It will then spam the syslog with the following warning
----
<date> <hostname> rpc.gssd[<pid>]: WARNING: Failed to create krb5 context for
user with uid <uid> for server <other hostname>
----
This is repeated ad infinitum until the offending process is killed manually.
The logfile otherwise quickly fills up the partition.

Expected Results:
Maybe one warning or no warning at all should be emitted (the latter is the
case for *expired* credentials). See also
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/293705 for the case of
expired credentials.
----

So it seems that for the case of expired credentials, this problem has
been addressed already. Now we're having the same problem with missing
credentials. Are we doing something wrong? I'm surprised that not more
people have run into this problem.

Any advice would be much appreciated.

Best,
Mika
--
Mika Fischer email: mika.fischer@kit.edu
Institut für Anthropomatik phone: +49 721 608 4735
Universität Karlsruhe (TH) fax: +49 721 60 77 21
Adenauerring 2 web: http://cvhci.ira.uka.de/~mfischer
76131 Karlsruhe office: room 228, building 50.20
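
A way to spot the flood described in the message above before the log partition fills, as an added example that is not part of the original post or of nfs-utils: it parses syslog lines for the quoted rpc.gssd warning and reports each client/uid/server triple whose peak rate reaches a threshold. The warning text is taken from the report; the timestamp layout, host names, uids and the default threshold of 100 per second are assumptions.

```python
import re
from collections import Counter

# Warning text as quoted in the report. The "Mon DD HH:MM:SS" prefix is an
# assumed traditional syslog timestamp (the report only shows "<date>").
GSSD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"rpc\.gssd\[\d+\]: WARNING: Failed to create krb5 context "
    r"for user with uid (?P<uid>\d+) for server (?P<server>\S+)"
)


def find_gssd_floods(lines, per_second_threshold=100):
    """Return {(host, uid, server): peak warnings per second} for every
    triple whose busiest second reaches per_second_threshold."""
    per_second = Counter()
    for line in lines:
        m = GSSD_RE.match(line)
        if m:  # unrelated syslog lines are ignored
            per_second[(m["host"], m["uid"], m["server"], m["ts"])] += 1
    peaks = {}
    for (host, uid, server, _ts), count in per_second.items():
        key = (host, uid, server)
        peaks[key] = max(peaks.get(key, 0), count)
    return {k: v for k, v in peaks.items() if v >= per_second_threshold}


def build_sample_log():
    """Constructed sample input: uid 1000 floods at 1100/s and then 900/s,
    uid 1001 logs one isolated warning, plus one unrelated sshd line."""
    fmt = ("Jul  6 14:50:{:02d} client1 rpc.gssd[2211]: WARNING: Failed to "
           "create krb5 context for user with uid {} for server {}")
    lines = [fmt.format(1, 1000, "nfs1.example.org")] * 1100
    lines += [fmt.format(2, 1000, "nfs1.example.org")] * 900
    lines.append(fmt.format(2, 1001, "nfs1.example.org"))
    lines.append("Jul  6 14:50:02 client1 sshd[900]: session closed")
    return lines


if __name__ == "__main__":
    for (host, uid, server), peak in find_gssd_floods(build_sample_log()).items():
        print(f"{host}: uid {uid} -> {server}: peak {peak} warnings/s")
```

The uid in each reported triple identifies whose leftover process (for example a detached screen session) is still touching the kerberized mount.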