Bug 147233 - NFSv3 over Kerberos: gss_get_mic FAILED during xdm login attempt
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Steve Dickson
Brian Brock
Blocks: 156322
Reported: 2005-02-04 17:16 EST by Chuck Lever
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Last Closed: 2005-10-05 08:45:04 EDT


Attachments
patch 1/2 from trond (3.74 KB, patch), 2005-02-04 17:17 EST, Chuck Lever
patch 2/2 from trond (1.89 KB, patch), 2005-02-04 17:18 EST, Chuck Lever

Description Chuck Lever 2005-02-04 17:16:03 EST
Description of problem:
Mounted my home directory with NFSv3,sec=krb5.  After logging out and
waiting overnight, xdm login fails with this kernel log message:
"gss_get_mic FAILED (786432)" followed by "RPC: call_header failed,
exit EIO".  ssh login works OK.  Rebooting the client clears the problem.

Version-Release number of selected component (if applicable):
2.6.10-1.741_FC3

How reproducible:
I've only seen this once, but I think it will recur any time I leave
xdm overnight with the unpatched kernel.

Steps to Reproduce:
1.  Mount your home directory via NFS, sec=krb5
2.  Normal daily activity on console via xdm and X windows
3.  Log out overnight
4.  Attempt to log in again the next day
  
Actual results:
xdm login fails with this kernel log message: "gss_get_mic FAILED
(786432)" followed by "RPC: call_header failed, exit EIO".

Expected results:
xdm should allow the login to work normally, refreshing the Kerberos
credentials

Additional info:
This is addressed by a couple of patches in Trond's NFS_ALL patch for
2.6.10.  They are already included in 2.6.11, but will need to be
applied to RHEL 4.0.
Comment 1 Chuck Lever 2005-02-04 17:17:39 EST
Created attachment 110681
patch 1/2 from trond
Comment 2 Chuck Lever 2005-02-04 17:18:08 EST
Created attachment 110682
patch 2/2 from trond
Comment 3 Chuck Lever 2005-04-04 12:42:12 EDT
Confirmed: this problem also exists in RHEL 4 (2.6.9-5.0.3EL).  ETA for a fix?
Comment 8 Steve Dickson 2005-07-13 13:29:33 EDT
Chuck,

In http://people.redhat.com/steved/bz147233 is a RHEL4 kernel that
contains these patches. I'm in the process of setting up a test
environment to reproduce the problem and ensure the patches solve
the problem.... but...  If, by chance, you have an environment that you
could 'pop' this kernel into to also verify the problem is fixed, that
would be good and definitely appreciated!! ;-)

BTW... If you need a different flavor of kernel like x86_64 or such just 
let me know... tia... 

Comment 9 Chuck Lever 2005-07-14 08:44:31 EDT
i set up my desktop system to use NFSv3 with kerberos for my home directory, and
booted your test kernel.  logged out before going home yesterday, and tried to
log in this morning, but it failed:

Using username "cel".
cel@dexter.citi.umich.edu's password:
Last login: Wed Jul 13 20:31:19 2005 from
adsl-68-248-33-186.dsl.sfldmi.ameritech.net
Could not chdir to home directory /home/cel: Input/output error
-bash: /home/cel/.bash_profile: Input/output error
-bash-3.00$

these messages appeared in the log:

Jul 14 08:40:30 dexter sshd(pam_unix)[4634]: session opened for user cel by (uid=0)
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:41:02 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:41:02 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:41:02 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:41:02 dexter kernel: RPC: call_header failed, exit EIO

this appears to be the same behavior as before...
Comment 10 Steve Dickson 2005-07-14 10:54:08 EDT
My bad... it appears there was a typo in the spec file that
stopped the patch from being applied... I'm rebuilding a
new kernel at this moment... It might take a few minutes
depending on the health of our build system...

Question: I got a system set up to test this out, but
is there any type of PAM configuration I need to do
so I get a ticket when I log in? I've always just used
kinit to get tickets so I'm not clear as to what has to
happen during login....

As always, thanks for your help!! It's much appreciated...
Comment 11 Chuck Lever 2005-07-14 11:08:48 EDT
the root cause is that the server is expiring its GSS context before the client
expires its context and credential.  the next day, logging in attempts to access
files in a directory using the client's cached context, which the server has by
now long forgotten.  the bugs are in the client-side GSS logic that is supposed
to recover from this situation.

so you can use login (after waiting for the server context to expire) to
reproduce this easily.  but you can also do this by hand simply by mounting a
file system with NFS and krb5, kinit'ing, and waiting overnight.

i used "authconfig" to set up the PAM configuration on my system to acquire
kerberos credentials on login.  just select the "Kerberos 5 authentication" option.
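
Added example, not part of the original bug thread or of the attached kernel patches: the status in the kernel messages quoted in comment 9 matches the root cause given in comment 11, because 786432 is 12 << 16, which the GSS-API major-status layout (RFC 2744) defines as GSS_S_CONTEXT_EXPIRED. The helper names `decode_major` and `summarize` are hypothetical, and the sample log is constructed in the format of the lines quoted above.

```python
import re
from collections import Counter

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary flags in the low bits.
ROUTINE = dict(enumerate((
    "BAD_MECH BAD_NAME BAD_NAMETYPE BAD_BINDINGS BAD_STATUS BAD_SIG NO_CRED "
    "NO_CONTEXT DEFECTIVE_TOKEN DEFECTIVE_CREDENTIAL CREDENTIALS_EXPIRED "
    "CONTEXT_EXPIRED FAILURE BAD_QOP UNAUTHORIZED UNAVAILABLE "
    "DUPLICATE_ELEMENT NAME_NOT_MN").split(), 1))
CALLING = dict(enumerate(
    "CALL_INACCESSIBLE_READ CALL_INACCESSIBLE_WRITE CALL_BAD_STRUCTURE".split(), 1))
SUPPLEMENTARY = dict(enumerate(
    "CONTINUE_NEEDED DUPLICATE_TOKEN OLD_TOKEN UNSEQ_TOKEN GAP_TOKEN".split()))

def decode_major(status):
    """Split a GSS-API major status word into its symbolic components."""
    calling, routine = (status >> 24) & 0xFF, (status >> 16) & 0xFF
    names = []
    if calling:
        names.append(CALLING.get(calling, "CALLING_ERROR_%d" % calling))
    if routine:
        names.append(ROUTINE.get(routine, "ROUTINE_ERROR_%d" % routine))
    names += [n for bit, n in SUPPLEMENTARY.items() if status & (1 << bit)]
    return ["GSS_S_" + n for n in names] or ["GSS_S_COMPLETE"]

# syslog timestamp, host, then the kernel's gss_get_mic failure message
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) kernel: .*gss_get_mic FAILED \((\d+)\)")

def summarize(log_text):
    """Count gss_get_mic failures per (host, decoded status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            hits[(m.group(1), "|".join(decode_major(int(m.group(2)))))] += 1
    return hits

# Constructed sample in the format of the log lines quoted in comment 9.
SAMPLE = """\
Jul 14 08:40:30 dexter sshd(pam_unix)[4634]: session opened for user cel by (uid=0)
Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO
Jul 14 08:41:02 dexter kernel: gss_marshal: gss_get_mic FAILED (786432)
"""

if __name__ == "__main__":
    for (host, status), count in summarize(SAMPLE).items():
        print(host, status, count)
```
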
Comment 12 Steve Dickson 2005-07-14 13:31:21 EDT
Thanks... I'll try the authconfig thing; if that doesn't work
I'll figure something out....

Anyways, I updated the kernels in http://people.redhat.com/steved/bz147233
Comment 13 Chuck Lever 2005-07-17 13:24:31 EDT
downloaded and installed your latest on friday.  i've logged in twice over the
weekend, and all appears to be working correctly on the client side now.

however, i see this on the filer, both with RHEL 4 update 1 and with your kernel:

Sun Jul 17 13:18:05 EDT [nfsd.rpc.request.bad:warning]: Client 141.211.133.33 is
sending bad rpc requests with error: RPC version mismatch or authenication error(73)
Sun Jul 17 13:18:05 EDT [nfsd.auth.status.bad:warning]: Client 141.211.133.33
has an authentication error 14
Sun Jul 17 13:18:05 EDT [nfsd.rpc.request.bad:warning]: Client 141.211.133.33 is
sending bad rpc requests with error: RPC version mismatch or authenication error(73)
Sun Jul 17 13:18:05 EDT [nfsd.auth.status.bad:warning]: Client 141.211.133.33
has an authentication error 14

but i suspect this is a different problem.  i will check this with a current
kernel.org kernel to see if it is resolved there.
Comment 14 Steve Dickson 2005-07-18 08:48:31 EDT
My test also showed the problem seems to be fixed with the above
kernel. Unfortunately, it seems my messaging on my filer is not
set up correctly since /etc/log/messages is symbolically linked
to /etc/messages which does not exist.

Is there another way to look at the filer's log?
Comment 19 Red Hat Bugzilla 2005-10-05 08:45:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html
