Description of problem: Mounted my home directory with NFSv3,sec=krb5. After logging out and waiting overnight, xdm login fails with this kernel log message: "gss_get_mic FAILED (786432)" followed by "RPC: call_header failed, exit EIO". ssh login works OK. rebooting the client clears the problem. Version-Release number of selected component (if applicable): 2.6.10-1.741_FC3 How reproducible: I've only seen this once, but I think it will recur any time i leave xdm overnight with the unpatched kernel. Steps to Reproduce: 1. Mount your home directory via NFS, sec=krb5 2. Normal daily activity on console via xdm and X windows 3. Log out over night 4. Attempt to log in again the next day Actual results: xdm login fails with this kernel log message: "gss_get_mic FAILED (786432)" followed by "RPC: call_header failed, exit EIO". Expected results: xdm should allow the login to work normally, refreshing the Kerberos credentials Additional info: This is addressed by a couple of patches in Trond's NFS_ALL patch for 2.6.10. They are already included in 2.6.11, but will need to be applied to RHEL 4.0.
Created attachment 110681 [details] patch 1/2 from trond
Created attachment 110682 [details] patch 2/2 from trond
Confirmed: this problem also exists in RHEL 4 (2.6.9-5.0.3EL). ETA for a fix?
Chuck, In http://people.redhat.com/steved/bz147233 is a RHEL4 kernel that contains these patches. I'm in the process of setting up a test environment to reproduce the problem and ensure the patchs solve the problem.... but... If, by chance, you have an environment that you could 'pop' this kernel into to also verify the problem is fix, that would good and definitely appreciated!! ;-) BTW... If you need a different flavor of kernel like x86_64 or such just let me know... tia...
i set up my desktop system to use NFSv3 with kerberos for my home directory, and booted your test kernel. logged out before going home yesterday, and tried to log in this morning, but it failed: Using username "cel". cel.umich.edu's password: Last login: Wed Jul 13 20:31:19 2005 from adsl-68-248-33-186.dsl.sfldmi.ameritech.net Could not chdir to home directory /home/cel: Input/output error -bash: /home/cel/.bash_profile: Input/output error -bash-3.00$ these messages appeared in the log: Jul 14 08:40:30 dexter sshd(pam_unix)[4634]: session opened for user cel by (uid=0) Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:40:31 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:40:31 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:41:02 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:41:02 dexter kernel: RPC: call_header failed, exit EIO Jul 14 08:41:02 dexter kernel: gss_marshal: gss_get_mic FAILED (786432) Jul 14 08:41:02 dexter kernel: RPC: call_header failed, exit EIO this appears to be the same behavior as before...
my bad... it appears the was a typo in the spec file that stop the patch from being applied... I'm rebuilding a new kernel at this moment... It might take a few minutes depending on the health of our build system... Question: I got a system set up to test this out, but is there any type of pam configures I need to do so I get a ticket when I log in? I've always just used kinit to get tickets so I'm not clear as what has to happen at during login.... As always, thats for you help!! its much appreciated...
the root cause is that the server is expiring it's GSS context before the client expires its context and credential. the next day, logging in attempts to access files in a directory using the client's cached context, which the server has by now long forgotten. the bugs are in the client-side GSS logic that is supposed to recover from this situation. so you can use login (after waiting for the server context to expire) to reproduce this easily. but you can also do this by hand simply by mounting a file system with NFS and krb5, kinit'ing, and waiting overnight. i used "authconfig" to set up the PAM configuration on my system to acquire kerberos credentials on login. just select the "Kerberos 5 authentication" option.
thanks... I'll try to the authconfig thing, if that doesn't work I figure something out.... Anyways, I updated the kernels in http://people.redhat.com/steved/bz147233
downloaded and installed your latest on friday. i've logged in twice over the weekend, and all appears to be working correctly on the client side now. however, i see this on the filer, both with RHEL 4 update 1 and with your kernel: Sun Jul 17 13:18:05 EDT [nfsd.rpc.request.bad:warning]: Client 141.211.133.33 is sending bad rpc requests with error: RPC version mismatch or authenication error(73) Sun Jul 17 13:18:05 EDT [nfsd.auth.status.bad:warning]: Client 141.211.133.33 has an authentication error 14 Sun Jul 17 13:18:05 EDT [nfsd.rpc.request.bad:warning]: Client 141.211.133.33 is sending bad rpc requests with error: RPC version mismatch or authenication error(73) Sun Jul 17 13:18:05 EDT [nfsd.auth.status.bad:warning]: Client 141.211.133.33 has an authentication error 14 but i suspect this is a different problem. i will check this with a current kernel.org kernel to see if it is resolved there.
My test also showed the problem seem to be fixed with the above kernel. Unfortunately, it seems my messaging on my filer is not set up correctly since /etc/log/messages is symbolicly linked to /etc/messages which does not exist. Is there another way to look at the filer's log?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-514.html