Description of problem:

When an NFS server is rebooted while an NFS client has an NFSv4/krb5 export mounted, the NFS client can not access the content of the mountpoint even a few minutes after the NFS server has completed the reboot.

Following the reboot of the NFS server, it receives RPC_GSS_PROC_DATA packets from the NFS client. In svcauth_gss_accept():

------------------------------------------------------------
830         case RPC_GSS_PROC_DATA:
831         case RPC_GSS_PROC_DESTROY:
832                 *authp = rpcsec_gsserr_credproblem;
833                 rsci = gss_svc_searchbyctx(&gc->gc_ctx);
834                 if (!rsci)
835                         goto auth_err;

937 auth_err:
938         /* Restore write pointer to original value: */
939         xdr_ressize_check(rqstp, reject_stat);
940         ret = SVC_DENIED;
941         goto out;
------------------------------------------------------------

gss_svc_searchbyctx() returns NULL which results in authp being set to rpcsec_gsserr_credproblem and svcauth_gss_accept() returning SVC_DENIED. Eventually svc_authenticate() returns SVC_DENIED and auth_stat is set to rpcsec_gsserr_credproblem:

------------------------------------------------------------
   255 int
   256 svc_process(struct svc_serv *serv, struct svc_rqst *rqstp)
   257 {

   320         auth_res = svc_authenticate(rqstp, &auth_stat);

   328         switch (auth_res) {
   329         case SVC_OK:
   330                 break;
   331         case SVC_GARBAGE:
   332                 rpc_stat = rpc_garbage_args;
   333                 goto err_bad;
   334         case SVC_SYSERR:
   335                 rpc_stat = rpc_system_err;
   336                 goto err_bad;
   337         case SVC_DENIED:
=> 338                 auth_stat = rpc_autherr_badcred;
   339                 goto err_bad_auth;
   340         case SVC_DROP:
   341                 goto dropit;
   342         case SVC_COMPLETE:
   343                 goto sendit;
   344         }
------------------------------------------------------------

In RHEL4 the auth_stat value of rpcsec_gsserr_credproblem is overwritten and set to rpc_autherr_badcred.

If the NFS server returns RPCSEC_GSS_CREDPROBLEM, then the NFS client calls call_refresh() and refreshes the credentials, which is the RHEL5 behaviour. An RPC_AUTH_BADCRED results in the NFS client doing a retry instead.

Version-Release number of selected component (if applicable):
* Red Hat Enterprise Linux AS release 4 (Nahant Update 7)
* Kernel 2.6.9-78

How reproducible:
* Always

Steps to Reproduce:
0. Set up a kerberized NFS environment.
1. On the NFS client, mount the NFSv4/krb5 export at /mnt/test
2. Do an ls /mnt/test
3. Reboot the NFS server. Wait till the NFS server restarts.
4. Do an ls /mnt/test

Actual results:
ls: /mnt/test: Permission denied

Expected results:
* The content of the directory.

Additional info:
* If you wait ~ 45 minutes, the ls /mnt/test will succeed. I suspect there is a timeout on the NFS client that results in the NFS client sending an RPC_GSS_PROC_INIT packet.

Regards,
Harshula
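
The status-code interaction described in the report above, as a small user-space C model (an added example, not kernel code and not the attached patch). The struct, the function names and the context ids are constructed for illustration; the auth_stat values are those of RFC 1831 and RFC 2203.

```c
#include <stdbool.h>
#include <stdio.h>

/* auth_stat wire values (RFC 1831, RFC 2203) */
enum auth_stat { AUTH_OK = 0, AUTH_BADCRED = 1, RPCSEC_GSS_CREDPROBLEM = 13 };

/* Hypothetical model state, not a kernel structure. ctx 0 = no context cached. */
struct server { unsigned ctx; bool overwrite_on_denied; };

/* RPC_GSS_PROC_DATA: models svcauth_gss_accept() followed by svc_process(). */
static enum auth_stat server_data(const struct server *s, unsigned ctx)
{
    if (s->ctx != 0 && s->ctx == ctx)
        return AUTH_OK;
    /* Lookup failed: *authp is rpcsec_gsserr_credproblem, accept returns SVC_DENIED. */
    return s->overwrite_on_denied ? AUTH_BADCRED : RPCSEC_GSS_CREDPROBLEM;
}

/* RPC_GSS_PROC_INIT: the server creates and caches a fresh context (constructed id). */
static unsigned server_init(struct server *s) { s->ctx = 0x2001; return s->ctx; }

/* Returns the attempt number that succeeded, or -1 if every attempt was denied. */
static int client_call(unsigned ctx, struct server *s, int max_tries)
{
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        enum auth_stat st = server_data(s, ctx);
        if (st == AUTH_OK)
            return attempt;
        if (st == RPCSEC_GSS_CREDPROBLEM)   /* call_refresh(): obtain a new context */
            ctx = server_init(s);
        /* AUTH_BADCRED: plain retry with the same stale context */
    }
    return -1;
}

/* Server has just rebooted (empty context cache); client still holds an old context. */
static int after_reboot(bool overwrite_on_denied, int max_tries)
{
    struct server s = { .ctx = 0, .overwrite_on_denied = overwrite_on_denied };
    return client_call(0x1001 /* constructed stale context id */, &s, max_tries);
}

int main(void)
{
    printf("status overwritten with AUTH_BADCRED: %d\n", after_reboot(true, 5));
    printf("RPCSEC_GSS_CREDPROBLEM preserved:     %d\n", after_reboot(false, 5));
    return 0;
}
```

A result of -1 corresponds to the "Permission denied" seen in step 4; when the credential-problem status reaches the client, the second attempt succeeds after one context refresh.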
Created attachment 355646
Tested patch
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Committed in 89.36.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html