Here are the reproduction steps:

I have 3 different servers hosting the NFS client, server and KDC.
I set the ticket lifetime to 10 minutes on the client and server (in krb5.conf).
When adding a principal I specified -maxlife "10 minutes"
-maxrenew 2017-04-30.
I specified max_life (to 10 mins) in the kdc.conf file.
I am using machine credentials on the client (running operation as root user).

Run iozone or bonnie from 2 different clients and you should see the
issue within an hour.

The issue seems to be with the clock skew, which is set to 5 minutes by default.
The server is seeing a context timeout of 15 mins while it should have
been 10 mins (taking the clock skew into account).
The client is rejecting the server messages if the context is used for
more than 10 mins (on the server). This happens thrice and the user
operation fails.

Please let me know if you need any other details.

Thanks,
Satya.


On Sun, Mar 19, 2017 at 5:08 PM, Malahal Naineni <mala...@gmail.com> wrote:
> If I understand, you have a renewable ticket and commands fail when the
> ticket expires? I will let our folks test it. Any more details on
> reproducing this issue?
>
> On Fri, Mar 17, 2017 at 9:59 AM, Satya Prakash GS
> <g.satyaprak...@gmail.com> wrote:
>> Has anyone seen client ops failing with error -13 because of context
>> expiry on the client (gss_verify_mic fails)?
>> Surprisingly, with little load, it's consistently reproducible on my setup.
>> Can someone point me to the relevant commits if this has already been fixed?
>>
>> Thanks,
>> Satya.
>>
>> On Mon, Mar 13, 2017 at 4:01 PM, Satya Prakash GS
>> <g.satyaprak...@gmail.com> wrote:
>>> My bad, I should have mentioned the version in the original post.
>>>
>>> Malahal was kind enough to share a list of relevant commits. With the
>>> patches I continued to see the issue. I suspect the client code is not
>>> handling GSS_S_CONTEXT_EXPIRED correctly on a call to gss_verify_mic.
>>> Instead I fixed the server code to timeout the ticket 5 mins before
>>> the actual timeout (Ganesha is already timing the ticket 5 seconds
>>> earlier).
>>> So far, the issue hasn't been reproduced but I will continue running
>>> the test for a day or two before confirming if the fix works. Do you
>>> see any issue with this fix?
>>>
>>> Thanks,
>>> Satya.
>>>
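
The timing mismatch described in this thread, as a small C model added here for illustration (not code from nfs-ganesha or from any poster). It assumes the server's context lifetime is the ticket lifetime plus the clock skew, that the server subtracts a fixed margin from that value, and that the client expires the context at the ticket lifetime; all function and enum names are hypothetical.

```c
#include <stdio.h>

/* Added example: times are seconds since the GSS context was established. */
enum reply_outcome {
    REPLY_VERIFIED,   /* both sides still treat the context as live */
    REPLY_REJECTED,   /* server signed the reply, client context already expired */
    SERVER_EXPIRED    /* server dropped the context first (assumed to force a new one) */
};

/* Assumption: server lifetime = ticket lifetime + clock skew, minus a margin. */
static long server_expiry(long ticket_life, long clock_skew, long margin)
{
    long reported = ticket_life + clock_skew;   /* 10 min ticket seen as 15 min */
    return reported > margin ? reported - margin : 0;
}

/* Classify a reply sent at time t; the client expires at ticket_life. */
static enum reply_outcome classify(long t, long ticket_life, long clock_skew,
                                   long margin)
{
    if (t >= server_expiry(ticket_life, clock_skew, margin))
        return SERVER_EXPIRED;
    if (t >= ticket_life)
        return REPLY_REJECTED;
    return REPLY_VERIFIED;
}

/* Seconds during which the server still signs replies the client rejects. */
static long reject_window(long ticket_life, long clock_skew, long margin)
{
    long s = server_expiry(ticket_life, clock_skew, margin);
    return s > ticket_life ? s - ticket_life : 0;
}

int main(void)
{
    const long life = 600, skew = 300;      /* values from the thread */
    const long margins[] = { 5, 300 };      /* 5 s margin vs. the 5 min fix */
    const char *names[] = { "verified", "rejected by client", "server expired" };

    for (int i = 0; i < 2; i++) {
        printf("margin %3lds: server expiry %lds, reject window %lds, "
               "reply at 650s -> %s\n", margins[i],
               server_expiry(life, skew, margins[i]),
               reject_window(life, skew, margins[i]),
               names[classify(650, life, skew, margins[i])]);
    }
    return 0;
}
```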
