[Bug 1999308] Re: Snap keeps uninstalling apt Firefox, and reinstalling snap Firefox

2024-05-16 Thread Andrew Conway
The same problem occurs on 24.04, but the workaround of setting the
ubuntu priority to a negative number seems to be working.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1999308

Title:
  Snap keeps uninstalling apt Firefox, and reinstalling snap Firefox

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1999308/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884299] Re: Chromium snap won't run with nfs home drive

2022-06-01 Thread Andrew Conway
Matthieu, more recently a more likely problem has been characterized by Alberto
Mardegan, who found the line in question in
https://bugs.launchpad.net/snapd/+bug/1973321

In particular, restarting snapd doesn't help at all for me, so having
the directory mounted before snapd starts doesn't help, and the same
problem occurs with other file systems. However _starting_ outside the
home directory does help. This is the situation for me with Kerberos
authenticated NFS, and others with sshfs. I don't know whether it is
relevant for people using NFS without authentication. It is easy to test
for yourself - restart snapd and see if that helps.

So I think there is progress in understanding the problem, even if not
working out how to fix it.

FYI: I initially tried a workaround where I used the Debian repository
for firefox instead of the snap version, but despite giving it a higher
priority (confirmed via "sudo apt policy firefox") I found the Debian
package twice over a week uninstalled and replaced by the snap version
that then would not start. I can manually revert it but it is
inconvenient. Any suggestions on how to make that work reliably would be
appreciated.


[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2022-05-16 Thread Andrew Conway
Thanks Alberto. I tried running "hello" in a different directory, and
you were correct:

arc@andrewfairfield:~$ hello
cannot open path of the current working directory: Permission denied
arc@andrewfairfield:~$ cd /
arc@andrewfairfield:/$ hello
Hello, world!
arc@andrewfairfield:/$ 

[ This is in 20.04, not 22.04 ]

Yay! that is the first time I have seen a snap actually work with my
normal user account.

This feels like significant progress in working out what is going on!

Of course firefox needs access to the home directory to load the profile
and store downloads. Is the whole process run as some other user (a la
sudo) or is there just some starting stub running as some other user
doing something that returns to the actual user after doing something
that thinks it needs access to the current directory but could get by
without it?

Actually, I can sort of answer that - I tried running "musescore" as a snap, 
starting from /
It successfully ran. I tried saving something, and it sort of did... but in a 
new, empty "home" directory in a /home/arc/snap/musescore/216/ that the save 
file dialog went to when I pressed the home button. Is this normal behaviour 
for a snap? Regardless of the inconvenience of the subdirectory, that is 
running over nfs successfully. I can close Musescore and load it again. But not 
with cwd=/home/arc.

So that is fairly strong evidence supporting your idea that it is the
same root cause as https://bugs.launchpad.net/bugs/1973321 . I will add
a comment there.

Thanks for the insight Alberto!


[Bug 1884299] Re: Chromium snap won't run with nfs home drive

2022-05-14 Thread Andrew Conway
I (using Kerberos) don't get the apparmor DENIED messages that Eric (not
using Kerberos) did, but I get exactly the same "cannot open path of the
current working directory: Permission denied" error.


[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2022-05-14 Thread Andrew Conway
Using NFSv4, Kerberos authenticated, mounted by autofs:

arc@andrewshoreham:~$ hello
cannot open path of the current working directory: Permission denied

[ Then as user with sudo privs, sudo systemctl restart snapd ]

arc@andrewshoreham:~$ hello
cannot open path of the current working directory: Permission denied


Logs since just before restarting snapd

syslog
--
May 15 14:54:09 andrewshoreham kernel: [12319.195323] audit: type=1400 
audit(1652590449.676:183): apparmor="ALLOWED" operation="open" 
profile="/usr/sbin/sssd" name="/proc/24886/cmdline" pid=910 comm="sssd_nss" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 15 14:54:09 andrewshoreham systemd[1]: Stopping Snap Daemon...
May 15 14:54:09 andrewshoreham snapd[726]: main.go:155: Exiting on terminated 
signal.
May 15 14:54:09 andrewshoreham snapd[726]: overlord.go:504: Released state lock 
file
May 15 14:54:09 andrewshoreham systemd[1]: snapd.service: Deactivated 
successfully.
May 15 14:54:09 andrewshoreham systemd[1]: Stopped Snap Daemon.
May 15 14:54:09 andrewshoreham systemd[1]: snapd.service: Consumed 2.753s CPU 
time.
May 15 14:54:09 andrewshoreham systemd[1]: Starting Snap Daemon...
May 15 14:54:09 andrewshoreham snapd[24890]: AppArmor status: apparmor is 
enabled and all features are available
May 15 14:54:09 andrewshoreham snapd[24890]: overlord.go:263: Acquiring state 
lock file
May 15 14:54:09 andrewshoreham snapd[24890]: overlord.go:268: Acquired state 
lock file
May 15 14:54:09 andrewshoreham snapd[24890]: daemon.go:247: started 
snapd/2.55.3+22.04 (series 16; classic) ubuntu/22.04 (amd64) 
linux/5.15.0-25-generic.
May 15 14:54:09 andrewshoreham kernel: [12319.270748] loop11: detected capacity 
change from 0 to 8
May 15 14:54:09 andrewshoreham snapd[24890]: daemon.go:340: adjusting startup 
timeout by 1m10s (pessimistic estimate of 30s plus 5s per snap)
May 15 14:54:09 andrewshoreham systemd[1]: 
tmp-sanity\x2dmountpoint\x2d2760788470.mount: Deactivated successfully.
May 15 14:54:09 andrewshoreham snapd[24890]: backend.go:133: snapd enabled NFS 
support, additional implicit network permissions granted
May 15 14:54:10 andrewshoreham kernel: [12319.549118] audit: type=1400 
audit(1652590450.028:184): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=24926 
comm="apparmor_parser"
May 15 14:54:10 andrewshoreham kernel: [12319.578896] audit: type=1400 
audit(1652590450.060:185): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" 
name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=24926 
comm="apparmor_parser"
May 15 14:54:10 andrewshoreham kernel: [12319.969313] audit: type=1400 
audit(1652590450.448:186): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="/snap/snapd/15534/usr/lib/snapd/snap-confine" 
pid=24946 comm="apparmor_parser"
May 15 14:54:10 andrewshoreham kernel: [12319.983029] audit: type=1400 
audit(1652590450.464:187): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" 
name="/snap/snapd/15534/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
 pid=24946 comm="apparmor_parser"
May 15 14:54:10 andrewshoreham kernel: [12320.165228] audit: type=1400 
audit(1652590450.644:188): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="snap.snapd-desktop-integration.hook.configure" 
pid=24950 comm="apparmor_parser"
May 15 14:54:10 andrewshoreham kernel: [12320.341043] audit: type=1400 
audit(1652590450.820:189): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" 
name="snap.snapd-desktop-integration.snapd-desktop-integration" pid=24951 
comm="apparmor_parser"
May 15 14:54:11 andrewshoreham kernel: [12320.633250] audit: type=1400 
audit(1652590451.112:190): apparmor="STATUS" operation="profile_replace" 
info="same as current profile, skipping" profile="unconfined" 
name="snap-update-ns.snap-store" pid=24948 comm="apparmor_parser"
May 15 14:54:11 andrewshoreham kernel: [12320.721431] audit: type=1400 
audit(1652590451.200:191): apparmor="STATUS" operation="profile_replace" 
info="same as current profile, skipping" profile="unconfined" 
name="snap-update-ns.snapd-desktop-integration" pid=24949 comm="apparmor_parser"
May 15 14:54:11 andrewshoreham kernel: [12320.727129] audit: type=1400 
audit(1652590451.208:192): apparmor="STATUS" operation="profile_replace" 
info="same as current profile, skipping" profile="unconfined" 
name="snap-update-ns.hello" pid=24954 comm="apparmor_parser"
May 15 14:54:11 andrewshoreham systemd[1]: Started Snap Daemon.
May 15 14:54:11 andrewshoreham dbus-daemon[693]: [system] Activating via 
systemd: service name='org.freedesktop.timedate1' 
unit='dbus-org.freedesktop.timedate1.service' requested by ':1.166' (uid=0 
pid=24890 comm="/usr/lib/snapd/snapd " label="unconfined")
May 15 14:54:11 andrewshoreham systemd[1]: Starting Time & Date Service...
May 15 14:54:11 andrewshoreham dbus-daemon[693]: [system] Successfully 

[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2022-05-11 Thread Andrew Conway
I got exactly the same errors as Miles above; a simple permission denied
error stopping things before AppArmor got involved.

I.e., the answer to Markus Kuhn's question is no, in fact even in
enforce mode there are no denied apparmor complaints.

I don't know whether this is because the gating problem is not being
able to read the ticket in /tmp, or whether being in the kernel solves
some of the apparmor issues, but the greater pickiness of kerberos user
definition is an issue. Do snaps run as a different uid?


[Bug 1884299] Re: Chromium snap won't run with nfs home drive

2022-05-11 Thread Andrew Conway
Firefox also doesn't work now it is a snap in 22.04.

I think there are still multiple issues here. The original poster seems
to be using NFSv3 I believe based on the RPC errors (NFSv3 uses multiple
ports, one of which is called something like RPC, but I am not an expert
in this as I have only used NFSv4, which uses a single port). Is this
correct tylerecouture?

NFSv3 has no user authentication; NFSv4 uses Kerberos for authentication
(and privacy and tamper resistance). I think this brings in additional
problems as snaps don't appear to work with Kerberos.

e.g.

https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1849346

https://bugzilla.mozilla.org/show_bug.cgi?id=1734791

I get a very different error - a simple permission denied error rather
than an AppArmor problem.



** Bug watch added: Mozilla Bugzilla #1734791
   https://bugzilla.mozilla.org/show_bug.cgi?id=1734791

** Also affects: firefox (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1662552] Re: snaps don't work with NFS home

2022-04-23 Thread Andrew Conway
I am pretty sure this is at least partly a problem with snaps not
working with Kerberos, which is the authentication mechanism for NFS.
The Kerberos credentials are (with good reason) not stored in the home
directory.

I described this in more detail in bug 1784774.

This means that firefox and lxd don't work in 22.04 with authenticated
NFS home directories.


[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2022-04-23 Thread Andrew Conway
I did some more investigating, and I think there are two independent problems 
here:
(1) The problem as believed so far, network access permissions
(2) New insight: Kerberos doesn't work with snaps.
This explains why fixing (1) didn't help me (or Adam).

Background: Kerberos is the authentication mechanism used for NFS.
Assuming you are using authentication (as almost everyone does), then
when you access NFS contents, you need to provide kerberos credentials.
These are stored outside of your home directory (after all, home
directories are one of the most common reasons to use NFS, so you can't
store them there). I believe snaps restrict access to just your home
directory, so you can't access the Kerberos key and therefore can't
access your home directory.

This is supported by various bugs like
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1849346
(unresolved) which is a different but relevant issue - people who don't
use NFS but do use Kerberos features in Firefox found they don't work
post snap conversion.


[Bug 1662552] Re: snaps don't work with NFS home

2022-04-22 Thread Andrew Conway
This still doesn't work with 22.04, which is a problem for firefox,
which is now installed as a snap. This seems somewhat strange as firefox
obviously needs network access, so it is not just the network access
that causes problems.

Running firefox from the command line produces an error complaining that
it doesn't have read access to the current working directory (which
would be true if it were running as a different user, as a different user
doesn't have access to the Kerberos ticket).


[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2022-04-22 Thread Andrew Conway
I never got it to work in 20.04, so I don't know whether your fix ever
made it in.

I have just installed Jammy Jellyfish (22.04), and can confirm snaps
don't work in it when using autofs and nfs mounted home directories.

The prior workaround was to just never use any snap applications, which
was OK as nothing important was in snaps prior to 22.04.

This is harder in 22.04 as firefox is distributed as a snap, and so
firefox doesn't work in 22.04 if you have autofs NFS home directories.

The workaround is to use a different source for firefox,
https://ubuntuhandbook.org/index.php/2022/04/install-firefox-deb-ubuntu-22-04/
but I don't know whether that will get security updates as
quickly, so this is a serious problem.

** Also affects: firefox (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1886277] Re: Regression on NFS: unable to handle page fault in mempool_alloc_slab

2020-09-28 Thread Andrew Conway
5.4.0-48-generic seems to have fixed this problem for me, thanks!


[Bug 1886277] Re: Regression on NFS: unable to handle page fault in mempool_alloc_slab

2020-07-24 Thread Andrew Conway
For what it is worth, I also have the same encryption
aes256-cts-hmac-sha1-96 (and same problem).  The tickets come from MIT
Kerberos on Ubuntu 18.04; the NFS servers are Ubuntu 18.04 using krb5p
security option.


[Bug 1886775] Re: kernel 5.4.0-40 hangs system when using nfs home directories

2020-07-08 Thread Andrew Conway
#3: Agreed that it is a duplicate of lp: #1886277 . Sorry, I looked for
similar bugs but did a lousy job it appears. I just made a comment to
this effect in #1886277.

#2: I believe the apport files are attached in comment #1, though it is
the first time I have used it and may be confusing it.

** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed


[Bug 1886277] Re: unable to handle page fault in mempool_alloc_slab

2020-07-08 Thread Andrew Conway
I also have this problem, which I reported as a new bug 1886775 which is
probably just a duplicate of this bug. Same issue, -40 dies with NFS
with similar stack trace and similar timing, -39 is fine, and multiple
hardware has the identical issues.


[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2020-07-08 Thread Andrew Conway
Thanks for fixing this! Much appreciated.

I tried to check that it worked, but possibly it has not gotten into
updates yet. How would I check?

[ running snap-store from the command line in home dir causes the error
"cannot open path of the current working directory: Permission denied".
Running from the GUI has no effect. ]

While I am here, this is probably unrelated, but a couple of days after
the above commit, nfs home directories on the current kernel caused the
machine to freeze shortly after logging in. I have put a link to that
report below on the off chance you can think of a reason that this
change could cause it.

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886775

Thanks,
Andrew.


[Bug 1886775] [NEW] kernel 5.4.0-40 hangs system when using nfs home directories

2020-07-08 Thread Andrew Conway
Public bug reported:

We use nfs mounted (using autofs), kerberos authenticated home
directories for most users.

Booting with kernel 5.4.0-40, users with nfs mounted home directories
find the system freezes not long after use, somewhat randomly. Power off
is then the only thing to do. Some specific things that caused crashes -
opening a second tab on firefox;  opening a terminal and running "cat"
on log files, and running ubuntu-bug linux to try to generate this
report :-(

Sometimes before the crash just one window freezes, and the rest of the
GUI is responsive. A full freeze usually occurs within several seconds.

No such crashes were observed using an account without nfs mounted home
directories (and the output from "ubuntu-bug linux" for one of these
working users is at the end of this report).

Reverting to 5.4.0-39, everything is good.

Exactly the same behaviour is observed on a modern AMD Zen2 processor
with a graphics card, and a several year old Intel processor with
integrated graphics.

Looking at /var/log/syslog there are several suspicious messages like
the one below. The general protection fault occurs always just before
the freeze, and occasionally some times before.

Jul  4 16:23:37 emu kernel: [  350.263903] [ cut here ]
Jul  4 16:23:37 emu kernel: [  350.263904] virt_to_cache: Object is not a Slab 
page!
Jul  4 16:23:37 emu kernel: [  350.263917] WARNING: CPU: 13 PID: 4009 at 
mm/slab.h:473 kmem_cache_free+0x237/0x2b0
Jul  4 16:23:37 emu kernel: [  350.263917] Modules linked in: rfcomm 
rpcsec_gss_krb5 nfsv4 nfs fscache vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) 
edac_mce_amd kvm_amd xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT 
nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat iptable_mangle 
iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c 
nf_tables nfnetlink ip6table_filter ip6_tables iptable_filter bpfilter cmac 
algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi binfmt_misc 
nvidia_uvm(OE) kvm nvidia_drm(POE) nvidia_modeset(POE) iwlmvm 
snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel 
snd_intel_dspcfg snd_hda_codec nls_iso8859_1 snd_hda_core snd_hwdep snd_pcm 
btusb btrtl btbcm btintel snd_seq_midi mac80211 bluetooth snd_seq_midi_event 
crct10dif_pclmul snd_rawmidi bridge ecdh_generic stp ghash_clmulni_intel llc 
libarc4 input_leds joydev ecc nvidia(POE) snd_seq iwlwifi aesni_intel 
crypto_simd cryptd glue_helper drm_kms_helper snd_seq_device cfg80211 snd_timer 
ipmi_devintf
Jul  4 16:23:37 emu kernel: [  350.263952]  wmi_bmof ipmi_msghandler snd 
fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore k10temp ccp mac_hid 
sch_fq_codel parport_pc ppdev lp parport drm nfsd nfs_acl auth_rpcgss lockd 
grace sunrpc ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igb 
i2c_piix4 ahci i2c_algo_bit nvme libahci dca nvme_core wmi
Jul  4 16:23:37 emu kernel: [  350.263971] CPU: 13 PID: 4009 Comm: 
kworker/u64:4 Tainted: P   OE 5.4.0-40-generic #44-Ubuntu
Jul  4 16:23:37 emu kernel: [  350.263972] Hardware name: Gigabyte Technology 
Co., Ltd. X570 I AORUS PRO WIFI/X570 I AORUS PRO WIFI, BIOS F4h 07/17/2019
Jul  4 16:23:37 emu kernel: [  350.263986] Workqueue: rpciod rpc_async_schedule 
[sunrpc]
Jul  4 16:23:37 emu kernel: [  350.263989] RIP: 0010:kmem_cache_free+0x237/0x2b0
Jul  4 16:23:37 emu kernel: [  350.263999] Call Trace:
Jul  4 16:23:37 emu kernel: [  350.264005]  mempool_free_slab+0x17/0x20
Jul  4 16:23:37 emu kernel: [  350.264007]  mempool_free+0x2f/0x80
Jul  4 16:23:37 emu kernel: [  350.264018]  rpc_free+0x47/0x60 [sunrpc]
Jul  4 16:23:37 emu kernel: [  350.264028]  xprt_release+0x91/0x1a0 [sunrpc]
Jul  4 16:23:37 emu kernel: [  350.264037]  
rpc_release_resources_task+0x13/0x50 

[Bug 1723350] Re: sssd offline on boot, stays offline forever

2020-05-11 Thread Andrew Conway
It has been a constant problem for me in 18.04 but seems to work fine in
20.04 on the couple of computers I have tried it on.

However I have had reliability issues with it in 20.04 on one computer
with multiple ethernet adapters with only one plugged in and bridging
set up (for VMs). That may be just my misconfiguration though. Disabling
one adapter made it work fine.


[Bug 1777776] Re: Ubuntu documentation for sssd/kerberos does not authenticate authentication server

2020-04-21 Thread Andrew Conway
Thanks Andreas,

I am not an expert either on kerberos or on security - I know enough to
be able to spot and verify a problem, but not enough to verify a
sufficient solution, so take what I say with that caveat in mind.

The section you have written seems reasonable, and that is indeed the
main attack model I had in mind, although I think that not including the
krb5_validate flag in the example configurations above is dangerous. I
presume (but don't have the setup to test) that AD setups have the same
problem, and it is not obvious to someone doing the AD setup that this
section applies to them too.

I don't think there is any scenario where someone would want to use
kerberos, but would not want this flag set. One could say that it
requires more setup because you have to have the keytab file, but there
is no point in using kerberos in the first place if you are not going to
use it for something other than local authentication (e.g. nfs), for
which you will need the keytab file anyway (as far as I understand). So
you remove a trivial to exploit vulnerability at basically no effort by
including this flag.

Also, somewhat off-topic but probably very relevant for this sssd guide
- bug 1723350 mentioned above means that the described configurations
won't reliably survive rebooting the computer, so a reference to the
workaround in that bug description could save people lots of time and
frustration.

Also slightly off topic, in the section "SSL support is recommended, but
not strictly necessary because authentication in this setup is being
done via Kerberos, and not LDAP." I think ssl is needed as while user
authentication is done through kerberos, group authentication is done
based on what groups the user is in, which comes from LDAP, so an
attacker on the local network could give themselves group permission for
any group if the LDAP traffic is unencrypted.  Or change the group for
some other user to write as by default to some world readable group.


[Bug 1784774] Re: snapd is not autofs aware and fails with nfs home dir

2019-03-21 Thread Andrew Conway
I just tested restarting snapd while I am logged in via kerberos with an
autofs home directory. It doesn't seem to help. In particular, I tried
launching system monitor (which uses snap) unsuccessfully. Using 18.04
with kerberos, and /home/ mounted via autofs.

Checking that /home is autofs will not solve the problem, if /home/user
is autofs, which is useful in the case of having a local user that has a
home directory in the standard place.


[Bug 1777776] Re: Ubuntu documentation for sssd/kerberos does not authenticate authentication server

2018-08-16 Thread Andrew Conway
I don't know why krb5_validate is false by default. I thought it was
historical or (dubiously) to make setting up easier, but I did some
tests and found, to my surprise, that even with it not set, I could not
log in without an /etc/krb5.keytab file.

In particular, I tried all 6 combinations of krb5_validate {set or not
set} and /etc/krb5.keytab being { empty, valid, valid but for a
different kdc }. I found that I could never log in without some
/etc/krb5.keytab. With a valid (but inconsistent with the actual
responding kerberos server) key, it required the flag be not set in
order to log in (this is the scenario for an attacker). With the correct
/etc/krb5.keytab you could log in regardless of krb5_validate.

So it sounds as if sssd overrides verify_ap_req_nofail to true even if
krb5_validate is false, which is surprising.

So the only breaking case I see of having krb5_validate default on would
be if the system has an /etc/krb5.conf from a different kerberos system,
which seems unlikely.

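A defender-side check for the setting discussed in the message above, as an added example that is not part of the original post or of sssd: it parses an sssd.conf and reports Kerberos-authenticating domains where krb5_validate is not enabled or the keytab is absent. The sample configuration and the function name are constructed for illustration; the per-provider defaults follow sssd-krb5(5) and are an assumption to confirm against the installed version.

```python
import configparser
import os

KRB5_AUTH = {"krb5", "ipa", "ad"}      # providers that authenticate via Kerberos
VALIDATE_DEFAULT_ON = {"ipa", "ad"}    # sssd-krb5(5): default false, true for IPA/AD

# Constructed sample, not taken from the bug report.
SAMPLE_CONF = """\
[sssd]
domains = EXAMPLE.COM, CORP.EXAMPLE, AD.EXAMPLE

[domain/EXAMPLE.COM]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM

[domain/CORP.EXAMPLE]
id_provider = ldap
auth_provider = krb5
krb5_validate = true

[domain/AD.EXAMPLE]
id_provider = ad
"""

def audit_sssd_krb5(conf_text, keytab_exists=os.path.exists):
    """Return (domain, finding) pairs for domains that cannot validate the KDC."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom, name = cp[section], section.split("/", 1)[1]
        # auth_provider falls back to id_provider when it is not set
        provider = dom.get("auth_provider", fallback=dom.get("id_provider", fallback=""))
        provider = provider.strip().lower()
        if provider not in KRB5_AUTH:
            continue
        raw = dom.get("krb5_validate")
        validate = provider in VALIDATE_DEFAULT_ON if raw is None else raw.strip().lower() == "true"
        keytab = dom.get("krb5_keytab", fallback="/etc/krb5.keytab").strip()
        if not validate:
            findings.append((name, "krb5_validate not enabled: TGT is not verified against the keytab"))
        if not keytab_exists(keytab):
            findings.append((name, f"keytab {keytab} not found: no host key to validate with"))
    return findings

if __name__ == "__main__":
    for domain, finding in audit_sssd_krb5(SAMPLE_CONF):
        print(f"{domain}: {finding}")
```

Pass the text of the real /etc/sssd/sssd.conf (readable by root only) to run the same check on a live host.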

[Bug 1784774] [NEW] snapd is not autofs aware and fails with nfs home dir

2018-07-31 Thread Andrew Conway
Public bug reported:

This is similar to bugs 1662552 and 1782873. In 1782873, jdstrand asked
me to open a new bug for this specific issue.

In 1662552, snapd fails for nfs mounted home directories as network
permissions are not enabled. A work around was implemented that works if
the mount is done via a /home mount at boot. However this does not work
if people mount home directories via autofs. This is probably the
fundamental problem for 1782873 although there may be other issues.

[ Why use autofs? If some but not all users want to use nfs homes. In
particular, I have a local user on all my accounts that does not require
the nfs server to be up or the kerberos server to be up, or kerberos
working on the client machines, etc. It is very useful when something
goes wrong. It means I mount /home/user rather than /home (for several
users). ]

** Affects: snapd (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 1782873] Re: Snap apps don't start, when /home is provided by a remote NFS server

2018-07-31 Thread Andrew Conway
*** This bug is a duplicate of bug 1662552 ***
https://bugs.launchpad.net/bugs/1662552

Jamie, I filed a new bug 1784774 as you requested. It feels like a
duplicate of this bug.


[Bug 1662552] Re: snaps don't work with NFS home

2018-07-31 Thread Andrew Conway
I have the same problem. The fix does not help. I use autofs to mount
particular users rather than all of /home, which I think the fix
requires. Someone else doing the same thing as me opened a new bug
1782873 with details of setup, but I think the issue is the autofs
rather than boot mounting of /home.


[Bug 1782873] Re: Snap apps don't start, when /home is provided by a remote NFS server

2018-07-31 Thread Andrew Conway
This seems similar to
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552

The "fix" there is I believe only activated if you nfs mount /home at
boot, not by using autofs.

I have the same problem - I also use autofs to mount particular users
rather than all users (I want one local user who can log in in case of
network problems)

My workaround is not to use any snap applications :-(


[Bug 1723350] Re: sssd offline on boot, stays offline forever

2018-07-10 Thread Andrew Conway
I also have observed this problem on bionic for several different
computers. The workaround always solves the problem; without the
workaround I cannot log in. What the computers had in common:

* Using bionic (either the version from the DVD or with network updates)
* Using networkd rather than NetworkManager with a static ipv4 address
* sssd.conf uses fqdn to refer to the name servers
* A backup ldap and kerberos server were both provided.
