[LU-13754] GSS-based authentication fails on CentOS/RHEL 7.8 Created: 07/Jul/20 Updated: 18/Mar/21 Resolved: 17/Jul/20 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.14.0, Lustre 2.12.5 |
| Fix Version/s: | Lustre 2.14.0, Lustre 2.12.7 |
| Type: | Bug | Priority: | Major |
| Reporter: | Sebastien Buisson | Assignee: | Sebastien Buisson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | gss, sec | ||
| Issue Links: |
|
||||||||
| Severity: | 3 | ||||||||
| Rank (Obsolete): | 9223372036854775807 | ||||||||
| Description |
|
With CentOS/RHEL 7.8, it seems impossible for clients to authenticate with servers when a Kerberos or SSK flavor is enforced. The client console shows: [ 1152.954776] Lustre: DEBUG MARKER: /usr/sbin/lctl mark -----============= acceptance-small: sanity ============----- Fri Jun 26 18:16:14 UTC 2020 [ 1153.535844] Lustre: DEBUG MARKER: -----============= acceptance-small: sanity ============----- Fri Jun 26 18:16:14 UTC 2020 [ 1154.279614] Lustre: DEBUG MARKER: /usr/sbin/lctl mark == sanity test complete, duration -o sec ============================================================= 18:16:15 \(1593195375\) [ 1154.866121] Lustre: DEBUG MARKER: == sanity test complete, duration -o sec ============================================================= 18:16:15 (1593195375) [ 1156.755955] Lustre: DEBUG MARKER: /usr/sbin/lctl get_param -n version 2>/dev/null [ 1157.639632] Lustre: DEBUG MARKER: /usr/sbin/lctl mark excepting tests: 42a 42b 42c 407 312 56ob 17n 60a 133g 300f [ 1158.222239] Lustre: DEBUG MARKER: excepting tests: 42a 42b 42c 407 312 56ob 17n 60a 133g 300f [ 1158.853766] Lustre: DEBUG MARKER: /usr/sbin/lctl mark skipping tests SLOW=no: 27m 64b 68 71 115 135 136 300o [ 1159.435119] Lustre: DEBUG MARKER: skipping tests SLOW=no: 27m 64b 68 71 115 135 136 300o [ 1163.400808] Lustre: 24745:0:(client.c:2261:ptlrpc_expire_one_request()) @@@ Request sent has timed out for slow reply: [sent 1593195377/real 1593195377] req@ffff912863195680 x1670585430065920/t0(0) o801->lustre-MDT0000-mdc-ffff91287754e000@10.2.5.166@tcp:12/10 lens 224/224 e 0 to 1 dl 1593195385 ref 2 fl Rpc:XQr/0/ffffffff rc 0/-1 job:'lgss_keyring.0' [ 1163.405873] Lustre: 24745:0:(client.c:2261:ptlrpc_expire_one_request()) Skipped 31 previous similar messages [ 1163.407582] LustreError: 24745:0:(gss_keyring.c:1435:gss_kt_update()) negotiation: rpc err -85, gss err 0 [ 1163.409156] LustreError: 24745:0:(gss_keyring.c:1435:gss_kt_update()) Skipped 31 previous similar messages [ 1163.411036] Lustre: 24745:0:(sec_gss.c:315:cli_ctx_expire()) ctx ffff912863eedd00(0->lustre-MDT0000_UUID) get expired: 1593195417(+32s) [ 1163.413059] Lustre: 24745:0:(sec_gss.c:315:cli_ctx_expire()) Skipped 30 previous similar messages So all authentication requests fail on timeout. |
| Comments |
| Comment by Gerrit Updater [ 07/Jul/20 ] |
|
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/39297 |
| Comment by Jeremy Filizetti [ 08/Jul/20 ] |
|
It looks like this patch is sufficient, my build system kept leaving it out due to some stale cache not getting cleaned up. Sorry for the confusion earlier. This probably should get applied to 2.12.5 as well. |
| Comment by Sebastien Buisson [ 09/Jul/20 ] |
|
Thanks for the heads up Jeremy. Indeed, it will be needed to backport to b2_12 so that GSS-based authentication is fixed on CentOS 7.8 with this Lustre version as well. |
| Comment by Gerrit Updater [ 17/Jul/20 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/39297/ |
| Comment by Peter Jones [ 17/Jul/20 ] |
|
Landed for 2.14 |
| Comment by Gerrit Updater [ 22/Oct/20 ] |
|
Jian Yu (yujian@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/40367 |
| Comment by Gerrit Updater [ 17/Mar/21 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/40367/ |