[LU-8795] The user cannot access lustre even if they successfully authenticate by kinit Created: 03/Nov/16 Updated: 08/Nov/16 Resolved: 07/Nov/16 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.9.0 |
| Fix Version/s: | Lustre 2.9.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | sebg-crd-pm (Inactive) | Assignee: | Jeremy Filizetti |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Environment: |
Centos7.2 3.10.0-327.el7.x86_64 |
||
| Issue Links: |
|
||||||||
| Epic/Theme: | kerberos | ||||||||
| Severity: | 3 | ||||||||
| Rank (Obsolete): | 9223372036854775807 | ||||||||
| Description |
|
1. I find one problem for Kerberos in Lustre. I do not know whether it is a setting error or bug. When we activate the Kerberos function in all servers (MGS, MDS, and OSS) and clients mount lustre with krb5 option, root can access the lustre file system. However, the normal users can not access the lustre even if they have authenticated through Kerberos (kinit). The following error logs are messages when normal user wants to access lustre. |
| Comments |
| Comment by Andreas Dilger [ 03/Nov/16 ] |
|
The 2.8.55 build of Lustre is a development version of the Lustre master branch, but we are happy that you are testing it. There have been recent changes to the GSSAPI code, which is closely tied to Kerberos. If you have been testing the master release frequently with Kerberos, do you know when this functionality was last working? That would help isolate the change(s) that are the source of the problem. |
| Comment by sebg-crd-pm (Inactive) [ 03/Nov/16 ] |
|
The version 2.8.55 has been my first version since I touch lustre, so I did not use any master branch. I will download the latest version and try it again. |
| Comment by sebg-crd-pm (Inactive) [ 03/Nov/16 ] |
|
I have tried the lustre 2.8.60. The problem still exists |
| Comment by Peter Jones [ 03/Nov/16 ] |
|
How about checking back to 2.8.50? This tag is functionally equivalent to the community 2.8 release and so this will give us an indication as to whether this has never worked or got broken during the 2.9 development cycle. |
| Comment by Oleg Drokin [ 03/Nov/16 ] |
|
I think Peter meant 2.8.50 which is equivalent to 2.8.0, because 2.7.50 is 2.7.0. |
| Comment by Peter Jones [ 03/Nov/16 ] |
|
Confirmed. Sorry for any confusion caused. |
| Comment by sebg-crd-pm (Inactive) [ 04/Nov/16 ] |
|
I found that the function is working in lustre 2.8.0, users can access the lustre file system after they executes kinit |
| Comment by Peter Jones [ 04/Nov/16 ] |
|
Are you able to assist in further narrowing down when this regression was introduced between the 2.8.50 and 2.8.55 tags? |
| Comment by Peter Jones [ 04/Nov/16 ] |
|
Jeremy Do you have any suggestions here? Could this have been related to any of the SSK changes? http://review.whamcloud.com/#/c/16728 perhaps? Peter |
| Comment by Gerrit Updater [ 05/Nov/16 ] |
|
Jeremy Filizetti (jeremy.filizetti@gmail.com) uploaded a new patch: http://review.whamcloud.com/23600 |
| Comment by Jeremy Filizetti [ 05/Nov/16 ] |
|
Looks like this is due to the SK changes for non-root users. sebg-crd-pm can you test the patch below to see if this fixes your issue: |
| Comment by sebg-crd-pm (Inactive) [ 07/Nov/16 ] |
|
I have tried the patch and It works now, Thanks for every one. |
| Comment by Gerrit Updater [ 07/Nov/16 ] |
|
Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/23600/ |
| Comment by Peter Jones [ 07/Nov/16 ] |
|
Landed for 2.9 |