https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-8795 Lustre <p>1. I find one problem for Kerberos in Lustre. I do not know whether it is a setting error or bug. When we activate the Kerberos function in all servers (MGS, MDS, and OSS) and clients mount lustre with krb5 option, root can access the lustre file system. However, the normal users can not access the lustre even if they have authenticated through Kerberos (kinit). The following error logs are messages when normal user wants to access lustre.<br/> lgss_keyring: <span class="error">&#91;21277&#93;</span>:TRACE:main(): start parsing parameters<br/> lgss_keyring: <span class="error">&#91;21277&#93;</span>:INFO:main(): key 698610133, desc 1002@2f, ugid 1002:1002, sring 44699816, coinfo 47:krb5:1002:1002::<br/> lgss_keyring: <span class="error">&#91;21277&#93;</span>:ERROR:parse_callout_info(): short of components<br/> lgss_keyring: <span class="error">&#91;21277&#93;</span>:ERROR:main(): can't extract callout info: 47:krb5:1002:1002::<br/> kernel: LustreError: 21275:0:(gss_keyring.c:846:gss_sec_lookup_ctx_kr()) failed request key: -126<br/> kernel: LustreError: 21275:0:(sec.c:452:sptlrpc_req_get_ctx()) req ffff881f4f703f00: fail to get context<br/> kernel: LustreError: 21275:0:(file.c:3332:ll_inode_revalidate_fini()) hpcfs: revalidate FID <span class="error">&#91;0x200000bd0:0x1:0x0&#93;</span> error: rc = -111</p> Centos7.2 3.10.0-327.el7.x86_64<br/> Lustre 2.8.55_19_ga84250b LU-8795

The user cannot access lustre even if they successfully authenticate by kinit

Bug Minor Resolved Fixed Jeremy Filizetti sebg-crd-pm Thu, 3 Nov 2016 06:02:48 +0000 Tue, 8 Nov 2016 22:13:51 +0000 Mon, 7 Nov 2016 20:16:17 +0000 Lustre 2.9.0 Lustre 2.9.0 0 9 <p>The 2.8.55 build of Lustre is a development version of the Lustre master branch, but we are happy that you are testing it. There have been recent changes to the GSSAPI code, which is closely tied to Kerberos.</p> <p>If you have been testing the master release frequently with Kerberos, do you know when this functionality was last working? That would help isolate the change(s) that are the source of the problem.</p> <p>The version 2.8.55 has been my first version since I touch lustre, so I did not use any master branch. I will download the latest version and try it again.</p> <p>I have tried the lustre 2.8.60. The problem still exists</p> <p>How about checking back to 2.8.50? This tag is functionally equivalent to the community 2.8 release and so this will give us an indication as to whether this has never worked or got broken during the 2.9 development cycle.</p> <p>I think Peter meant 2.8.50 which is equivalent to 2.8.0, because 2.7.50 is 2.7.0.</p> <p>Confirmed. Sorry for any confusion caused.</p> <p>I found that the function is working in lustre 2.8.0, users can access the lustre file system after they executes kinit <br/> Here is the log.<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:main(): start parsing parameters<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:INFO:main(): key 605755931, desc 1000@8, ugid 1000:1000, sring 380314743, coinfo 8:krb5:1000:1000::1:0x9000000000000:hpcfs-MDT0000-mdc-ffff881987e72800:0x9000000000000<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:parse_callout_info(): components: 8,krb5,1000,1000,,1,0x9000000000000,hpcfs-MDT0000-mdc-ffff881987e72800,0x9000000000000<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:DEBUG:parse_callout_info(): parse call out info: secid 8, mech krb5, ugid 1000:1000, is_root 0, is_mdt 0, is_ost 0, svc 1, nid 0x9000000000000, tgt hpcfs-MDT0000-mdc-ffff881987e72800, self nid 0x9000000000000<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:main(): parsing parameters OK<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:lgss_mech_initialize(): initialize mech krb5<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:lgss_create_cred(): create a krb5 cred at 0x23e1340<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:lgss_prepare_cred(): preparing krb5 cred 0x23e1340<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:DEBUG:lkrb5_prepare_user_cred(): using krb5 cache name: FILE:/tmp/krb5cc_1000<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:DEBUG:lgss_krb5_set_ccache_name(): set cc: FILE:/tmp/krb5cc_1000<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:main(): instantiated kernel key 241b1a1b<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28653&#93;</span>:TRACE:main(): forked child 28654<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:lgssc_kr_negotiate(): child start on behalf of key 241b1a1b: cred 0x23e1340, uid 1000, svc 1, nid 9000000000000, uids: 1000:1000/1000:1000<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:lolnd_nid2hostname(): LOLND: addr 0x0 =&gt; Blustre1<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:lgss_get_service_str(): constructed service string: lustre_mds@Blustre1<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:lgss_using_cred(): using krb5 cred 0x23e1340<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:lgssc_negotiation(): start gss negotiation<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:do_nego_rpc(): start negotiation rpc<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:do_nego_rpc(): to open /proc/fs/lustre/sptlrpc/gss/init_channel<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:do_nego_rpc(): to down-write<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:do_nego_rpc(): do_nego_rpc: to parse reply<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:do_nego_rpc(): do_nego_rpc: receive handle len 8, token len 156, res 0<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:lgssc_negotiation(): successfully negotiated a context<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:serialize_krb5_ctx(): lucid version!<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:prepare_krb5_rfc4121_buffer(): protocol 1<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:prepare_krb5_rfc4121_buffer(): serializing 3 keys with enctype 18 and size 32<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:update_kernel_key(): updating kernel key 241b1a1b<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:DEBUG:update_kernel_key(): key 241b1a1b: updated<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:INFO:lgssc_kr_negotiate(): key 241b1a1b for user 1000 is updated OK!<br/> Nov 4 13:44:04 Blustre1 lgss_keyring: <span class="error">&#91;28654&#93;</span>:TRACE:lgss_release_cred(): releasing krb5 cred 0x23e1340<br/> Nov 4 13:44:04 Blustre1 kernel: Lustre: 28195:0:(sec_gss.c:2088:gss_svc_handle_init()) create svc ctx ffff881fce617a40: accept user 1000 from 0@lo<br/> Nov 4 13:44:04 Blustre1 kernel: Lustre: 28654:0:(sec_gss.c:399:gss_cli_ctx_uptodate()) client refreshed ctx ffff881363c76780 idx 0xd2a00e187c2d0251 (1000-&gt;hpcfs-MDT0000_UUID), expiry 1478324471(+86227s)</p> <p>Are you able to assist in further narrowing down when this regression was introduced between the 2.8.50 and 2.8.55 tags?</p> <p>Jeremy</p> <p>Do you have any suggestions here? Could this have been related to any of the SSK changes? <a href="http://review.whamcloud.com/#/c/16728" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/16728</a> perhaps?</p> <p>Peter</p> <p>Jeremy Filizetti (jeremy.filizetti@gmail.com) uploaded a new patch: <a href="http://review.whamcloud.com/23600" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23600</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8795" title="The user cannot access lustre even if they successfully authenticate by kinit" class="issue-link" data-issue-key="LU-8795"><del>LU-8795</del></a> gss: Prevent callout truncation with non-root users<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 35d09c71e7e8ce98561eb92e6f07d6d8dd166120</p> <p>Looks like this is due to the SK changes for non-root users. sebg-crd-pm can you test the patch below to see if this fixes your issue: </p> <p><a href="http://review.whamcloud.com/23600" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23600</a></p> <p>I have tried the patch and It works now, Thanks for every one.</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/23600/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23600/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8795" title="The user cannot access lustre even if they successfully authenticate by kinit" class="issue-link" data-issue-key="LU-8795"><del>LU-8795</del></a> gss: Prevent callout truncation with non-root users<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: cc5601dfbe58ee8b0a024e2f9448a6a4f53c02a8</p> <p>Landed for 2.9</p> Related LU-8813 Development Epic/Theme kerberos Rank 1|hzyuaf: Rank (Obsolete) 9223372036854775807 Severity