Re: [Bug 275905] nfs client: mount becomes unresponsive

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Sun, 24 Dec 2023 23:00:17 UTC

On Sun, Dec 24, 2023 at 8:01 AM <bugzilla-noreply@freebsd.org> wrote:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275905
>
> --- Comment #5 from Lexi <lexi.freebsd@le-fay.org> ---
> the client keytab should be fine, since i only created it about 2 days ago when
> i installed this host and there was no previous principal for this fqdn.
>
> 'kinit -k host/fqdn' on the client seems to work:
>
> # kinit -k host/ilythia.eden.le-fay.org
> # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: host/ilythia.eden.le-fay.org@EDEN.LE-FAY.ORG
>
>   Issued                Expires               Principal
> Dec 24 15:54:16 2023  Dec 25 01:54:16 2023  krbtgt/EDEN.LE-FAY.ORG@EDEN.LE-FAY.ORG
>
> > Does this hang occur frequently or was this a "one time" hang on a mount that usually behaves ok?
>
> as i mentioned, i only installed this host 2 days ago, so i can't say for sure,
> but so far it has reliably occurred twice about 10 hours after booting so it
> seems to be 100% reproducible.  (iow, it never *hasn't* occurred at that time.)
>
> in the mean time, i've temporarily switched the mount from sec=krb5p to
> sec=krb5 to see if this fixes the issue; aiui, this means no GSS should be
> involved after the initial mount, so i expect it will, but i'm happy to do any
> other testing you need.

Not exactly. sec=krb5 says that an RPCSEC_GSS (think Kerberos) session
is used to identify the user for all RPCs. The difference w.r.t. krb5p is that
it does not encrypt the NFS payload.

I doubt it will make any difference, but it sounds like you'll know soon enough.

I now have a hunch w.r.t. what might be broken, but I need to look at the code
and (if my hunch seems correct) maybe come up with a patch.

You could try the "syskrb5" mount option, which avoids use of the keytab and
allows "system operations that maintain the state" to use AUTH_SYS, while the
rest (all involving file data) use Kerberos.
(If my hunch is correct, this will not fix the problem, but might
cause it to behave better.)

rick
