[CentOS] kerberized-nfs - any experts out there?

Thu Mar 23 14:50:29 UTC 2017
Matt Garman <matthew.garman at gmail.com>

On Wed, Mar 22, 2017 at 3:19 PM,  <m.roth at 5-cent.us> wrote:
> Matt Garman wrote:
>>     (2) Permission denied issues.  I have user Kerberos tickets
>> configured for 70 days.  But there is clearly some kind of
>> undocumented kernel caching going on.  Looking at the Kerberos server
>> logs, it looks like it "could" be a performance issue, as I see 100s
>> of ticket requests within the same second when someone tries to launch
>> a lot of jobs.  Many of these will fail with "permission denied" but
>> if they immediately re-try, it works.  Related to this, I have been
>> unable to figure out what creates and deletes the
>> /tmp/krb5cc_uid_random files.
> Are they asking for *new* credentials each time? They should only be doing
> one kinit.

Well, that's what I don't understand.  In practice, I don't believe a
user should ever have to explicitly do kinit, as their
credentials/tickets are implicitly created (and forwarded) via ssh.
Despite that, I see the /tmp/krb5cc_uid files accumulating over time.
But I've tried testing this, and I haven't been able to determine
exactly what creates those files.  And I don't understand why new
krb5cc_uid files are created when there is an existing, valid file
already.  Clearly some programs ignore existing files, and some create
new ones.

> And there's nothing in the logs, correct? Have you tried attaching strace
> to one of those, and see if you can get a clue as to what's happening?

Actually, I get this in the log:

Mar 22 13:25:09 daemon.err lnxdev108 rpc.gssd[19329]: WARNING:
handle_gssd_upcall: failed to find uid in upcall string 'mech=krb5'