[CentOS] kerberized-nfs - any experts out there?
Matt Garman
matthew.garman at gmail.com
Thu Mar 23 14:50:29 UTC 2017

On Wed, Mar 22, 2017 at 3:19 PM, <m.roth at 5-cent.us> wrote:
> Matt Garman wrote:
>> (2) Permission denied issues. I have user Kerberos tickets
>> configured for 70 days. But there is clearly some kind of
>> undocumented kernel caching going on. Looking at the Kerberos server
>> logs, it looks like it "could" be a performance issue, as I see 100s
>> of ticket requests within the same second when someone tries to launch
>> a lot of jobs. Many of these will fail with "permission denied" but
>> if they immediately re-try, it works. Related to this, I have been
>> unable to figure out what creates and deletes the
>> /tmp/krb5cc_uid_random files.
>
> Are they asking for *new* credentials each time? They should only be doing
> one kinit.

Well, that's what I don't understand. In practice, I don't believe a
user should ever have to explicitly do kinit, as their
credentials/tickets are implicitly created (and forwarded) via ssh.
Despite that, I see the /tmp/krb5cc_uid files accumulating over time.
But I've tried testing this, and I haven't been able to determine
exactly what creates those files. And I don't understand why new
krb5cc_uid files are created when there is an existing, valid file
already. Clearly some programs ignore existing files, and some create
new ones.

> And there's nothing in the logs, correct? Have you tried attaching strace
> to one of those, and see if you can get a clue as to what's happening?

Actually, I get this in the log:

Mar 22 13:25:09 daemon.err lnxdev108 rpc.gssd[19329]: WARNING:
handle_gssd_upcall: failed to find uid in upcall string 'mech=krb5'

Thanks,
Matt
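
An added example, not part of the original message: a Python script that inventories the /tmp/krb5cc_uid_random files discussed above, grouped by UID, so their creation times can be correlated with ssh logins or job launches. The function names and the ownership check are assumptions of this example, and the sample files are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Matches the krb5cc_<uid>_<random> naming from the message, plus bare krb5cc_<uid>.
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_(\S+))?$")

def inventory_ccaches(directory="/tmp"):
    """Return {uid: [{path, mtime, owner_matches}, ...]}, oldest cache first."""
    per_uid = defaultdict(list)
    with os.scandir(directory) as entries:
        for entry in entries:
            m = CCACHE_RE.match(entry.name)
            if not m:
                continue
            # /tmp is world-writable, so never follow symlinks here.
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            uid = int(m.group(1))
            per_uid[uid].append({
                "path": entry.path,
                "mtime": st.st_mtime,
                # A cache named for one UID but owned by another deserves a look.
                "owner_matches": st.st_uid == uid,
            })
    for caches in per_uid.values():
        caches.sort(key=lambda c: c["mtime"])
    return dict(per_uid)

def accumulating_uids(inventory, threshold=1):
    """UIDs that hold more than `threshold` cache files at the same time."""
    return sorted(uid for uid, c in inventory.items() if len(c) > threshold)

def make_sample_dir():
    """Constructed sample data: empty files with krb5cc-style names."""
    d = tempfile.mkdtemp()
    names = ["krb5cc_1001_aB3xQz", "krb5cc_1001_Zk9PqR",
             "krb5cc_1002_mN4tUv", "unrelated.txt"]
    for i, name in enumerate(names):
        path = os.path.join(d, name)
        open(path, "w").close()
        os.utime(path, (1000 + i, 1000 + i))  # fixed, increasing mtimes
    return d

if __name__ == "__main__":
    inv = inventory_ccaches(make_sample_dir())
    for uid in accumulating_uids(inv):
        print(uid, [(c["path"], c["mtime"]) for c in inv[uid]])
```
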