expired kerberos credentials cause significant syslog spam

Hi Andrew, thanks for the debdiff.

I've a question though...

This patch appears to be doing two things. First, it's altering the priority on some debug messages - this part I think is perfectly fine.

The other part is affecting the message printing logic:

+--- nfs-utils-1.1.2.orig/utils/gssd/err_util.c
++++ nfs-utils-1.1.2/utils/gssd/err_util.c
+@@ -49,6 +49,10 @@
+ {
+ va_list args;
+
++ /* Decrease verbosity so we don't log so much */
++ if ((priority - verbosity) > 1)
++ return;
++
+ /* Don't bother formatting a message we're never going to print! */
+ if (priority > verbosity)
+ return;

So this is changing the logic so it avoids printing messages unless the 'priority' is more than 'verbosity+1'. This part I think should not be included. I think it's unnecessary anyway, and just doubles up on your other fix.

Would you mind re-rolling the debdiff with this piece omitted? (Or explain why it's needed if I'm missing something.)

That patch was created with an earlier version of nfs-utils which did not have the subsequent "if (priority > verbosity)" check in it, so it's redundant now. Here's a debdiff without it.

Interesting, commit d1e7ccccd9153 in 1.1.2 already fixed it here. This should be upstreamed too.

This bug was fixed in the package nfs-utils - 1:1.1.2-4ubuntu2

---------------
nfs-utils (1:1.1.2-4ubuntu2) jaunty; urgency=low

  * Add patch to reduce verbosity (LP: #293705)

 -- Andrew Pollock <email address hidden> Tue, 04 Nov 2008 09:38:48 -0800

Andrew, can you also please follow up with upstream to include the patch there as well? Thanks in advance.

I will ensure the patch is submitted upstream. Do I need to do anything further in order to have this bug fixed in Hardy as well?

It looks like this was upstreamed:

commit 09c7ad1cd9c5ca2fc46631a0057d47309abc8706
Author: Kevin Coffman <email address hidden>
Date: Mon Jan 5 14:07:05 2009 -0500

    gssd: By default, don't spam syslog when users' credentials expire

    Change the priority of "common" log messages so that syslog doesn't get
    slammed/spammed when users' credentials expire, or there is another
    common
    problem which would cause error messages for all context creation
    requests.

    Note that this will now require that gssd or svcgssd option "-v" is used
    to
    debug these common cases.

    Original patch from Andrew Pollock <email address hidden>.

    Signed-off-by: Kevin Coffman <email address hidden>
    Signed-off-by: Steve Dickson <email address hidden>
    CC: Andrew Pollock <email address hidden>

If I'm reading things right, it was committed before the tag for the 1.2.0 release, so I'd have expected the Ubuntu patch to not apply, but it seems to still be being applied.

ACK from -sru for intrepid and hardy debdiffs. Wow, apologies for the pathetic delay here! Didn't see this bug on my radar until now :-/

Never mind, there's a couple of parts of the patch still outstanding, I'll try to upstream them.

Marking Won't fix for intrepid as EOL is a couple of weeks away.

Upload to hardy-proposed.

Accepted nfs-utils into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

I got a chance to test the proposed package today and there is good news and bad news.

The good news is that it installs cleanly and doesn't seem to introduce any regressions or other problems.

The bad news is that it doesn't actually fix the issue identified in the original bug description - specifically reducing the log level for the messages:
ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
WARNING: Failed to create krb5 context for user with uid xxxx for server yyyy

Looking at the patch, these messages don't seem to be addressed. The GSS-API error is in display_status_2() in gss_util.c and the krb5 context message is in handle_krb5_upcall() in gssd_proc.c.

I can't make any promises, but if I get some time to put a debdiff together that covers this along with Andrew's stuff, I will. If someone else has time to get to it first, though, I won't feel slighted. :-)

So here's what I figured out:

It looks like the logging verbosity of most messages was decreased as of nfs-utils 1.1.5 upstream. See commit 09c7ad1cd9c5ca2fc46631a0057d47309abc8706 in these release notes: https://sourceforge.net/project/shownotes.php?release_id=665939

So, I created a patch that basically back-ports these changes to the hardy version. This includes most of Andrew's work and some others, including the krb5 context warnings.

The change to the logging of the GSS-API message seems unnecessary. As far as I can tell, this function (display_status_1) isn't being called by anything. It's the message in display_status_2 that could be changed. However, in the case of expired credentials, the logging verbosity is already lowered in this function. In the case of missing credentials, the gss error is unspecified, so testing for it would mean some additional programming that seems a bit much for a simple patch.

I have tested my patch on our systems, and in the case of expired credentials, the logs are now silent. In the case of missing credentials, the GSS-API error still appears, but the krb5 context warning does not.

Please let me know if I'm missing something, but this seems like a better way to resolve this particular bug.

From my casual inspection of the patch, it looks good. Thanks for doing the detective work Matthew!

Looks good, thanks! Please upload with fixed target ("hardy-proposed") and version number ("1:1.1.2-2ubuntu2.4", on top of the current 1:1.1.2-2ubuntu2.3 in proposed).

Martin:

Hopefully, this is what you were after. I added my patch to the nfs-utils_1.1.2-2ubuntu2.3 version in proposed and fixed the changelog to reflect the correct version number and target. On our systems, this builds and installs properly and fixes the verbosity issues in this bug.

Thanks for your help - let me know if you have any questions or if I've messed anything up. :-)

Accepted nfs-utils into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

I have installed and run 1.1.2-2ubuntu2.4 from hardy-proposed on a test system for a couple of days. Everything is stable and this bug is now fixed.

As far as I'm concerned, this is good to go. :-)

This bug was fixed in the package nfs-utils - 1:1.1.2-2ubuntu2.4

---------------
nfs-utils (1:1.1.2-2ubuntu2.4) hardy-proposed; urgency=low

  * Another patch to reduce verbosity - backported from upstream version 1.1.5
    (LP: #293705)
 -- <email address hidden> (Matthew l. Dailey) Tue, 06 Apr 2010 15:30:21 -0400