X2Go Bug report logs - #272
[X2Go-User] Session resume fails with AFS home directories


Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 26 Jul 2013 14:48:01 UTC

Severity: normal

Found in version 4.0.1.3

Full log


Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#272; Package x2goserver. (Fri, 26 Jul 2013 14:48:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Fri, 26 Jul 2013 14:48:02 GMT)

Message #5 received at submit@bugs.x2go.org:

Message-ID: <20130726164006.17531y7k798urzgm@mail.das-netzwerkteam.de>
Date: Fri, 26 Jul 2013 16:40:06 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Cc: x2go-user@lists.berlios.de
Subject: Re: [X2Go-User] Session resume fails with AFS home directories
In-Reply-To: <51F274E2.3070403@gip.com>
[Message part 1 (text/plain, inline)]
Package: x2goserver
Version: 4.0.1.3

Hi Sebastian,

(quoting your complete original mail, so we have it in the bug report  
I create with this/my reply)

On Fri 26 Jul 2013 15:08:50 CEST Sebastian Flothow wrote:

> I've just set up a Debian 7 box with X2Go. It does work in that it  
> is possible to start new sessions, however, resuming a previous  
> session does not work, it always results in this message: "The  
> remote proxy closed the connection while negotiating the session.  
> This may be due to the wrong authentication credentials passed to  
> the server."
>
> I suspect this is due to the fact that home directories are stored  
> in AFS (for regular users, that is; when logging in as root, whose  
> home directory is on a local ext4 FS, resume does work). Accessing  
> AFS requires an AFS token in the user's name, obtaining this in turn  
> requires a Kerberos ticket. PAM is set up to obtain both  
> automatically on login, but I guess something goes wrong there  
> during session resume.
>
> Is it possible to add custom commands to the X2Go login/resume  
> procedure? It would be quite helpful if the client could run klist  
> and tokens through the ssh session, and either log or display the  
> output.

Is there any environment variable that we have to set before we can  
access the home directory of the user?

My guess is that we have to set at least

  export KRB5CCNAME=???

Maybe any other env var for the AFS token?

We should get this issue fixed upstream, so I have switched over to  
x2go-dev and our bug tracker (done by sending my reply). Please reply  
to 272@bugs.x2go.org with your reply. Thanks.

Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#272; Package x2goserver. (Mon, 29 Jul 2013 11:18:01 GMT)

Acknowledgement sent to Sebastian Flothow <sebastian.flothow@gip.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 29 Jul 2013 11:18:01 GMT)

Message #10 received at 272@bugs.x2go.org:

Message-ID: <51F64CBA.8020209@gip.com>
Date: Mon, 29 Jul 2013 13:06:34 +0200
From: Sebastian Flothow <sebastian.flothow@gip.com>
To: 272@bugs.x2go.org, mike.gabriel@das-netzwerkteam.de, x2go-user@lists.berlios.de
Subject: Re: [X2Go-User] Session resume fails with AFS home directories
In-Reply-To: <20130726164006.17531y7k798urzgm@mail.das-netzwerkteam.de>
[Message part 1 (text/plain, inline)]
On 26.07.2013 16:40, Mike Gabriel wrote:
> Package: x2goserver
> Version: 4.0.1.3

By now it's 4.0.1.6-0~x2go1+wheezy~main~712~build1, but the problem 
persists.


> Is there any environment variable that we have to set before we can
> access the home directory of the user?
>
> My guess is that we have to set at least
>
>    export KRB5CCNAME=???
>
> Maybe any other env var for the AFS token?

No, that should not be necessary. KRB5CCNAME is set by pam_krb5.so. 
pam_afs_session.so in turn uses this to obtain an AFS token, then 
associates it with a new Process Authentication Group. The PAG ID is 
stored in the group array for the session, i.e. "id" shows an additional 
artificial group id. In fact this all works flawlessly on initial login, 
it's only on resume where it fails.

It occurs to me now that both KRB5CCNAME and PAG are per-session rather 
than per-user, so that might be the cause for this problem (but I'm 
really just guessing here).

Is there a detailed description of the resume process? Does it involve 
any shell scripts or similar I could hook into in order to log 
additional information?


I'm attaching /var/log/user.log as well as the client output from a 
failed resume attempt, maybe this offers some clues.

Thanks,
Sebastian
[client.txt (text/plain, attachment)]
[user.log (text/x-log, attachment)]

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#272; Package x2goserver. (Mon, 16 Sep 2013 14:33:01 GMT)

Acknowledgement sent to Sebastian Flothow <sebastian.flothow@gip.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Sep 2013 14:33:01 GMT)

Message #15 received at 272@bugs.x2go.org:

Message-ID: <523712FB.2060200@gip.com>
Date: Mon, 16 Sep 2013 16:17:31 +0200
From: Sebastian Flothow <sebastian.flothow@gip.com>
To: 272@bugs.x2go.org
CC: x2go-user@lists.berlios.de
Subject: Re: [X2Go-User] Session resume fails with AFS home directories

I did some further testing, and the resume failures are indeed due to 
missing AFS tokens. When suspending a session, the SSH connection is 
closed, sshd will call pam_close_session(), which means that pam_krb5 
and pam_afs_session will delete the user's ticket/token (resp.). The 
session therefore loses access to the home directory and appears to 
freeze up, preventing it from being resumed.

Both pam_krb5 and pam_afs_session accept retain_after_close as a 
parameter, which disables the delete-on-close behavior. With this 
parameter set, it becomes possible to resume sessions, unless the AFS 
token has expired.

This solves at least the case where the user reconnects quickly (e.g. 
after a short network outage), but it still means sessions will become 
unresumable when left unused for a few days. I guess the only way to 
avoid this is to not store session data in the home directory. Can X2Go 
be configured such that it uses e.g. /tmp or /var/lib for this purpose?


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#272; Package x2goserver. (Wed, 18 Sep 2013 21:29:10 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 18 Sep 2013 21:29:10 GMT)

Message #20 received at 272@bugs.x2go.org:

Message-ID: <20130918232438.69352mqw8ozl1a1i@mail.das-netzwerkteam.de>
Date: Wed, 18 Sep 2013 23:24:38 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Sebastian Flothow <sebastian.flothow@gip.com>
Cc: 272@bugs.x2go.org, x2go-user@lists.berlios.de
Subject: Re: [X2Go-User] Session resume fails with AFS home directories
In-Reply-To: <523712FB.2060200@gip.com>
[Message part 1 (text/plain, inline)]
Hi Sebastian,

On Mon 16 Sep 2013 16:17:31 CEST Sebastian Flothow wrote:

> I did some further testing, and the resume failures are indeed due  
> to missing AFS tokens. When suspending a session, the SSH connection  
> is closed, sshd will call pam_close_session(), which means that  
> pam_krb5 and pam_afs_session will delete the user's ticket/token  
> (resp.). The session therefore loses access to the home directory  
> and appears to freeze up, preventing it from being resumed.
>
> Both pam_krb5 and pam_afs_session accept retain_after_close as a  
> parameter, which disables the delete-on-close behavior. With this  
> parameter set, it becomes possible to resume sessions, unless the  
> AFS token has expired.

Thanks for digging this out. Good work!!!

> This solves at least the case where the user reconnects quickly (eg.  
> after a short network outage), but it still means sessions will  
> become unresumable when left unused for a few days.

I get that. NFSv4 with Kerberos is very similar to the AFS token behaviour.

> I guess the only way to avoid this is to not store session data in  
> the home directory. Can X2go be configured such that it uses eg.  
> /tmp or /var/lib for this purpose?

In earlier versions of X2Go every session detail was in $HOME. Some of  
the session information has to be accessible by super-user root. Those  
bits, I have already moved out of the home (e.g. the session.log file).

Normally, the AFS token should be immediately restored after SSH login  
(which is the first action taken when resuming a session). However,  
this AFS token does not re-awake the session so it can be resumed. The  
question is why...

Does a session simply not resume (with an x2goagent still being  
present for this session)? Or does the x2goagent crash somewhere on  
the run (i.e. when the session is suspended and the AFS home freezes  
some time later)?

When invoking x2golistsessions, the first field of each output line is  
the x2goagent PID that is associated with that session in the same line.  
With non-resumable sessions, please check if the x2goagent processes  
remain active on the X2Go server or if the x2goagent processes crash  
(disappear). I can only imagine that the x2goagent processes remain  
alive (frozen) until the AFS token gets reinstated by the X2Go  
resuming SSH login. If x2goagent crashes somewhere on the way, we have  
to find out why and how to prevent it.

However, if x2goagent stays functional, we have to investigate whether  
there is anything AFS-critical in /usr/bin/x2goresume-session. If you  
look at the script /usr/bin/x2goresume-session, can you spot anything  
that might fail on AFS?


Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
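
The check Mike asks for above (is the x2goagent of a non-resumable session still alive, or has it disappeared?) can be scripted. The following is an added example, not part of this thread and not code from the x2goserver package. It parses x2golistsessions output and, for a live agent, compares the agent's supplementary groups (where pam_afs_session stores the PAG id, as Sebastian noted earlier) and its KRB5CCNAME with those of the shell running the script, so a credential mismatch between the old session and the resuming SSH login shows up directly. The field positions (1 = agent PID as Mike states, 5 = R/S state, 12 = user) are an assumption about the x2golistsessions output format of this X2Go version, the sample session line is constructed, and reading /proc of another user's process requires root.

```shell
#!/bin/sh
# Added diagnostic (not part of x2goserver): for each x2golistsessions line, is the
# x2goagent still alive, and does it carry a different PAG / credential cache than the
# SSH session running this script?  Field positions are an assumption drawn from the
# x2golistsessions output format of X2Go 4.0.1.x: 1 = agent PID, 5 = state (R/S), 12 = user.

# Constructed sample line (suspended session, agent PID 26521, user flothow)
SAMPLE_SESSION='26521|flothow-50-1380548308_stDXFCE_dp32|50|giplin101|S|2013-09-30T15:38:28|da9be4183a9c7d711f325742963c691e|10.0.0.105|30001|30002|2013-09-30T15:41:32|flothow|186|30003|'

# session_field LINE N: print the N-th '|'-separated field of one x2golistsessions line
session_field() {
    printf '%s\n' "$1" | cut -d'|' -f"$2"
}
agent_pid()     { session_field "$1" 1; }
session_state() { session_field "$1" 5; }
session_user()  { session_field "$1" 12; }

# groups_missing_from A B: print every gid in list A that is absent from list B
# (whitespace-separated lists, as printed by `id -G` or by the "Groups:" line of
# /proc/PID/status). A gid only the agent has is the candidate PAG: the AFS token
# the agent holds is tied to that group, not to the uid.
groups_missing_from() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# proc_groups PID: supplementary groups of a running process (Linux /proc; other
# users' processes need root)
proc_groups() {
    sed -n 's/^Groups:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null
}

# proc_ccache PID: KRB5CCNAME from that process' environment, empty if unset/unreadable
proc_ccache() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null | sed -n 's/^KRB5CCNAME=//p'
}

# check_session LINE: print one verdict line; return 0 only if the agent is alive and
# shares our groups and credential cache (i.e. a resume can reach the same token)
check_session() {
    pid=$(agent_pid "$1"); state=$(session_state "$1"); user=$(session_user "$1")
    if ! kill -0 "$pid" 2>/dev/null; then
        printf '%s [%s] agent %s: GONE - x2goagent exited, not an AFS freeze\n' "$user" "$state" "$pid"
        return 1
    fi
    agent_only=$(groups_missing_from "$(proc_groups "$pid")" "$(id -G)" | tr '\n' ' ')
    agent_cc=$(proc_ccache "$pid")
    printf '%s [%s] agent %s: alive; agent-only gids (PAG?): [%s]; agent KRB5CCNAME=%s ours=%s\n' \
        "$user" "$state" "$pid" "$agent_only" "${agent_cc:-unset}" "${KRB5CCNAME:-unset}"
    [ -z "$agent_only" ] && [ "${agent_cc:-unset}" = "${KRB5CCNAME:-unset}" ]
}

# Usage on the X2Go server, as root:
#   x2golistsessions_root | while IFS= read -r line; do check_session "$line"; done
```

A suspended session whose agent is reported alive but with an agent-only gid and a different KRB5CCNAME is exactly the "frozen on $HOME" case: the process is fine, only its credentials are gone or unreachable from the new login.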

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#272; Package x2goserver. (Mon, 30 Sep 2013 15:33:02 GMT)

Acknowledgement sent to Sebastian Flothow <sebastian.flothow@gip.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 30 Sep 2013 15:33:02 GMT)

Message #25 received at 272@bugs.x2go.org:

Message-ID: <524996ED.2010401@gip.com>
Date: Mon, 30 Sep 2013 17:21:17 +0200
From: Sebastian Flothow <sebastian.flothow@gip.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 272@bugs.x2go.org
Subject: Re: [X2Go-User] Session resume fails with AFS home directories
In-Reply-To: <20130918232438.69352mqw8ozl1a1i@mail.das-netzwerkteam.de>

Hi,

On 18.09.2013 23:24, Mike Gabriel wrote:
> Does a session simply not resume (with an x2goagent still being present
> for this session)? Or does the x2goagent crash somewhere on the run
> (i.e. when the session is suspended and the AFS home freezes some time
> later)?

I did a quick test (note that I removed retain_after_close from the PAM 
config again, so that I can create broken sessions quickly without 
waiting for AFS token expiry). Right after starting a new session, 
things look like this:

giplin101:~# x2golistsessions_root
26521|flothow-50-1380548308_stDXFCE_dp32|50|giplin101|R|2013-09-30T15:38:28|da9be4183a9c7d711f325742963c691e|10.0.0.105|30001|30002|2013-09-30T15:38:31|flothow|112|30003|
giplin101:~# ps 26521
  PID TTY      STAT   TIME COMMAND
26521 ?        S      0:00 /usr/lib/nx/../x2go/bin/x2goagent -extension 
XFIXES -extension GLX -nolisten tcp -D -auth /afs/gip.l


Then, after suspending the session:

giplin101:~# x2golistsessions_root
26521|flothow-50-1380548308_stDXFCE_dp32|50|giplin101|S|2013-09-30T15:38:28|da9be4183a9c7d711f325742963c691e|10.0.0.105|30001|30002|2013-09-30T15:41:32|flothow|186|30003|
giplin101:~# ps 26521
  PID TTY      STAT   TIME COMMAND
26521 ?        S      0:00 /usr/lib/nx/../x2go/bin/x2goagent -extension 
XFIXES -extension GLX -nolisten tcp -D -auth /afs/gip.l


After attempting to resume it:

giplin101:~# x2golistsessions_root
26521|flothow-50-1380548308_stDXFCE_dp32|50|giplin101|R|2013-09-30T15:38:28|da9be4183a9c7d711f325742963c691e|10.0.0.105|30001|30002|2013-09-30T15:43:20|flothow|315|30003|
giplin101:~# ps 26521
  PID TTY      STAT   TIME COMMAND
26521 ?        S      0:00 /usr/lib/nx/../x2go/bin/x2goagent -extension 
XFIXES -extension GLX -nolisten tcp -D -auth /afs/gip.l


It is still in this state now, more than half an hour later.


> If you look at
> the script /usr/bin/x2goresume-session, can you spot anything that might
> fail on AFS?

I already looked at this script a few weeks ago and added a bunch of 
debug statements which log various things to /var/log/x2godebug. When 
the script executes, there is a valid AFS token, $SESSION_DIR and 
${SESSION_DIR}/options are readable, and the script completes successfully.


However, I think that this is not meaningful. What happens is presumably 
this:

When first logging in (before an X2Go session exists), a new SSH session 
is created, which I'll refer to as the first SSH session. This session 
obtains a Kerberos ticket and an AFS token through PAM, and then spawns 
an X2Go session, which inherits these. The Kerberos ticket is stored in 
a file pointed to by $KRB5CCNAME, while the AFS token is tied to the PAG 
(Process Authentication Group).

When suspending the X2Go session, this first SSH session is terminated. 
Depending on the PAM configuration, the ticket and token are either 
removed immediately, or expire some time later.

Now, when attempting to resume the X2Go session, a new, second SSH 
session is created. This session again obtains a ticket and a token, and 
it seems to be this session in which x2goresume-session is executed; 
however, this ticket/token is in a different file/PAG (resp.) than those 
from the first session, so the X2Go session can't use them.


After figuring this out, I remembered that pam_afs_session recognizes 
the parameter nopag, which inhibits PAG creation. Absent a PAG, AFS 
tokens are tied to user IDs instead, and indeed, when this option is 
set, sessions can be resumed even after their initial token expired - 
without PAGs, the new token from the second session propagates to the 
first session, since the user ID is identical. After resuming, the X2Go 
session still doesn't have a valid Kerberos ticket (because there are 
still two different ticket files), but it does have an AFS token, which 
is all that matters for filesystem access. Obtaining a new Kerberos 
ticket can then be done manually if necessary.

However, I'm a bit wary of using nopag in a production environment, 
because the man page also warns: "Be careful when using this option, 
since it means that the user will inherit a PAG from the process 
managing the login.  If sshd, for instance, is started in a PAG, every 
user who logs in via ssh will be put in the same PAG and will share 
tokens if this option is used."


To fix this so that it works without nopag, we'd need to move an AFS 
token from one PAG to another. I'm not aware of any way to do this 
directly, but it might be possible to copy the Kerberos ticket from the 
new ticket file to the old one, and then call aklog within the old 
session before attempting any file system access.


- Sebastian
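
The two PAM options this thread turns on (retain_after_close from Sebastian's earlier message, nopag from this one) are easy to misread in a session stack, so here is an added example, not from the thread and not from the x2goserver project, that reads a PAM session configuration and states what it implies for resuming a suspended X2Go session on an AFS home. Module and option names are the ones used in the thread; the sample configuration is constructed and the verdict labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread or x2goserver): classify what a PAM session stack
# implies for X2Go session resume on AFS homes, based on the two options discussed here:
#   retain_after_close  - pam_krb5 / pam_afs_session keep ticket/token past pam_close_session()
#   nopag               - pam_afs_session ties the token to the uid instead of a PAG
# Module and option names are the ones the thread names; the verdict labels are mine.

# Constructed sample stack (nopag on the AFS module, Kerberos ticket retained on close)
SAMPLE_PAM_CONFIG='session optional pam_krb5.so minimum_uid=1000 retain_after_close
session optional pam_afs_session.so minimum_uid=1000 nopag
session required pam_unix.so'

# module_line CONFIG MODULE: first "session" line that loads MODULE (with or without .so),
# or nothing when the module is not in the stack
module_line() {
    printf '%s\n' "$1" \
      | grep -E "^[[:space:]]*session[[:space:]].*[[:space:]/]$2(\.so)?([[:space:]]|$)" \
      | head -n 1
}

# has_option LINE OPTION: true if OPTION occurs as a whole word on the module line
has_option() {
    printf ' %s \n' "$1" | grep -q "[[:space:]]$2[[:space:]]"
}

# ticket_retained CONFIG: true if pam_krb5 keeps the Kerberos ticket after session close
# (only filesystem access needs the AFS token, so this is reported separately)
ticket_retained() {
    has_option "$(module_line "$1" pam_krb5)" retain_after_close
}

# resume_verdict CONFIG: prints one of
#   no-afs-session              pam_afs_session not in the stack (AFS token not managed by PAM)
#   resume-never                token dropped by pam_close_session(); suspended session freezes on $HOME
#   resume-until-token-expiry   token survives close, resume works until the token expires
#   resume-any-time-shared-pag  nopag: the new login's token reaches the old session via the uid;
#                               the man page warns that logins may share a PAG if sshd runs in one
resume_verdict() {
    afs=$(module_line "$1" pam_afs_session)
    if [ -z "$afs" ]; then
        echo no-afs-session
    elif has_option "$afs" nopag; then
        echo resume-any-time-shared-pag
    elif has_option "$afs" retain_after_close; then
        echo resume-until-token-expiry
    else
        echo resume-never
    fi
}

# Usage on a Debian-style host: resume_verdict "$(cat /etc/pam.d/common-session)"
```

The classification mirrors the trade-off described in the thread: without either option a suspended session loses its token at pam_close_session(); retain_after_close buys time until token expiry; nopag makes resume work at any time but at the cost of the PAG isolation the man page warns about.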


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#272; Package x2goserver. (Tue, 13 Jan 2015 14:15:02 GMT)

Acknowledgement sent to Roy Williams <fang64@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 13 Jan 2015 14:15:02 GMT)

Message #30 received at 272@bugs.x2go.org:

Message-ID: <CAEQEHWYPcX3KqoRWjLNbUj5hMbLStdbZ-P+FHnwc7Sz1DTnCBg@mail.gmail.com>
Date: Tue, 13 Jan 2015 09:11:26 -0500
From: Roy Williams <fang64@gmail.com>
To: 272@bugs.x2go.org
Subject: Regarding x2go and afs interaction
[Message part 1 (text/plain, inline)]
Hello Everyone,

I have a suggestion that basically involves using k5start from Russ Allbery
which I suspect will no longer be as maintained in the future. Available at
http://www.eyrie.org/~eagle/software/kstart/k5start.html and having that
maintain credentials in the session, then copying the KRB5CCNAME into a new
session and having it renew the Kerberos tickets, so when k5start runs
aklog it'll renew the tokens in the suspended session. It's not ideal but
it does allow you to have session resuming.

I am not sure what the security implications would be doing this since I
suspect this would be frowned on by the Kerberos community. This k5start
tool was intended to keep long running processes from losing their file
system access on a host.

Roy Williams (fang64@gmail.com)
[Message part 2 (text/html, inline)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#272; Package x2goserver. (Mon, 28 Sep 2015 08:55:02 GMT)


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 21:31:36 2024; Machine Name: ymir.das-netzwerkteam.de
