Subject: Bug#272: [X2Go-User] Session resume fails with AFS home directories
From: Mike Gabriel
To: Sebastian Flothow
Cc: 272@bugs.x2go.org, x2go-user@lists.berlios.de
Date: Wed, 18 Sep 2013 23:24:38 +0200
X-X2Go-PR-Package: x2goserver

Hi Sebastian,

On Mo 16 Sep 2013 16:17:31 CEST Sebastian Flothow wrote:

> I did some further testing, and the resume failures are indeed due
> to missing AFS tokens. When suspending a session, the SSH connection
> is closed, sshd will call pam_close_session(), which means that
> pam_krb5 and pam_afs_session will delete the user's ticket/token
> (resp.). The session therefore loses access to the home directory
> and appears to freeze up, preventing it from being resumed.
>
> Both pam_krb5 and pam_afs_session accept retain_after_close as a
> parameter, which disables the delete-on-close behavior. With this
> parameter set, it becomes possible to resume sessions, unless the
> AFS token has expired.

Thanks for digging this out. Good work!!!

> This solves at least the case where the user reconnects quickly (eg.
> after a short network outage), but it still means sessions will
> become unresumable when left unused for a few days.

I get that. NFSv4 with Kerberos is very similar to the AFS token behaviour.

> I guess the only way to avoid this is to not store session data in
> the home directory. Can X2go be configured such that it uses eg.
> /tmp or /var/lib for this purpose?

In earlier versions of X2Go every session detail was in $HOME. Some of the session information has to be accessible by super-user root. Those bits, I have already moved out of the home (e.g. the session.log file).

Normally, the AFS token should be immediately restored after SSH login (which is the first action taken when resuming a session). However, this AFS token does not re-awake the session so it can be resumed. The question is why...

Does a session simply not resume (with an x2goagent still being present for this session)? Or does the x2goagent crash somewhere on the run (i.e. when the session is suspended and the AFS home freezes some time later)?

When invoking x2golistsessions, the first field of each output line is the x2goagent PID that is associated with that session in the same line. With non-resumable sessions, please check if the x2goagent processes remain active on the X2Go server or if the x2goagent processes crash (disappear).

I can only imagine that the x2goagent processes remain alive (frozen) until the AFS token gets reinstated by the X2Go resuming SSH login. If x2goagent crashes somewhere on the way, we have to find out why and how to prevent it.

However, if x2goagent stays functional, we have to investigate if there is anything AFS-critical in /usr/bin/x2goresume-session. If you look at the script /usr/bin/x2goresume-session, can you spot anything that might fail on AFS?

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
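
The process check requested in the message above, as an added example that is not part of the original mail or of X2Go: it reads x2golistsessions output and reports whether each session's x2goagent PID is gone, blocked, or alive. It assumes a Linux /proc and `|` as the field separator (the message only states that the first field is the PID); `agent_state` and `check_sessions` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not X2Go code. Assumptions: Linux /proc, and "|" as the
# field separator of x2golistsessions output (the message only states that
# field 1 is the x2goagent PID). Function names are hypothetical.

# agent_state PID -> prints one of: invalid, gone, blocked, alive
agent_state() {
    p=$1
    case $p in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # No /proc entry means the agent process has exited (crashed or killed).
    if [ ! -r "/proc/$p/status" ]; then
        echo gone
        return 0
    fi
    # First letter of the State: line, e.g. S (sleeping) or D (disk sleep).
    st=$(sed -n 's/^State:[[:space:]]*\(.\).*/\1/p' "/proc/$p/status" 2>/dev/null) || true
    case $st in
        ''|Z|X) echo gone ;;     # vanished meanwhile, or exited but not yet reaped
        D)      echo blocked ;;  # uninterruptible sleep, e.g. waiting on filesystem I/O
        *)      echo alive ;;
    esac
}

# check_sessions: read session lines on stdin, print "<pid> <session> <state>".
check_sessions() {
    while IFS='|' read -r pid sid _rest; do
        [ -n "$pid" ] || continue
        printf '%s %s %s\n' "$pid" "${sid:-?}" "$(agent_state "$pid")"
    done
}

# On the X2Go server, after a resume attempt has failed.
if command -v x2golistsessions >/dev/null 2>&1; then
    x2golistsessions | check_sessions
fi
```

A session whose agent shows as `gone` points at the crash case; `blocked` or `alive` points at the resume script instead.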