> On Tue, Aug 10, 2021 at 5:02 PM Paulo Alcantara <pc@xxxxxx> wrote: > > Thomas Werschlein <thomas.werschlein@xxxxxxxxxx> writes: > >> Hi >> >> We are mounting SMB shares from Windows and FreeBSD servers to AD-joined (Ubuntu) Linux clients, using DFS and Kerberos. >> >> A sample /etc/fstab entry looks like this: >> //files.d.example.com/shared /files/shared cifs defaults,sec=krb5i,vers=3,seal,multiuser,noserverino,username=LINUXCLIENT$ 0 0 >> >> The machine account LINUXCLIENT$ is able to browse the DFS tree and mount the shares. >> The credentials for the principal LINUXCLIENT$@D.EXAMPLE.COM are stored in the default keytab (/etc/krb5.keytab). >> In order to access a share a user needs a personal KRB ticket (either through kinit or GSSAPI delegated credentials upon ssh login). >> >> This works fine on Ubuntu 18.04 (4.15.0-153-generic Kernel, 2.10 cifs.ko), but doesn't on Ubuntu 20.04 (5.4.0-80-generic, 2.23). >> To be precise: it works for the first 10 hours (the ticket lifetime) even on Ubuntu 20.04. >> >> My findings so far: >> - this lockup (after 10h) *only* occurs when DFS is involved. Mounting a target share directly "survives" the ticket expiry >> - this problem does *not* manifest with the newest kernel/cifs.ko combo (5.14.0-051400rc5-generic/2.33) >> >> Therefore: >> Could it be, that the DFS patches contributed by Paulo Alcantara on June 4 2021 (https://www.spinics.net/lists/linux-cifs/msg21999.html) >> fixed this problem? > > Yes, that is possible. We found out some deadlock and race scenarios > but couldn't remember if the above was one of them. Still worth having > those commits backported. Thanks for your (possible) confirmation. > >> >> Two of his comments point into that direction: >> [...] >> - keep SMB sessions alive as long as dfs mounts are actives in order >> to refresh cached entries by using IPC tcons. >> [...] >> - skip unnecessary tree disconnect of IPCs when shutting down SMB >> sessions (it didn't even work before). >> >> Am I on the right track here? And if so: are there any plans to backport Paulo's patches to current kernels? > > Yes. I don't know if there any plans, but the only tricky part is > changing the commits to work with the old mount api on <5.11 kernels. I wasn't aware of Ubuntu's "LTS enablement stack" (https://wiki.ubuntu.com/Kernel/LTSEnablementStack). A simple 'sudo apt install --install-recommends linux-generic-hwe-20.04' brings the latest LTS to Kernel 5.11.0-27 and cifs.ko to 2.30. Strange enough (but gratefully so) this did solve my problem - the lockups don't manifest anymore. I wouldn't have expected this, since your patches from June 4 brought cifs.ko to 2.31. Must be some earlier change then? Anyway, our problem is gone. Thanks again. Best regards Thomas
