Bug#832609: rpc-gssd.service: fails to start when keytab exists (ActiveDirectory member) but rpcsec_gss_krb5 module is not loaded
Package: nfs-common
Version: 1:1.2.8-9.1
Severity: normal
File: /lib/systemd/system/rpc-gssd.service

Dear Maintainer,

I get:

  systemd[1]: Starting RPC security service for NFS server...
  rpc.svcgssd[4860]: libnfsidmap: using (default) domain: <my AD domain>
  systemd[1]: Started RPC security service for NFS server.
  rpc.svcgssd[4860]: libnfsidmap: Realms list: '< my realm >'
  rpc.svcgssd[4860]: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
  rpc.svcgssd[4860]: failed to open /proc/net/rpc/auth.rpcsec.init/channel: No such file or directory

If I do:

  modprobe rpcsec_gss_krb5

then all is fine.

Could you add a file in /usr/lib/modules-load.d/ per
http://0pointer.de/public/systemd-man/modules-load.d.html ?

Cheers
Alban

PS: side note, but it might help to reproduce:
this is on an NFS client box, which is also a member of a Samba AD domain.
rpc-svcgssd finds /etc/krb5.keytab but finds no nfs SPN.
The error is:

  systemctl status rpc-svcgssd
  ● rpc-svcgssd.service - RPC security service for NFS server
     Loaded: loaded (/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: enabled)
     Active: failed (Result: exit-code) since jeu. 2016-07-07 19:05:45 CEST; 5h 22min ago
  systemd[1]: Starting RPC security service for NFS server...
  systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
  systemd[1]: Failed to start RPC security service for NFS server.
  systemd[1]: rpc-svcgssd.service: Unit entered failed state.
  systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.

With debug I get:

  ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No key table entry found matching nfs/@

I add the nfs SPN with:

  adcli join -N <my netbios client> -K /etc/krb5.keytab -V nfs <my AD domain>

(mind that I cannot use "net ads keytab add nfs" as I joined with realmd; if done so without
the --membership-software=samba flag, the latter fails to apply silently - if executed without
the -d<n> flag - see:
https://bugzilla.redhat.com/show_bug.cgi?id=1271618 )
and then the issue at stake exhibits.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-rc7prahal+ (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii  adduser              3.115
ii  init-system-helpers  1.39
ii  libc6                2.23-2
ii  libcap2              1:2.25-1
ii  libcomerr2           1.43.1-1
ii  libdevmapper1.02.1   2:1.02.130-1
ii  libevent-2.0-5       2.0.21-stable-2+b1
ii  libgssapi-krb5-2     1.14.2+dfsg-1
ii  libk5crypto3         1.14.2+dfsg-1
ii  libkeyutils1         1.5.9-9
ii  libkrb5-3            1.14.2+dfsg-1
ii  libmount1            2.28-6
ii  libnfsidmap2         0.25-5
ii  libtirpc1            0.2.5-1
ii  libwrap0             7.6.q-25
ii  lsb-base             9.20160629
ii  rpcbind              0.2.3-0.5
ii  ucf                  3.0036

Versions of packages nfs-common recommends:
ii  python  2.7.11-2

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
ii  watchdog    5.15-1

-- no debconf information
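
Added example (not part of the original report and not nfs-common's own code): a shell check for the condition described above, i.e. whether rpcsec_gss_krb5 is loaded and the channel file from the rpc.svcgssd error exists, plus a helper that writes the modules-load.d drop-in the report asks for. The function names, the path parameters and the /etc/modules-load.d default are assumptions made for this example.

```sh
#!/bin/sh
# Added example: not from the bug report or from nfs-common.
# Paths are parameters (assumption) so the checks can run against constructed files.

MODULE=rpcsec_gss_krb5
CHANNEL=/proc/net/rpc/auth.rpcsec.init/channel   # path from the rpc.svcgssd error

# Return 0 if $MODULE appears in a /proc/modules-format file (module name is field 1).
# A module compiled into the kernel is not listed there; this sketch ignores that case.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Return 0 if the channel file that rpc.svcgssd failed to open exists.
channel_present() {
    [ -e "${1:-$CHANNEL}" ]
}

# Print one of: ok | module-missing | channel-missing
diagnose() {
    if ! module_loaded "${1:-/proc/modules}"; then
        echo module-missing
    elif ! channel_present "${2:-$CHANNEL}"; then
        echo channel-missing
    else
        echo ok
    fi
}

# Write a modules-load.d drop-in into directory $1: one module name per line,
# lines starting with '#' are comments.
write_dropin() {
    dir=${1:-/etc/modules-load.d}
    printf '# needed by rpc-svcgssd / rpc.gssd\n%s\n' "$MODULE" > "$dir/$MODULE.conf"
}

# Stand-alone use: "sh thisfile --check" prints the state of the running system.
if [ "${1:-}" = "--check" ]; then
    diagnose
fi
```

write_dropin needs root when it targets /etc/modules-load.d; systemd-modules-load.service reads that directory at boot.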