Package: nfs-common 1:1.3.4-2.1, nfs-kernel-server 1:1.3.4-2.1
Debian-Version: 9.1, Kernel 4.9.0-3-amd64
Hardware: Dell PowerEdge R630, 2 Sockets, 2x8Cores, 265 GByte Memory

Symptom: starting rpc-svcgssd.service fails with non-standard Kerberos principal

Involved packages:
libnfs8:amd64 1.11.0-2 amd64
libnfsidmap2:amd64 0.25-5.1 amd64
nfs-common 1:1.3.4-2.1 amd64
nfs-kernel-server 1:1.3.4-2.1 amd64
libgssrpc4:amd64 1.15-1 amd64
libtirpc1:amd64 0.2.5-1.2 amd64
rpcbind 0.2.3-0.6 amd64

Bug Log:
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) -
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: unable to obtain root (machine) credentials
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Jul 20 13:37:42 hiyo systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
Jul 20 13:37:42 hiyo systemd[1]: Failed to start RPC security service for NFS server.
-- Subject: Unit rpc-svcgssd.service has failed

This is perfectly correct, because /etc/krb5.keytab has no principal nfs/hiyo.zit.biophys.mpg.de@BPCENTAL.BIOPHY.MPG.DE

A solution would be to use the -p or -n options for the rpc.svcgssd daemon. These are the constraints:

1.) If nfs-kernel-server is not installed, rpc.svcgssd should not be started - it's used by the nfs server only, not by nfs clients
2.) However: rpc.svcgssd is part of package nfs-common (incl. nfs client). Why? Shouldn't it be part of nfs-kernel-server?
3.) If everything is intended as currently distributed, why place
the configuration parameter RPCSVCGSSDOPTS in
/etc/default/nfs-kernel-server?
4.) Under these circumstances it should be placed in
/etc/default/nfs-common.
5.) The contents of the 2 /etc/default/nfs-* files are evaluated by the
service nfs-config.service into /run/sysconfig/nfs-utils, the result of
which looks like:
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids"
STATDARGS=""
RPCSVCGSSDARGS="-n"
6.) However, the systemd unit file in
/lib/systemd/system/rpc-svcgssd.service imports a variable SVCGSSDARGS,
where /run/sysconfig/nfs-utils defines RPCSVCGSSDARGS (with RPC prefix).
This renders the config parameter useless because it never draws.
[Unit]
Description=RPC security service for NFS server
DefaultDependencies=no
Requires=run-rpc_pipefs.mount
After=run-rpc_pipefs.mount local-fs.target
PartOf=nfs-server.service
PartOf=nfs-utils.service
After=gssproxy.service
ConditionPathExists=|!/run/gssproxy.pid
ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
ConditionPathExists=/etc/krb5.keytab
Wants=nfs-config.service
After=nfs-config.service
[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
My suggestion for these issues:
- Move rpc.svcgssd service to the nfs-kernel-server package,
so it doesn't get started if the nfs server isn't installed
- Make sure /lib/systemd/system/rpc-svcgssd.service imports/uses
the correct variables from /run/sysconfig/nfs-utils
Best
Andreas Schindler
--
Dr.-Ing. Andreas Schindler
Leiter Zentrale IT
Max-Planck-Institut für Biophysik
Andreas.Schindler@biophys.mpg.de
Max-von-Laue-Str. 3, 60438 Frankfurt, Tel: +49 69 6303 4555
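
Added example (not part of the original report, and not code from the nfs-utils package): a small check for the mismatch described in point 6, comparing the variables a unit's Exec* lines reference with the names its EnvironmentFile actually defines. systemd expands an unset variable to nothing, so the daemon starts without the intended option and no error is logged. The sample inputs are copied from the excerpts quoted in the report; the function names are hypothetical, and the check assumes the variables come only from the EnvironmentFile (no Environment= lines in the unit).

```python
import re

# Constructed sample inputs, taken from the excerpts quoted in the report above.
ENV_FILE = '''\
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids"
STATDARGS=""
RPCSVCGSSDARGS="-n"
'''
UNIT_FILE = '''\
[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
'''

def env_names(text):
    """Names assigned in an EnvironmentFile (KEY=VALUE lines, '#' or ';' comments)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;" and "=" in line:
            names.add(line.split("=", 1)[0].strip())
    return names

def exec_vars(unit_text):
    """Variables ($NAME or ${NAME}) referenced on Exec* lines of a unit file."""
    found = set()
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("Exec"):
            value = value.replace("$$", "")  # "$$" is a literal dollar sign in systemd
            for braced, bare in re.findall(r"\$(?:\{(\w+)\}|(\w+))", value):
                found.add(braced or bare)
    return found

def audit(unit_text, env_text):
    """Return (undefined, near): names referenced but never set, and for each
    of them the defined names that contain it (likely prefix/suffix typos)."""
    defined = env_names(env_text)
    undefined = exec_vars(unit_text) - defined
    near = {v: sorted(d for d in defined if v in d) for v in undefined}
    return sorted(undefined), near

if __name__ == "__main__":
    undefined, near = audit(UNIT_FILE, ENV_FILE)
    for v in undefined:
        print(f"${v} is not set by the EnvironmentFile; similar names: {near[v]}")
```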