Bug#832609: rpc-gssd.service: fails to start when keytab exists (ActiveDirectory member) but rpcsec_gss_krb5 module is not loaded

To: 832609@bugs.debian.org
Subject: Bug#832609: rpc-gssd.service: fails to start when keytab exists (ActiveDirectory member) but rpcsec_gss_krb5 module is not loaded
From: Harald Dunkel <harald.dunkel@aixigo.com>
Date: Tue, 19 Nov 2019 16:52:44 +0100
Message-id: <[🔎] cb4ce4fa-c882-1d56-2f83-410ddbc3404a@aixigo.com>
Reply-to: Harald Dunkel <harald.dunkel@aixigo.com>, 832609@bugs.debian.org
References: <146946964416.5119.12245903100416617526.reportbug@cyclope.prahal.homelinux.net>

I cannot confirm the fix. Even when rpcsec_gss_krb5 *is* loaded,
rpc-svcgssd.service still fails for Buster:

root@srvl064:/etc# systemctl daemon-reload
root@srvl064:/etc# systemctl restart rpc-svcgssd
Job for rpc-svcgssd.service failed because the control process exited with error code.
See "systemctl status rpc-svcgssd.service" and "journalctl -xe" for details.
root@srvl064:/etc# systemctl status rpc-svcgssd
* rpc-svcgssd.service - RPC security service for NFS server
   Loaded: loaded (/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-11-19 16:45:35 CET; 5s ago
  Process: 1809 ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS (code=exited, status=1/FAILURE)

Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: Starting RPC security service for NFS server...
Nov 19 16:45:35 srvl064.ac.aixigo.de rpc.svcgssd[1810]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No key table entry found matching nfs/@
Nov 19 16:45:35 srvl064.ac.aixigo.de rpc.svcgssd[1810]: unable to obtain root (machine) credentials
Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: rpc-svcgssd.service: Control process exited, code=exited, status=1/FAILURE
Nov 19 16:45:35 srvl064.ac.aixigo.de rpc.svcgssd[1810]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.
Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: Failed to start RPC security service for NFS server.
root@srvl064:/etc# lsmod | grep rpcsec_gss_krb5
rpcsec_gss_krb5        45056  1
auth_rpcgss            73728  2 rpcsec_gss_krb5
sunrpc                425984  13 nfsv4,auth_rpcgss,lockd,rpcsec_gss_krb5,nfs


journalctl -xe showed:

ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No key table entry found matching nfs/@

Of course the nfs entry in the keytab has been omitted on purpose.


Regards
Harri

Reply to:

Prev by Date: Bug#945077: firmware-linux: Missing firmware for Intel bluetooth device 22560 makes adapter not available
Next by Date: linux_4.19.67-2+deb10u2_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Previous by thread: Bug#945077: firmware-linux: Missing firmware for Intel bluetooth device 22560 makes adapter not available
Next by thread: linux_4.19.67-2+deb10u2_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates
Index(es):
- Date
- Thread