
Bug#985002: nfs-common: Degraded system state if nfs-common installed and /etc/krb5.keytab present



Package: nfs-common
Version: 1:1.3.4-4
Severity: normal
Tags: patch
X-Debbugs-Cc: felix.lechner@lease-up.com

The nfs-client.target requires the auth-rpcgss-module.service, which in
turn requires rpc-svcgssd.service. However, the rpc.svcgssd daemon is
not needed for an NFS client, even when using Kerberos security.
Moreover, starting this daemon with its default configuration will fail
when no nfs/<host>@REALM principal is in the Kerberos keytab. This
results in a degraded system state for NFS client configurations
without an nfs/<host>@REALM principal in the Kerberos keytab. However, this
is a perfectly valid NFS client configuration as the nfs/<host>@REALM
principal is not required for mounting NFS file systems. This is even
the case when Kerberos security is enabled for the mount!

Note that installing the gssproxy package hides this problem as this
disables the rpc-svcgssd.service.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home	/home			nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/local	/local			nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/opt	/opt			nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
# the auto mounter map /etc/auto.nfs handles these
#nfs.jfalk.de:/bulk-data	/bulk-data	nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
-- /proc/mounts --
nfs.jfalk.de:/local /local nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/opt /opt nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/home /home nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
/etc/auto.nfs /var/autofs/nfs autofs rw,relatime,fd=6,pgrp=1106,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=12280 0 0

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6.1-2
ii  libc6               2.31-9
ii  libcap2             1:2.44-1
ii  libcom-err2         1.46.1-1
ii  libdevmapper1.02.1  2:1.02.175-2.1
ii  libevent-2.1-7      2.1.12-stable-1
ii  libgssapi-krb5-2    1.18.3-4
ii  libkeyutils1        1.6.1-2
ii  libkrb5-3           1.18.3-4
ii  libmount1           2.36.1-7
ii  libnfsidmap2        0.25-6
ii  libtirpc3           1.3.1-1
ii  libwrap0            7.6.q-31
ii  lsb-base            11.1.0
ii  rpcbind             1.2.5-9
ii  ucf                 3.0043

Versions of packages nfs-common recommends:
pn  python  <none>

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- Configuration Files:
/etc/default/nfs-common changed:
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=


-- no debconf information
Description: The rpc.svcgssd daemon is not needed for an NFS client, even
 when using Kerberos security. Moreover, starting this daemon with its
 default configuration will fail when no nfs/<host>@REALM principal is in
 the krb5.keytab. Furthermore, the nfs/<host>@REALM principal is unneeded
 for an NFS client configuration. This results in a degraded system
 state for NFS client configurations without an nfs/<host>@REALM principal
 in the krb5.keytab.
Author: Joachim Falk <joachim.falk@gmx.de>

Index: pkg-nfs-utils/systemd/auth-rpcgss-module.service
===================================================================
--- pkg-nfs-utils.orig/systemd/auth-rpcgss-module.service	2020-09-04 10:04:07.018816047 +0200
+++ pkg-nfs-utils/systemd/auth-rpcgss-module.service	2020-09-04 10:04:25.586617690 +0200
@@ -8,7 +8,7 @@
 Description=Kernel Module supporting RPCSEC_GSS
 DefaultDependencies=no
 Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service
-Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service
+Wants=gssproxy.service rpc-gssd.service

 [Service]
 EnvironmentFile=-/run/sysconfig/nfs-utils
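Review bot: On the changed `Wants=` line, rpc-svcgssd.service is dropped while the unchanged `Before=` line just above still names it. `Before=` only orders units and will not start the daemon, so this is harmless, but a one-line comment above `Wants=` stating that rpc-svcgssd.service is now pulled in by the server unit only would explain the asymmetry and keep the entry from being re-added later.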
Index: pkg-nfs-utils/systemd/nfs-kernel-server.service
===================================================================
--- pkg-nfs-utils.orig/systemd/nfs-server.service	2020-09-04 10:03:18.051339115 +0200
+++ pkg-nfs-utils/systemd/nfs-server.service	2020-09-04 10:03:48.315015845 +0200
@@ -12,7 +12,7 @@
 Before=rpc-statd-notify.service

 # GSS services dependencies and ordering
-Wants=auth-rpcgss-module.service
+Wants=auth-rpcgss-module.service rpc-svcgssd.service
 After=rpc-gssd.service gssproxy.service rpc-svcgssd.service

 # start/stop server before/after client
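Review bot: The `Index:` line for this hunk names systemd/nfs-kernel-server.service while the `---`/`+++` headers name systemd/nfs-server.service; make them agree so it is unambiguous which file the hunk targets. On the changed line, `Wants=` is a weak dependency, so a server host without the nfs/<host>@REALM principal will still see rpc-svcgssd.service fail as the description explains for clients; the description should say that the server case is intentionally left as it was.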

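The dependency change in the patch above can be checked by computing which units each entry point pulls in. This is an added example, not part of the report or of the nfs-utils packaging; the unit bodies are constructed and trimmed to the dependency lines shown in the hunks, and the `nfs-client.target` body is an assumption based on the report's description.

```python
DEP_KEYS = ("Wants", "Requires")  # Before=/After= only order units, they start nothing

def parse_deps(unit_text):
    """Units named on Wants=/Requires= lines of one unit file."""
    deps = set()
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in DEP_KEYS:
            deps.update(value.split())
    return deps

def pulled_in(units, root):
    """Transitive Wants=/Requires= closure from root (drop-ins, .wants/ dirs ignored)."""
    seen, stack = set(), [root]
    while stack:
        for dep in parse_deps(units.get(stack.pop(), "")):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

# Constructed, trimmed unit bodies; the dependency lines are those in the patch.
AUTH_OLD = ("Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service\n"
            "Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service\n")
AUTH_NEW = ("Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service\n"
            "Wants=gssproxy.service rpc-gssd.service\n")
SERVER_OLD = ("Wants=auth-rpcgss-module.service\n"
              "After=rpc-gssd.service gssproxy.service rpc-svcgssd.service\n")
SERVER_NEW = ("Wants=auth-rpcgss-module.service rpc-svcgssd.service\n"
              "After=rpc-gssd.service gssproxy.service rpc-svcgssd.service\n")
# Assumption: the client target pulls in the module unit, as the report states.
CLIENT = "Wants=auth-rpcgss-module.service\n"

def unit_set(patched):
    return {
        "nfs-client.target": CLIENT,
        "auth-rpcgss-module.service": AUTH_NEW if patched else AUTH_OLD,
        "nfs-server.service": SERVER_NEW if patched else SERVER_OLD,
    }

def starts_svcgssd(root, patched):
    """True if starting root would also queue rpc-svcgssd.service."""
    return "rpc-svcgssd.service" in pulled_in(unit_set(patched), root)

if __name__ == "__main__":
    for root in ("nfs-client.target", "nfs-server.service"):
        print(root, starts_svcgssd(root, False), starts_svcgssd(root, True))
```

On a live host the equivalent check is `systemctl list-dependencies --reverse rpc-svcgssd.service`, which also accounts for drop-ins and `.wants/` links that this sketch ignores.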