Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"
Control: tags -1 + moreinfo
Hi
On Wed, Dec 29, 2021 at 02:36:14PM +0100, Harald Dunkel wrote:
> Package: nfs-common
> Version: 1:1.3.4-6
>
> systemd moans about krb5.keytab at boot time
>
> ```
> # systemctl --failed
> UNIT LOAD ACTIVE SUB DESCRIPTION
> * rpc-svcgssd.service loaded failed failed RPC security service for NFS server
>
> LOAD = Reflects whether the unit definition was properly loaded.
> ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
> SUB = The low-level unit activation state, values depend on unit type.
> 1 loaded units listed.
>
> # systemctl status rpc-svcgssd
> * rpc-svcgssd.service - RPC security service for NFS server
>      Loaded: loaded (/etc/systemd/system/rpc-svcgssd.service; static)
>      Active: failed (Result: exit-code) since Wed 2021-12-29 14:00:51 CET; 8min ago
>     Process: 301 ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS (code=exited, status=1/FAILURE)
>         CPU: 6ms
>
> Dec 29 14:00:50 nfs00.example.com systemd[1]: Starting RPC security service for NFS server...
> Dec 29 14:00:50 nfs00.example.com rpc.svcgssd[302]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No key table entry found matching nfs/@
> Dec 29 14:00:50 nfs00.example.com rpc.svcgssd[302]: unable to obtain root (machine) credentials
> Dec 29 14:00:50 nfs00.example.com rpc.svcgssd[302]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
> Dec 29 14:00:51 nfs00.example.com systemd[1]: rpc-svcgssd.service: Control process exited, code=exited, status=1/FAILURE
> Dec 29 14:00:51 nfs00.example.com systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.
> Dec 29 14:00:51 nfs00.example.com systemd[1]: Failed to start RPC security service for NFS server.
> ```
>
> Shouldn't svcgssd either exit silently with 0 or become optional? Looking at
> nfs(5) Kerberos authentication for NFS appears to be optional, regardless if
> there is a keytab file with or without NFS credentials.
The rpc-svcgssd.service already has some conditionals:
```
ConditionPathExists=|!/run/gssproxy.pid
ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
ConditionPathExists=/etc/krb5.keytab
```
If no /etc/krb5.keytab exists, the status will in fact be:
```
○ rpc-svcgssd.service - RPC security service for NFS server
     Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2021-12-21 10:28:53 CET; 1 week 1 day ago
```
If you have a /etc/krb5.keytab then the condition is met to try to start
rpc-svcgssd.
Regards,
Salvatore
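A pre-flight check an admin can run before relying on the unit, added here as an example and not part of the bug report or the nfs-common package: it mirrors the ConditionPathExists= logic quoted above and then looks in a `klist -k` listing for the nfs/<host>@<REALM> principal that rpc.svcgssd reports as missing. The sample listing is constructed; on a live host the listing would come from klist(1) in krb5-user.

```shell
#!/bin/sh
# Added example, not from the bug report: pre-flight check for rpc-svcgssd.
# Assumption: on a live host the keytab listing is produced by `klist -k`.

# svcgssd_condition_met [ROOT]
# Returns 0 when systemd would try to start the unit. The two '|' lines are
# OR-ed together; the unprefixed keytab line is AND-ed with that result.
# ROOT is empty for the live system and a scratch directory in tests.
svcgssd_condition_met() {
    root=${1:-}
    [ -e "$root/etc/krb5.keytab" ] || return 1
    if [ ! -e "$root/run/gssproxy.pid" ] ||
       [ ! -e "$root/proc/net/rpc/use-gss-proxy" ]; then
        return 0
    fi
    return 1
}

# keytab_has_nfs_principal HOST REALM   (klist -k listing on stdin)
# Succeeds if an "nfs/HOST@REALM" entry is present. KVNO is column 1 and
# the principal column 2, so the header lines can never match.
keytab_has_nfs_principal() {
    awk -v want="nfs/$1@$2" '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# diagnose_svcgssd HOST REALM [ROOT]   (klist -k listing on stdin)
# Prints the state the report would show: skipped = condition not met
# ("inactive (dead)"), failing = keytab present but no nfs/ entry (exit 1
# as in the log above), ok = machine credentials obtainable.
diagnose_svcgssd() {
    if ! svcgssd_condition_met "${3:-}"; then
        echo skipped
    elif ! keytab_has_nfs_principal "$1" "$2"; then
        echo failing
    else
        echo ok
    fi
}

# Constructed sample of `klist -k` output (not taken from the report).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfs00.example.com@EXAMPLE.COM
   2 nfs/nfs00.example.com@EXAMPLE.COM'

# Live usage:
#   klist -k /etc/krb5.keytab | diagnose_svcgssd "$(hostname -f)" EXAMPLE.COM
```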