Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"

To: Harald Dunkel <harri@afaics.de>, 1002826@bugs.debian.org
Subject: Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 29 Dec 2021 17:36:20 +0100
Message-id: <[🔎] YcyOhJ6awFgP0zEW@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1002826@bugs.debian.org
In-reply-to: <[🔎] 340e4a6b-fbf3-dbac-ab80-6d4785388f01@afaics.de>
References: <[🔎] 340e4a6b-fbf3-dbac-ab80-6d4785388f01@afaics.de> <[🔎] 340e4a6b-fbf3-dbac-ab80-6d4785388f01@afaics.de>

Control: tags -1 + moreinfo

Hi

On Wed, Dec 29, 2021 at 02:36:14PM +0100, Harald Dunkel wrote:
> Package: nfs-common
> Version: 1:1.3.4-6
> 
> systemd moans about krb5.keytab at boot time
> 
> ```
> # systemctl --failed
>   UNIT                LOAD   ACTIVE SUB    DESCRIPTION
> * rpc-svcgssd.service loaded failed failed RPC security service for NFS server
> 
> LOAD   = Reflects whether the unit definition was properly loaded.
> ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
> SUB    = The low-level unit activation state, values depend on unit type.
> 1 loaded units listed.
> 
> # systemctl status rpc-svcgssd
> * rpc-svcgssd.service - RPC security service for NFS server
>      Loaded: loaded (/etc/systemd/system/rpc-svcgssd.service; static)
>      Active: failed (Result: exit-code) since Wed 2021-12-29 14:00:51 CET; 8min ago
>     Process: 301 ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS (code=exited, status=1/FAILURE)
>         CPU: 6ms
> 
> Dec 29 14:00:50 nfs00.example.com systemd[1]: Starting RPC security service for NFS server...
> Dec 29 14:00:50 nfs00.example.com rpc.svcgssd[302]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No key table entry found matching nfs/@
> Dec 29 14:00:50 nfs00.example.com rpc.svcgssd[302]: unable to obtain root (machine) credentials
> Dec 29 14:00:50 nfs00.example.com rpc.svcgssd[302]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
> Dec 29 14:00:51 nfs00.example.com systemd[1]: rpc-svcgssd.service: Control process exited, code=exited, status=1/FAILURE
> Dec 29 14:00:51 nfs00.example.com systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.
> Dec 29 14:00:51 nfs00.example.com systemd[1]: Failed to start RPC security service for NFS server.
> ```
> 
> Shouldn't svcgssd either exit silently with 0 or become optional? Looking at
> nfs(5) Kerberos authentication for NFS appears to be optional, regardless if
> there is a keytab file with or without NFS credentials.

The rpc-svcgssd.service already has some conditionals:

ConditionPathExists=|!/run/gssproxy.pid
ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
ConditionPathExists=/etc/krb5.keytab

If no /etc/krb5.keytab exists in fact the status will be

○ rpc-svcgssd.service - RPC security service for NFS server
     Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2021-12-21 10:28:53 CET; 1 week 1 day ago

If you have a /etc/krb5.keytab then the condition is met to try to start
rpc-svcgssd.

Regards,
Salvatore

Reply to:

References:
- Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"
  - From: Harald Dunkel <harri@afaics.de>

Prev by Date: Bug#1002829: please document how to set nfsv4gracetime and nfsv4leasetime
Next by Date: Processed: Re: Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"
Previous by thread: Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"
Next by thread: Processed: Re: Bug#1002826: rpc-svcgssd.service fails with "unable to obtain root (machine) credentials"
Index(es):
- Date
- Thread