[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#985002: marked as done (nfs-common: Degraded system state if nfs-common installed and /etc/krb5.keytab present)

Your message dated Wed, 11 Jan 2023 21:07:27 +0000
with message-id <E1pFiJj-0085ca-NA@fasolo.debian.org>
and subject line Bug#985002: fixed in nfs-utils 1:2.6.2-4
has caused the Debian Bug report #985002,
regarding nfs-common: Degraded system state if nfs-common installed and /etc/krb5.keytab present
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985002
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: nfs-common
Version: 1:1.3.4-4
Severity: normal
Tags: patch
X-Debbugs-Cc: felix.lechner@lease-up.com

The nfs-client.target requires the auth-rpcgss-module.service, which in
turn requires rpc-svcgssd.service. However, the rpc.svcgssd daemon is
not needed for an NFS client, even when using Kerberos security.
Moreover, starting this daemon with its default configuration will fail
when no nfs/<host>@REALM principal is in the kerberos keytab. Thus,
resulting in a degraded system state for NFS client configurations
without nfs/<host>@REALM principal in the kerberos keytab. However, this
is a perfectly valid NFS client configuration as the nfs/<host>@REALM
principal is not required for mounting NFS file systems. This is even
the case when Kerberos security is enabled for the mount!

Note that installing the gssproxy packed hides this problem as this
disables the rpc-svcgssd.service.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home	/home			nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/local	/local			nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/opt	/opt			nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
# the auto mounter map /etc/auto.nfs handles these
#nfs.jfalk.de:/bulk-data	/bulk-data	nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
-- /proc/mounts --
nfs.jfalk.de:/local /local nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/opt /opt nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/home /home nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
/etc/auto.nfs /var/autofs/nfs autofs rw,relatime,fd=6,pgrp=1106,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=12280 0 0

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6.1-2
ii  libc6               2.31-9
ii  libcap2             1:2.44-1
ii  libcom-err2         1.46.1-1
ii  libdevmapper1.02.1  2:1.02.175-2.1
ii  libevent-2.1-7      2.1.12-stable-1
ii  libgssapi-krb5-2    1.18.3-4
ii  libkeyutils1        1.6.1-2
ii  libkrb5-3           1.18.3-4
ii  libmount1           2.36.1-7
ii  libnfsidmap2        0.25-6
ii  libtirpc3           1.3.1-1
ii  libwrap0            7.6.q-31
ii  lsb-base            11.1.0
ii  rpcbind             1.2.5-9
ii  ucf                 3.0043

Versions of packages nfs-common recommends:
pn  python  <none>

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- Configuration Files:
/etc/default/nfs-common changed:
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=


-- no debconf information

Description: The rpc.svcgssd daemon is not needed for an NFS client, even
 when using Kerberos security. Moreover, starting this daemon with its
 default configuration will fail when no nfs/<host>@REALM principal is in
 the krb5.keytab. Furthermore, the nfs/<host>@REALM principal is unneeded
 for an NFS client configuration. Thus, resulting in a degraded system
 state for NFS client configurations without nfs/<host>@REALM principal
 in the krb5.keytab.
Author: Joachim Falk <joachim.falk@gmx.de>

Index: pkg-nfs-utils/systemd/auth-rpcgss-module.service
===================================================================
--- pkg-nfs-utils.orig/systemd/auth-rpcgss-module.service	2020-09-04 10:04:07.018816047 +0200
+++ pkg-nfs-utils/systemd/auth-rpcgss-module.service	2020-09-04 10:04:25.586617690 +0200
@@ -8,7 +8,7 @@
 Description=Kernel Module supporting RPCSEC_GSS
 DefaultDependencies=no
 Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service
-Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service
+Wants=gssproxy.service rpc-gssd.service

 [Service]
 EnvironmentFile=-/run/sysconfig/nfs-utils
Index: pkg-nfs-utils/systemd/nfs-kernel-server.service
===================================================================
--- pkg-nfs-utils.orig/systemd/nfs-server.service	2020-09-04 10:03:18.051339115 +0200
+++ pkg-nfs-utils/systemd/nfs-server.service	2020-09-04 10:03:48.315015845 +0200
@@ -12,7 +12,7 @@
 Before=rpc-statd-notify.service

 # GSS services dependencies and ordering
-Wants=auth-rpcgss-module.service
+Wants=auth-rpcgss-module.service rpc-svcgssd.service
 After=rpc-gssd.service gssproxy.service rpc-svcgssd.service

 # start/stop server before/after client

--- End Message ---
--- Begin Message --- 
Source: nfs-utils
Source-Version: 1:2.6.2-4
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Jan 2023 21:41:40 +0100
Source: nfs-utils
Architecture: source
Version: 1:2.6.2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 939153 985002
Changes:
 nfs-utils (1:2.6.2-4) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Fix LSB init script output (Closes: #939153)
 .
   [ Salvatore Bonaccorso ]
   * systemd: Don't degrade system state for nfs-clients when krb5 keytab
     present but not containing the nfs/<FQDN> principal (Closes: #985002)
   * Declare compliance with Debian policy 4.6.2
Checksums-Sha1: 
 51b1871d8fc6595875db8167d276ff7bb1315916 2554 nfs-utils_2.6.2-4.dsc
 3e6c958ddf6b2136b5f10ea533cd1110a9b51066 53232 nfs-utils_2.6.2-4.debian.tar.xz
Checksums-Sha256: 
 6be761b8c935e5ec6859be6dad5089aefae14d5a9deb0ab3a77a46ee91ba9258 2554 nfs-utils_2.6.2-4.dsc
 98f0df962f3c43d8d1ac2721206ef5704b4e075d316a944ffba1768e291596cc 53232 nfs-utils_2.6.2-4.debian.tar.xz
Files: 
 12860eb3b6f9dcceb8ea3732eb360fa9 2554 net optional nfs-utils_2.6.2-4.dsc
 d9e6e78df61d5067b3a4f9e653f5cfcd 53232 net optional nfs-utils_2.6.2-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmO/H/lfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EGSYP/i0tDIjAKRwbL+dGa0lIHmFH5EqwO/W7
IGXB0JYedllVSIwiNtRzY7faEt/vjB+Ga9ZhNlxqur0MS7TE9QTi9pv8EeOf6ixr
A52eNYgL+AiCDv6t4Ufj4XYJC/AMNnoaFS3yVg5XS1WTHiqx8t45XIfOp8JmECCZ
Zorpo5Ibq1LDBOy4AFrQGZqq3dgSjGYUxRBXXRdup0D5DEQVGSF8/37+C0q/2WMb
RAWm5M1anALyuTcjKqa/AZgJnS4J8NEqBGLwZo+cF7zKCnKL5QHdCCFqyNcYq683
vnGf6XZMjB47GmtawNAcS3GT/ROehZjZ7RBZAwugVuIIGP2XaF2aWi/z2yqOQel4
ze1WaGALpRo3d1EDtuSbwaZoEsHgQ8t7dQAD9fHFW5pVzhmPupuSwjAkQjjPrMLm
Bu8/6IESvAMIqv9mmRSfyhjGUuYjh2HfcSoO8K22HPh5DrqKjdkcxL50bpv06k+X
TikZ1dZJXcoX2yn6WaoKdVb9/tRwdBypGeVYyJR/Z2ucZfvqUgSwz+uuCSoHHFdy
HCYZR3PqQ0rHyS4EsSZLPHS1rHnwGa1vXVAQ9JO1mZfzv42x2KR4XGXyzinCGLoK
xM8sLJA96H4+s6s8qytdJsb+gFvr63Cv/cl/4yFl2myR6wIssGD+yxfWJ8K8o1ha
mCLONiFtZsGc
=ONNB
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: