Package: nfs-common 1:1.3.4-2.1, nfs-kernel-server 1:1.3.4-2.1
Debian-Version: 9.1, Kernel 4.9.0-3-amd64
Hardware: Dell PowerEdge R630, 2 Sockets, 2x8 Cores, 265 GByte Memory
Symptom: starting rpc-svcgssd.service fails with non-standard Kerberos principal
Involved packages:
libnfs8:amd64 1.11.0-2 amd64
libnfsidmap2:amd64 0.25-5.1 amd64
nfs-common 1:1.3.4-2.1 amd64
nfs-kernel-server 1:1.3.4-2.1 amd64
libgssrpc4:amd64 1.15-1 amd64
libtirpc1:amd64 0.2.5-1.2 amd64
rpcbind 0.2.3-0.6 amd64

Bug Log:
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) -
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: unable to obtain root (machine) credentials
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Jul 20 13:37:42 hiyo systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
Jul 20 13:37:42 hiyo systemd[1]: Failed to start RPC security service for NFS server.
-- Subject: Unit rpc-svcgssd.service has failed

This is perfectly correct, because /etc/krb5.keytab has no principal nfs/hiyo.zit.biophys.mpg...@bpcental.biophy.mpg.de
A solution would be to use the -p or -n options for the rpc.svcgssd daemon. These are the constraints:

1.) If nfs-kernel-server is not installed, rpc.svcgssd should not be started - it's used by the nfs server only, not by nfs clients
2.) However: rpc.svcgssd is part of package nfs-common (incl. nfs client). Why? Shouldn't it be part of nfs-kernel-server?
3.) If everything is intended as currently distributed, why place the configuration parameter RPCSVCGSSDOPTS in /etc/default/nfs-kernel-server?
4.) Under these circumstances it should be placed in /etc/default/nfs-common.
5.) The contents of the 2 /etc/default/nfs-* files are evaluated by the service nfs-config.service into /run/sysconfig/nfs-utils, whose result looks like:

PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids"
STATDARGS=""
RPCSVCGSSDARGS="-n"

6.) However, the systemd unit file in /lib/systemd/system/rpc-svcgssd.service imports a variable SVCGSSDARGS, where /run/sysconfig/nfs-utils defines RPCSVCGSSDARGS (with RPC prefix).
This renders the config parameter useless because it never takes effect.

[Unit]
Description=RPC security service for NFS server
DefaultDependencies=no
Requires=run-rpc_pipefs.mount
After=run-rpc_pipefs.mount local-fs.target
PartOf=nfs-server.service
PartOf=nfs-utils.service
After=gssproxy.service
ConditionPathExists=|!/run/gssproxy.pid
ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
ConditionPathExists=/etc/krb5.keytab
Wants=nfs-config.service
After=nfs-config.service

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS

My suggestion for these issues:
- Move rpc.svcgssd service to the nfs-kernel-server package, so it doesn't get started if the nfs server isn't installed
- Make sure /lib/systemd/system/rpc-svcgssd.service imports/uses the correct variables from /run/sysconfig/nfs-utils

Best
Andreas Schindler

--
Dr.-Ing. Andreas Schindler
Head of Central IT
Max-Planck-Institut für Biophysik
andreas.schind...@biophys.mpg.de
Max-von-Laue-Str. 3, 60438 Frankfurt, Tel: +49 69 6303 4555
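
A check for the mismatch described in point 6, as an added example that is not part of the original report or of the Debian packaging: it compares the variables a unit's Exec* lines expand against the names the environment file defines. The function names are hypothetical, and the two sample files are constructed from the excerpts quoted in the report.

```shell
#!/bin/sh
# Added example: list variables a unit's Exec* lines expand but the
# environment file never defines. Function names are hypothetical.

sample_env() {   # constructed from the /run/sysconfig/nfs-utils excerpt
cat <<'EOF'
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids"
STATDARGS=""
RPCSVCGSSDARGS="-n"
EOF
}

sample_unit() {  # constructed from the rpc-svcgssd.service excerpt
cat <<'EOF'
[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
EOF
}

# Names assigned by KEY=value lines of an environment file.
defined_vars() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# Names expanded as $NAME or ${NAME} on Exec* lines of a unit file.
# Variables systemd sets itself (such as $MAINPID) are listed too.
referenced_vars() {
    grep -E '^Exec[A-Za-z]*=' "$1" |
        grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' | tr -d '${}' | sort -u
}

# One line per referenced-but-undefined name; when a defined name contains
# it (for example with an extra prefix), that name is shown as a hint.
undefined_unit_vars() {
    referenced_vars "$1" | while read -r name; do
        defined_vars "$2" | grep -qx "$name" && continue
        near=$(defined_vars "$2" | grep -- "$name" | head -n 1)
        if [ -n "$near" ]; then echo "$name (defined as: $near)"
        else echo "$name"; fi
    done
}

tmp=$(mktemp -d)
sample_env > "$tmp/nfs-utils"; sample_unit > "$tmp/rpc-svcgssd.service"
undefined_unit_vars "$tmp/rpc-svcgssd.service" "$tmp/nfs-utils"
rm -rf "$tmp"
```

On an affected system the same function can be pointed at /lib/systemd/system/rpc-svcgssd.service and /run/sysconfig/nfs-utils; empty output means every expanded variable is defined.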