Package: nfs-common
Version: 1:1.3.4-4
Severity: normal
Tags: patch
X-Debbugs-Cc: felix.lech...@lease-up.com

The nfs-client.target requires the auth-rpcgss-module.service, which in turn requires rpc-svcgssd.service. However, the rpc.svcgssd daemon is not needed for an NFS client, even when using Kerberos security. Moreover, starting this daemon with its default configuration will fail when no nfs/<host>@REALM principal is in the Kerberos keytab. This results in a degraded system state for NFS client configurations without an nfs/<host>@REALM principal in the Kerberos keytab. However, this is a perfectly valid NFS client configuration, as the nfs/<host>@REALM principal is not required for mounting NFS file systems. This is even the case when Kerberos security is enabled for the mount!

Note that installing the gssproxy package hides this problem, as this disables the rpc-svcgssd.service.

-- Package-specific info:

-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper

-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=

-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

-- /etc/fstab --
nfs.jfalk.de:/home /home nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/local /local nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/opt /opt nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
# the auto mounter map /etc/auto.nfs handles these
#nfs.jfalk.de:/bulk-data /bulk-data nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0

-- /proc/mounts --
nfs.jfalk.de:/local /local nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/opt /opt nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/home /home nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
/etc/auto.nfs /var/autofs/nfs autofs rw,relatime,fd=6,pgrp=1106,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=12280 0 0

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6.1-2
ii  libc6               2.31-9
ii  libcap2             1:2.44-1
ii  libcom-err2         1.46.1-1
ii  libdevmapper1.02.1  2:1.02.175-2.1
ii  libevent-2.1-7      2.1.12-stable-1
ii  libgssapi-krb5-2    1.18.3-4
ii  libkeyutils1        1.6.1-2
ii  libkrb5-3           1.18.3-4
ii  libmount1           2.36.1-7
ii  libnfsidmap2        0.25-6
ii  libtirpc3           1.3.1-1
ii  libwrap0            7.6.q-31
ii  lsb-base            11.1.0
ii  rpcbind             1.2.5-9
ii  ucf                 3.0043

Versions of packages nfs-common recommends:
pn  python  <none>

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- Configuration Files:
/etc/default/nfs-common changed:
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=

-- no debconf information

Description: The rpc.svcgssd daemon is not needed for an NFS client, even when using Kerberos security. Moreover, starting this daemon with its default configuration will fail when no nfs/<host>@REALM principal is in the krb5.keytab. Furthermore, the nfs/<host>@REALM principal is unneeded for an NFS client configuration. Thus, resulting in a degraded system state for NFS client configurations without nfs/<host>@REALM principal in the krb5.keytab. Author: Joachim Falk <joachim.f...@gmx.de> Index: pkg-nfs-utils/systemd/auth-rpcgss-module.service =================================================================== --- pkg-nfs-utils.orig/systemd/auth-rpcgss-module.service 2020-09-04 10:04:07.018816047 +0200 +++ pkg-nfs-utils/systemd/auth-rpcgss-module.service 2020-09-04 10:04:25.586617690 +0200 @@ -8,7 +8,7 @@ Description=Kernel Module supporting RPCSEC_GSS DefaultDependencies=no Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service -Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service +Wants=gssproxy.service rpc-gssd.service [Service] EnvironmentFile=-/run/sysconfig/nfs-utils Index: pkg-nfs-utils/systemd/nfs-kernel-server.service =================================================================== --- pkg-nfs-utils.orig/systemd/nfs-server.service 2020-09-04 10:03:18.051339115 +0200 +++ pkg-nfs-utils/systemd/nfs-server.service 2020-09-04 10:03:48.315015845 +0200 @@ -12,7 +12,7 @@ Before=rpc-statd-notify.service # GSS services dependencies and ordering -Wants=auth-rpcgss-module.service +Wants=auth-rpcgss-module.service rpc-svcgssd.service After=rpc-gssd.service gssproxy.service rpc-svcgssd.service # start/stop server before/after client
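
Review bot: In the auth-rpcgss-module.service hunk, the new Wants= line drops rpc-svcgssd.service while the Before= line directly above it still lists rpc-svcgssd.service. That is consistent, since Before= only orders units and has no effect when rpc-svcgssd.service is not part of the transaction, but nothing in the unit file says so. A one-line comment above Wants= noting that rpc-svcgssd.service is server-only and is now pulled in from the NFS server unit would keep a later editor from "restoring" it to match the Before= list.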
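
Review bot: The file names in the second hunk's header disagree: the Index: line says pkg-nfs-utils/systemd/nfs-kernel-server.service, but the --- and +++ lines both name systemd/nfs-server.service. Please make them agree on the file that actually exists in the packaging tree, otherwise the added "Wants=auth-rpcgss-module.service rpc-svcgssd.service" may be applied to a different unit than intended or fail to apply, which would leave rpc-svcgssd.service pulled in by nothing once the first hunk removes it from auth-rpcgss-module.service.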