Package: nfs-kernel-server
Version: 1:2.8.3-1
Severity: important
Tags: trixie

Dear Maintainer,

I am reporting a regression in Debian 13 (Trixie) that prevents the NFS server from starting unless Kerberos is configured. This affects both NFSv4 and NFSv3, even when Kerberos is explicitly disabled and NFSv3 is forced. This behavior breaks long-standing compatibility and makes NFS unusable in common environments where Kerberos is not required.

----------------------------------------------------------------------
STEPS TO REPRODUCE (Minimal Reproducible Test Case)
----------------------------------------------------------------------

1. Install Debian 13 (Trixie) fully updated.

2. Install NFS server:
       apt install nfs-kernel-server nfs-common rpcbind

3. Disable Kerberos:
       echo "NEED_IDMAPD=no" >> /etc/default/nfs-common
       echo "NEED_GSSD=no" >> /etc/default/nfs-common

4. Force NFSv3:
       echo 'RPCNFSDOPTS="--nfs-version 3"' >> /etc/default/nfs-kernel-server

5. Mask Kerberos services:
       systemctl mask rpc-gssd
       systemctl mask rpc-svcgssd

6. Reload systemd:
       systemctl daemon-reload
       systemctl reset-failed

7. Start NFS:
       systemctl restart nfs-kernel-server

----------------------------------------------------------------------
ACTUAL RESULT
----------------------------------------------------------------------

NFS fails to start:

    A dependency job for nfs-server.service failed.

----------------------------------------------------------------------
LOGS (systemctl, journalctl, exportfs)
----------------------------------------------------------------------

systemctl status nfs-server.service:
------------------------------------
nfs-server.service: Job nfs-server.service/start failed with result 'dependency'.
Dependency failed for nfs-server.service - NFS server and services.

systemctl status rpc-svcgssd:
-----------------------------
ConditionPathExists=/etc/krb5.keytab was not met

systemctl status rpc-gssd:
--------------------------
Job rpc-gssd.service/start failed with result 'dependency'

systemctl status nfs-idmapd:
----------------------------
Job nfs-idmapd.service/start failed with result 'dependency'

journalctl -xeu nfs-idmapd:
---------------------------
nfs-idmapd.service: Job nfs-idmapd.service/start failed with result 'dependency'

exportfs -v:
------------
(no exports shown because nfs-server never starts)

----------------------------------------------------------------------
EXPECTED RESULT
----------------------------------------------------------------------

NFS should start normally when:
- Kerberos is not configured
- NFSv3 is explicitly selected
- gssd/idmapd are disabled
- Kerberos services are masked

This has been the expected behavior in Debian for decades.

----------------------------------------------------------------------
IMPACT
----------------------------------------------------------------------

This regression:
- makes NFS unusable without Kerberos
- breaks NFSv3 entirely
- breaks NFSv4 without security
- affects homelabs, small servers, educational environments
- breaks compatibility with Debian 11/12
- prevents NFS usage in Proxmox VMs and containers
- forces Kerberos even when not desired or configured

----------------------------------------------------------------------
POSSIBLE CAUSE
----------------------------------------------------------------------

The systemd unit `nfs-server.service` appears to enforce hard dependencies on:
- rpc-gssd.service
- rpc-svcgssd.service
- nfs-idmapd.service
- nfs-mountd.service

even when:
- NEED_GSSD=no
- NEED_IDMAPD=no
- NFSv3 is forced
- Kerberos is not configured
- the services are masked

This suggests a regression in the unit dependency structure.

---------------------------------------------------------------------- SUGGESTED FIX (systemd unit diff) ---------------------------------------------------------------------- Proposed change to /usr/lib/systemd/system/nfs-server.service: --- nfs-server.service.orig +++ nfs-server.service -[Unit] -Requires=rpc-gssd.service rpc-svcgssd.service nfs-idmapd.service nfs-mountd.service -After=rpc-gssd.service rpc-svcgssd.service nfs-idmapd.service nfs-mountd.service +[Unit] +ConditionPathExists=!/etc/krb5.keytab +Wants=nfs-mountd.service +After=nfs-mountd.service +# Kerberos services should only be required when Kerberos is configured +ConditionPathExists=/etc/krb5.keytab This would restore historical behavior and allow NFSv3 to function without Kerberos. ---------------------------------------------------------------------- Thank you for your work maintaining Debian. Please let me know if you need additional logs or testing.
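
Review bot: the added [Unit] section carries both ConditionPathExists=!/etc/krb5.keytab and ConditionPathExists=/etc/krb5.keytab, which cannot both hold. systemd combines plain Condition lines in a unit with a logical AND, so with this change nfs-server.service would be skipped on every host, whether or not a keytab exists. Both lines also gate nfs-server.service itself rather than the Kerberos daemons the comment refers to, and the rpc-svcgssd status output quoted in the report already shows that unit checking ConditionPathExists=/etc/krb5.keytab on its own. Suggest dropping both Condition lines from this unit and moving rpc-gssd.service, rpc-svcgssd.service and nfs-idmapd.service from Requires= to Wants= while keeping them in After=, since the patch as written also removes the ordering against those units on hosts where Kerberos is in use. The diff has no @@ hunk header, so it would need regenerating before it can be applied.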

