Re: [PATCH 1/2] nfs-service: Added the starting of gssproxy

[Simo Sorce <simo@redhat.com>]

On Tue, 23 Sep 2014 11:20:00 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:

> On Tue, Sep 23, 2014 at 08:48:54AM -0400, Simo Sorce wrote:
> > On Tue, 23 Sep 2014 12:08:04 +1000
> > NeilBrown <neilb@suse.de> wrote:
> > > I don't think you want an install section.  That means the service
> > > has to be explicitly enabled, which is a pain.
> > > I think nfs-server.service should Want= this.
> > > I also think 
> > > 
> > >   ConditionPathExists=/etc/krb5.keytab
> > > 
> > > would be appropriate.
> > 
> > If GSS-Proxy is in use the administrator may choose to use a keytab
> > in a different location, so I am not entirely sure we should depend
> > on /etc/krb5.keytab, however it is also ok to decide that if the
> > admin wants to use a different place that they create a custom unit
> > file. Up to you.
> 
> Note we're already using the same line in rpc-gssd.service and
> rpc-svcgssd.service.
> 
> Can you suggest a better "does this host have krb5 configured?" test?
> 
> I think false positives are OK, but not false negatives.
> 
> (So, if we run those daemons unnecessarily it may annoy some people,
> but if we fail to run them when they're needed then things really
> don't work.)

I would simply not test for presence of a keytab if it were my call.

If the admin decided to start nfs-secure I assume he already got the
proper key material, ie I am not so sure that double-checking the admin
in the unit files is right for gssproxy, because gssproxy has
directives that allow the admin to put the keytab elsewhere.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York