Linux NFS development
From: Steve Dickson <steved@redhat.com>
To: Joachim Falk <joachim.falk@gmx.de>, linux-nfs@vger.kernel.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [PATCH] systemd: Don't degrade system state for nfs-clients when krb5 keytab present but not containing the nfs/<FQDN> principal.
Date: Wed, 11 Jan 2023 10:54:51 -0500
Message-ID: <158626f0-33ef-a458-26a5-2ab792b00b0c@redhat.com>
In-Reply-To: <20221207202841.525930-1-joachim.falk@gmx.de>



On 12/7/22 3:28 PM, Joachim Falk wrote:
> The nfs-client.target requires the auth-rpcgss-module.service, which in
> turn requires the rpc-svcgssd.service. However, the rpc.svcgssd daemon
> is unnecessary for an NFS client, even when using Kerberos security.
> Moreover, starting this daemon with its default configuration will fail
> when no nfs/<host>@REALM principal is in the Kerberos keytab. Thus,
> resulting in a degraded system state for NFS client configurations
> without nfs/<host>@REALM principal in the Kerberos keytab. However, this
> is a perfectly valid NFS client configuration as the nfs/<host>@REALM
> principal is not required for mounting NFS file systems. This is even
> the case when Kerberos security is enabled for the mount!
> 
> Installing the gssproxy package hides this problem as this disables the
> rpc-svcgssd.service.
> 
> Link: http://bugs.debian.org/985002
> Link: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/23
> 
> Signed-off-by: Joachim Falk <joachim.falk@gmx.de>
Committed... (tag: nfs-utils-2-6-3-rc6)

steved
> ---
>   systemd/auth-rpcgss-module.service | 2 +-
>   systemd/nfs-server.service         | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/systemd/auth-rpcgss-module.service b/systemd/auth-rpcgss-module.service
> index 25c9de80..4a69a7b7 100644
> --- a/systemd/auth-rpcgss-module.service
> +++ b/systemd/auth-rpcgss-module.service
> @@ -8,7 +8,7 @@
>   Description=Kernel Module supporting RPCSEC_GSS
>   DefaultDependencies=no
>   Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service
> -Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service
> +Wants=gssproxy.service rpc-gssd.service
>   ConditionPathExists=/etc/krb5.keytab
>   ConditionVirtualization=!container
> 
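Review bot: The unchanged `Before=` line in this hunk still names rpc-svcgssd.service while the new `Wants=` line no longer does, and nothing in the unit explains the difference. Keeping the ordering is reasonable, since the RPCSEC_GSS module should still be loaded first on hosts where something else starts rpc-svcgssd.service, but a one-line comment above `Wants=` saying that rpc-svcgssd.service is now pulled in only by nfs-server.service would keep a later cleanup from re-adding it here or dropping it from `Before=`.
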
> diff --git a/systemd/nfs-server.service b/systemd/nfs-server.service
> index b432f910..2cdd7868 100644
> --- a/systemd/nfs-server.service
> +++ b/systemd/nfs-server.service
> @@ -15,7 +15,7 @@ After=nfsdcld.service
>   Before=rpc-statd-notify.service
> 
>   # GSS services dependencies and ordering
> -Wants=auth-rpcgss-module.service
> +Wants=auth-rpcgss-module.service rpc-svcgssd.service
>   After=rpc-gssd.service gssproxy.service rpc-svcgssd.service
> 
>   [Service]
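
Review bot: The new `Wants=auth-rpcgss-module.service rpc-svcgssd.service` line pulls rpc-svcgssd.service into every nfs-server.service start, and no keytab condition is visible on that path; the `ConditionPathExists=/etc/krb5.keytab` shown in this patch belongs to auth-rpcgss-module.service. Please confirm that rpc-svcgssd.service carries its own condition (that unit is not part of this diff), so that an NFS server without a keytab does not pick up a failed unit. Extending the `# GSS services dependencies and ordering` comment to say that the server-side daemon is wanted here rather than by auth-rpcgss-module.service, so that clients do not start it, would also document the intent.
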
> --
> 2.35.1
> 

