From: Patrick Goetz <pgoetz@math.utexas.edu>
To: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Restricting UDP access triggers systemd dependency issues
Date: Wed, 1 Aug 2018 13:11:46 -0500
Message-ID: <63d1365d-d178-0d4b-1755-51418fe9a438@math.utexas.edu>

Not sure if this list is an appropriate venue for this issue, but I 
can't think of where else to post.

On an Ubuntu 18.04 machine, with version 1:1.3.4-2.1ubuntu5 of the 
nfs-kernel-server package, I have the following strange issue.  The 
machine is joined to an AD domain, but the NFS service is completely 
independent from the directory service.

If I enable an rpc.nfsd environment variable restricting UDP access:

root@snakeskin:/lib/systemd/system# cat /run/sysconfig/nfs-utils
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids -N 2 -N 3 -U"
STATDARGS=""
RPCSVCGSSDARGS=""


The nfs-kernel-server service refuses to start. (I've experimented with 
all RPCMOUNTDARGS options, and the problem only occurs when -U is in the 
list.)

root@snakeskin:/lib/systemd/system# systemctl restart nfs-kernel-server
A dependency job for nfs-server.service failed. See 'journalctl -xe' for 
details.

The failed service is rpc.svcgssd:

================================================
Aug 01 12:58:21 snakeskin rpc.svcgssd[5635]: ERROR: GSS-API: error in 
gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code 
may provide more information) - No key table entry found matching nfs/@
Aug 01 12:58:21 snakeskin rpc.svcgssd[5635]: unable to obtain root 
(machine) credentials
Aug 01 12:58:21 snakeskin rpc.svcgssd[5635]: do you have a keytab entry 
for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Aug 01 12:58:21 snakeskin systemd[1]: rpc-svcgssd.service: Control 
process exited, code=exited status=1
Aug 01 12:58:21 snakeskin systemd[1]: rpc-svcgssd.service: Failed with 
result 'exit-code'.
Aug 01 12:58:21 snakeskin systemd[1]: Failed to start RPC security 
service for NFS server.
-- Subject: Unit rpc-svcgssd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Unit rpc-svcgssd.service has failed.
=====================================================

As indicated in the /etc/default/nfs-kernel-server file, this service 
shouldn't even be needed unless kerberos is managing exports:

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=""

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=""


However, the "NEED_SVCGSSD" setting isn't processed by nfs-config.service, and 
setting it explicitly to "no" has no effect.  Also notice RPCSVCGSSDOPTS, 
which is converted to RPCSVCGSSDARGS by the nfs-config.service script, 
/usr/lib/systemd/scripts/nfs-utils_env.sh:

   echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\"

This isn't being picked up by the rpc-svcgssd service, which is looking 
for a differently named environment variable:

============================================================
root@snakeskin:/lib/systemd/system# cat rpc-svcgssd.service
[Unit]
Description=RPC security service for NFS server
DefaultDependencies=no
Requires=run-rpc_pipefs.mount
After=run-rpc_pipefs.mount local-fs.target
PartOf=nfs-server.service
PartOf=nfs-utils.service

ConditionPathExists=/etc/krb5.keytab

Wants=nfs-config.service
After=nfs-config.service

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
============================================================

It seems that someone clearly messed up the service files, but is it the 
Debian package maintainer or upstream?

Also, is there a solution to not allowing UDP service while still 
allowing rpc.nfsd to run?
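The mismatch described in the post (nfs-config.service writes RPCSVCGSSDARGS into the environment file while the unit's ExecStart expands $SVCGSSDARGS, so the daemon runs with no arguments) is easy to catch mechanically: read the variable names a unit references in its Exec* lines and confirm each one is assigned either in the unit's own Environment= lines or in its EnvironmentFile. The script below is an added example written for this page, not code from the post, from nfs-utils or from the Debian packaging. It builds two constructed sample files from the contents quoted above in a temporary directory so it runs offline; on a real host the same check_unit_env function would be pointed at /run/sysconfig/nfs-utils and /lib/systemd/system/rpc-svcgssd.service.

```shell
#!/bin/sh
# Added example (not from the original post): find $VAR references in a
# systemd unit's Exec* lines that are not defined in its EnvironmentFile
# or in an Environment= line of the unit itself.

# Constructed sample inputs, copied from the files quoted in the post.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/nfs-utils" <<'EOF'
PIPEFS_MOUNTPOINT=/run/rpc_pipefs
RPCNFSDARGS=" 8"
RPCMOUNTDARGS="--manage-gids -N 2 -N 3 -U"
STATDARGS=""
RPCSVCGSSDARGS=""
EOF

cat > "$TMPD/rpc-svcgssd.service" <<'EOF'
[Unit]
Description=RPC security service for NFS server
ConditionPathExists=/etc/krb5.keytab

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
Type=forking
ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
EOF

# unit_env_vars UNITFILE
# Print every $VAR or ${VAR} referenced in Exec* directives, one per line,
# sorted and de-duplicated.
unit_env_vars() {
    grep -E '^Exec(Start|StartPre|StartPost|Stop|StopPost|Reload)=' "$1" \
      | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' \
      | tr -d '${}' \
      | sort -u
}

# var_defined ENVFILE UNITFILE VAR
# Succeed if VAR is assigned in ENVFILE (KEY=value lines) or in an
# Environment= line of UNITFILE.
var_defined() {
    grep -qE "^[[:space:]]*${3}=" "$2" 2>/dev/null && return 0
    grep -qE "^Environment=.*(^|[[:space:]\"])${3}=" "$1" && return 0
    return 1
}

# check_unit_env ENVFILE UNITFILE
# Report each referenced variable that has no definition; return 1 if any.
check_unit_env() {
    rc=0
    for v in $(unit_env_vars "$2"); do
        if var_defined "$2" "$1" "$v"; then
            echo "ok:      $v"
        else
            echo "MISSING: $v is expanded in $2 but never assigned in $1"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed files; on a real host use the live paths:
#   check_unit_env /run/sysconfig/nfs-utils /lib/systemd/system/rpc-svcgssd.service
check_unit_env "$TMPD/nfs-utils" "$TMPD/rpc-svcgssd.service"
```

On the sample input the script reports SVCGSSDARGS as missing and exits non-zero, which is exactly the rpc-svcgssd case from the post; the same check applied across /lib/systemd/system/*.service plus their EnvironmentFile= targets flags any other unit whose arguments silently evaluate to nothing.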

