Your message dated Wed, 29 Apr 2026 08:05:30 +0200
with message-id <[email protected]>
and subject line Re: Bug#1134846: nfs-kernel-server: NFS server fails to start 
without Kerberos on Debian 13 (Trixie) — hard dependency chain prevents NFSv3 
and NFSv4
has caused the Debian Bug report #1134846,
regarding nfs-kernel-server: NFS server fails to start without Kerberos on 
Debian 13 (Trixie) — hard dependency chain prevents NFSv3 and NFSv4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134846
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nfs-kernel-server
Version: 1:2.8.3-1
Severity: important
Tags: trixie

Dear Maintainer,

I am reporting a regression in Debian 13 (Trixie) that prevents the NFS
server from starting unless Kerberos is configured. This affects both
NFSv4 and NFSv3, even when Kerberos is explicitly disabled and NFSv3 is
forced.

This behavior breaks long-standing compatibility and makes NFS unusable
in common environments where Kerberos is not required.

----------------------------------------------------------------------
STEPS TO REPRODUCE (Minimal Reproducible Test Case)
----------------------------------------------------------------------

1. Install Debian 13 (Trixie) fully updated.
2. Install NFS server:
   apt install nfs-kernel-server nfs-common rpcbind
3. Disable Kerberos:
   echo "NEED_IDMAPD=no" >> /etc/default/nfs-common
   echo "NEED_GSSD=no" >> /etc/default/nfs-common
4. Force NFSv3:
   echo 'RPCNFSDOPTS="--nfs-version 3"' >> /etc/default/nfs-kernel-server
5. Mask Kerberos services:
   systemctl mask rpc-gssd
   systemctl mask rpc-svcgssd
6. Reload systemd:
   systemctl daemon-reload
   systemctl reset-failed
7. Start NFS:
   systemctl restart nfs-kernel-server

----------------------------------------------------------------------
ACTUAL RESULT
----------------------------------------------------------------------

NFS fails to start:

  A dependency job for nfs-server.service failed.

----------------------------------------------------------------------
LOGS (systemctl, journalctl, exportfs)
----------------------------------------------------------------------

systemctl status nfs-server.service:
------------------------------------
nfs-server.service: Job nfs-server.service/start failed with result 'dependency'.
Dependency failed for nfs-server.service - NFS server and services.

systemctl status rpc-svcgssd:
-----------------------------
ConditionPathExists=/etc/krb5.keytab was not met

systemctl status rpc-gssd:
--------------------------
Job rpc-gssd.service/start failed with result 'dependency'

systemctl status nfs-idmapd:
----------------------------
Job nfs-idmapd.service/start failed with result 'dependency'

journalctl -xeu nfs-idmapd:
---------------------------
nfs-idmapd.service: Job nfs-idmapd.service/start failed with result 'dependency'

exportfs -v:
------------
(no exports shown because nfs-server never starts)

----------------------------------------------------------------------
EXPECTED RESULT
----------------------------------------------------------------------

NFS should start normally when:

- Kerberos is not configured
- NFSv3 is explicitly selected
- gssd/idmapd are disabled
- Kerberos services are masked

This has been the expected behavior in Debian for decades.

----------------------------------------------------------------------
IMPACT
----------------------------------------------------------------------

This regression:

- makes NFS unusable without Kerberos
- breaks NFSv3 entirely
- breaks NFSv4 without security
- affects homelabs, small servers, educational environments
- breaks compatibility with Debian 11/12
- prevents NFS usage in Proxmox VMs and containers
- forces Kerberos even when not desired or configured

----------------------------------------------------------------------
POSSIBLE CAUSE
----------------------------------------------------------------------

The systemd unit `nfs-server.service` appears to enforce hard
dependencies on:

- rpc-gssd.service
- rpc-svcgssd.service
- nfs-idmapd.service
- nfs-mountd.service

even when:

- NEED_GSSD=no
- NEED_IDMAPD=no
- NFSv3 is forced
- Kerberos is not configured
- the services are masked

This suggests a regression in the unit dependency structure.

----------------------------------------------------------------------
SUGGESTED FIX (systemd unit diff)
----------------------------------------------------------------------

Proposed change to /usr/lib/systemd/system/nfs-server.service:

--- nfs-server.service.orig
+++ nfs-server.service
-[Unit]
-Requires=rpc-gssd.service rpc-svcgssd.service nfs-idmapd.service 
nfs-mountd.service
-After=rpc-gssd.service rpc-svcgssd.service nfs-idmapd.service 
nfs-mountd.service
+[Unit]
+ConditionPathExists=!/etc/krb5.keytab
+Wants=nfs-mountd.service
+After=nfs-mountd.service
+# Kerberos services should only be required when Kerberos is configured
+ConditionPathExists=/etc/krb5.keytab
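Review bot: The two added conditions in the new [Unit] section, ConditionPathExists=!/etc/krb5.keytab and ConditionPathExists=/etc/krb5.keytab, contradict each other. systemd requires every plain (non-triggering) condition on a unit to hold, so nfs-server.service would be skipped whether or not the keytab exists. The comment above the second line talks about the Kerberos services, yet both conditions sit on nfs-server.service itself; drop both here and leave the keytab check on the Kerberos units, where the rpc-svcgssd status output above already shows ConditionPathExists=/etc/krb5.keytab. The hunk also removes nfs-idmapd.service from Requires= and After= without explanation, and it has no @@ header, so the removed lines cannot be matched against the shipped unit file.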

This would restore historical behavior and allow NFSv3 to function
without Kerberos.

----------------------------------------------------------------------
Thank you for your work maintaining Debian.
Please let me know if you need additional logs or testing.



--- End Message ---
--- Begin Message ---
Hi,

On Sat, Apr 25, 2026 at 02:43:30AM +0000, William Manzanares wrote:
> Package: nfs-kernel-server
> Version: 1:2.8.3-1
> Severity: important
> Tags: trixie
> 
> Dear Maintainer,
> 
> I am reporting a regression in Debian 13 (Trixie) that prevents the NFS
> server from starting unless Kerberos is configured. This affects both
> NFSv4 and NFSv3, even when Kerberos is explicitly disabled and NFSv3 is
> forced.
> 
> This behavior breaks long-standing compatibility and makes NFS unusable
> in common environments where Kerberos is not required.
> 
> ----------------------------------------------------------------------
> STEPS TO REPRODUCE (Minimal Reproducible Test Case)
> ----------------------------------------------------------------------
> 
> 1. Install Debian 13 (Trixie) fully updated.
> 2. Install NFS server:
>    apt install nfs-kernel-server nfs-common rpcbind
> 3. Disable Kerberos:
>    echo "NEED_IDMAPD=no" >> /etc/default/nfs-common
>    echo "NEED_GSSD=no" >> /etc/default/nfs-common
> 4. Force NFSv3:
>    echo 'RPCNFSDOPTS="--nfs-version 3"' >> /etc/default/nfs-kernel-server
> 5. Mask Kerberos services:
>    systemctl mask rpc-gssd
>    systemctl mask rpc-svcgssd
> 6. Reload systemd:
>    systemctl daemon-reload
>    systemctl reset-failed
> 7. Start NFS:
>    systemctl restart nfs-kernel-server

This is actually not a bug. I believe you missed the documented
change:

nfs-utils (1:2.6.1-1) unstable; urgency=medium

  On systems running systemd, changes to command-line options in
  /etc/default/nfs-common or /etc/default/nfs-kernel-server will now
  be ignored.  All those options can instead be set in /etc/nfs.conf
  or /etc/nfs.conf.d/; see nfs.conf(5).

  If either of the files in /etc/default has been changed, the
  command-line options will be converted on upgrade to the file
  /etc/nfs.conf.d/local.conf.

  A future update to nfs-utils will remove the command-line options
  in /etc/default entirely, so even on systems not using systemd
  you should make changes in /etc/nfs.conf.d/ instead.

 -- Ben Hutchings <[email protected]>  Sun, 13 Mar 2022 19:55:09 +0100

Your changes thus have no effect in /etc/default/nfs-common and
/etc/default/nfs-kernel-server.

You can do:

# cat /etc/nfs.conf.d/only-v3.conf
[nfsd]
vers3=y
vers4=n

if you do not want NFSv4 and only v3.  If you want v4 as well without
kerberos, rpc-gssd.service and rpc-svcgssd.service are such that they
only would start if kerberos' /etc/krb5.keytab is configured.

Hope this helps,

Regards,
Salvatore

--- End Message ---
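
An added example, not part of either message or of nfs-utils: a Python check for the situation the reply describes, listing assignments in the /etc/default files that are ignored under systemd and reporting the [nfsd] version keys actually set through /etc/nfs.conf and /etc/nfs.conf.d/. The function names and the sorted-order, last-value-wins merge of drop-ins are assumptions; the sample files are constructed from the commands in the report and the only-v3.conf shown in the reply.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Files the changelog entry says are ignored on systemd systems.
LEGACY_FILES = ("etc/default/nfs-common", "etc/default/nfs-kernel-server")
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def ignored_legacy_settings(root):
    """Return (file, variable, value) for each assignment in the legacy files."""
    found = []
    for rel in LEGACY_FILES:
        path = Path(root) / rel
        if path.is_file():
            for line in path.read_text().splitlines():
                m = ASSIGNMENT.match(line)  # comment lines do not match
                if m:
                    found.append((rel, m.group(1), m.group(2).strip()))
    return found

def effective_nfsd_versions(root):
    """Merge etc/nfs.conf with etc/nfs.conf.d/*.conf; return the [nfsd] vers* keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    files = [Path(root) / "etc/nfs.conf"]
    # Assumption: drop-ins apply in sorted order and later values win.
    files += sorted((Path(root) / "etc/nfs.conf.d").glob("*.conf"))
    cp.read([f for f in files if f.is_file()])
    if not cp.has_section("nfsd"):
        return {}
    return {k: v for k, v in cp.items("nfsd") if k.startswith("vers")}

def demo():
    """Constructed sample: the report's step 3-4 edits plus the reply's only-v3.conf."""
    samples = {
        "etc/default/nfs-common": "NEED_IDMAPD=no\nNEED_GSSD=no\n",
        "etc/default/nfs-kernel-server": 'RPCNFSDOPTS="--nfs-version 3"\n',
        "etc/nfs.conf": "[nfsd]\n# vers3=y\n# vers4=y\n",
        "etc/nfs.conf.d/only-v3.conf": "[nfsd]\nvers3=y\nvers4=n\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return ignored_legacy_settings(root), effective_nfsd_versions(root)

if __name__ == "__main__":
    print(demo())
```

Pointing both functions at `/` instead of the temporary directory audits a live host: any tuple in the first result is a setting an administrator may believe is active but is not.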
