Bug#985002: nfs-common: Degraded system state if nfs-common installed and /etc/krb5.keytab present

2021-03-12 Thread Felix Lechner
Hi,

On Thu, Mar 11, 2021 at 11:27 AM Joachim Falk  wrote:
>
> gssproxy ... hides this problem

Should we recommend, or even require, the use of gssproxy with
Kerberos? Then we could keep all keytabs in the single file
/etc/krb5.keytab. It would sidestep a huge class of bugs, among them
Bug#848306, Bug#849608 and Bug#849942?

I added a remark about gssproxy to the Wiki for NFS/Kerberos [1].

Kind regards
Felix Lechner

[1] https://wiki.debian.org/NFS/Kerberos



Bug#985002: nfs-common: Degraded system state if nfs-common installed and /etc/krb5.keytab present

2021-03-11 Thread Joachim Falk
Package: nfs-common
Version: 1:1.3.4-4
Severity: normal
Tags: patch
X-Debbugs-Cc: felix.lech...@lease-up.com

The nfs-client.target requires the auth-rpcgss-module.service, which in
turn requires rpc-svcgssd.service. However, the rpc.svcgssd daemon is
not needed for an NFS client, even when using Kerberos security.
Moreover, starting this daemon with its default configuration will fail
when no nfs/@REALM principal is in the Kerberos keytab. This results
in a degraded system state for NFS client configurations without an
nfs/@REALM principal in the Kerberos keytab. However, this is a
perfectly valid NFS client configuration, as the nfs/@REALM principal
is not required for mounting NFS file systems. This is even the case
when Kerberos security is enabled for the mount!

Note that installing the gssproxy package hides this problem, as it
disables the rpc-svcgssd.service.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home   /home   nfs4  sec=krb5p,nodev,nosuid,noatime,async  0  0
nfs.jfalk.de:/local  /local  nfs4  sec=krb5p,nodev,nosuid,noatime,async  0  0
nfs.jfalk.de:/opt    /opt    nfs4  sec=krb5p,nodev,nosuid,noatime,async  0  0
# the auto mounter map /etc/auto.nfs handles these
#nfs.jfalk.de:/bulk-data  /bulk-data  nfs4  sec=krb5p,nodev,nosuid,noatime,async  0  0
-- /proc/mounts --
nfs.jfalk.de:/local /local nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/opt /opt nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
nfs.jfalk.de:/home /home nfs4 rw,nosuid,nodev,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.192.128,local_lock=none,addr=192.168.194.37 0 0
/etc/auto.nfs /var/autofs/nfs autofs rw,relatime,fd=6,pgrp=1106,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=12280 0 0

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6.1-2
ii  libc6               2.31-9
ii  libcap2             1:2.44-1
ii  libcom-err2         1.46.1-1
ii  libdevmapper1.02.1  2:1.02.175-2.1
ii  libevent-2.1-7      2.1.12-stable-1
ii  libgssapi-krb5-2    1.18.3-4
ii  libkeyutils1        1.6.1-2
ii  libkrb5-3           1.18.3-4
ii  libmount1           2.36.1-7
ii  libnfsidmap2        0.25-6
ii  libtirpc3           1.3.1-1
ii  libwrap0            7.6.q-31
ii  lsb-base            11.1.0
ii  rpcbind             1.2.5-9
ii  ucf                 3.0043

Versions of packages nfs-common recommends:
pn  python  

Versions of packages nfs-common suggests:
pn  open-iscsi  
pn  watchdog

-- Configuration Files:
/etc/default/nfs-common changed:
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=


-- no debconf information
Description: The rpc.svcgssd daemon is not needed for an NFS client, even
 when using Kerberos security. Moreover, starting this daemon with its
 default configuration will fail when no nfs/@REALM principal is in
 the krb5.keytab. Furthermore, the nfs/@REALM principal is unneeded
 for an NFS client configuration. This results in a degraded system
 state for NFS client configurations without an nfs/@REALM principal
 in the krb5.keytab.
Author: Joachim Falk 

Index: pkg-nfs-utils/systemd/auth-rpcgss-module.service
===
--- pkg-nfs-utils.orig/systemd/auth-rpcgss-module.service   2020-09-04 
10:04:07.018816047 +0200
+++ pkg-nfs-utils/systemd/auth-rpcgss-module.service2020-09-04 
10:04:25.586617690 +0200
@@ -8,7 +8,7 @@
 Description=Kernel Module
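The condition described in this report (rpc-svcgssd.service pulled in through auth-rpcgss-module.service while the client keytab holds no nfs/ principal) and the case Felix raises above (a client whose dependency tree no longer contains rpc-svcgssd.service) can both be recognised from two listings an administrator already has at hand: `klist -k` and `systemctl list-dependencies nfs-client.target`. The triage helper below is an added example, not part of the report, the attached patch or nfs-utils; the function names, the sample listings, the host name client.example.test and the realm EXAMPLE.TEST are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from Bug#985002 or nfs-utils): decide from a keytab
# listing and a systemd dependency listing whether an NFS client will come
# up in the degraded state the report describes.

# Constructed `klist -k` output for a client that only has a host/ principal,
# which is the valid client configuration the report says still fails.
SAMPLE_KEYTAB_CLIENT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST
   2 host/client.example.test@EXAMPLE.TEST'

# Constructed `klist -k` output for a machine that also exports NFS and
# therefore holds the nfs/ principal rpc.svcgssd needs.
SAMPLE_KEYTAB_SERVER='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST
   2 nfs/client.example.test@EXAMPLE.TEST'

# Constructed `systemctl list-dependencies nfs-client.target` output with the
# dependency chain from the report (target -> auth-rpcgss-module -> svcgssd).
SAMPLE_DEPS_STOCK='nfs-client.target
● ├─auth-rpcgss-module.service
● │ └─rpc-svcgssd.service
● ├─nfs-blkmap.service
● └─remote-fs-pre.target'

# Constructed dependency tree from which rpc-svcgssd.service is absent.
SAMPLE_DEPS_FIXED='nfs-client.target
● ├─auth-rpcgss-module.service
● ├─nfs-blkmap.service
● └─remote-fs-pre.target'

# True if the keytab listing contains a principal starting with the given
# service prefix, e.g. "nfs/". In klist -k output the principal is field 2.
keytab_has_service() {
    kt_listing=$1
    kt_service=$2
    printf '%s\n' "$kt_listing" | awk -v svc="$kt_service" '
        NF >= 2 && index($2, svc) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# True if the named unit appears anywhere in the dependency listing.
deps_pull_in() {
    dep_listing=$1
    dep_unit=$2
    printf '%s\n' "$dep_listing" | grep -q -- "$dep_unit"
}

# Combine both checks into the verdict. Output starts with "ok:" or "degraded:".
diagnose() {
    d_keytab=$1
    d_deps=$2
    if ! deps_pull_in "$d_deps" rpc-svcgssd.service; then
        echo "ok: rpc-svcgssd.service is not pulled in by nfs-client.target"
    elif keytab_has_service "$d_keytab" nfs/; then
        echo "ok: rpc-svcgssd.service is pulled in, but an nfs/ principal is in the keytab"
    else
        echo "degraded: rpc-svcgssd.service is pulled in and no nfs/ principal is in the keytab"
    fi
}

# With --live, run against the real system (reading /etc/krb5.keytab needs root).
case ${1:-} in
    --live)
        diagnose "$(klist -k /etc/krb5.keytab 2>/dev/null)" \
                 "$(systemctl list-dependencies nfs-client.target 2>/dev/null)"
        ;;
    "")
        diagnose "$SAMPLE_KEYTAB_CLIENT" "$SAMPLE_DEPS_STOCK"
        ;;
esac
```

Run without arguments it evaluates the constructed samples; with `--live` it feeds the real `klist -k` and `systemctl list-dependencies` output through the same functions. The live mode only looks at whether the unit is listed, so a unit that is present in the tree but disabled or masked (as the report says happens when gssproxy is installed) should additionally be confirmed with `systemctl is-enabled rpc-svcgssd.service`.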