Bug#651558: NFS client initscripts for rpc.svcgssd?

2012-10-08 Thread Nicolas Bourdaud
merge 651558 684416
tags 651558 patch
thanks

Hi all!

I have prepared a patch that should fix this bug. It actually moves the
init part of rpc.svcgssd from nfs-kernel-server into nfs-common.

I have not added any break/replace field to debian/control but it
should be necessary (as well as a notice of the change).

Now a small comment about the patch. Since the default configuration of
rpc.svcgssd is moved from /etc/default/nfs-kernel-server into
/etc/default/nfs-common, to avoid breaking servers at upgrade, I have
implemented a small hack that sources /etc/default/nfs-kernel-server
when starting nfs-common in the case of:
 1- statements about rpc.svcgssd are untouched in /etc/default/nfs-common
AND
 2- there is a file /etc/default/nfs-kernel-server that contains
statements about rpc.svcgssd

Maybe this is really too hackish but I could not think of a better solution.

Please review/comment

Cheers,

Nicolas Bourdaud
From 2e4c1cdecb575857bb32ae57d2d918de6de9d127 Mon Sep 17 00:00:00 2001
From: Nicolas Bourdaud nicolas.bourd...@gmail.com
Date: Sat, 29 Sep 2012 00:08:24 +0200
Subject: [PATCH] Move init script for rpc.svcgssd into nfs-common

---
 debian/nfs-common.default |8 +
 debian/nfs-common.init|   64 +
 debian/nfs-common.manpages|1 +
 debian/nfs-kernel-server.default  |7 
 debian/nfs-kernel-server.init |   25 ---
 debian/nfs-kernel-server.manpages |1 -
 6 files changed, 73 insertions(+), 33 deletions(-)

diff --git a/debian/nfs-common.default b/debian/nfs-common.default
index 0e373e6..0abaf03 100644
--- a/debian/nfs-common.default
+++ b/debian/nfs-common.default
@@ -16,4 +16,12 @@ STATDOPTS=
 NEED_IDMAPD=
 
 # Do you want to start the gssd daemon? It is required for Kerberos mounts.
+# It is also necessary for a server exporting Kerberos mounts of NFSv4.
 NEED_GSSD=
+
+# Do you want to start the svcgssd daemon? It is required for NFSv4 delegations
+# with Kerberos mounts or by a server exporting Kerberos mounts.
+NEED_SVCGSSD=
+
+# Options for rpc.svcgssd
+#RPCSVCGSSDOPTS=
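Review bot: The new NEED_SVCGSSD comment does not say which values are accepted or what an empty value means. Elsewhere in this patch an empty NEED_SVCGSSD makes the init script fall back to /etc/default/nfs-kernel-server and then to auto-detection from /etc/fstab and /etc/exports, so an administrator reading only this file cannot tell that leaving it blank may still start rpc.svcgssd. Suggest documenting "yes", "no" and empty (auto-detect) here, and mentioning the fallback to the server file.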
diff --git a/debian/nfs-common.init b/debian/nfs-common.init
index 4076e31..fe5e238 100644
--- a/debian/nfs-common.init
+++ b/debian/nfs-common.init
@@ -17,16 +17,27 @@ DESC=NFS common utilities
 
 # Read config
 DEFAULTFILE=/etc/default/nfs-common
+DEFAULTSERVERFILE=/etc/default/nfs-kernel-server
 PREFIX=
 NEED_STATD=
 NEED_IDMAPD=
 NEED_GSSD=
+NEED_SVCGSSD=
 PIPEFS_MOUNTPOINT=/var/lib/nfs/rpc_pipefs
 RPCGSSDOPTS=
+RPCSVCGSSDOPTS=
 if [ -f $DEFAULTFILE ]; then
 . $DEFAULTFILE
 fi
 
+# Search default configuration of svcgssd in server configuration if none is
+# specified. Since svcgssd configuration has moved from nfs-kernel-server into
+# nfs-common, we can this way propagate the configuration and avoid breaking
+# at upgrade systems that use it.
+if [ -z $NEED_SVCGSSD ]  [ -f $DEFAULTSERVERFILE ] ; then
+. $DEFAULTSERVERFILE
+fi
+
 . /lib/lsb/init-functions
 
 # Exit if required binaries are missing.
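Review bot: The fallback block added before ". /lib/lsb/init-functions" sources all of $DEFAULTSERVERFILE whenever NEED_SVCGSSD is empty and the file exists, which is broader than the cover message describes. Only "-f" is tested, not whether the file holds any svcgssd statement, and since "NEED_SVCGSSD=" is the shipped default this runs on every host that has the server file. Every other assignment in that file then lands in the nfs-common init environment, after PIPEFS_MOUNTPOINT and the other defaults above have been set, and can silently override them. Suggest reading only NEED_SVCGSSD and RPCSVCGSSDOPTS from the legacy file. As shown, the two tests in the "if" line also have no "&&" between them and $NEED_SVCGSSD is unquoted inside "[ -z ... ]".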
@@ -39,6 +50,7 @@ fi
 #
 AUTO_NEED_IDMAPD=no
 AUTO_NEED_GSSD=no
+AUTO_NEED_SVCGSSD=no
 
 if [ -f /etc/fstab ]; then
 exec 90 /etc/fstab
@@ -58,6 +70,8 @@ if [ -f /etc/fstab ]; then
 
 sec=krb5|*,sec=krb5|sec=krb5,*|*,sec=krb5i,*|sec=krb5i|*,sec=krb5i|sec=krb5i,*|*,sec=krb5i,*|sec=krb5p|*,sec=krb5p|sec=krb5p,*|*,sec=krb5p,*)
 	AUTO_NEED_GSSD=yes
+	# rpc.svcgssd necessary for NFSv4 delegation with kerberos
+AUTO_NEED_SVCGSSD=yes
 ;;
 esac
 done
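Review bot: The added AUTO_NEED_SVCGSSD=yes in the sec=krb5* branch enables rpc.svcgssd for any fstab entry that carries a Kerberos sec= option, while the comment above it justifies this only for NFSv4 delegation. Nothing in this hunk limits the branch to nfs4 entries, so unless the enclosing loop filters on the filesystem type, other Kerberos mounts would also start an extra daemon on the client. Suggest gating on the NFSv4 case, or widening the comment to match what the code does.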
@@ -78,6 +92,16 @@ if [ -f /etc/exports ]  grep -q '^[[:space:]]*[^#]*/' /etc/exports; then
 AUTO_NEED_IDMAPD=yes
 fi
 
+# Both svcgssd and gssd are necessary if we run an NFSv4 server using
+# kerberos. We detect the NFSv4 using the same trick as before. The guess on
+# whether it is using Kerberos or not is based on whether find a krb5 string
+# in a uncommented line.
+if [ -f /etc/exports ]  grep -q -E '^[[:space:]]*[^#].*krb5/' /etc/exports; then
+AUTO_NEED_GSSD=yes
+AUTO_NEED_SVCGSSD=yes
+fi
+
+
 case $NEED_STATD in
 yes|no)
 ;;
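Review bot: The pattern in the new /etc/exports test, '^[[:space:]]*[^#].*krb5/', requires a literal slash directly after "krb5", so a line containing sec=krb5 or gss/krb5 followed by anything other than "/" does not match and the auto-detection never fires for it. The comment skipping is also loose: after leading whitespace, [^#] can match a space and ".*" can then run across a "#", so an indented commented-out line still matches. Suggest dropping the trailing slash and using '^[[:space:]]*[^#[:space:]].*krb5'. The comment block above the test has two slips ("whether find", "a uncommented"), and as shown the "if" line has no "&&" between the file test and the grep.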
@@ -102,6 +126,14 @@ case $NEED_GSSD in
 	;;
 esac
 
+case $NEED_SVCGSSD in
+yes|no)
+;;
+*)
+NEED_SVCGSSD=$AUTO_NEED_SVCGSSD
+	;;
+esac
+
 do_modprobe() {
 if [ -x /sbin/modprobe -a -f /proc/modules ]
 then
@@ -206,6 +238,18 @@ case $1 in
 	exit $RET
 fi
 		fi
+if [ $NEED_SVCGSSD = yes ]
+then
+do_modprobe rpcsec_gss_krb5
+log_progress_msg svcgssd
+start-stop-daemon --start --oknodo --quiet \
+--exec /usr/sbin/rpc.svcgssd -- $RPCSVCGSSDOPTS
+RET=$?
+if [ $RET != 0 ]; then
+log_end_msg $RET
+exit $RET
+fi
+fi
 	fi
 	fi
 	log_end_msg 0
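Review bot: The new svcgssd start block is followed by two closing "fi" lines, so it only runs when an enclosing condition that this hunk does not show is true. Please confirm that condition also covers NEED_SVCGSSD=yes, otherwise a host with only svcgssd enabled never starts it. Separately, "exit $RET" on failure aborts the rest of the start action; combined with auto-detection from /etc/fstab, a client on which rpc.svcgssd cannot start would fail the nfs-common start as a whole. Consider logging a warning instead of exiting when the value came from AUTO_NEED_SVCGSSD.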
@@ -214,6
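
The two-condition fallback described in the message above, written so that only the svcgssd settings are read from the legacy file and nothing in it is executed. This is an added example, not part of the posted patch; the function names and the sample file contents are assumptions made for illustration.

```shell
# Added example (not from the posted patch); function names are hypothetical.

# read_default_var FILE NAME
# Print the value of the last uncommented NAME=value line in FILE.
# Returns 1 if FILE is missing or has no such line. Nothing is executed.
read_default_var() {
    [ -f "$1" ] || return 1
    _line=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1)
    [ -n "$_line" ] || return 1
    _val=${_line#*=}
    case $_val in                   # strip one pair of surrounding quotes
        \"*\") _val=${_val#\"}; _val=${_val%\"} ;;
        \'*\') _val=${_val#\'}; _val=${_val%\'} ;;
    esac
    printf '%s\n' "$_val"
}

# resolve_need_svcgssd CURRENT LEGACY_FILE
# Condition 1: CURRENT (from nfs-common) is not already yes/no.
# Condition 2: LEGACY_FILE carries a yes/no NEED_SVCGSSD statement.
# Prints yes, no, or an empty line (empty = leave it to auto-detection).
resolve_need_svcgssd() {
    case $1 in yes|no) printf '%s\n' "$1"; return 0 ;; esac
    _legacy=$(read_default_var "$2" NEED_SVCGSSD) || _legacy=
    case $_legacy in
        yes|no) printf '%s\n' "$_legacy" ;;
        *)      printf '\n' ;;
    esac
}

# Constructed sample of a legacy server defaults file (hypothetical values).
write_sample_legacy() {
    cat > "$1" <<'EOF'
RPCNFSDCOUNT=8
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS="-v"
PIPEFS_MOUNTPOINT=/srv/other_pipefs
EOF
}

demo() {
    tmp=$(mktemp) && write_sample_legacy "$tmp"
    PIPEFS_MOUNTPOINT=/var/lib/nfs/rpc_pipefs     # value set by nfs-common init
    NEED_SVCGSSD=$(resolve_need_svcgssd "" "$tmp")
    RPCSVCGSSDOPTS=$(read_default_var "$tmp" RPCSVCGSSDOPTS) || RPCSVCGSSDOPTS=
    rm -f "$tmp"
    echo "NEED_SVCGSSD=$NEED_SVCGSSD RPCSVCGSSDOPTS=$RPCSVCGSSDOPTS PIPEFS_MOUNTPOINT=$PIPEFS_MOUNTPOINT"
}
demo
```

Sourcing the same sample file would have replaced PIPEFS_MOUNTPOINT; here it keeps the nfs-common value, and a NEED_SVCGSSD value other than yes or no is ignored.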

Bug#682709: NFS4 krb5 mounts hang under nfs-utils 1.2.6-3

2012-07-27 Thread Nicolas Bourdaud
On 26/07/2012 18:58, Luk Claes wrote:
> Even if that was not the case, NFS is not only about NFS4 or use with
> krb5, so anything above important is wrong as long as these other use
> cases still work.

Sorry, maybe I have a little bit overrated the severity.

> Btw, there are quite some NFS4+krb5 bugs open as none of its maintainers
> use it that way, would you be willing to help out?

I am quite busy these days. However I will try to review the old bug
reports and check whether the new version has fixed them. I will also
try to investigate the remaining ones. I am not a super expert in
NFS+krb5 (just set up a few systems with it) but I will try my best.

Cheers,

Nicolas






Bug#682709: NFS4 krb5 mounts hang under nfs-utils 1.2.6-3

2012-07-26 Thread Nicolas Bourdaud
severity 682709 grave
thanks

Hi,

I am affected by the same bug. I have raised the severity of the bug to
grave because it makes NFSv4 mounts with Kerberos unusable.

Cheers,

Nicolas





Bug#682709: NFS4 krb5 mounts hang under nfs-utils 1.2.6-3

2012-07-26 Thread Nicolas Bourdaud
severity 682709 important
thanks

For a reason I don't understand, after the last reboot of the server and
client, everything works again. I suspect the last configuration changes
(before my previous email) did not propagate correctly because of some
caching (or some other reason that would go beyond my understanding).

Since the bug does not seem to be as systematic as I originally thought,
I set the severity back to the one set by the bug reporter.

Sorry for the noise.

Nicolas


