rpc-svcgssd.service makes the system boot degraded

Status changed to 'Confirmed' because the bug affects multiple users.

Looking at my system, where I also do not have any nfs configured the service is inactive but not failed.

bdmurray@blacklightning:~$ sudo systemctl --failed
[sudo] password for bdmurray:
0 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
bdmurray@blacklightning:~$ locate rpc-svcgssd.service
/lib/systemd/system/rpc-svcgssd.service
bdmurray@blacklightning:~$ dpkg -S /lib/systemd/system/rpc-svcgssd.service
nfs-common: /lib/systemd/system/rpc-svcgssd.service
bdmurray@blacklightning:~$ systemctl status -l rpc-svcgssd.service
● rpc-svcgssd.service - RPC security service for NFS server
   Loaded: loaded (/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Tue 2015-06-23 21:09:12 PDT; 12h ago

Jun 23 21:09:12 blacklightning systemd[1]: Started RPC security service for NFS server.

So there must be something different between our systems.

On Wed, Jun 24, 2015 at 04:49:17PM -0000, Brian Murray wrote:
> So there must be something different between our systems.

One of the conditions for starting rpc-svcgssd.service is:

ConditionPathExists=/etc/krb5.keytab

So Dimitri probably has Kerberos configured on his system, but not set up
for svcgssd?

On 24 June 2015 at 19:51, Steve Langasek <email address hidden> wrote:
> On Wed, Jun 24, 2015 at 04:49:17PM -0000, Brian Murray wrote:
>> So there must be something different between our systems.
>
> One of the conditions for starting rpc-svcgssd.service is:
>
> ConditionPathExists=/etc/krb5.keytab
>
> So Dimitri probably has Kerberos configured on his system, but not set up
> for svcgssd?

Yes, I have. I manually invoke kinit, when I need / want kerberos ticket.

--
Regards,

Dimitri.

Should svcgssd even be started on the NFS client?

In comparing to Fedora I found the significance difference.
We don't have a gssproxy.service and the rpc-svcgssd.service we got from upstream definitely depends on that to function correctly.

Disabling "ConditionPathExists=|!/run/gssproxy.pid" because we have nothing creating that file makes rpc-svcgssd not start on bootup so it doesn't fail on the client. Seems we should either package gssproxy or strip it from the service files.

Related bugs: Warning from gssproxy not existing - https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1446851

Removing it, I wasn't sure if I should also remove the -module part. Pastebining it because I haven't done enough testing to make sure it works in all situations.
http://pastebin.ubuntu.com/15126099/

I have test packages/debdiff here: http://people.canonical.com/~bryanquigley/nfs_bug/
Needs more testing on client, and no testing was done on server.

My test fix failed badly in an actual kerberos environment.

Here is a better working fix, please test the ppa https://launchpad.net/~bryanquigley/+archive/ubuntu/lp1452667/

Been tested so far:
Kerberos/NFS Client
and a plain nfs client and server.

The attachment "nfs-utils_1.2.8-9ubuntu12.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Just tested with a kerberoized NFS server/client setup using freeipa server. Worked perfectly.

This bug was fixed in the package nfs-utils - 1:1.2.8-9ubuntu12

---------------
nfs-utils (1:1.2.8-9ubuntu12) xenial; urgency=medium

  * Drop gssproxy as it's not in Ubuntu (LP: #1446851)
  * Fix no nfs doesn't show failed units on client (LP: #1452667)

 -- Bryan Quigley <email address hidden> Wed, 02 Mar 2016 15:01:29 -0500