
Bug#832609: rpc-gssd.service: fails to start when keytab exists (ActiveDirectory member) but rpcsec_gss_krb5 module is not loaded


Alban Browaeys

Jul 27, 2016, 10:10:02 AM
Package: nfs-common
Version: 1:1.2.8-9.1
Severity: normal
File: /lib/systemd/system/rpc-gssd.service

Dear Maintainer,
I get:
systemd[1]: Starting RPC security service for NFS server...
rpc.svcgssd[4860]: libnfsidmap: using (default) domain: <my AD domain>
systemd[1]: Started RPC security service for NFS server.
rpc.svcgssd[4860]: libnfsidmap: Realms list: '< my realm >'
rpc.svcgssd[4860]: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
rpc.svcgssd[4860]: failed to open /proc/net/rpc/auth.rpcsec.init/channel: No such file or directory

If I do:
modprobe rpcsec_gss_krb5
then all is fine.

Could you add a file in /usr/lib/modules-load.d/ per
http://0pointer.de/public/systemd-man/modules-load.d.html ?

Cheers
Alban

PS: a side note, but it might help to reproduce:
this is on an NFS client box, which is also a member of a Samba AD domain.
rpc-svcgssd finds the /etc/krb5.keytab but finds no nfs SPN.
The error is :

systemctl status rpc-svcgssd
● rpc-svcgssd.service - RPC security service for NFS server
Loaded: loaded (/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since jeu. 2016-07-07 19:05:45 CEST; 5h 22min ago

systemd[1]: Starting RPC security service for NFS server...
systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
systemd[1]: Failed to start RPC security service for NFS server.
systemd[1]: rpc-svcgssd.service: Unit entered failed state.
systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.
With debug I get:
ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No key table entry found matching nfs/@

I add the nfs SPN with:
" adcli join -N <my netbios client> -K /etc/krb5.keytab -V nfs <my AD domain> "
(mind that I cannot use "net ads keytab add nfs", as I joined with realmd; if done so without the
--membership-software=samba flag, the latter fails to apply silently - if executed without the -d<n> flag -
see:
https://bugzilla.redhat.com/show_bug.cgi?id=1271618 )
and then the issue at stake exhibits.





-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-rc7prahal+ (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii adduser 3.115
ii init-system-helpers 1.39
ii libc6 2.23-2
ii libcap2 1:2.25-1
ii libcomerr2 1.43.1-1
ii libdevmapper1.02.1 2:1.02.130-1
ii libevent-2.0-5 2.0.21-stable-2+b1
ii libgssapi-krb5-2 1.14.2+dfsg-1
ii libk5crypto3 1.14.2+dfsg-1
ii libkeyutils1 1.5.9-9
ii libkrb5-3 1.14.2+dfsg-1
ii libmount1 2.28-6
ii libnfsidmap2 0.25-5
ii libtirpc1 0.2.5-1
ii libwrap0 7.6.q-25
ii lsb-base 9.20160629
ii rpcbind 0.2.3-0.5
ii ucf 3.0036

Versions of packages nfs-common recommends:
ii python 2.7.11-2

Versions of packages nfs-common suggests:
pn open-iscsi <none>
ii watchdog 5.15-1

-- no debconf information

Harald Dunkel

Nov 19, 2019, 11:10:02 AM
I cannot confirm the fix. Even when rpcsec_gss_krb5 *is* loaded,
rpc-svcgssd.service still fails for Buster:

root@srvl064:/etc# systemctl daemon-reload
root@srvl064:/etc# systemctl restart rpc-svcgssd
Job for rpc-svcgssd.service failed because the control process exited with error code.
See "systemctl status rpc-svcgssd.service" and "journalctl -xe" for details.
root@srvl064:/etc# systemctl status rpc-svcgssd
* rpc-svcgssd.service - RPC security service for NFS server
Loaded: loaded (/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-11-19 16:45:35 CET; 5s ago
Process: 1809 ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS (code=exited, status=1/FAILURE)

Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: Starting RPC security service for NFS server...
Nov 19 16:45:35 srvl064.ac.aixigo.de rpc.svcgssd[1810]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No key table entry found matching nfs/@
Nov 19 16:45:35 srvl064.ac.aixigo.de rpc.svcgssd[1810]: unable to obtain root (machine) credentials
Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: rpc-svcgssd.service: Control process exited, code=exited, status=1/FAILURE
Nov 19 16:45:35 srvl064.ac.aixigo.de rpc.svcgssd[1810]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.
Nov 19 16:45:35 srvl064.ac.aixigo.de systemd[1]: Failed to start RPC security service for NFS server.
root@srvl064:/etc# lsmod | grep rpcsec_gss_krb5
rpcsec_gss_krb5 45056 1
auth_rpcgss 73728 2 rpcsec_gss_krb5
sunrpc 425984 13 nfsv4,auth_rpcgss,lockd,rpcsec_gss_krb5,nfs


journalctl -xe showed:

ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No key table entry found matching nfs/@

Of course the nfs entry in the keytab has been omitted on purpose.


Regards
Harri
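
The two start-up failures reported in this thread (the missing /proc/net/rpc/auth.rpcsec.init/channel and the missing nfs/ keytab entry) can be told apart before the service is started. The shell script below is an added example, not part of either message or of nfs-utils; the function names and the example.test principals are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Separates the two rpc.svcgssd start-up
# failures seen in the logs above: missing kernel module vs. missing nfs SPN.

# The upcall channel exists only once the kernel RPCSEC_GSS code is loaded
# (the reporter's workaround was: modprobe rpcsec_gss_krb5).
has_gss_channel() {
    [ -e "$1" ]
}

# Reads `klist -k` output on stdin; succeeds if a data line
# ("<kvno> <principal>") names a principal starting with "nfs/".
has_nfs_spn() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// { found = 1 } END { exit !found }'
}

# svcgssd_preflight [channel-path] [file with klist -k output]
# Prints one diagnosis per failed check and returns the number of failures.
svcgssd_preflight() {
    chan=${1:-/proc/net/rpc/auth.rpcsec.init/channel}
    failed=0
    if ! has_gss_channel "$chan"; then
        echo "module-missing: $chan absent, load rpcsec_gss_krb5"
        failed=$((failed + 1))
    fi
    if ! has_nfs_spn < "${2:-/dev/null}"; then
        echo "spn-missing: no nfs/<host>@<REALM> key in the keytab"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample: keytab listing of an AD member joined without an nfs SPN.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST
   2 CLIENT$@EXAMPLE.TEST
EOF
}

# Demo on the constructed listing with a channel path that does not exist.
tmp=$(mktemp) && sample_klist > "$tmp"
svcgssd_preflight /nonexistent/channel "$tmp" || echo "failed checks: $?"
rm -f "$tmp"
```

On a real host, save the output of `klist -k /etc/krb5.keytab` to a file and pass it as the second argument, with an empty first argument to check the real /proc path.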