Bug#846950: Merge request for nfs-utils to fix bugs #846950, #849942, #849608

Sat, 06 Mar 2021 02:15:15 -0800 

Hi Salvatore,

I have a merge request 
(https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/5) open
on nfs-utils. This merge request was marked as WIP due to possible porting to 
nfs-utils 2.4.1.
However, as bullseye froze softly, a switch to nfs-utils 2.4.1 seems unlikely. 
I CCed all the
fixed bugs asking for feedback, unfortunately there was almost no response. 
However, the patched
nfs-utils 1:1.3.4-5~RC5 has run on my machines for half a year now without any 
issues.

Hence, would you consider applying the merge request as is to fix these bugs. 
Explanation and
fixed issues are described below:

  * debian/nfs-utils_env.sh: Correctly propagate RPCGSSDOPTS from
    /etc/default/nfs-common to rpc-gssd.service. Even though RPCGSSDOPTS
    was not documented or explicitly exposed in /etc/default/nfs-common,
    it’s used by the init script and there are people that have been
    relying on this for a while. (Closes: #846950)
  * Replace hardcoded keytab check in rpc-gssd.service with NEED_GSSD and
    auto detection of kerberized NFS mounts in /etc/fstab. Auto detection
    logic is in the nfs-utils_need_gssd_check.sh script. (Closes: #849608)
  * Fix kerberized NFS service inside Linux containers when the container
    host loads the auth_rpcgss kernel module to enable kerberized NFS
    service for its containers.
  * Replace hardcoded keytab check in rpc-svcgssd.service with NEED_SVCGSSD
    and auto detection of kerberized NFS exports in /etc/exports. Auto
    detection logic is in the nfs-utils_need_svcgssd_check.sh script.
    (Closes: #849942)
  * Replace hardcoded keytab check in auth-rpcgss-module.service with
    NEED_GSSD and auto detection of kerberized NFS mounts in /etc/fstab as
    well as NEED_SVCGSSD and auto detection of kerberized NFS exports in
    /etc/exports. Auto detection logic is in the scripts
    nfs-utils_need_gssd_check.sh and nfs-utils_need_svcgssd_check.sh.
    (Closes: #849942, #849608)
  * Only start the rpc-svcgssd.service when the nfs-kernel-server.service is
    requested. The rpc.svcgssd daemon is not needed for an NFS client, even
    when using Kerberos security. Moreover, starting this daemon with its
    default configuration will fail when no nfs/<host>@REALM principal is in
    the krb5.keytab. Furthermore, the nfs/<host>@REALM principal is unneeded
    for an NFS client configuration. Thus, resulting in a degraded system
    state for NFS client configurations without nfs/<host>@REALM principal in
    the krb5.keytab.

With kind Regards,

Joachim Falk

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply via email to