samba - Nov 2018 - Again NFSv4 and Kerberos at the 'samba way'...

Hai Marco, 
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > Sofar, until tomorrow, 
> 
> Done some tests, metoo.
> 
> 1) seems that nfs-common is disabled 'by design'. Looking at debian
> changelog:
> 
>  nfs-utils (1:1.2.8-9.1) unstable; urgency=medium
> 
>   Partial sync from ubuntu, included changes:
> 
>   [ Martin Pitt ]
>   [...]
>   * 27-systemd-enable-with-systemctl-statd.patch: let the admin
>     enable/disable statd via systemd tools. (LP: #1428486)
> 
>   [...]
>   [ Andreas Henriksson ]
>   * Restore anything related to nfs-common.init and nfs-common.default
>   * debian/nfs-common.links: Mask nfs-common init script with 
> a symlink
>     to /dev/null to avoid using it under systemd.
> 
> so seems you have to enable/disable/mask single services. Note that
> still there are some troubles, eg on client:
> 
> 	root at vdmpp2:~# systemctl start nfs-idmapd
> 	Failed to start nfs-idmapd.service: Unit 
> nfs-server.service not found.
> 
> (but probably idmap is a server-only service, so it is normal?)
> and also seems that /etc/default/nfs-common are *totally* ignored (eg,
> there's no way to pass options to services).
> 
> Anyway, now i'm able to restart nfs/rpc services. ;-)
Ok, thats at least better. 

And no, /etc/default/nfs-common is not ignored. Its just harder to see it. 

systemctl cat nfs-config  
contains :  ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
And the nfs-utils_env.sh contains : 
[ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
[ -r /etc/default/nfs-kernel-server ] && .
/etc/default/nfs-kernel-server

;-) 

And 
/lib/systemd/system/rpc-svcgssd.service
Contains:  ConditionPathExists=/etc/krb5.keytab

Thats all ok. 

All i did for the server was systemctl enable nfs-server
And for the client systemctl enable nfs-client
After the setup, all other servers start if needed based on the settings in 
/etc/default/nfs-common and/or /etc/default/nfs-kernel-server 

> 
> 
> 2) doing some mounts on the same host, with verbose output, i get:
> 
>  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: Success getting 
> keytab entry for 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT'
>  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: WARNING: 
> Preauthentication failed while getting initial ticket for 
> principal 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT' using 
> keytab 'FILE:/etc/krb5.keytab'
>  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: ERROR: No credentials 
> found for connection to server vdmpp1.ad.fvg.lnf.it
> 
> 'Preauthentication'?
Hmm, that is strange, it looks like this computer account is acting like a real
user.
If i look in ADUC, Tab Account, only a user has the option to "disable
preauthentication"
So this might help in solving the problem. 
Can you check in ADUC of you see the Account tab or not. 
If its really a computer, you should not see the Account tab. 


Your are getting closer at least to what is causing this problem. 

Greetz, 

Louis

On Wed, 31 Oct 2018 08:31:17 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Marco, 
> 
> > 
> > Mandi! L.P.H. van Belle via samba
> >   In chel di` si favelave...
> > 
> > > Sofar, until tomorrow, 
> > 
> > Done some tests, metoo.
> > 
> > 1) seems that nfs-common is disabled 'by design'. Looking at
debian
> > changelog:
> > 
> >  nfs-utils (1:1.2.8-9.1) unstable; urgency=medium
> > 
> >   Partial sync from ubuntu, included changes:
> > 
> >   [ Martin Pitt ]
> >   [...]
> >   * 27-systemd-enable-with-systemctl-statd.patch: let the admin
> >     enable/disable statd via systemd tools. (LP: #1428486)
> > 
> >   [...]
> >   [ Andreas Henriksson ]
> >   * Restore anything related to nfs-common.init and
> > nfs-common.default
> >   * debian/nfs-common.links: Mask nfs-common init script with 
> > a symlink
> >     to /dev/null to avoid using it under systemd.
> > 
> > so seems you have to enable/disable/mask single services. Note that
> > still there are some troubles, eg on client:
> > 
> > 	root at vdmpp2:~# systemctl start nfs-idmapd
> > 	Failed to start nfs-idmapd.service: Unit 
> > nfs-server.service not found.
> > 
> > (but probably idmap is a server-only service, so it is normal?)
> > and also seems that /etc/default/nfs-common are *totally* ignored
> > (eg, there's no way to pass options to services).
> > 
> > Anyway, now i'm able to restart nfs/rpc services. ;-)
> 
> Ok, thats at least better. 
> 
> And no, /etc/default/nfs-common is not ignored. Its just harder to
> see it. 
> 
> systemctl cat nfs-config  
> contains :  ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
> And the nfs-utils_env.sh contains : 
> [ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
> [ -r /etc/default/nfs-kernel-server ]
> && . /etc/default/nfs-kernel-server
> 
> ;-) 
> 
> And 
> /lib/systemd/system/rpc-svcgssd.service
> Contains:  ConditionPathExists=/etc/krb5.keytab
> 
> Thats all ok. 
> 
> All i did for the server was systemctl enable nfs-server
> And for the client systemctl enable nfs-client
> After the setup, all other servers start if needed based on the
> settings in /etc/default/nfs-common
> and/or /etc/default/nfs-kernel-server 
Hmm, I wonder if 'nfsidmap' is now being used instead of nfs-common ?
> 
> 
> > 
> > 
> > 2) doing some mounts on the same host, with verbose output, i get:
> > 
> >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: Success getting 
> > keytab entry for 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT'
> >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: WARNING: 
> > Preauthentication failed while getting initial ticket for 
> > principal 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT' using 
> > keytab 'FILE:/etc/krb5.keytab'
> >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: ERROR: No credentials 
> > found for connection to server vdmpp1.ad.fvg.lnf.it
> > 
> > 'Preauthentication'?
> Hmm, that is strange, it looks like this computer account is acting
> like a real user. If i look in ADUC, Tab Account, only a user has the
> option to "disable preauthentication" So this might help in
solving
> the problem. Can you check in ADUC of you see the Account tab or not. 
> If its really a computer, you should not see the Account tab. 
> 
A computer is a user, it just has an extra objectclass and a '$' on the
end of the samAccountName

Rowland

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: woensdag 31 oktober 2018 9:51
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Again NFSv4 and Kerberos at the 'samba
way'...
> 
> On Wed, 31 Oct 2018 08:31:17 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > Hai Marco, 
> > 
> > > 
> > > Mandi! L.P.H. van Belle via samba
> > >   In chel di` si favelave...
> > > 
> > > > Sofar, until tomorrow, 
> > > 
> > > Done some tests, metoo.
> > > 
> > > 1) seems that nfs-common is disabled 'by design'. Looking
> at debian
> > > changelog:
> > > 
> > >  nfs-utils (1:1.2.8-9.1) unstable; urgency=medium
> > > 
> > >   Partial sync from ubuntu, included changes:
> > > 
> > >   [ Martin Pitt ]
> > >   [...]
> > >   * 27-systemd-enable-with-systemctl-statd.patch: let the admin
> > >     enable/disable statd via systemd tools. (LP: #1428486)
> > > 
> > >   [...]
> > >   [ Andreas Henriksson ]
> > >   * Restore anything related to nfs-common.init and
> > > nfs-common.default
> > >   * debian/nfs-common.links: Mask nfs-common init script with 
> > > a symlink
> > >     to /dev/null to avoid using it under systemd.
> > > 
> > > so seems you have to enable/disable/mask single services. 
> Note that
> > > still there are some troubles, eg on client:
> > > 
> > > 	root at vdmpp2:~# systemctl start nfs-idmapd
> > > 	Failed to start nfs-idmapd.service: Unit 
> > > nfs-server.service not found.
> > > 
> > > (but probably idmap is a server-only service, so it is normal?)
> > > and also seems that /etc/default/nfs-common are *totally* ignored
> > > (eg, there's no way to pass options to services).
> > > 
> > > Anyway, now i'm able to restart nfs/rpc services. ;-)
> > 
> > Ok, thats at least better. 
> > 
> > And no, /etc/default/nfs-common is not ignored. Its just harder to
> > see it. 
> > 
> > systemctl cat nfs-config  
> > contains :  ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
> > And the nfs-utils_env.sh contains : 
> > [ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
> > [ -r /etc/default/nfs-kernel-server ]
> > && . /etc/default/nfs-kernel-server
> > 
> > ;-) 
> > 
> > And 
> > /lib/systemd/system/rpc-svcgssd.service
> > Contains:  ConditionPathExists=/etc/krb5.keytab
> > 
> > Thats all ok. 
> > 
> > All i did for the server was systemctl enable nfs-server
> > And for the client systemctl enable nfs-client
> > After the setup, all other servers start if needed based on the
> > settings in /etc/default/nfs-common
> > and/or /etc/default/nfs-kernel-server 
> 
> Hmm, I wonder if 'nfsidmap' is now being used instead of nfs-common
?
Yes, nfsidmap also used, but all settings are loaded through the
/etc/defaults/nfs-.... Files

See the complete path of things that are getting loaded. Install these. 
dpkg -l | grep nfs
ii  libnfsidmap2:amd64                    0.25-5.1                       amd64  
NFS idmapping library
ii  nfs-common                            1:1.3.4-2.1                    amd64  
NFS support files common to client and server
ii  nfs-kernel-server                     1:1.3.4-2.1                    amd64  
support for NFS kernel server
ii  nfs4-acl-tools                        0.3.3-3                        amd64  
Commandline and GUI ACL utilities for the NFSv4 client

And see this service file output : systemctl cat nfs-server.service
> 
> > 
> > 
> > > 
> > > 
> > > 2) doing some mounts on the same host, with verbose output, i
get:
> > > 
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: Success getting 
> > > keytab entry for 'nfs/vdmpp1.ad.fvg.lnf.it at
AD.FVG.LNF.IT'
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: WARNING: 
> > > Preauthentication failed while getting initial ticket for 
> > > principal 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT'
using
> > > keytab 'FILE:/etc/krb5.keytab'
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: ERROR: No credentials 
> > > found for connection to server vdmpp1.ad.fvg.lnf.it
> > > 
> > > 'Preauthentication'?
> > Hmm, that is strange, it looks like this computer account is acting
> > like a real user. If i look in ADUC, Tab Account, only a 
> user has the
> > option to "disable preauthentication" So this might help in
solving
> > the problem. Can you check in ADUC of you see the Account 
> tab or not. 
> > If its really a computer, you should not see the Account tab. 
> > 
> 
> A computer is a user, it just has an extra objectclass and a '$' on
the end of the samAccountName
There is a difference at least in what we "see" in ADUC. 
And based on what i did see here, it might help Marco to fix the problem of
finding the problem.
This computer account is behaving like a user account. 
> A computer is a user, it just has an extra objectclass and a '$' on
the end of the samAccountName
Yes, totaly agree, but why is his "computer" account is complaining
about : Preauthentication
Which is normaly only available in a user account. Due to ( if im correct here )
the values :
sAMAccountType 805306368 ( user_account ) 
userAccountControl 0x200 ( 512 ) 

And for the computer 
sAMAccountType 805306369 ( computer_account ) 
userAccountControl 0x19000 ( 593920 )  Workstation trust account. 

This is why i also check in ADUC to "see" what is there. 

Because of this old statement i made long time a go, in the win95 time and this
still applies.

In computer terms, It's a 0 or 1, always.. Yes, i say no..  ( sort off.. ) 

A door is open or closed, yes, .... No...  ;-) 

What if i open the door a very little bit, so its open, but you cannot go
through it, now is it open or closed?
If you say open, i say then go throug it, but you cant, its not open enough, so
its closed, No.. Its open..

What if i can prove the it can be both.  :-) sort of, at least in windows, i
havent seen it in linux yet.
And when its both, it's a really a bug or corruption in the
registry/database.

In windows, you can "see" a setting, but in the backend (registry)
this setting can be different.
Thats what i'm saying here, you see something is turned on in windows, but
in the registry its not.

I think, something like this is happening in Marco's AD at least for that
computer account.

An ldap export of a correct computer account and the failing one will show what
changed.
I'm  still working on it howto detect and check all settings..


Greetz, 

Louis

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...
> And no, /etc/default/nfs-common is not ignored. Its just harder to see it. 
Ok. Good. But...

> All i did for the server was systemctl enable nfs-server
> And for the client systemctl enable nfs-client
> After the setup, all other servers start if needed based on the settings in
> /etc/default/nfs-common and/or /etc/default/nfs-kernel-server 
...but 'nfs-client' is not a .service, but a .target, so there's no
way
to enable or start it:

	root at vdmpp2:~# systemctl enable nfs-client
	Failed to enable unit: File nfs-client.service: No such file or directory
	root at vdmpp2:~# systemctl restart nfs-client
	Failed to restart nfs-client.service: Unit nfs-client.service not found.

but... AHA! i need to explicitly run with '.target'!

Anyway seems there's no way to restart it:

 root at vdmpp2:~# systemctl stop nfs-client.target
 root at vdmpp2:~# systemctl status nfs-client.target
 ● nfs-client.target - NFS client services
    Loaded: loaded (/lib/systemd/system/nfs-client.target; enabled; vendor
preset: enabled)
    Active: inactive (dead) since Wed 2018-10-31 10:57:58 CET; 4s ago
 
 ott 31 10:57:46 vdmpp2 systemd[1]: Reached target NFS client services.
 ott 31 10:57:58 vdmpp2 systemd[1]: Stopped target NFS client services.
 root at vdmpp2:~# ps aux | grep rpc
 root       491  0.0  0.0      0     0 ?        S<   ott24   0:00 [rpciod]
 root      1327  0.0  0.0  49872  3372 ?        Ss   10:52   0:00 /sbin/rpcbind
-f -w
 root      1339  0.0  0.0  37012  3180 ?        Ss   10:52   0:00
/usr/sbin/rpc.svcgssd
 root      1340  0.0  0.0  33180  2604 ?        Ss   10:52   0:00
/usr/sbin/rpc.gssd
 root      1400  0.0  0.0  12784   940 pts/0    S+   10:58   0:00 grep rpc


And killing by hand and try to start it again seems does not read the
/etc/default/nfs-commonf files,  where i've set some options for gssd:

 root at vdmpp2:~# kill 1339
 root at vdmpp2:~# kill 1340
 root at vdmpp2:~# ps aux | grep rpc
 root       491  0.0  0.0      0     0 ?        S<   ott24   0:00 [rpciod]
 root      1327  0.0  0.0  49872  3372 ?        Ss   10:52   0:00 /sbin/rpcbind
-f -w
 root      1404  0.0  0.0  12784   960 pts/0    S+   10:58   0:00 grep rpc
 root at vdmpp2:~# systemctl start nfs-client.target
 root at vdmpp2:~# systemctl status nfs-client.target
 ● nfs-client.target - NFS client services
    Loaded: loaded (/lib/systemd/system/nfs-client.target; enabled; vendor
preset: enabled)
    Active: active since Wed 2018-10-31 10:58:47 CET; 3s ago
 
 ott 31 10:58:47 vdmpp2 systemd[1]: Reached target NFS client services.
 root at vdmpp2:~# ps aux | grep rpc
 root       491  0.0  0.0      0     0 ?        S<   ott24   0:00 [rpciod]
 root      1327  0.0  0.0  49872  3372 ?        Ss   10:52   0:00 /sbin/rpcbind
-f -w
 root      1414  0.0  0.0  33180  2460 ?        Ss   10:58   0:00
/usr/sbin/rpc.gssd
 root      1415  0.0  0.0  37012  3376 ?        Ss   10:58   0:00
/usr/sbin/rpc.svcgssd
 root      1420  0.0  0.0  12784   936 pts/0    S+   10:58   0:00 grep rpc
 root at vdmpp2:~# grep ^RPCGSSDOPTS= /etc/default/nfs-common
 RPCGSSDOPTS="-vvvvvvvvvv"

So 'nfs-client.target' is probably the right way to start/check nfs
client services are run on startup, but still seems not usable to
restart nfs client on a just booted system.

> If its really a computer, you should not see the Account tab. 
No, there's no 'Account' TAB. Seeems a computer. ;-)

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On Wed, 31 Oct 2018 10:48:09 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
 
> > Hmm, I wonder if 'nfsidmap' is now being used instead of
> > nfs-common ?
> 
> Yes, nfsidmap also used, but all settings are loaded through
> the /etc/defaults/nfs-.... Files
> 
No, I was trying to say that nfsidmap is used instead of starting
mfs-common.
 
> 
> And see this service file output : systemctl cat nfs-server.service
Bit hard that on Devuan ;-)
> > A computer is a user, it just has an extra objectclass and a
'$' on
> > the end of the samAccountName
> 
> There is a difference at least in what we "see" in ADUC. 
> And based on what i did see here, it might help Marco to fix the
> problem of finding the problem. This computer account is behaving
> like a user account. 
> 
> > A computer is a user, it just has an extra objectclass and a
'$' on
> > the end of the samAccountName  
> Yes, totaly agree, but why is his "computer" account is
complaining
> about : Preauthentication Which is normaly only available in a user
> account. Due to ( if im correct here ) the values : sAMAccountType
> 805306368 ( user_account ) userAccountControl 0x200 ( 512 ) 
Well yes, there are other differences, but a computer has a password
etc, just like a user.
> 
> Because of this old statement i made long time a go, in the win95
> time and this still applies.  
> 
> In computer terms, It's a 0 or 1, always.. Yes, i say no..  ( sort
> off.. ) 
> 
> A door is open or closed, yes, .... No...  ;-) 
Well it could be a glass object as well, what is it called ?? Oh I
know, a jar LOL

Rowland

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...
> I think, something like this is happening in Marco's AD at least for
that computer account.
This seems OK:

 root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
"DC=ad,DC=fvg,DC=lnf,DC=it" "(sAMAccountName=VDMPP1$)" |
egrep "(sAMAccountType|userAccountControl)"
 sAMAccountType: 805306369
 userAccountControl: 593920
 root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
"DC=ad,DC=fvg,DC=lnf,DC=it" "(sAMAccountName=VDMPP2$)" |
egrep "(sAMAccountType|userAccountControl)"
 sAMAccountType: 805306369
 userAccountControl: 593920

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

> > In computer terms, It's a 0 or 1, always.. Yes, i say no..  ( sort
> > off.. ) 
> > 
> > A door is open or closed, yes, .... No...  ;-) 
> 
> Well it could be a glass object as well, what is it called ?? Oh I
> know, a jar LOL
> 
> Rowland
>  
So for you a door is the same as a glass object, hmm , then try going throug
that glass object...  :-p

I just hope you understanded why im saying this. 
You "see" something is set to ON, but its TURNED OFF in the backgrond.

! Until you enable - apply , disable - apply and enable - apply it. 
That fixes it in windows 99.9999% of all times. 
A common but understated problem in windows. 

Greetz, 

Louis

Marco, 

New idea.. 

For the server part:  man rpc.svcgssd 
Option :  -n 
Use the system default credentials (host/FQDN at REALM) rather than the default
nfs/FQDN at REALM.

And the host spn is correct everywhere as far i've seen. 

Add  in /etc/default/nfs-kernel-server 
RPCSVCGSSDOPTS=" -n"


Client Part. 
In conjuction with see: man rpc.gssd 

rpc.gssd searches in the following order for a principal to use.  
The first matching credential is used.  

For the search, <hostname> and <REALM> are replaced with the local
system's hostname and Kerberos realm.

          <HOSTNAME>$@<REALM>
          root/<hostname>@<REALM>
          nfs/<hostname>@<REALM>
          host/<hostname>@<REALM>
          root/<anyname>@<REALM>
          nfs/<anyname>@<REALM>
          host/<anyname>@<REALM>


So this should work also. 
Im testing this after my lunch. 


Greetz, 

Louis

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...
> And no, /etc/default/nfs-common is not ignored. Its just harder to see it. 
Only a note: i've restarted the nfs server, but seems that
/etc/default/nfs-common
and /etc/default/nfs-kernel-server are ignored, /usr/sbin/rpc.svcgssd
and /usr/sbin/rpc.gssd get started without option setted in
/etc/default/nfs-* files:

 root at vdmpp1:~# ps aux | grep [g]ssd
 root       736  0.0  0.0  37012  3224 ?        Ss   nov05   0:00
/usr/sbin/rpc.svcgssd
 root       738  0.0  0.0 111044  3468 ?        Ss   nov05   0:00
/usr/sbin/rpc.gssd
 root at vdmpp1:~# grep GSSDOPTS /etc/default/nfs-*
 /etc/default/nfs-common:RPCGSSDOPTS="-vvvvv"
 /etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvvvv -n"

FYI.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Hai Marco, 

Hmm, yes, that is strange.
This did work. 
Im checked some things, but im still not sure share this is going wrong. 

nfs-config.service is called for server and client nfs. 
That one usese
/lib/systemd/system/nfs-config.service
ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
And the script executes. 

nfs_config=/etc/sysconfig/nfs		<< does not exist. 
mkdir -p /run/sysconfig
{
echo PIPEFS_MOUNTPOINT=/run/rpc_pipefs
echo RPCNFSDARGS=\"$RPCNFSDOPTS ${RPCNFSDCOUNT:-8}\"
echo RPCMOUNTDARGS=\"$RPCMOUNTDOPTS\"
echo STATDARGS=\"$STATDOPTS\"
echo RPCSVCGSSDARGS=\"$RPCSVCGSSDOPTS\"
} > /run/sysconfig/nfs-utils

Im thinking.. 
Should nfs_config=  not be /run/sysconfig/nfs-utils ? 

Im not really sure here. 

What you can try/do also 

systemctl edit --full rpc-gssd.service
A copy is made of  rpc-gssd.service and placed in /etc/systemd 
And edit that file then change. 

ExecStart=/usr/sbin/rpc.gssd $GSSDARGS
To 
ExecStart=/usr/sbin/rpc.gssd -vvv -n


Do the same for :  rpc-svcgssd.service

Greetz, 

Louis





> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Gaiarin via samba
> Verzonden: dinsdag 6 november 2018 11:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Again NFSv4 and Kerberos at the 'samba
way'...
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > And no, /etc/default/nfs-common is not ignored. Its just 
> harder to see it. 
> 
> Only a note: i've restarted the nfs server, but seems that 
> /etc/default/nfs-common
> and /etc/default/nfs-kernel-server are ignored, /usr/sbin/rpc.svcgssd
> and /usr/sbin/rpc.gssd get started without option setted in
> /etc/default/nfs-* files:
> 
>  root at vdmpp1:~# ps aux | grep [g]ssd
>  root       736  0.0  0.0  37012  3224 ?        Ss   nov05   
> 0:00 /usr/sbin/rpc.svcgssd
>  root       738  0.0  0.0 111044  3468 ?        Ss   nov05   
> 0:00 /usr/sbin/rpc.gssd
>  root at vdmpp1:~# grep GSSDOPTS /etc/default/nfs-*
>  /etc/default/nfs-common:RPCGSSDOPTS="-vvvvv"
>  /etc/default/nfs-kernel-server:RPCSVCGSSDOPTS="-vvvvv -n"
> 
> FYI.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Tue, 6 Nov 2018 16:20:07 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Marco, 
> 
> Hmm, yes, that is strange.
> This did work. 
> Im checked some things, but im still not sure share this is going
> wrong. 
> 
> nfs-config.service is called for server and client nfs. 
> That one usese
> /lib/systemd/system/nfs-config.service
> ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
Sorry to butt in here, but is that 'ExecStart' line a default systemd
line ?

Rowland

Hai Rowland, 

Yes, that correct. 
If you use this in override.conf then its. ( so not a copy of the service file
to /etc/systemd )

systemctl edit rpc-gssd.service
[Service]
ExecStartExecStart=/Your/Own/Script/script.sh

Note the empty line, without that won the override is NOT working. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: Rowland Penny [mailto:rpenny at samba.org] 
> Verzonden: dinsdag 6 november 2018 16:32
> Aan: samba at lists.samba.org
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] Again NFSv4 and Kerberos at the 'samba
way'...
> 
> On Tue, 6 Nov 2018 16:20:07 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > Hai Marco, 
> > 
> > Hmm, yes, that is strange.
> > This did work. 
> > Im checked some things, but im still not sure share this is going
> > wrong. 
> > 
> > nfs-config.service is called for server and client nfs. 
> > That one usese
> > /lib/systemd/system/nfs-config.service
> > ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
> 
> Sorry to butt in here, but is that 'ExecStart' line a default
systemd
> line ?
> 
> Rowland
> 
>

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...
> Im not really sure here. 
Seems that nfs-config crate the file correctly:

 root at vdmpp1:/srv# cat /run/sysconfig/nfs-utils 
 PIPEFS_MOUNTPOINT=/run/rpc_pipefs
 RPCNFSDARGS=" 8"
 RPCMOUNTDARGS="--manage-gids"
 STATDARGS=""
 RPCSVCGSSDARGS="-vvvvv -n"

but the nfs(s) systemd unit file misses the 'EnvironmentFile='
directive:

	https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile

Seems time to fire up a bug...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)