Return-Path: linux-nfs-owner@vger.kernel.org
Received: from mx3-phx2.redhat.com ([209.132.183.24]:60018 "EHLO
	mx3-phx2.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755949AbaBFMPP convert rfc822-to-8bit (ORCPT );
	Thu, 6 Feb 2014 07:15:15 -0500
Date: Thu, 6 Feb 2014 07:15:10 -0500 (EST)
From: Simo Sorce
To: NeilBrown
Cc: Chuck Lever, "J. Bruce Fields", Steve Dickson,
	Linux NFS Mailing List, Simo Sorce
Message-ID: <1159251059.5418996.1391688910525.JavaMail.root@redhat.com>
In-Reply-To: <20140206122751.41b2fbf9@notabene.brown>
References: <20140130172451.7a354ce4@notabene.brown>
	<52F003A1.3060908@RedHat.com>
	<20140204093452.7b6d7c7d@notabene.brown>
	<20140204162052.GA5295@fieldses.org>
	<20140205140906.0b3ba9fd@notabene.brown>
	<1B2F95A4-8439-4274-A859-F33986D06824@oracle.com>
	<20140206122751.41b2fbf9@notabene.brown>
Subject: Re: [PATCH/RFC: nfs-utils] Common systemd unit files for nfs-utils.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Sender: linux-nfs-owner@vger.kernel.org
List-ID:

----- Original Message -----
> On Wed, 5 Feb 2014 10:56:39 -0500 Chuck Lever wrote:
>
> > Hi Neil!
> >
> > On Feb 4, 2014, at 10:09 PM, NeilBrown wrote:
> >
> > > On Tue, 4 Feb 2014 11:20:52 -0500 "J. Bruce Fields"
> > > wrote:
> > >
> > >> On Tue, Feb 04, 2014 at 09:34:52AM +1100, NeilBrown wrote:
> > >>> Also, I've been wondering if we could avoid the need to explicitly
> > >>> enable
> > >>> the gss stuff by gating it on the existence of /etc/krb5.keytab.
> > >>> Do you think that would be reasonable?
> > >>
> > >> That would be great. I hate that people have to care about these
> > >> support daemons, they should just be started automatically when they're
> > >> needed.
> > >>
> > >> Is /etc/krb5.keytab the best indicator?
> > >
> > > I was hoping you would tell me. :-)
> >
> > rpc.gssd has to run in cases where there is no /etc/krb5.keytab. Remember
> > the discussion we had last year about using root’s user credential as the
> > client’s machine credential? We want the kernel to be able to find out
> > whether there is a machine credential available, and one can be available
> > even if there is no keytab.
>
> Hi Chuck,
> thanks for reminding me about that! Yes we clearly cannot key
> off /etc/krb5.keytab for rpc.gssd.
>
> Maybe /etc/krb5.conf? Seems a bit lame.
> How about /etc/gssapi_mech.conf ?? rpc.gssd seems to exit if that doesn't
> exist. What if systemd is told not to run rpc.gssd if that file is
> missing?

-1

> I guess that otherwise we can make it on-by-default, but document that
> people
> can turn it off with
>   systemctl mask rpc-gssd

big +1

> which is probably easier than requiring "systemctl enable nfs-secure".

I would really like to see nfs-secure go away, it is a "configuration option"
not some entity you start anyway so it never made sense to me.

Simo.

--
Simo Sorce * Red Hat, Inc. * New York