----- Original Message -----
> On Wed, 5 Feb 2014 10:56:39 -0500 Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:
>
> > Hi Neil!
> >
> > On Feb 4, 2014, at 10:09 PM, NeilBrown <neilb@xxxxxxx> wrote:
> >
> > > On Tue, 4 Feb 2014 11:20:52 -0500 "J. Bruce Fields" <bfields@xxxxxxxxxxxx>
> > > wrote:
> > >
> > >> On Tue, Feb 04, 2014 at 09:34:52AM +1100, NeilBrown wrote:
> > >>> Also, I've been wondering if we could avoid the need to explicitly enable
> > >>> the gss stuff by gating it on the existence of /etc/krb5.keytab.
> > >>> Do you think that would be reasonable?
> > >>
> > >> That would be great. I hate that people have to care about these
> > >> support daemons, they should just be started automatically when they're
> > >> needed.
> > >>
> > >> Is /etc/krb5.keytab the best indicator?
> > >
> > > I was hoping you would tell me. :-)
> >
> > rpc.gssd has to run in cases where there is no /etc/krb5.keytab. Remember
> > the discussion we had last year about using root’s user credential as the
> > client’s machine credential? We want the kernel to be able to find out
> > whether there is a machine credential available, and one can be available
> > even if there is no keytab.
>
> Hi Chuck,
> thanks for reminding me about that! Yes we clearly cannot key
> off /etc/krb5.keytab for rpc.gssd.
>
> Maybe /etc/krb5.conf? Seems a bit lame.
> How about /etc/gssapi_mech.conf ?? rpc.gssd seems to exit if that doesn't
> exist. What if systemd is told not to run rpc.gssd if that file is
> missing?

-1

> I guess that otherwise we can make it on-by-default, but document that people
> can turn it off with
>     systemctl mask rpc-gssd

big +1

> which is probably easier than requiring "systemctl enable nfs-secure".

I would really like to see nfs-secure go away, it is a "configuration option"
not some entity you start anyway so it never made sense to me.

Simo.

--
Simo Sorce * Red Hat, Inc.
* New York