Bug#651558: nfs-utils: NFSv4 sec=krb5 clients must install nfs-kernel-server to use rpc.svcgssd to receive delegations
According to J. Bruce Fields on the linux-nfs mailing list , NFSv4
clients using any sec=krb5 variant will need to run rpc.svcgssd to
receive delegations. On debian, this appears to mean that the clients
will need to install nfs-kernel-server, even if they do not intend to
act as a server.
Should rpc.svcgssd get moved out to the nfs-common package (or, if the
fragmentation isn't too much, to its own package)? It doesn't seem like
encouraging clients to run nfsd when they have no intention of serving
files is a good idea.
Another alternative is to consider encouraging NFSv4.1 instead of
NFSv4 (apparently the delegations in 4.1 happen over the
client-initiated channels instead of establishing new connections back),
but this was only been enabled in debian kernels since
If moving the daemon implementation between packages isn't the right
idea, it would at least be good to document what's going on here and
what the recommended configuration is for decently-performing
cryptographically-secured NFS. I see no mention of the multi-daemon
requirement for clients in
/usr/share/doc/nfs-common/README.Debian.nfsv4, for example.
If i wasn't stumbling my way through this setup myself, i'd offer to
write improved documentation, but i'm not in deep enough to know
best-practices or advise others at the moment.