From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-current@freebsd.org
CC: Meowthink
Subject: RFC: gssd needs /usr mounted to start up
Date: Sun, 11 Oct 2020 02:18:51 +0000

Meowthink reported a problem on freebsd-hackers@ where the
gssd would not start up because /usr was not yet mounted.
(I moved the discussion here, hoping to catch more comments.)

He has a separately mounted /usr and, recently, gssd was failing
to start since /usr was not yet mounted when /etc/rc.d/gssd was
executed.
Looking at /etc/rc.d/gssd, this is not surprising, since the REQUIRED
line only lists "root" as a requirement.
I can see a couple of things that can be done, but no obvious ideal
solution:
(A) - Add "mountcritlocal" to the REQUIRED line, which is what
      Meowthink has done.
      This seems harmless and works for the case of a local filesystem
      /usr, but does not work if /usr is an NFS mounted file system.

(B) - Add both "mountcritlocal" and "mountcritremote" to the
      REQUIRED line.
      This would also fix the case of an NFS mounted /usr, but it also
      implies that all NFS entries in /etc/fstab that use "sec=krb5[ip]"
      would also need the "late" option specified.

I am thinking that (A) can be done and MFC'd, since it shouldn't
break anything (or cause a POLA violation).
Maybe (B) can be done for head/FreeBSD13 with an entry in the
Release notes, indicating the need for "late" on NFS entries using
"sec=krb5[ip]" in /etc/fstab. (It would result in a POLA violation if
MFC'd, since "sec=krb5[ip]" entries in /etc/fstab would break until
"late" is added.)

I am interested in a solution for this, in part, because the daemons
for NFS over TLS have the same problem.

Any ideas/suggestions, rick
ps: I thought of moving gssd to /sbin, but it uses several libraries,
    including Kerberos ones, that are in /usr/lib.