
Bug#637660: nfs-kernel-server: gss_accept_sec_context failed - Encryption type not permitted



On 25/08/11 23:14, Jiri Kanicky wrote:
On 25/08/11 22:11, Jiri Kanicky wrote:
On 25/08/11 02:23, Bastian Blank wrote:
On Sun, Aug 14, 2011 at 12:43:14AM +1000, ganomi wrote:

Please get a name.

maverick:~# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    4 nfs/maverick.firm.local@FIRM.LOCAL (des3-cbc-sha1)
    4 nfs/maverick.firm.local@FIRM.LOCAL (des-cbc-crc)

Please setup standard encryption types.

root@knightrider:~# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    6 nfs/knightrider.firm.local@FIRM.LOCAL (des-cbc-crc)

DES is disabled in the meantime. Use other encryption types.

ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():
GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more
information) - Encryption type not permitted

I hope this message is clear.

Bastian


Dear Bastian.

I am not sure what you mean by "setup standard encryption types". I believe that those are the standard encryption types. I haven't used any special configuration. I tried to use the most basic setting for Kerberos and LDAP.

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    FIRM.LOCAL = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Regards,
Jiri



Hi.

I found out that NFS (in RHEL 6) does not currently support des-hmac-sha1, des-cbc-md5 or des-cbc-crc. However, it should support aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1 and arcfour-hmac. So, I am assuming that Debian Wheezy has the same issue.

I will try to generate keys for those which are supported and re-test it. I will come back with the results.

Thanks for giving me the idea.

Jiri

Hi.

So, I changed the encryption type to (aes256-cts-hmac-sha1-96). I generated a new keytab on the client (knightrider).

root@knightrider:/home/ganomi# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 nfs/knightrider.firm.local@FIRM.LOCAL (aes256-cts-hmac-sha1-96)

I still have the same problem.

maverick:/home/ganomi/# rpc.svcgssd -fvvv
entering poll
leaving poll
handling null request
WARNING: gss_accept_sec_context failed
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)
sending null reply
writing message: \x \x608202c706092a86...    ...1314468539 851968 2529639149 \x \x
finished handling null request

Any idea? Could it be the same issue as in https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=719776 ?

Jiri
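
The keytab check discussed in this thread, as an added example that is not part of the original messages: it parses `klist -ke` output and flags principals whose keys are single-DES only. The function names are hypothetical, and the single-DES list assumes an MIT krb5 configuration without `allow_weak_crypto`.

```python
import re

# Single-DES enctype names as printed by MIT klist. MIT krb5 refuses these
# unless allow_weak_crypto is enabled in krb5.conf (assumption: default config).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}

# One keytab entry line: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: set of enctype names} from `klist -ke` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Assumption: some klist builds print a label prefix such as
            # "DEPRECATED:" before the enctype name; drop it if present.
            etype = m.group(3).rsplit(":", 1)[-1].strip().lower()
            keys.setdefault(m.group(2), set()).add(etype)
    return keys

def audit_keytab(text):
    """Classify each principal: 'des-only', 'has-des' or 'ok'."""
    verdicts = {}
    for principal, etypes in parse_klist(text).items():
        weak = etypes & SINGLE_DES
        verdicts[principal] = ("des-only" if weak == etypes
                               else "has-des" if weak else "ok")
    return verdicts

# Entry lines copied from the listings quoted in the thread above.
MAVERICK = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------
    4 nfs/maverick.firm.local@FIRM.LOCAL (des3-cbc-sha1)
    4 nfs/maverick.firm.local@FIRM.LOCAL (des-cbc-crc)
"""
KNIGHTRIDER_OLD = "    6 nfs/knightrider.firm.local@FIRM.LOCAL (des-cbc-crc)\n"
KNIGHTRIDER_NEW = "   7 nfs/knightrider.firm.local@FIRM.LOCAL (aes256-cts-hmac-sha1-96)\n"

if __name__ == "__main__":
    for name, listing in [("maverick", MAVERICK), ("knightrider-old", KNIGHTRIDER_OLD),
                          ("knightrider-new", KNIGHTRIDER_NEW)]:
        print(name, audit_keytab(listing))
```

A `des-only` verdict is the condition Bastian points at ("DES is disabled"). The later "No supported encryption types" error occurs with a keytab this check rates `ok`, so it is not explained by the keytab listing alone.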

