
Bug#622146: This is broken for me.



On Sun, Oct 23, 2011 at 05:16:59PM -0400, Daniel Kahn Gillmor wrote:
> On 10/23/2011 02:25 PM, Rob Naccarato wrote:
> > On 11-10-23 01:18 PM, Sam Hartman wrote:
> >>>>>>> "Rob" == Rob Naccarato<rob@naccy.org>  writes:
> >>
> >>      Rob>  This doesn't appear to be fixed to me. I get the same
> >>      Rob>  problems. I have even installed backported kernel
> >>      Rob>  (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I
> >>      Rob>  still get these:
> >>
> >> This requires fixes in krb5 and nfs-utils.
> >> krb5 has been fixed, but nothing gets better until the nfs-utils fix.
> > 
> > So, nfs-utils 1.2.5, then? When's that supposed to be available?
> > 
> > I imagine this is a pretty critical issue for people. It is for me, at
> > least.
> 
> I'm the current backporter of nfs-utils.  I use 1:1.2.4-1~bpo60+1 with
> the squeeze-backports kernel (nfs server and nfs clients both use these
> versions) and a squeeze kdc configured with:
> 
>         supported_enctypes = aes128-cts:normal
> 
> I'm able to use kerberized (sec=krb5p) nfsv4 mounts in this arrangement.
>  Could you clarify how your configuration differs from what i've
> described above so i could be sure what might need changing?

Ok, here we go.

        supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
	des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
	des:onlyrealm des:afs3 aes128-cts:normal

Client (khan) attempting to use sec=krb5.
root@khan:/# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
   2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
   2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
   2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
   2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
   2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)

/etc/fstab:
	blackdog:/      /shares         nfs4    _netdev,auto,sec=krb5,acl 0 0


Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:

Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted

Both machines, client and server have:

linux-image-2.6.39-bpo.2-amd64
nfs-kernel-server 1:1.2.4-1~bpo60+1

Both machines, client and server have in krb5.conf:

allow_weak_crypto = true


Thanks.
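
An added example, not part of the original message or of any Debian, krb5 or nfs-utils code: a small parser for `klist -e -k` output that inventories the enctypes held per principal and flags single-DES keys, which MIT krb5 treats as weak and only accepts with allow_weak_crypto = true. It rejoins entries broken across two lines, as happens when such output is pasted into mail; the sample is abridged from the output quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# klist description -> krb5 enctype name, for the four types shown in the post.
ENCTYPE_NAMES = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}
WEAK = {"des-cbc-crc"}  # single DES: needs allow_weak_crypto = true

ENTRY_START = re.compile(r"^\s*\d+\s+\S+@")
ENTRY = re.compile(r"^(\d+)\s+(\S+@\S+)\s+\((.*)\)$")

def parse_klist(text):
    """Return {principal: [(kvno, enctype), ...]} from `klist -e -k` output."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line.strip())
        elif entries and "(" in entries[-1] and not entries[-1].endswith(")"):
            entries[-1] += " " + line.strip()  # continuation of a wrapped entry
    keys = defaultdict(list)
    for entry in entries:
        m = ENTRY.match(entry)
        if m:
            kvno, principal, desc = m.groups()
            # Unknown descriptions are kept verbatim rather than guessed at.
            keys[principal].append((int(kvno), ENCTYPE_NAMES.get(desc, desc)))
    return dict(keys)

def weak_keys(keys):
    """Sorted (principal, enctype) pairs whose enctype is in WEAK."""
    return sorted((p, e) for p, ks in keys.items() for _, e in ks if e in WEAK)

# Sample abridged from the keytab listing in the message above.
SAMPLE = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
   HMAC)
   2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
   2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
   HMAC)
   2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
   2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    for principal, enctype in weak_keys(parse_klist(SAMPLE)):
        print(f"weak key: {principal} {enctype}")
```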


