On 10/24/2011 09:42 AM, Rob Naccarato wrote: > supported_enctypes = aes256-cts:normal arcfour-hmac:normal \ > des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \ > des:onlyrealm des:afs3 aes128-cts:normal > > Client (khan) attempting to use sec=krb5. > root@khan:/# klist -e -k /etc/krb5.keytab > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1 > HMAC) > 2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5) > 2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1) > 2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32) > 2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1 > HMAC) > 2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5) > 2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1) > 2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32) this appears to have everything *but* aes128-cts:normal, fwiw. My example client has: 0 example:~# klist -e -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/example.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC) 0 example:~# > /etc/fstab: > blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0 > 0 example:~# grep nfs /etc/fstab nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0 0 example:~# i don't think the fsc is relevant to this discussion -- and i can't imagine that the difference between krb5 and krb5p is the issue. > Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above: > > Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in > handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS > failure. Minor code may provide more information) - Encryption type not > permitted can you show the same klist on blackdog? here's what i've got on my server: 0 nfshost:~# klist -e -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 8 nfs/nfshost.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC) 0 nfshost:~# > Both machines, client and server have: > > linux-image-2.6.39-bpo.2-amd64 > nfs-kernel-server 1:1.2.4-1~bpo60+1 you shouldn't need nfs-kernel-server on the client -- what version of nfs-common do you have on the client? > Both machines, client and server have in krb5.conf: > > allow_weak_crypto = true A useful test might be to *reduce* the number of supported_enctypes to a select one or two, then change the keys for the client and the server (and for any user account using krb5 authentication) and re-try. hth, --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature