
Bug#622146: This is broken for me.



On Mon, Oct 24, 2011 at 12:00:17PM -0400, Daniel Kahn Gillmor wrote:
> On 10/24/2011 09:42 AM, Rob Naccarato wrote:
> 
> >         supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
> > 	des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
> > 	des:onlyrealm des:afs3 aes128-cts:normal
> > 
> > Client (khan) attempting to use sec=krb5.
> > root@khan:/# klist -e -k /etc/krb5.keytab
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
> > --------------------------------------------------------------------------
> >    2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> >    HMAC) 
> >    2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5) 
> >    2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1) 
> >    2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32) 
> >    2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> >    HMAC) 
> >    2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5) 
> >    2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1) 
> >    2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32) 
> 
> this appears to have everything *but* aes128-cts:normal, fwiw.
> 
> My example client has:
> 
> 
> 0 example:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    2 host/example.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 0 example:~#

Fair enough, I now have this on the client:
root@khan:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   4 nfs/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
   HMAC)
   4 host/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
   HMAC)

I also have this on the server:

blackdog:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
   SHA-1 HMAC) 
   7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
   HMAC) 


> 
> > /etc/fstab:
> > 	blackdog:/      /shares         nfs4    _netdev,auto,sec=krb5,acl 0 0
> > 
> 
> 
> 0 example:~# grep nfs /etc/fstab
> nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0
> 0 example:~#
> 
> i don't think the fsc is relevant to this discussion -- and i can't
> imagine that the difference between krb5 and krb5p is the issue.

Yep, and I have no need for the encryption across the wire, either.

> 
> > Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:
> > 
> > Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
> > handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> > failure.  Minor code may provide more information) - Encryption type not
> > permitted
> 
> can you show the same klist on blackdog?  here's what i've got on my server:
> 
> 0 nfshost:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    8 nfs/nfshost.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 0 nfshost:~#

Yup, shown above.


> 
> > Both machines, client and server have:
> > 
> > linux-image-2.6.39-bpo.2-amd64
> > nfs-kernel-server 1:1.2.4-1~bpo60+1
> 
> you shouldn't need nfs-kernel-server on the client -- what version of
> nfs-common do you have on the client?
>

nfs-common 1:1.2.4-1~bpo60+1


> > Both machines, client and server have in krb5.conf:
> > 
> > allow_weak_crypto = true
> 
> A useful test might be to *reduce* the number of supported_enctypes to a
> select one or two, then change the keys for the client and the server
> (and for any user account using krb5 authentication) and re-try.

So, reduce the list to, say, just aes128-cts:normal? Should I also remove the
allow_weak_crypto option?
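The question above, which enctypes survive once supported_enctypes is cut down and whether allow_weak_crypto still matters, can be answered from the keytab listings already quoted in this thread. The script below is an added example written for this page, not code from either poster or from the nfs-utils or krb5 projects. It parses `klist -e -k` output (joining the lines that the mail client wrapped), expands a kdc.conf supported_enctypes value, and reports which of a service principal's keytab entries the KDC would still generate on a rekey, which would become stale, and which are single-DES keys that only work with allow_weak_crypto = true. The mapping from klist's long enctype descriptions to MIT enctype names and the family aliases (des, aes, des3, rc4) follow MIT krb5 naming and are assumptions of this example; the sample listings are copied from the messages above, trimmed to the nfs/ entries.

```python
import re

# Regex for one joined keytab entry: "KVNO principal (enctype description)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# klist's descriptions -> MIT enctype names (assumed mapping, from MIT krb5 naming)
KLIST_NAMES = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}
# Short aliases and family names accepted in kdc.conf supported_enctypes
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "rc4-hmac": "arcfour-hmac",
}
FAMILIES = {
    "des": {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"},
    "aes": {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"},
    "des3": {"des3-cbc-sha1"},
    "rc4": {"arcfour-hmac"},
}
# Single-DES keys are refused by MIT krb5 1.8+ unless allow_weak_crypto = true
WEAK = FAMILIES["des"]

# Sample input copied from this thread: the client's nfs/ entries before rekeying
CLIENT_BEFORE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
   HMAC)
   2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
   2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
   2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
"""
# Sample input copied from this thread: the server keytab after rekeying
SERVER_AFTER = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
   8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
   SHA-1 HMAC)
   7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
   HMAC)
"""
# The supported_enctypes line quoted at the top of the thread
FULL_SUPPORTED = ("aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal "
                  "des-cbc-crc:normal des:normal des:v4 des:norealm "
                  "des:onlyrealm des:afs3 aes128-cts:normal")


def parse_klist(text):
    """Return [(kvno, principal, enctype)] from `klist -e -k` output.
    Lines that do not start a new entry (mail wrapping) are joined onto
    the previous entry before matching."""
    joined, buf = [], None
    for line in text.splitlines():
        if re.match(r"^\s*\d+\s+\S+", line):
            if buf is not None:
                joined.append(buf)
            buf = line.rstrip()
        elif buf is not None:
            buf += " " + line.strip()
    if buf is not None:
        joined.append(buf)
    entries = []
    for entry in joined:
        m = ENTRY_RE.match(entry)
        if m:  # shell prompts and headers do not match and are dropped
            kvno, princ, desc = m.groups()
            entries.append((int(kvno), princ, KLIST_NAMES.get(desc, desc)))
    return entries


def expand_supported_enctypes(value):
    """Expand 'enctype:salttype' tokens, aliases and family names into
    a set of canonical enctype names."""
    out = set()
    for tok in value.split():
        enc = tok.split(":", 1)[0]
        out |= FAMILIES.get(enc, {ALIASES.get(enc, enc)})
    return out


def diagnose(server_klist, supported_enctypes, principal, allow_weak_crypto):
    """Compare one principal's keytab entries with what the KDC generates."""
    keytab = {enc for _, p, enc in parse_klist(server_klist) if p == principal}
    kdc = expand_supported_enctypes(supported_enctypes)
    usable = keytab & kdc
    weak = usable & WEAK
    if not allow_weak_crypto:
        usable -= WEAK
    return {"keytab": keytab, "usable": usable,
            "stale": keytab - kdc,   # key types a rekey would no longer produce
            "weak": weak}            # key types gated by allow_weak_crypto


if __name__ == "__main__":
    nfs = "nfs/khan.some.domain.ca@NACCY.ORG"
    print(diagnose(CLIENT_BEFORE, FULL_SUPPORTED, nfs, allow_weak_crypto=False))
    print(diagnose(CLIENT_BEFORE, "aes128-cts:normal", nfs, allow_weak_crypto=True))
```

Run against the pre-rekey client listing with supported_enctypes reduced to `aes128-cts:normal`, every existing entry shows up as stale, which is exactly why the keys must be changed after the list is trimmed; with the full list and allow_weak_crypto off, only the des-cbc-crc entry drops out.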
