Bug#622146: This is broken for me.
On Mon, Oct 24, 2011 at 12:00:17PM -0400, Daniel Kahn Gillmor wrote:
> On 10/24/2011 09:42 AM, Rob Naccarato wrote:
>
> > supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
> > des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
> > des:onlyrealm des:afs3 aes128-cts:normal
> >
> > Client (khan) attempting to use sec=krb5.
> > root@khan:/# klist -e -k /etc/krb5.keytab
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
> > --------------------------------------------------------------------------
> > 2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> > HMAC)
> > 2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
> > 2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
> > 2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> > HMAC)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
>
> this appears to have everything *but* aes128-cts:normal, fwiw.
>
> My example client has:
>
>
> 0 example:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 2 host/example.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 0 example:~#
Fair enough, I now have this on the client:
root@khan:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
4 nfs/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
HMAC)
4 host/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
HMAC)
I also have this on the server:
blackdog:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
SHA-1 HMAC)
7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
HMAC)
>
> > /etc/fstab:
> > blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0
> >
>
>
> 0 example:~# grep nfs /etc/fstab
> nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0
> 0 example:~#
>
> i don't think the fsc is relevant to this discussion -- and i can't
> imagine that the difference between krb5 and krb5p is the issue.
Yep, and I have no need for the encryption across the wire, either.
>
> > Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:
> >
> > Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
> > handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> > failure. Minor code may provide more information) - Encryption type not
> > permitted
>
> can you show the same klist on blackdog? here's what i've got on my server:
>
> 0 nfshost:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 8 nfs/nfshost.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 0 nfshost:~#
Yup, shown above.
>
> > Both machines, client and server have:
> >
> > linux-image-2.6.39-bpo.2-amd64
> > nfs-kernel-server 1:1.2.4-1~bpo60+1
>
> you shouldn't need nfs-kernel-server on the client -- what version of
> nfs-common do you have on the client?
>
nfs-common 1:1.2.4-1~bpo60+1
> > Both machines, client and server have in krb5.conf:
> >
> > allow_weak_crypto = true
>
> A useful test might be to *reduce* the number of supported_enctypes to a
> select one or two, then change the keys for the client and the server
> (and for any user account using krb5 authentication) and re-try.
So, reduce the list to, say, just aes128-cts:normal? Should I also remove the
allow_weak_crypto option?
Reply to: