
Bug#622146: nfs-kernel-server: error Encryption type not permitted



Luk Claes <luk@debian.org> wrote in his message of Mon, 14 Nov 2011 19:36:41 +0400:

On 11/14/2011 04:57 PM, Mc.Sim wrote:


Why would that work without changing anything in your Kerberos keytabs?
The keytab contains both types of encryption (example below in the text).


Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted

Expected when des3-hmac-sha1 is not in keytab.

Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)

Please help me with this problem.

This will only work if you have other possibilities in the Kerberos keytab.
Yes, the other encryption types are present in the keytab ...


P.S. An NFS server is installed on the client (hostname debian) as well, and if I run:
root@debian:~# grep -v ^# /etc/exports
/nfs        gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
root@debian:~# mount | grep nfs
debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)

So it worked, I guess that's the initial scenario where you are using
des-cbc-crc?

I myself have little to no experience with Kerberos, but I would try
klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
to add entries to the keytab when needed. This does not look like an NFS
problem to me or am I mistaken?

According to the documentation ( http://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx ), Win 2k8 R2 does not support DES-CBC-MD5 & DES-CBC-CRC.
As I understand it, this is probably the reason for this error when these parameters are uncommented:

#        default_tgs_enctypes = des-cbc-crc
#        default_tkt_enctypes = des-cbc-crc
#        permitted_enctypes = des-cbc-crc
or
#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

But in the keytab there are other types of encryption:
root@debian:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
   3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
   3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)
===========================================
kinit gets the correct tickets from the KDC on the client only with the parameters commented out:
==========================================
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
        permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k  nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial credentials
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
       default_tgs_enctypes = des3-hmac-sha1
       default_tkt_enctypes = des3-hmac-sha1
       permitted_enctypes = des3-hmac-sha1
#       default_tgs_enctypes = des-cbc-crc
#       default_tkt_enctypes = des-cbc-crc
#       permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k  nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial credentials
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
#      default_tgs_enctypes = des3-hmac-sha1
#      default_tkt_enctypes = des3-hmac-sha1
#      permitted_enctypes = des3-hmac-sha1
#       default_tgs_enctypes = des-cbc-crc
#       default_tkt_enctypes = des-cbc-crc
#       permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k  nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/14/11 20:33:18  11/15/11 06:33:21  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/15/11 20:33:18
=======================
...and on server:
=======================
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
        permitted_enctypes = des-cbc-crc
#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial credentials
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
#       default_tgs_enctypes = des-cbc-crc
#        default_tkt_enctypes = des-cbc-crc
#        permitted_enctypes = des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1
        default_tkt_enctypes = des3-hmac-sha1
        permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial credentials
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/14/11 21:05:29  11/15/11 07:05:29  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/15/11 21:05:29

However, NFS does not work with any of the given parameters. :(


Cheers

Luk




P.s.
Luk Claes <luk@debian.org> wrote in his message of Mon, 14 Nov 2011 19:39:06 +0400:

On 11/14/2011 04:35 PM, "Крамаренко Максим" wrote:
Hello!
Your message has been received.
Unfortunately I don't understand Russian, can you please translate?
Cheers
Luk
Sorry! This is an e-mail answering service. I have turned it off.

Best Regards
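
Added example, not part of the original thread: a shell check that intersects the enctypes in a `klist -ke` listing with the active permitted_enctypes line of a krb5.conf, run over the keytab listing and the three configuration states shown in the message above. The function names are hypothetical, and the library's built-in default list (used when the key is unset) is not modelled.

```shell
#!/bin/sh
# Added example: which keytab enctypes survive a given permitted_enctypes setting.

# Enctypes held for principal $1, parsed from `klist -ke` output on stdin.
keytab_enctypes() {
    awk -v p="$1" '$2 == p && $NF ~ /^\(.*\)$/ {
        e = $NF; gsub(/[()]/, "", e)
        sub(/^DEPRECATED:/, "", e)   # prefix newer MIT klist puts on weak types
        print e }' | sort -u
}

# Active (uncommented) values of krb5.conf key $1, one per line, from stdin.
conf_enctypes() {
    awk -v k="$1" -F '=' '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/[ \t,]+/, "\n", v); print v }' |
        sed '/^$/d' | sort -u
}

# $1 = klist -ke text, $2 = krb5.conf text, $3 = principal
usable_enctypes() {
    held=$(printf '%s\n' "$1" | keytab_enctypes "$3")
    permitted=$(printf '%s\n' "$2" | conf_enctypes permitted_enctypes)
    # Key unset: the built-in default list applies; it is not modelled here.
    if [ -z "$permitted" ]; then printf '%s\n' "$held"; return 0; fi
    printf '%s\n' "$held" | grep -Fx -e "$permitted" || true
}

# Keytab listing copied from the message above.
KLIST='   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
   3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
   3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)'
# The three krb5.conf states tried in the message (permitted_enctypes only).
CONF_DES='        permitted_enctypes = des-cbc-crc
#       permitted_enctypes = des3-hmac-sha1'
CONF_DES3='#       permitted_enctypes = des-cbc-crc
        permitted_enctypes = des3-hmac-sha1'
CONF_NONE='#       permitted_enctypes = des-cbc-crc
#       permitted_enctypes = des3-hmac-sha1'
P=nfs/debian.sag.local@SAG.LOCAL

for c in "$CONF_DES" "$CONF_DES3" "$CONF_NONE"; do
    printf 'usable: [%s]\n' "$(usable_enctypes "$KLIST" "$c" "$P" | tr '\n' ' ')"
done
```

With des3-hmac-sha1 as the only permitted type, the intersection with this keytab is empty; with des-cbc-crc it is that single type.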


