
Bug#622146: nfs-kernel-server: error Encryption type not permitted



Russ Allbery <rra@debian.org> wrote in their message of Tue, 15 Nov 2011 00:27:01 +0400:

> "Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
>
> The NFS server, client, and KDC all have to agree on a single encryption
> type, and the encryption type of the service ticket issued by the KDC to
> the client has to be in an encryption type that the NFS server supports.

The KDC supports these encryption types (http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx):
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS server has a core:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686 GNU/Linux
As you said above, it supports:
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS client has a core:
root@debian:~# uname -a
Linux debian 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
It is older than the server, so it should also support the above encryption types. (If the server and client are both on the kernel Linux debian 3.0.0-1-486 #1, then there is no error ...)

I tried tuning krb5.conf on the NFS client and server (last letter):
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        permitted_enctypes = rc4-hmac

But there was still an error on the NFS server:
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)



> It would be more interesting to run klist -e after attempting to contact
> the server, so that you can see what the encryption type of the service
> ticket for the NFS server was.

on client:

root@debian:~# kinit -k  nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 09:27:22  11/15/11 19:27:30  krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

...and on server:

ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 09:26:37  11/15/11 19:26:42  krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:26:37, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

--
Best Regards
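
Added example, not part of the original message: a Python sketch of the check suggested in the quoted reply, which reads `klist -e` output and reports the enctype of the `nfs/` service ticket rather than the TGT. The function names, the alias table and the `AFTER_MOUNT` sample are constructed for illustration; the date layout is assumed to match the output shown in the message.

```python
import re

# Alias table: only the enctype spellings that appear in this thread (assumption).
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour with hmac/md5": "rc4-hmac"}
# Ticket line layout as printed in the message: start, expiry, service principal.
TICKET = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
ETYPE = re.compile(r"Etype \(skey, tkt\): (.+)$")

# Client cache copied from the message: it holds only the TGT.
CLIENT_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 09:27:22  11/15/11 19:27:30  krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""
# Constructed sample (not from the thread): the same cache after a mount attempt.
AFTER_MOUNT = CLIENT_CACHE + """\
11/15/11 09:28:01  11/15/11 19:27:30  nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

def canon(name):
    """Map an enctype spelling to one canonical lower-case name."""
    key = name.strip().lower()
    return ALIASES.get(key, key)

def parse_klist(text):
    """Return [(service_principal, skey_etype, tkt_etype)] from `klist -e` output."""
    tickets, service = [], None
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            service = m.group(1)
        elif service and (m := ETYPE.search(line)):
            skey, tkt = m.group(1).rsplit(", ", 1)
            tickets.append((service, canon(skey), canon(tkt)))
            service = None
    return tickets

def check_nfs_ticket(text, server_host, permitted):
    """Classify the nfs/<server_host> service ticket against permitted enctypes."""
    for service, skey, tkt in parse_klist(text):
        if service.split("@")[0] == "nfs/" + server_host:
            ok = skey in permitted and tkt in permitted
            return ("ok" if ok else "mismatch", skey, tkt)
    return ("no-service-ticket", None, None)
```

Run against the client cache from the message, the check returns `no-service-ticket`: the `klist -e` output there lists only `krbtgt/SAG.LOCAL`, so it does not yet show which enctype the KDC would issue for `nfs/archiv.sag.local`.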


