
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release



On 01/31/2012 07:41 PM, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
>> For kerberized NFSv4 on squeeze 6.0.4 you need: 
>>
>> [libdefaults]
>>         permitted_enctypes = des-cbc-crc
>>         allow_weak_crypto = true
> 
> This setting broke Kerberos authentication using pam_sss.  I found
> lines like this in the server kdc.log:
> 
>   Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
>     {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
>     krbtgt/INTERN@INTERN, Additional pre-authentication required
> 
> I then looked up what the etypes meant, and found
> <URL: http://pig.made-it.com/kerberos-etypes.html > mapping IDs to
> names.
> 
> By adding the names for 16-18,23 to krb5.conf on the KDC I was able to
> get pam_sss working again.  The result looked like this:
> 
>   [libdefaults]
>          permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
>          allow_weak_crypto = true
> 
> I'm not sure which of these etypes should be listed, nor the other
> consequence of listing them like this, but thought it best to mention
> it here.
> 
> Is this a good solution?  Which of the etypes should one permit?  Will
> any of them cause problems with NFSv4 or other systems?

permitted_enctypes lists the permitted enctypes so if you don't mention
one you want to use, it won't work. Though one should not put any in it
unless one wants to restrict the used enctypes.

The allow_weak_crypto = true alone should be enough to get the weak (cbc
ones) to work again AFAIK. Though unless one has old clients that don't
work with stronger encryption it's better to make sure there is a better
encryption method used for the nfs server AFAICT. I guess the
documentation on the wikipage (http://wiki.debian.org/NFS/Kerberos)
should be updated to not mention the cbc one anymore.

Russ: Which enctype is now preferred and could you please update the
above wikipage accordingly, TIA?

Cheers

Luk
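The reasoning above (a client offering etypes {18 17 16 23} against a krb5.conf permitted_enctypes list) as an added Python example, not code from the bug report or the Debian wiki: it parses the AS_REQ line quoted earlier (joined onto one line here) and reports which offered enctypes a permitted_enctypes setting would still let through. Treating an empty permitted_enctypes as "no restriction" is a simplification of MIT krb5's built-in default list, assumed here for illustration.

```python
import re

# Etype IDs -> names from the Kerberos enctype registry (RFC 3961/3962/4757);
# only the IDs seen in this thread plus the other single-DES types.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Spellings MIT krb5 accepts in krb5.conf for the same enctype; the wiki's
# "des3-cbc-sha1-kd" is des3-cbc-sha1.
ALIASES = {
    "des3-cbc-sha1-kd": "des3-cbc-sha1", "des3-hmac-sha1": "des3-cbc-sha1",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes256-cts": "aes256-cts-hmac-sha1-96",
    "arcfour-hmac": "rc4-hmac",
}
WEAK = {1, 2, 3}  # single DES: MIT krb5 refuses these unless allow_weak_crypto = true

# The kdc.log line from the thread, joined onto one line.
LOG_LINE = ("Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes "
            "{18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for "
            "krbtgt/INTERN@INTERN, Additional pre-authentication required")

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\)")


def parse_as_req_etypes(line):
    """Return the etype IDs a client offered in a kdc.log AS_REQ line ([] if none)."""
    m = AS_REQ_RE.search(line)
    return [int(x) for x in m.group(1).split()] if m else []


def usable_etypes(offered, permitted_enctypes, allow_weak_crypto=False):
    """Enctypes that survive: offered by the client, listed in permitted_enctypes
    (empty string = no restriction, an assumption here), and not weak unless
    allow_weak_crypto is set. An empty result means the AS_REQ cannot succeed."""
    permitted = {ALIASES.get(n, n) for n in permitted_enctypes.split()}
    result = []
    for et in offered:
        name = ETYPE_NAMES.get(et)
        if name is None or (permitted and name not in permitted):
            continue
        if et in WEAK and not allow_weak_crypto:
            continue
        result.append(name)
    return result


if __name__ == "__main__":
    offered = parse_as_req_etypes(LOG_LINE)
    print("wiki config:", usable_etypes(offered, "des-cbc-crc", True))  # []
    print("fixed config:", usable_etypes(offered,
          "des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96", True))
```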


