Bug#983508: nfs-common: Bullseye/Kernel 5.10 SAMBA AD/DC NFSv4 Kerberos Problem with rpc.gssd
On Thu, 2021-02-25 11:07:13 +0100, J. Pfennig wrote:
> Package: nfs-common
> Version: 1:1.3.4-2.5+deb10u1
> Severity: important
> Tags: upstream
>
> Dear Maintainers
>
> There is a long-standing bug (or wrong documentation) in rpc.gssd.
> Probably Debian uses an outdated version (new upstream version).
>
> I consider this bug as severe because it breaks backward
> compatibility since Debian bullseye. It might affect most SAMBA AD/DC
> setups that were working with buster and fail with bullseye.
Thank you for filing this bug#983508.
You tagged it upstream. Do you have a web page address or upstream bug
report reference of this bug from when it was reported upstream?
Could you please test the current version of nfs-common in experimental?
> PROBLEM
>
> The point is the nfs/... SPN (service principal name) that was
> historically used to fill the Kerberos machine credential cache.
>
> The documentation explicitly states that rpc.gssd first tries
> the (windows) machine account <HOSTNAME>$/... then a SPN (or UPN?)
> root/... then some others and FINALLY the nfs/... SPN. But this
> is wrong, only nfs/... is recognized.
>
> This creates a problem with SAMBA AD/DC setups. Samba uses Heimdal
> Kerberos. A difference between Heimdal and MIT is the SPNs. So in
> SAMBA you have to add a UPN (like the before-mentioned root/...)
> and attach the nfs/... SPN to the UPN. This is how it looks:
>
> samba-tool user create --random-password --gid-number=100 \
> --gecos="nfs user" --unix-home=/tmp --login-shell=/usr/sbin/nologin \
> root/myhost.centauri.home
> samba-tool user setexpiry --noexpiry root/myhost.centauri.home
> samba-tool spn add nfs/myhost.centauri.home root/myhost.centauri.home
>
> The exported keytab works fine (until kernel 5.9) and allows NFS4 with
> Kerberos security:
>
> samba-tool domain exportkeytab xxx.keytab --principal MYHOST$
> samba-tool domain exportkeytab xxx.keytab --principal root/myhost.centauri.home
> samba-tool domain exportkeytab xxx.keytab --principal nfs/myhost.centauri.home
>
> But as the nfs/... SPN seems to be historic, SAMBA only exports weak
> encryption keys for nfs/..., whereas the machine account and the root/...
> UPN have strong encryption:
>
> klist -e -k /etc/krb5.keytab.old
> Keytab name: FILE:/etc/krb5.keytab.old
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
> 1 alpha1$@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
> 1 alpha1$@CENTAURI.HOME (arcfour-hmac)
> 1 alpha1$@CENTAURI.HOME (des-cbc-md5)
> 1 alpha1$@CENTAURI.HOME (des-cbc-crc)
> 2 root/alpha1.centauri.home@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
> 2 root/alpha1.centauri.home@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
> 2 root/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
> 2 root/alpha1.centauri.home@CENTAURI.HOME (des-cbc-md5)
> 2 root/alpha1.centauri.home@CENTAURI.HOME (des-cbc-crc)
> 2 nfs/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
> 2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-md5)
> 2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-crc)
>
>
> SOLUTION
>
> This was OK until kernel 5.9 only. Since 5.10 somebody disabled weak
> encryption in the kernel part of GSSAPI. Now Debian's old rpc.gssd
> fails. This probably creates a security problem, as the NFS mount now
> tries NFS 3 (without Kerberos).
>
> The SAMBA documentation explains the SAMBA behaviour here:
>
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> The solution is to explicitly set the supported encryption types for
> the root/... UPN:
>
> net ads enctypes set root/myhost.centauri.home 31
>
> A newly created keytab now contains the required encryption types
> for the nfs/... SPN. And now NFS4 works with 5.10 / bullseye.
>
>
> CONCLUSION
>
> The NFS4 / SAMBA / KERBEROS setup is extremely complicated, Debian's
> rpc.gssd is outdated or buggy, and someone tried to improve security
> by removing something from the kernel. NFS mounts on bullseye
> systems may fall back to NFS3 without Kerberos. Not good.
>
>
> PLEASE
>
> Give users a hint, a useful error message, or fix rpc.gssd.
> It took me a long time to identify the reported problem and I am
> thankful for a hint that I found in the Univention bug tracker.
>
> Yours Jürgen
>
>
> -- Package-specific info:
> -- rpcinfo --
> program vers proto port service
> 100000 4 tcp 111 portmapper
> 100000 3 tcp 111 portmapper
> 100000 2 tcp 111 portmapper
> 100000 4 udp 111 portmapper
> 100000 3 udp 111 portmapper
> 100000 2 udp 111 portmapper
> -- /etc/default/nfs-common --
> NEED_STATD=no
> STATDOPTS=
> NEED_IDMAPD=yes
> NEED_GSSD=yes
> -- /etc/idmapd.conf --
> [General]
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> Domain = centauri.home
> [Mapping]
> Nobody-User = nobody
> Nobody-Group = nogroup
> -- /etc/fstab --
>
> -- System Information:
> Debian Release: 10.8
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
> Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages nfs-common depends on:
> ii adduser 3.118
> ii keyutils 1.6-6
> ii libc6 2.28-10
> ii libcap2 1:2.25-2
> ii libcom-err2 1.44.5-1+deb10u3
> ii libdevmapper1.02.1 2:1.02.155-3
> ii libevent-2.1-6 2.1.8-stable-4
> ii libgssapi-krb5-2 1.17-3+deb10u1
> ii libk5crypto3 1.17-3+deb10u1
> ii libkeyutils1 1.6-6
> ii libkrb5-3 1.17-3+deb10u1
> ii libmount1 2.33.1-0.1
> ii libnfsidmap2 0.25-5.1
> ii libtirpc3 1.1.4-0.4
> ii libwrap0 7.6.q-28
> ii lsb-base 10.2019051400
> ii rpcbind 1.2.5-0.3+deb10u1
> ii ucf 3.0038+nmu1
>
> Versions of packages nfs-common recommends:
> ii python 2.7.16-1
>
> Versions of packages nfs-common suggests:
> pn open-iscsi <none>
> pn watchdog <none>
>
> Versions of packages nfs-kernel-server depends on:
> ii keyutils 1.6-6
> ii libblkid1 2.33.1-0.1
> ii libc6 2.28-10
> ii libcap2 1:2.25-2
> ii libsqlite3-0 3.27.2-3+deb10u1
> ii libtirpc3 1.1.4-0.4
> ii libwrap0 7.6.q-28
> ii lsb-base 10.2019051400
> ii netbase 5.6
> ii ucf 3.0038+nmu1
>
> -- Configuration Files:
> /etc/default/nfs-common changed [not included]
>
> -- no debconf information
>
> -- debsums errors found:
> debsums: changed file /usr/lib/systemd/scripts/nfs-utils_env.sh (from nfs-common package)
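As an added example (not part of the bug report, of nfs-utils or of Samba): a small POSIX shell script that reproduces the check the reporter had to do by hand. It parses `klist -e -k` output in the format shown above, lists every principal whose keys are all DES or arcfour-hmac (the enctypes a 5.10 kernel will no longer use for RPCSEC_GSS), and decodes the numeric mask passed to `net ads enctypes set` into enctype names. The bit values are those of Active Directory's msDS-SupportedEncryptionTypes attribute (1 des-cbc-crc, 2 des-cbc-md5, 4 arcfour-hmac, 8 aes128, 16 aes256); the sample keytab listing is constructed to mirror the report, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a keytab listing for
# principals that have no AES key, and decode an AD enctype bitmask.

# Constructed sample of `klist -e -k` output, modelled on the report.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab.old
KVNO Principal
---- --------------------------------------------------------------------------
   1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   1 alpha1$@CENTAURI.HOME (arcfour-hmac)
   2 root/alpha1.centauri.home@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
   2 root/alpha1.centauri.home@CENTAURI.HOME (des-cbc-md5)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-md5)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-crc)'

# weak_only_principals: read `klist -e -k` text on stdin and print, sorted,
# each principal that carries no aes128/aes256-cts key at all.  Such a
# principal can only negotiate DES or arcfour-hmac, which the 5.10 kernel
# refuses, so rpc.gssd will fail for it.
weak_only_principals() {
    awk '
        /^ *[0-9]+ / {
            princ = $2
            etype = $3
            gsub(/[()]/, "", etype)
            seen[princ] = 1
            if (etype ~ /^aes(128|256)-cts/) strong[princ] = 1
        }
        END {
            for (p in seen) if (!(p in strong)) print p
        }
    ' | sort
}

# audit_keytab: run the check against a real keytab file.  Returns 1 when
# at least one principal is weak-only, so it can gate an upgrade script.
audit_keytab() {
    weak=$(klist -e -k "$1" | weak_only_principals)
    if [ -n "$weak" ]; then
        printf 'principals without AES keys in %s:\n%s\n' "$1" "$weak"
        return 1
    fi
    return 0
}

# decode_enctypes: print the enctype names selected by an AD
# msDS-SupportedEncryptionTypes mask such as the 31 used in the report.
decode_enctypes() {
    mask=$1
    out=""
    [ $((mask & 1)) -ne 0 ] && out="$out des-cbc-crc"
    [ $((mask & 2)) -ne 0 ] && out="$out des-cbc-md5"
    [ $((mask & 4)) -ne 0 ] && out="$out arcfour-hmac"
    [ $((mask & 8)) -ne 0 ] && out="$out aes128-cts-hmac-sha1-96"
    [ $((mask & 16)) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    printf '%s\n' "${out# }"
}

# Stand-alone run: show what the sample keytab would flag, and what
# mask 31 (the value from the report) and 24 (AES only) select.
printf 'weak-only principals in sample:\n'
printf '%s\n' "$SAMPLE_KLIST" | weak_only_principals
printf 'mask 31 = %s\n' "$(decode_enctypes 31)"
printf 'mask 24 = %s\n' "$(decode_enctypes 24)"
```

Run `audit_keytab /etc/krb5.keytab` on a client before moving it to a 5.10 kernel; any principal it prints needs its enctypes re-set on the DC and the keytab re-exported. Mask 31 re-enables DES and arcfour as well as AES; if nothing else on the host still needs them, 24 selects only the AES types.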