
Bug#979764: Problem now understood, but potential security problem



Dear Maintainers

my bug report contained the necessary information to understand the whole
problem, but it is quite complex.


FIXING bullseye NFS4 Kerberos with SAMBA

Probably Debian uses an outdated version of rpc.gssd, SAMBA behaves 100%
correctly and someone removed support for weak rpc.gssd encryption from
the 5.10 kernel.

In short: rpc.gssd wants a nfs/... SPN and SAMBA by default only writes
weak encryption keys for nfs/... into a keytab.

In SAMBA Kerberos SPNs are based on a UPN and you have to set encryption
types for the UPN to let samba export better encryption keys for the SPN:

net ads enctypes set root/alpha1.centauri.home 31

The samba behaviour is documented at:

https://wiki.samba.org/index.php/Generating_Keytabs


POTENTIAL SECURITY PROBLEM

Apart from the Debian rpc.gssd bug, what happens is not a bug but by
design. But there is no reasonable error message and backward compatibility
is broken.

Mount tries to use NFS3 if NFS4 fails. Does this create a security
problem? Could a mount without Kerberos using NFS3 happen in this
case? This would break security completely. Sorry, I never used NFS3.

Please close this bug if it does not create a security problem via NFS3.

I am going to report the rpc.gssd / SAMBA thing as a different bug.

Thanks
Jürgen
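
Added example, not part of the original message: a shell check for the situation asked about above, an NFS mount that ended up without Kerberos. It reads lines in /proc/mounts format; the function names and the sample lines (export paths, client address) are constructed for illustration.

```shell
#!/bin/sh
# Flag NFS mounts whose negotiated security flavor is not krb5, krb5i or krb5p.
# Input: lines in /proc/mounts format on stdin.
# Output: one line per NFS mount: "<verdict> <mountpoint> vers=<v> sec=<flavor>".
audit_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        vers = "unknown"; sec = "unset"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            # Anchored match, so mountvers= is not mistaken for vers=.
            if (opt[i] ~ /^(vers|nfsvers)=/) {
                vers = opt[i]; sub(/^[^=]*=/, "", vers)
            }
            if (opt[i] ~ /^sec=/) sec = substr(opt[i], 5)
        }
        verdict = (sec ~ /^krb5[ip]?$/) ? "OK" : "NO-KERBEROS"
        printf "%s %s vers=%s sec=%s\n", verdict, $2, vers, sec
    }'
}

# Constructed sample: one Kerberos NFSv4 mount, one NFSv3 mount with
# AUTH_SYS, and one local filesystem that must be ignored.
sample_mounts() {
    cat <<'EOF'
alpha1.centauri.home:/home /home nfs4 rw,relatime,vers=4.2,proto=tcp,sec=krb5p,clientaddr=192.0.2.10 0 0
alpha1.centauri.home:/srv/data /mnt/data nfs rw,relatime,vers=3,proto=tcp,mountvers=3,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

sample_mounts | audit_nfs_mounts
# On a live client: audit_nfs_mounts < /proc/mounts
```

A line marked NO-KERBEROS is a mount running without Kerberos protection, which is the outcome the message asks about.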

 

