
Bug#1100641: marked as done (Kerberized NFSv4-servers unable to accept: aes256-cts-hmac-sha384-192 or aes128-cts-hmac-sha256-128 encryption.)



Your message dated Sun, 23 Mar 2025 06:11:29 +0000
with message-id <E1twEYT-008rb9-4V@fasolo.debian.org>
and subject line Bug#1100641: fixed in linux 6.13.8-1~exp1
has caused the Debian Bug report #1100641,
regarding Kerberized NFSv4-servers unable to accept: aes256-cts-hmac-sha384-192 or aes128-cts-hmac-sha256-128 encryption.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1100641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100641
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: nfs-kernel-server
Version: 1:2.6.2-4+deb12u1

Other relevant packages: gssproxy (0.9.1-1+b1); we have tested both with rpc.svcgssd and with gssproxy, with seemingly similar results.


I am struggling in our lab to understand why my kerberized NFS servers running Debian are not able to handle aes256-cts-hmac-sha384-192 / aes128-cts-hmac-sha256-128 encryption.

We configured a FreeIPA-enrolled Debian server and configured our shares in a similar way as on our Red Hat (RockyLinux) servers, and all clients got access denied while trying to mount the relevant shares.

After some investigation we saw the following message in the logs:

ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted

The default keytabs provided via FreeIPA enrollment are the following (we add the nfs service keytab manually):


klist -e -k /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha384-192)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha256-128)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha1-96)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha1-96)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha384-192)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha256-128)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha1-96)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha1-96)


So we tried to remove the "nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha384-192)" key from the keytab and tested again;
then we saw aes128-sha2 errors in the logs. Only after we removed the "nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha256-128)" key as well
were our clients able to mount their shares. So the following server keytab is OK:


klist -e -k /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha384-192)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha256-128)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha1-96)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha1-96)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha1-96)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha1-96)


Having all the standard keytabs seems to be unproblematic on the client side.

We have tried to install gssproxy on our servers as well, but the same access denied messages occur, and the log messages are more dubious
when we use the encryption/hashing schemes in question. We have experimented quite a bit, and cannot understand why Debian NFS services should not be able to accept
aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128 tickets, which our Red Hat / Rocky servers are able to accept.

Setting things like:

permitted_enctypes = aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

Seems to have no effect.


--
Best Regards,

Jostein Fossheim

--- End Message ---
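The pattern in the report (the server accepts only the AES-SHA1 keys, and the fix lands in the kernel rather than in nfs-kernel-server or krb5) points at the kernel side of RPCSEC_GSS: whichever user-space daemon negotiates the context, the kernel's sunrpc Kerberos code has to implement the session-key enctype for per-RPC integrity and privacy, so a keytab key the kernel cannot use is a key clients will be handed tickets for and the server cannot consume. The POSIX shell check below is an added example, not part of the bug report or of the Debian kernel package. It assumes (not confirmed by the report) that the running kernel advertises its enctype list as a single `enctypes=20,19,18,17` line in /proc/net/rpc/gss_krb5_enctypes (older nfsd kernels expose the same line as /proc/fs/nfsd/supported_krb5_enctypes) and that the kernel config is readable at /boot/config-$(uname -r); the keytab listing and config lines it runs on are constructed samples that mirror the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian kernel package:
# decide whether the enctypes stored in an NFS server keytab are ones the
# running kernel's RPCSEC_GSS Kerberos code can use.
#
# Assumptions (not confirmed by the report): the kernel advertises its
# enctype list as a single "enctypes=20,19,18,17" line in
# /proc/net/rpc/gss_krb5_enctypes (older nfsd kernels expose the same line
# as /proc/fs/nfsd/supported_krb5_enctypes), and the kernel config is
# readable at /boot/config-$(uname -r).

# Enctype numbers from the IANA Kerberos encryption type registry:
# RFC 3962 (AES with SHA-1) and RFC 8009 (AES with SHA-2).
enctype_name() {
  case "$1" in
    17) echo aes128-cts-hmac-sha1-96 ;;
    18) echo aes256-cts-hmac-sha1-96 ;;
    19) echo aes128-cts-hmac-sha256-128 ;;
    20) echo aes256-cts-hmac-sha384-192 ;;
    *)  echo "enctype-$1" ;;
  esac
}

# $1: the "enctypes=..." line. Prints one enctype name per line.
kernel_enctypes() {
  for n in $(printf '%s\n' "$1" | sed -n 's/^enctypes=//p' | tr ',' ' '); do
    enctype_name "$n"
  done
}

# $1: output of `klist -e -k`, $2: principal prefix such as "nfs/".
# Prints the enctype of every key stored for that principal, one per line.
keytab_enctypes() {
  printf '%s\n' "$1" |
    awk -v p="$2" 'NF == 3 && index($2, p) == 1 { gsub(/[()]/, "", $3); print $3 }'
}

# $1: klist output, $2: principal prefix, $3: kernel "enctypes=" line.
# Prints the keytab enctypes the kernel does not list. The KDC normally
# encrypts a service ticket with the service's most preferred key, so every
# line printed here is an enctype a client can be handed and the server
# kernel cannot consume; empty output means keytab and kernel agree.
unsupported_enctypes() {
  kt=$(keytab_enctypes "$1" "$2")
  kern=$(kernel_enctypes "$3")
  for e in $kt; do
    printf '%s\n' "$kern" | grep -Fxq "$e" || echo "$e"
  done
}

# $1: contents of the kernel config. Succeeds when the AES-SHA2 enctypes
# were built in (the option the 6.13.8-1~exp1 changelog enables).
config_has_aes_sha2() {
  printf '%s\n' "$1" | grep -qx 'CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y'
}

# Constructed sample inputs mirroring the listing in the report.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha384-192)
   1 host/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha1-96)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha384-192)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha256-128)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes256-cts-hmac-sha1-96)
   1 nfs/basic-nas.lab.skyfritt.net@LAB.SKYFRITT.NET (aes128-cts-hmac-sha1-96)'
KERNEL_SHA1_ONLY='enctypes=18,17'        # constructed: AES-SHA2 option off
KERNEL_SHA1_SHA2='enctypes=20,19,18,17'  # constructed: AES-SHA2 option on
CONFIG_WITH_SHA2='CONFIG_RPCSEC_GSS_KRB5=m
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y'

# Stand-alone demonstration on the constructed samples.
echo "keys the SHA-1-only kernel cannot use:"
unsupported_enctypes "$SAMPLE_KLIST" nfs/ "$KERNEL_SHA1_ONLY"
echo "keys the SHA-2-capable kernel cannot use: $(unsupported_enctypes "$SAMPLE_KLIST" nfs/ "$KERNEL_SHA1_SHA2")"

# On a live server (paths are the assumptions stated above):
#   unsupported_enctypes "$(klist -e -k /etc/krb5.keytab)" nfs/ \
#     "$(cat /proc/net/rpc/gss_krb5_enctypes)"
#   config_has_aes_sha2 "$(cat /boot/config-$(uname -r))" && echo "AES-SHA2 built in"
```

Run against the constructed SHA-1-only kernel line, the check names exactly the two keys the reporter had to strip from the keytab; against the line a kernel with RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 would advertise it prints nothing, which is the state the 6.13.8-1~exp1 upload aims for without touching the keytab. Removing the SHA-2 keys works around the problem only by forcing the KDC back to the AES-SHA1 keys; enabling the kernel option is the fix that keeps the stronger enctypes in use.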
--- Begin Message ---
Source: linux
Source-Version: 6.13.8-1~exp1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 23 Mar 2025 06:40:56 +0100
Source: linux
Architecture: source
Version: 6.13.8-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1091696 1093124 1098698 1099591 1100641 1100694
Changes:
 linux (6.13.8-1~exp1) experimental; urgency=medium
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.13.8
     - fs/netfs/read_collect: add to next->prev_donated (Closes: #1098698,
       #1099591)
 .
   [ Salvatore Bonaccorso ]
   * drm/amdkfd: Fix user queue validation on Gfx7/8 (Closes: #1093124)
   * net/sunrpc: Enable RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 (Closes: #1100641)
   * [x86] drivers/pinctrl/intel: Enable PINCTRL_INTEL_PLATFORM as module
     (Closes: #1100694)
   * ata: libata-core: Add ATA_QUIRK_NO_LPM_ON_ATI for certain Samsung SSDs
     (Closes: #1091696)
 .
   [ Madhu Adav M J ]
   * drivers/nvme/target: Enable NVME_TARGET_PASSTHRU
   * drivers/nvme/target: Enable NVME_TARGET_LOOP and NVME_TARGET_FCLOOP
     as modules
Checksums-Sha1:
 7443cc79cbcf9cabbfa516601b6b415630d1e3f7 200434 linux_6.13.8-1~exp1.dsc
 c5d649a3f9c823e1689d48879024ce8e680ecff9 151549996 linux_6.13.8.orig.tar.xz
 1db80940458f29447a155c4379fded60285cd547 1546228 linux_6.13.8-1~exp1.debian.tar.xz
 27e298398f3f85b3d74996aa66b5ade2b18702e8 6664 linux_6.13.8-1~exp1_source.buildinfo
Checksums-Sha256:
 2d6454a6eac44473e952a4ff093907a14e98a48f941d684ad6710723e5e0661d 200434 linux_6.13.8-1~exp1.dsc
 5f3820da9128a21876bfa56299406febbf24f694d2a3216e8d4080dfe75b1ede 151549996 linux_6.13.8.orig.tar.xz
 9d8cc6eec0979333701d387bea4f45424af85dfaa122e15b4959954ee9c82458 1546228 linux_6.13.8-1~exp1.debian.tar.xz
 abd85f3efc4bcd214be11173e90398662981faf3a25f3fdead6784227831d3ea 6664 linux_6.13.8-1~exp1_source.buildinfo
Files:
 293b1150b215b8908340cacd4dd8103c 200434 kernel optional linux_6.13.8-1~exp1.dsc
 2b412fdff5ab2cb4c090baa5a7232563 151549996 kernel optional linux_6.13.8.orig.tar.xz
 9e33f561a6444ac4f1bc62727b487c39 1546228 kernel optional linux_6.13.8-1~exp1.debian.tar.xz
 eee8d73a8452ce52f0fbf19b8f491e05 6664 kernel optional linux_6.13.8-1~exp1_source.buildinfo




--- End Message ---
