Package: nfs-kernel-server
Version: 1:2.6.2-4+deb12u1
Other relevant packages: gssproxy (0.9.1-1+b1); we have tested both with rpc.svcgssd and gssproxy, with seemingly similar results.

I am struggling in our lab to understand why my kerberized NFS servers running Debian are not able to handle aes256-cts-hmac-sha384-192 / aes128-cts-hmac-sha256-128 encryption.

We configured a FreeIPA-enrolled Debian server and configured our shares in a similar way as on our Red Hat (RockyLinux) servers, and all clients got "access denied" while trying to mount the relevant shares.

After some investigation we saw the following message in the logs:

    ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted

The default keytabs provided via FreeIPA enrollment are the following (we add the nfs service keytab manually):

    klist -e -k /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha384-192)
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha256-128)
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha1-96)
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha1-96)
       1 nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha384-192)
       1 nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha256-128)
       1 nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha1-96)
       1 nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha1-96)

So we tried to remove the "nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha384-192)" keytab entry and tested again; then we saw aes128-sha2 errors in the logs. Only after we removed the "nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha256-128)" entry as well were our clients able to mount their shares.

So the following server keytab entries are OK:

    klist -e -k /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha384-192)
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha256-128)
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha1-96)
       1 host/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha1-96)
       1 nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes256-cts-hmac-sha1-96)
       1 nfs/basic-nas.lab.skyfritt....@lab.skyfritt.net (aes128-cts-hmac-sha1-96)

Having all the standard keytab entries seems to be unproblematic on the client side.

We have tried to install gssproxy as well on our servers, but the same "access denied" messages occur, and the log messages are more dubious when we use the encryption/hashing schemes in question.

We have experimented quite a bit, and cannot understand why Debian NFS services should not be able to accept aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128 tickets, which our Red Hat / Rocky servers are.

Setting things like:

    permitted_enctypes = aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

seems to have no effect.

--
Best Regards,
Jostein Fossheim
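The workaround the report arrives at by trial and error (keeping the SHA-2 AES keys for the host/ principal but dropping them for the nfs/ principal) can be checked mechanically before touching the keytab. The script below is an added example, not part of the bug report or of any Debian package: it parses `klist -e -k` output, lists the enctypes each principal has keys for, flags the nfs/ entries using the two enctypes the server rejects, and emits the `ktutil` command script that would write a trimmed copy of the keytab. The sample keytab listing is constructed (principal `nfs/nas.example.test@EXAMPLE.TEST`, placeholder realm) and mirrors the layout in the report; the `ktutil` slot numbering is assumed to follow the same file order that `klist -k` prints, so confirm with `list -e` inside `ktutil` before running `wkt`.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `klist -e -k` (not the reporter's keytab).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/nas.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha384-192)
   1 host/nas.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha256-128)
   1 host/nas.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 host/nas.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 nfs/nas.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha384-192)
   1 nfs/nas.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha256-128)
   1 nfs/nas.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 nfs/nas.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# One keytab entry line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

# The two RFC 8009 (SHA-2) AES enctypes the report says the server rejects.
SHA2_ENCTYPES = frozenset({"aes256-cts-hmac-sha384-192",
                           "aes128-cts-hmac-sha256-128"})


def parse_klist(text):
    """Return keytab entries as (kvno, principal, enctype) in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header/separator lines do not match and are skipped
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def enctypes_by_principal(entries):
    """Map principal -> list of enctypes it has keys for."""
    out = defaultdict(list)
    for _, princ, etype in entries:
        out[princ].append(etype)
    return dict(out)


def entries_to_remove(entries, service="nfs/", unsupported=SHA2_ENCTYPES):
    """Entries for `service` whose enctype is in `unsupported`, with 1-based slot."""
    return [(slot, p, e) for slot, (_, p, e) in enumerate(entries, start=1)
            if p.startswith(service) and e in unsupported]


def remaining_enctypes(entries, service="nfs/", unsupported=SHA2_ENCTYPES):
    """Enctypes the service principal would still have after trimming."""
    return sorted({e for _, p, e in entries
                   if p.startswith(service) and e not in unsupported})


def ktutil_script(entries, src="/etc/krb5.keytab", dst="/etc/krb5.keytab.new"):
    """Build a ktutil command script that deletes the flagged slots.

    Slots are deleted in descending order because ktutil renumbers the
    remaining entries after each `delent` (assumed MIT ktutil behaviour).
    The trimmed keytab is written to `dst`, never over the original.
    """
    slots = sorted((s for s, _, _ in entries_to_remove(entries)), reverse=True)
    lines = [f"rkt {src}"] + [f"delent {s}" for s in slots] + [f"wkt {dst}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ents = parse_klist(SAMPLE_KLIST)
    for princ, etypes in enctypes_by_principal(ents).items():
        print(princ, "->", ", ".join(etypes))
    print("flagged:", entries_to_remove(ents))
    print("nfs/ keeps:", remaining_enctypes(ents))
    print(ktutil_script(ents), end="")
```

Feed the generated script to `ktutil` on stdin (after reviewing it) to produce the trimmed keytab, then point rpc.svcgssd or gssproxy at the new file; the host/ principal keeps all four enctypes, matching the configuration the report found to work.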