Package: nfs-common
Version: 1:1.3.4-2.5+deb10u1
Severity: important
Tags: upstream
Dear Maintainers,

There is a long-standing bug (or wrong documentation) in rpc.gssd. Probably Debian uses an outdated version (there is a newer upstream version). I consider this bug severe because it breaks backward compatibility since Debian bullseye. It might affect most Samba AD/DC setups that were working with buster and fail with bullseye.

PROBLEM

The point is the nfs/... SPN (service principal name) that was historically used to fill the Kerberos machine credential cache. The documentation explicitly states that rpc.gssd first tries the (Windows) machine account <HOSTNAME>$/..., then a SPN (or UPN?) root/..., then some others and FINALLY the nfs/... SPN. But this is wrong: only nfs/... is recognized.

This creates a problem with Samba AD/DC setups. Samba uses Heimdal Kerberos. A difference between Heimdal and MIT is the handling of SPNs. So in Samba you have to add a UPN (like the root/... mentioned above) and attach the nfs/... SPN to that UPN. This is how it looks:

    samba-tool user create --random-password --gid-number=100 \
        --gecos="nfs user" --unix-home=/tmp --login-shell=/usr/sbin/nologin \
        root/myhost.centauri.home
    samba-tool user setexpiry --noexpiry root/myhost.centauri.home
    samba-tool spn add nfs/myhost.centauri.home root/myhost.centauri.home

The exported keytab works fine (until kernel 5.9) and allows NFS4 with Kerberos security:

    samba-tool domain exportkeytab xxx.keytab --principal MYHOST$
    samba-tool domain exportkeytab xxx.keytab --principal root/myhost.centauri.home
    samba-tool domain exportkeytab xxx.keytab --principal nfs/myhost.centauri.home

But as the nfs/... SPN seems to be historic, Samba only exports weak encryption keys for nfs/..., whereas the machine account and the root/... UPN have strong encryption:

    klist -e -k /etc/krb5.keytab.old
    Keytab name: FILE:/etc/krb5.keytab.old
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
       1 alpha1$@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
       1 alpha1$@CENTAURI.HOME (arcfour-hmac)
       1 alpha1$@CENTAURI.HOME (des-cbc-md5)
       1 alpha1$@CENTAURI.HOME (des-cbc-crc)
       2 root/alpha1.centauri.h...@centauri.home (aes256-cts-hmac-sha1-96)
       2 root/alpha1.centauri.h...@centauri.home (aes128-cts-hmac-sha1-96)
       2 root/alpha1.centauri.h...@centauri.home (arcfour-hmac)
       2 root/alpha1.centauri.h...@centauri.home (des-cbc-md5)
       2 root/alpha1.centauri.h...@centauri.home (des-cbc-crc)
       2 nfs/alpha1.centauri.h...@centauri.home (arcfour-hmac)
       2 nfs/alpha1.centauri.h...@centauri.home (des-cbc-md5)
       2 nfs/alpha1.centauri.h...@centauri.home (des-cbc-crc)

SOLUTION

This was OK until kernel 5.9 only. Since 5.10 somebody disabled weak encryption in the kernel part of GSSAPI. Now Debian's old rpc.gssd fails, probably creating a security problem, as the NFS mount now tries NFS3 (without Kerberos).

The Samba documentation explains the Samba behaviour here:

    https://wiki.samba.org/index.php/Generating_Keytabs

The solution is to explicitly set the supported encryption types for the root/... UPN:

    net ads enctypes set root/myhost.centauri.home 31

A newly created keytab now contains the required encryption types for the nfs/... SPN, and NFS4 works with 5.10 / bullseye.

CONCLUSION

The NFS4 / Samba / Kerberos setup is extremely complicated, Debian's rpc.gssd is outdated or buggy, and someone tried to improve security by removing something from the kernel. NFS mounts on bullseye systems may fall back to NFS3 without Kerberos. Not good.

PLEASE

Give users a hint, a useful error message, or fix rpc.gssd. It took me a long time to identify the reported problem and I am thankful for a hint that I found in the Univention bug tracker.
Yours
Jürgen

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = centauri.home
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6-6
ii  libc6               2.28-10
ii  libcap2             1:2.25-2
ii  libcom-err2         1.44.5-1+deb10u3
ii  libdevmapper1.02.1  2:1.02.155-3
ii  libevent-2.1-6      2.1.8-stable-4
ii  libgssapi-krb5-2    1.17-3+deb10u1
ii  libk5crypto3        1.17-3+deb10u1
ii  libkeyutils1        1.6-6
ii  libkrb5-3           1.17-3+deb10u1
ii  libmount1           2.33.1-0.1
ii  libnfsidmap2        0.25-5.1
ii  libtirpc3           1.1.4-0.4
ii  libwrap0            7.6.q-28
ii  lsb-base            10.2019051400
ii  rpcbind             1.2.5-0.3+deb10u1
ii  ucf                 3.0038+nmu1

Versions of packages nfs-common recommends:
ii  python  2.7.16-1

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

Versions of packages nfs-kernel-server depends on:
ii  keyutils    1.6-6
ii  libblkid1   2.33.1-0.1
ii  libc6       2.28-10
ii  libcap2     1:2.25-2
ii  libsqlite3-0  3.27.2-3+deb10u1
ii  libtirpc3   1.1.4-0.4
ii  libwrap0    7.6.q-28
ii  lsb-base    10.2019051400
ii  netbase     5.6
ii  ucf         3.0038+nmu1

-- Configuration Files:
/etc/default/nfs-common changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/lib/systemd/scripts/nfs-utils_env.sh (from nfs-common package)
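The keytab check implied by the PROBLEM and SOLUTION sections above, as an added example that is not part of the bug report or of nfs-utils/Samba: a POSIX shell function that reads `klist -e -k` output and lists every principal that carries no AES key at all, which is exactly the nfs/... entry that a 5.10+ kernel can no longer use. The two sample listings below are constructed to mirror the report's klist output (the "fixed" one is what the keytab looks like after the `net ads enctypes set ... 31` step and a fresh export); the hostnames and realm are taken from the report, the key material is not real.

```shell
#!/bin/sh
# Constructed sample of `klist -e -k` output, modelled on the bug report:
# machine account and root/... UPN have AES keys, nfs/... has only RC4/DES.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab.old
KVNO Principal
---- --------------------------------------------------------------------------
   1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   1 alpha1$@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
   1 alpha1$@CENTAURI.HOME (arcfour-hmac)
   2 root/alpha1.centauri.home@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   2 root/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-md5)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-crc)'

# Constructed sample after the enctypes fix: nfs/... now has AES keys too.
SAMPLE_KLIST_FIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   3 root/alpha1.centauri.home@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   3 root/alpha1.centauri.home@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
   3 nfs/alpha1.centauri.home@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   3 nfs/alpha1.centauri.home@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
   3 nfs/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)'

# Read `klist -e -k` output on stdin and print, one per line and sorted,
# every principal for which the keytab holds no aes* key.  Header lines
# ("Keytab name:", "KVNO Principal", "---- ...") are skipped because their
# first field is not a number.
weak_only_principals() {
    awk '
        # Data lines look like: "<kvno> <principal> (<enctype>)"
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $2
            etype = $3
            gsub(/[()]/, "", etype)        # strip the parentheses
            seen[princ] = 1
            if (etype ~ /^aes/) strong[princ] = 1
        }
        END {
            for (p in seen) if (!(p in strong)) print p
        }
    ' | sort
}

# Convenience wrapper for a real keytab file (needs klist from krb5-user).
# Not exercised by the samples above because it runs klist.
check_keytab_file() {
    klist -e -k "$1" | weak_only_principals
}

# Demonstration on the constructed samples.
echo "before fix, AES-less principals:"
printf '%s\n' "$SAMPLE_KLIST" | weak_only_principals
echo "after fix, AES-less principals:"
printf '%s\n' "$SAMPLE_KLIST_FIXED" | weak_only_principals
```

Run it against the live keytab with `check_keytab_file /etc/krb5.keytab`: any nfs/... principal it prints is the condition described in the report, and after `net ads enctypes set root/<host> 31` plus a fresh `samba-tool domain exportkeytab` the principal should no longer appear. The value 31 in that command is the msDS-SupportedEncryptionTypes bitmask 0x1f (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10); 24 (0x18) would restrict the account to the two AES types, which is what the 5.10+ kernel actually requires.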