Bug#637660: nfs-kernel-server: gss_accept_sec_context failed - Encryption type not permitted

Thu, 25 Aug 2011 06:18:24 -0700 

On 25/08/11 22:11, Jiri Kanicky wrote:

On 25/08/11 02:23, Bastian Blank wrote:

On Sun, Aug 14, 2011 at 12:43:14AM +1000, ganomi wrote:

Please get a name.


maverick:~# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------------- 
    4 nfs/maverick.firm.local@FIRM.LOCAL (des3-cbc-sha1)
    4 nfs/maverick.firm.local@FIRM.LOCAL (des-cbc-crc)

Please setup standard encryption types.


root@knightrider:~# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------------- 
    6 nfs/knightrider.firm.local@FIRM.LOCAL (des-cbc-crc)

DES is disabled in the meantime. Use other encryption types.


ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():
GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more
information) - Encryption type not permitted

I hope this message is clear.

Bastian



Dear Bastian.
I am not sure what do you mean by "setup standard encryption types". I believe that those are the standard encryption types. I haven't use any special configuration. I tried to use the most basic setting for Kerberos and LDAP. 

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    FIRM.LOCAL = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 
        default_principal_flags = +preauth
    }

Regards,
Jiri




Hi.
I found out that NFS (in RHEL 6) does not currently support des-hmac-sha1, des-cbc-md5 neither des-cbc-crc. However, it should support aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1 a arcfour-hmac. So, I am assuming that Debian Wheezy have the same issue.
I will try to generate keys for those which are supported and re-test it. I will come back with the results. 

Thanks for giving me the idea.

Jiri




--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4e564aa9.3050...@ganomi.com

Reply via email to