On Sun, Oct 23, 2011 at 05:16:59PM -0400, Daniel Kahn Gillmor wrote:
> On 10/23/2011 02:25 PM, Rob Naccarato wrote:
> > On 11-10-23 01:18 PM, Sam Hartman wrote:
> >>>>>>> "Rob" == Rob Naccarato<r...@naccy.org> writes:
> >>
> >> Rob> This doesn't appear to be fixed to me. I get the same
> >> Rob> problems. I have even installed backported kernel
> >> Rob> (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I
> >> Rob> still get these:
> >>
> >> This requires fixes in krb5 and nfs-utils.
> >> krb5 has been fixed, but nothing gets better until the nfs-utils fix.
> >
> > So, nfs-utils 1.2.5, then? When's that suppose to be available?
> >
> > I imagine this is a pretty critical issue for people. It is for me, at
> > least.
>
> I'm the current backporter of nfs-utils. I use 1:1.2.4-1~bpo60+1 with
> the squeeze-backports kernel (nfs server and nfs clients both use these
> versions) and a squeeze kdc configured with:
>
> supported_enctypes = aes128-cts:normal
>
> I'm able to use kerberized (sec=krb5p) nfsv4 mounts in this arrangement.
> Could you clarify how your configuration differs from what i've
> described above so i could be sure what might need changing?
Ok, here we go.
supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
des:onlyrealm des:afs3 aes128-cts:normal
Client (khan) attempting to use sec=krb5.
root@khan:/# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 host/khan.some.domain...@naccy.org (AES-256 CTS mode with 96-bit SHA-1
HMAC)
2 host/khan.some.domain...@naccy.org (ArcFour with HMAC/md5)
2 host/khan.some.domain...@naccy.org (Triple DES cbc mode with HMAC/sha1)
2 host/khan.some.domain...@naccy.org (DES cbc mode with CRC-32)
2 nfs/khan.some.domain...@naccy.org (AES-256 CTS mode with 96-bit SHA-1
HMAC)
2 nfs/khan.some.domain...@naccy.org (ArcFour with HMAC/md5)
2 nfs/khan.some.domain...@naccy.org (Triple DES cbc mode with HMAC/sha1)
2 nfs/khan.some.domain...@naccy.org (DES cbc mode with CRC-32)
/etc/fstab:
blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0
Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:
Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - Encryption type not
permitted
Both machines, client and server have:
linux-image-2.6.39-bpo.2-amd64
nfs-kernel-server 1:1.2.4-1~bpo60+1
Both machines, client and server have in krb5.conf:
allow_weak_crypto = true
Thanks.
--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111024134233.ga22...@naccy.org
