Bug#622146: This is broken for me.

Daniel Kahn Gillmor Mon, 24 Oct 2011 09:03:25 -0700

On 10/24/2011 09:42 AM, Rob Naccarato wrote:

>         supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
>       des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
>       des:onlyrealm des:afs3 aes128-cts:normal
> 
> Client (khan) attempting to use sec=krb5.
> root@khan:/# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    2 host/khan.some.domain...@naccy.org (AES-256 CTS mode with 96-bit SHA-1
>    HMAC) 
>    2 host/khan.some.domain...@naccy.org (ArcFour with HMAC/md5) 
>    2 host/khan.some.domain...@naccy.org (Triple DES cbc mode with HMAC/sha1) 
>    2 host/khan.some.domain...@naccy.org (DES cbc mode with CRC-32) 
>    2 nfs/khan.some.domain...@naccy.org (AES-256 CTS mode with 96-bit SHA-1
>    HMAC) 
>    2 nfs/khan.some.domain...@naccy.org (ArcFour with HMAC/md5) 
>    2 nfs/khan.some.domain...@naccy.org (Triple DES cbc mode with HMAC/sha1) 
>    2 nfs/khan.some.domain...@naccy.org (DES cbc mode with CRC-32)


this appears to have everything *but* aes128-cts:normal, fwiw.

My example client has:


0 example:~# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   2 host/example.example....@example.org (AES-128 CTS mode with 96-bit
SHA-1 HMAC)
0 example:~#

> /etc/fstab:
>       blackdog:/      /shares         nfs4    _netdev,auto,sec=krb5,acl 0 0
> 


0 example:~# grep nfs /etc/fstab
nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0
0 example:~#

i don't think the fsc is relevant to this discussion -- and i can't
imagine that the difference between krb5 and krb5p is the issue.

> Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the 
> above:
> 
> Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure.  Minor code may provide more information) - Encryption type not
> permitted

can you show the same klist on blackdog?  here's what i've got on my server:

0 nfshost:~# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   8 nfs/nfshost.example....@example.org (AES-128 CTS mode with 96-bit
SHA-1 HMAC)
0 nfshost:~#


> Both machines, client and server have:
> 
> linux-image-2.6.39-bpo.2-amd64
> nfs-kernel-server 1:1.2.4-1~bpo60+1

you shouldn't need nfs-kernel-server on the client -- what version of
nfs-common do you have on the client?

> Both machines, client and server have in krb5.conf:
> 
> allow_weak_crypto = true

A useful test might be to *reduce* the number of supported_enctypes to a
select one or two, then change the keys for the client and the server
(and for any user account using krb5 authentication) and re-try.

hth,

        --dkg

signature.asc
Description: OpenPGP digital signature

Bug#622146: This is broken for me.

Reply via email to