On Mon, Oct 24, 2011 at 12:00:17PM -0400, Daniel Kahn Gillmor wrote:
> On 10/24/2011 09:42 AM, Rob Naccarato wrote:
>
> > supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
> > des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
> > des:onlyrealm des:afs3 aes128-cts:normal
> >
> > Client (khan) attempting to use sec=krb5.
> > root@khan:/# klist -e -k /etc/krb5.keytab
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 host/khan.some.domain...@naccy.org (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >    2 host/khan.some.domain...@naccy.org (ArcFour with HMAC/md5)
> >    2 host/khan.some.domain...@naccy.org (Triple DES cbc mode with HMAC/sha1)
> >    2 host/khan.some.domain...@naccy.org (DES cbc mode with CRC-32)
> >    2 nfs/khan.some.domain...@naccy.org (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >    2 nfs/khan.some.domain...@naccy.org (ArcFour with HMAC/md5)
> >    2 nfs/khan.some.domain...@naccy.org (Triple DES cbc mode with HMAC/sha1)
> >    2 nfs/khan.some.domain...@naccy.org (DES cbc mode with CRC-32)
>
> this appears to have everything *but* aes128-cts:normal, fwiw.
>
> My example client has:
>
> 0 example:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/example.example....@example.org (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> 0 example:~#
Fair enough, I now have this on the client:

root@khan:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/khan.some.domain...@naccy.org (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 host/khan.some.domain...@naccy.org (AES-128 CTS mode with 96-bit SHA-1 HMAC)

I also have this on the server:

blackdog:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/blackdog.some.domain...@naccy.org (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   7 nfs/blackdog.some.domain...@naccy.org (AES-128 CTS mode with 96-bit SHA-1 HMAC)

> > /etc/fstab:
> > blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0
>
> 0 example:~# grep nfs /etc/fstab
> nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0
> 0 example:~#
>
> i don't think the fsc is relevant to this discussion -- and i can't
> imagine that the difference between krb5 and krb5p is the issue.

Yep, and I have no need for the encryption across the wire, either.

> > Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the
> > above:
> >
> > Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
> > handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> > failure. Minor code may provide more information) - Encryption type not
> > permitted
>
> can you show the same klist on blackdog? here's what i've got on my server:
>
> 0 nfshost:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    8 nfs/nfshost.example....@example.org (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> 0 nfshost:~#

Yup, shown above.
> > Both machines, client and server have:
> >
> > linux-image-2.6.39-bpo.2-amd64
> > nfs-kernel-server 1:1.2.4-1~bpo60+1
>
> you shouldn't need nfs-kernel-server on the client -- what version of
> nfs-common do you have on the client?
>

nfs-common 1:1.2.4-1~bpo60+1

> > Both machines, client and server have in krb5.conf:
> >
> > allow_weak_crypto = true
>
> A useful test might be to *reduce* the number of supported_enctypes to a
> select one or two, then change the keys for the client and the server
> (and for any user account using krb5 authentication) and re-try.

So, reduce the list to, say, just aes128-cts:normal? Should I also remove
the allow_weak_crypto option?

--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111024190947.ga26...@naccy.org
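The comparison the thread is doing by eye (which enctypes the keytabs hold versus which ones the KDC's supported_enctypes line lets it issue, and whether anything left still depends on allow_weak_crypto) can be mechanised. The script below is an added example written for this page; it is not code from the thread, from Debian or from MIT krb5. It assumes `klist -e -k` output in the layout shown above, a kdc.conf supported_enctypes line (possibly backslash-continued), and a translation table that covers only the enctype names that appear in this thread; the hostnames, realm and keytab listings embedded in it are constructed, and treating a bare `des` entry as the three single-DES types is a simplification of how MIT expands that family name.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check keytab enctypes against a
# KDC's supported_enctypes policy and flag enctypes that need allow_weak_crypto.
# Sample data is constructed; hostnames and realm are hypothetical.

# Translate the long names `klist -e` prints into the short names used in
# kdc.conf. Only the types that appear in the thread are covered.
enctype_name() {
    case "$1" in
        *"AES-256 CTS mode with 96-bit SHA-1 HMAC"*) echo aes256-cts ;;
        *"AES-128 CTS mode with 96-bit SHA-1 HMAC"*) echo aes128-cts ;;
        *"ArcFour with HMAC/md5"*)                    echo arcfour-hmac ;;
        *"Triple DES cbc mode with HMAC/sha1"*)       echo des3-hmac-sha1 ;;
        *"DES cbc mode with CRC-32"*)                 echo des-cbc-crc ;;
        *)                                            echo unknown ;;
    esac
}

# Enctype names, one per line, from a `klist -e -k` listing: key entries are
# the lines that end in a parenthesised enctype description.
keytab_enctypes() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'('*')') enctype_name "$line" ;;
        esac
    done
}

# Enctype names from a supported_enctypes line. Drops the ":salt" suffixes and
# backslash continuations; expands bare "des" to the single-DES types
# (assumption: treated as MIT's single-DES family name).
supported_enctypes() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/\\$//' | tr ' ' '\n' \
        | sed -e 's/:.*//' -e 's/^des$/des-cbc-crc des-cbc-md5 des-cbc-md4/' \
        | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Keytab enctypes the KDC is not configured to issue keys for: after a policy
# change without a rekey these are stale entries. Prints them; returns 1 if any.
unpermitted_enctypes() {
    klist_out=$1; policy=$2; found=0
    permitted=$(supported_enctypes "$policy")
    for et in $(keytab_enctypes "$klist_out" | sort -u); do
        if ! printf '%s\n' "$permitted" | grep -qxF "$et"; then
            echo "$et"
            found=1
        fi
    done
    return $found
}

# Enctypes MIT krb5 refuses unless allow_weak_crypto = true (single DES and
# the other types MIT classes as weak). If a keytab holds none of these, the
# allow_weak_crypto setting is not doing anything for that host.
is_weak() {
    case "$1" in
        des-cbc-crc|des-cbc-md5|des-cbc-md4|des-hmac-sha1|des3-cbc-raw|arcfour-hmac-exp) return 0 ;;
        *) return 1 ;;
    esac
}
weak_enctypes() {
    for et in $(keytab_enctypes "$1" | sort -u); do
        is_weak "$et" && echo "$et"
    done
    return 0
}

# Constructed sample: a client keytab with the four enctypes the thread shows
# first (no aes128-cts), and the same keytab after rekeying with aes128-cts only.
SAMPLE_KEYTAB_BEFORE='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/client.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 nfs/client.example.test@EXAMPLE.TEST (Triple DES cbc mode with HMAC/sha1)
   2 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)'
SAMPLE_KEYTAB_AFTER='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/client.example.test@EXAMPLE.TEST (AES-128 CTS mode with 96-bit SHA-1 HMAC)'

# The kdc.conf policy quoted in the thread, and the reduced one Daniel proposes.
SAMPLE_POLICY_BEFORE='supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
des:onlyrealm des:afs3 aes128-cts:normal'
SAMPLE_POLICY_AFTER='supported_enctypes = aes128-cts:normal'

echo "== keytab entries outside the aes128-cts-only policy =="
unpermitted_enctypes "$SAMPLE_KEYTAB_BEFORE" "$SAMPLE_POLICY_AFTER" || true
echo "== keytab entries that still need allow_weak_crypto =="
weak_enctypes "$SAMPLE_KEYTAB_BEFORE"
```

Run against real data, replace the two sample listings with `klist -e -k /etc/krb5.keytab` output from each host and the policy string with the supported_enctypes line from the KDC's kdc.conf. The script only checks the keytab against the KDC policy and the weak-crypto list; it says nothing about which enctypes the kernel's rpcsec_gss code accepts, which is a separate constraint on an NFS mount.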