Russ Allbery <r...@debian.org> wrote in his message of Tue, 15 Nov 2011
00:27:01 +0400:
> "Kramarenko A. Maxim" <mc-si...@ya.ru> writes:
> The NFS server, client, and KDC all have to agree on a single encryption
> type, and the encryption type of the service ticket issued by the KDC to
> the client has to be in an encryption type that the NFS server supports.
The KDC supports these encryption types
(http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx):
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS server has the kernel:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686 GNU/Linux
As you said above, it supports:
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS client has the kernel:
root@debian:~# uname -a
Linux debian 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
It is older than the server's, so accordingly it should also support the
encryption types above.
(If the server and client are both on the kernel Linux debian 3.0.0-1-486 #1,
then there is no error ...)
I tried to tune krb5.conf on the NFS client and server (last message):
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
But there was still an error on the NFS server:
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
> It would be more interesting to run klist -e after attempting to contact
> the server, so that you can see what the encryption type of the service
> ticket for the NFS server was.
On the client:
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting     Expires            Service principal
11/15/11 09:27:22  11/15/11 19:27:30  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
...and on the server:
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting     Expires            Service principal
11/15/11 09:26:37  11/15/11 19:26:42  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/16/11 09:26:37, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
--
Best Regards
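
Added example, not part of the original message or of any krb5 tool: a small Python check that reads `klist -e` output, maps the enctype names to their numbers, and reports whether the cache holds a service ticket for the NFS server and whether its enctypes are ones the server accepts. The function names, the date format, the AES ticket in the second sample and the `{23}` set (modelling the rc4-hmac-only krb5.conf above) are assumptions made for illustration.

```python
import re

# The two klist outputs in the message name the same enctype differently:
# "arcfour-hmac" on the client and "ArcFour with HMAC/md5" on the server.
ETYPE_IDS = {
    "aes256-cts-hmac-sha1-96": 18, "aes-256 cts mode with 96-bit sha-1 hmac": 18,
    "aes128-cts-hmac-sha1-96": 17, "aes-128 cts mode with 96-bit sha-1 hmac": 17,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour with hmac/md5": 23,
}
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"  # assumed: date format as in the message
TICKET = re.compile(
    rf"{DATE} {DATE} (\S+) (?:renew until {DATE}, )?"
    rf"Etype \(skey, tkt\): (.+?), (.+?)(?= {DATE} |$)")

def parse_klist(text):
    """Return [(service principal, skey enctype id, tkt enctype id)]."""
    flat = " ".join(text.split())  # undo line wrapping added by the mailer
    return [(m[1], ETYPE_IDS.get(m[2].lower()), ETYPE_IDS.get(m[3].lower()))
            for m in TICKET.finditer(flat)]

def check_service(text, service, server_etypes):
    """Compare the cached ticket for `service` with the enctype ids the
    server accepts (server_etypes is supplied by the admin, not detected)."""
    for principal, skey, tkt in parse_klist(text):
        if principal.split("@")[0] == service:
            ok = skey in server_etypes and tkt in server_etypes
            return "ok" if ok else "mismatch"  # unknown names count as mismatch
    return "no-service-ticket"  # cache holds only a TGT: nothing to compare

# Client cache as posted in the message, taken right after kinit.
CLIENT_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
"""
# Constructed sample: the same cache after a mount attempt has fetched a
# service ticket; the times and the AES enctype are invented for illustration.
AFTER_MOUNT = CLIENT_CACHE + """\
11/15/11 09:31:05 11/15/11 19:27:30 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, cache in (("after kinit", CLIENT_CACHE), ("after mount", AFTER_MOUNT)):
        print(name, check_service(cache, "nfs/archiv.sag.local", {23}))
```

Run against the cache as posted, the check returns "no-service-ticket": both outputs above list only krbtgt/SAG.LOCAL, so they show the TGT enctype and not the enctype of the ticket for the NFS service.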