11-14-2011, 02:36 PM
Luk Claes

Bug#622146: nfs-kernel-server: error Encryption type not permitted

On 11/14/2011 04:57 PM, Mc.Sim wrote:

> Hello!

Hi

> I have Win2k8 R2 as a domain controller (as KDC for NFS).
> There is an NFS client on Debian wheezy: hostname - debian:

> I tried to uncomment
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> and comment:
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

Why would that work without changing anything in your Kerberos keytabs?

> but always when trying to connect to the server,
> root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2

> And get the error in log on server:
> ARCHIV ~ # tailf /var/log/daemon.log
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted

Expected when des3-hmac-sha1 is not in keytab.

> ==============================================
> In this case, the second mount on the client only after a service nfs-common restart, because mount hangs and stops due to a timeout.
> When I comment out all the settings on the server and client:
>
> # allow_weak_crypto = true
> # default_tgs_enctypes = des-cbc-crc
> # default_tkt_enctypes = des-cbc-crc
> # permitted_enctypes = des-cbc-crc
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> # permitted_enctypes = des-cbc-crc

> And I get message on server-log:
>
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
>
> Help me, please for this problem.

This will only work if you have other possibilities in the Kerberos keytab.

> p.s. On the client (hostname debian) as an NFS server is installed and if I run:
> root@debian:~# grep -v ^# /etc/exports
> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
> mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
> debian:/ on /mnt type nfs4 (rw,sec=krb5)
> root@debian:~# mount | grep nfs
> nfsd on /proc/fs/nfsd type nfsd (rw)
> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)

So it worked, I guess that's the initial scenario where you are using
des-cbc-crc?

I myself have little to no experience with Kerberos, but I would try
klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
to add entries to the keytab when needed. This does not look like an NFS
problem to me or am I mistaken?

Cheers

Luk



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4EC13589.6020106@debian.org
 
11-14-2011, 02:57 PM
"Mc.Sim"

Bug#622146: nfs-kernel-server: error Encryption type not permitted

Package: nfs-kernel-server
Version: 1:1.2.4-1~bpo60+1
Severity: normal


Hello!
I have Win2k8 R2 as a domain controller (as KDC for NFS).
There is an NFS client on Debian wheezy: hostname - debian:

root@debian:~# dpkg -l | grep nfs
ii libnfsidmap2 0.24-1 An nfs idmapping library
ii nfs-common 1:1.2.5-2 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.5-2 support for NFS kernel server

There is an NFS server: host name - archiv:

ARCHIV ~ # dpkg -l | grep nfs
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.4-1~bpo60+1 support for NFS kernel server
ARCHIV ~ # grep -v ^# /etc/exports
/nfs gss/krb5(rw,sync,no_subtree_check)

On both Debian:

ARCHIV ~ # cat /etc/krb5.conf
[libdefaults]
default_realm = SAG.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto = true

default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = SAG.LOCAL
}

[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false
===================================================
I tried to uncomment
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
and comment:
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

but always when trying to connect to the server,
root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "archiv:/"
mount: node: "/mnt2"
mount: types: "nfs4"
mount: opts: "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Mon Nov 14 18:40:42 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs

I get the error log on client:
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81f9bc data 0xbf81fa3c
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b21c data 0xbf81b29c
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b21c data 0xbf81b29c
Nov 14 18:38:47 debian rpc.gssd[696]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
Nov 14 18:38:47 debian rpc.gssd[696]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 14 18:38:47 debian rpc.gssd[696]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
Nov 14 18:38:47 debian rpc.gssd[696]: process_krb5_upcall: service is '<null>'
Nov 14 18:38:52 debian rpc.gssd[696]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:38:52 debian rpc.gssd[696]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:38:52 debian rpc.gssd[696]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:38:52 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:38:52 debian rpc.gssd[696]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:38:52 debian rpc.gssd[696]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:38:52 debian rpc.gssd[696]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:38:52 debian rpc.gssd[696]: creating tcp client for server archiv.sag.local
Nov 14 18:38:52 debian rpc.gssd[696]: DEBUG: port already set to 2049
Nov 14 18:38:52 debian rpc.gssd[696]: creating context with server nfs@archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 14 18:39:08 debian rpc.gssd[696]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:39:08 debian rpc.gssd[696]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:39:08 debian rpc.gssd[696]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:39:08 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:39:08 debian rpc.gssd[696]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:39:08 debian rpc.gssd[696]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:39:08 debian rpc.gssd[696]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:39:08 debian rpc.gssd[696]: creating tcp client for server archiv.sag.local
Nov 14 18:39:08 debian rpc.gssd[696]: DEBUG: port already set to 2049
Nov 14 18:39:08 debian rpc.gssd[696]: creating context with server nfs@archiv.sag.local
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: doing error downcall
Nov 14 18:39:18 debian rpc.gssd[696]: Failed to write error downcall!
Nov 14 18:39:18 debian rpc.gssd[696]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
Nov 14 18:39:18 debian rpc.gssd[696]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt13

And get the error in log on server:
ARCHIV ~ # tailf /var/log/daemon.log
Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
==============================================
In this case, the second mount on the client only after a service nfs-common restart, because mount hangs and stops due to a timeout.
When I comment out all the settings on the server and client:

# allow_weak_crypto = true
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# permitted_enctypes = des-cbc-crc

If you try to mount I get on the client-log:

Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 14 18:50:20 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 14 18:50:20 debian rpc.gssd[1730]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 14 18:50:20 debian rpc.gssd[1730]: process_krb5_upcall: service is '<null>'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:50:20 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:50:20 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:50:20 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:50:20 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: doing error downcall
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt17

And I get message on server-log:

Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)

Help me, please for this problem.

p.s. On the client (hostname debian) as an NFS server is installed and if I run:
root@debian:~# grep -v ^# /etc/exports
/nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
debian:/ on /mnt type nfs4 (rw,sec=krb5)
root@debian:~# mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)





-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 56885 status
100024 1 tcp 42127 status
100021 1 udp 42119 nlockmgr
100021 3 udp 42119 nlockmgr
100021 4 udp 42119 nlockmgr
100021 1 tcp 38382 nlockmgr
100021 3 tcp 38382 nlockmgr
100021 4 tcp 38382 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100005 1 udp 42843 mountd
100005 1 tcp 50330 mountd
100005 2 udp 55182 mountd
100005 2 tcp 44541 mountd
100005 3 udp 50955 mountd
100005 3 tcp 44805 mountd
-- /etc/default/nfs-kernel-server --
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=yes
-- /etc/exports --
/nfs gss/krb5(rw,sync,no_subtree_check)
-- /proc/fs/nfs/exports --
# Version 1.1
# Path Client(Flags) # IPs

-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nfs-kernel-server depends on:
ii libblkid1 2.17.2-9 block device id library
ii libc6 2.13-21 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - k
ii libgssglue1 0.1-4 mechanism-switch gssapi library
ii libk5crypto3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii libtirpc1 0.2.2-5 transport-independent RPC library
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client
ii ucf 3.0025+nmu1 Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information



--
Archive: http://lists.debian.org/20111114145704.4829.23854.reportbug@archiv.SAG.local
 
11-14-2011, 04:13 PM
"Kramarenko A. Maxim"

Bug#622146: nfs-kernel-server: error Encryption type not permitted

Luk Claes <luk@debian.org> wrote in his message of Mon, 14 Nov 2011 19:36:41 +0400:

> On 11/14/2011 04:57 PM, Mc.Sim wrote:
>
> Why would that work without changing anything in your Kerberos keytabs?

keytab contains both types of encryption. (example below in the text)

>> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
>> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified
>> GSS failure. Minor code may provide more information) - Encryption
>> type not permitted
>
> Expected when des3-hmac-sha1 is not in keytab.

>> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
>> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified
>> GSS failure. Minor code may provide more information) - No supported
>> encryption types (config file error?)
>>
>> Help me, please for this problem.
>
> This will only work if you have other possibilities in the Kerberos
> keytab.

Yes, the other encryption types are present in keytab ...

>> p.s. On the client (hostname debian) as an NFS server is installed and
>> if I run:
>>
>> root@debian:~# grep -v ^# /etc/exports
>> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
>> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
>> root@debian:~# mount | grep nfs
>> debian:/ on /mnt type nfs4
>> (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)
>
> So it worked, I guess that's the initial scenario where you are using
> des-cbc-crc?
>
> I myself have little to no experience with Kerberos, but I would try
> klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
> to add entries to the keytab when needed. This does not look like an NFS
> problem to me or am I mistaken?

According to the documentation (
http://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx ), Win
2k8 R2 does not support DES-CBC-MD5 & DES-CBC-CRC.

As I understand it, probably for this error when uncommented parameters


# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc

or

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1


But in the keytab there are other types of encryption:
root@debian:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------

3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)
===========================================
kinit gets the correct tickets from the KDC on client only commented
parameters:

==========================================
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials

root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials

root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 20:33:18 11/15/11 06:33:21 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 20:33:18
=======================
...and on server:
=======================
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials

ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials

ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 21:05:29 11/15/11 07:05:29 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 21:05:29

However, NFS does not work for any given parameters.



> Cheers
>
> Luk

P.s.
Luk Claes <luk@debian.org> wrote in his message of Mon, 14 Nov 2011 19:39:06 +0400:

> On 11/14/2011 04:35 PM, "Крамаренко Максим" wrote:
>
>> Hello!
>> Your message has been received. [originally in Russian]
>
> Unfortunately I don't understand Russian, can you please translate?
> Cheers
> Luk

Sorry! This is an e-mail answering service. I have it turned off.

Best Regards



--
Archive: http://lists.debian.org/op.v4x4sleseaxn5m@odmen.sag.local
 
11-14-2011, 05:19 PM
Russ Allbery

Bug#622146: nfs-kernel-server: error Encryption type not permitted

I don't know what's going on with the NFS portion of this, since I don't
use NFS at all, but I can tell you a few things about the Kerberos end.

"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:

> But in the keytab there are other types of encryption:
> root@debian:~# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
> 3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
> 3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
> 3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
> 3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)

For a Windows 2008r2 Active Directory domain controller, the only enctypes
there that are going to work are arcfour-hmac and aes128. (aes256 might
as well in some situations, but I think you have to go to some extra work,
or maybe it's that a lot of Windows clients don't support them.)

> root@debian:~# grep des /etc/krb5.conf
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

You generally don't want to set these parameters, although I realize that
used to be the case for NFS.

The NFS machinery is going to need to support either arcfour-hmac or
aes128, since Windows never supported 3DES, and you don't want to use
plain DES any more (and it has to be specifically enabled on the Windows
side, if they haven't dropped it entirely now). I'm not sure what
enctypes the kernel-level support currently implements.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>



--
Archive: http://lists.debian.org/87obwed0tj.fsf@windlord.stanford.edu
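
The three `kinit` outcomes reported in the thread can be reproduced by intersecting the enctype lists involved: the keytab (`klist -ke`), `permitted_enctypes` in krb5.conf, the `enctypes=` list in the client's rpc.gssd upcall log line, and what the KDC accepts. This is an added example, not code from the thread or from nfs-utils; the inputs are copied from the posts above, the KDC set (arcfour-hmac and aes128) is an assumption taken from Russ Allbery's reply, and all function names are hypothetical. It covers the client-side lists only and does not model what the server's kernel accepts.

```python
import re

# Kerberos enctype numbers (IANA registry) and their MIT krb5 names.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
NAME_TO_NUM = {name: num for num, name in ENCTYPES.items()}
# Alternative spellings MIT krb5 accepts for the same enctypes.
NAME_TO_NUM.update({"des3-hmac-sha1": 16, "rc4-hmac": 23,
                    "aes128-cts": 17, "aes256-cts": 18})

KLIST_ROW = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")
UPCALL = re.compile(r"enctypes=([\d,]+)")


def enctype_number(name):
    """Map an enctype name to its number; raises KeyError if unknown."""
    name = name.strip().lower()
    # Newer klist versions prefix weak types with "DEPRECATED:".
    if name.startswith("deprecated:"):
        name = name[len("deprecated:"):]
    return NAME_TO_NUM[name]


def keytab_enctypes(klist_ke_output, principal):
    """Enctype numbers that `klist -ke` lists for one principal."""
    found = set()
    for line in klist_ke_output.splitlines():
        m = KLIST_ROW.match(line)
        if m and m.group(1) == principal:
            found.add(enctype_number(m.group(2)))
    return found


def configured_enctypes(krb5_conf, key="permitted_enctypes"):
    """First uncommented `key = ...` value as a set, or None when unset.

    Simplification: scans the whole file instead of only [libdefaults].
    """
    for line in krb5_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):
            continue
        name, sep, rest = stripped.partition("=")
        if sep and name.strip() == key:
            return {enctype_number(t) for t in re.split(r"[\s,]+", rest.strip()) if t}
    return None


def upcall_enctypes(log_line):
    """Enctype numbers, in order, from an rpc.gssd handle_gssd_upcall line."""
    m = UPCALL.search(log_line)
    return [int(n) for n in m.group(1).split(",")] if m else []


def negotiable(keytab, permitted, upcall, kdc):
    """Names of enctypes present in every list, in the upcall's order."""
    common = set(keytab) & set(upcall) & set(kdc)
    if permitted is not None:  # None means krb5.conf imposes no restriction
        common &= permitted
    return [ENCTYPES[n] for n in upcall if n in common]


# Inputs copied from the thread above.
PRINCIPAL = "nfs/debian.sag.local@SAG.LOCAL"
KLIST_KE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
   3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
   3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)
"""
UPCALL_LINE = ("Nov 14 18:38:47 debian rpc.gssd[696]: handle_gssd_upcall: "
               "'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '")
CONF_DES = "# permitted_enctypes = des3-hmac-sha1\npermitted_enctypes = des-cbc-crc\n"
CONF_DES3 = "permitted_enctypes = des3-hmac-sha1\n# permitted_enctypes = des-cbc-crc\n"
CONF_ALL_COMMENTED = ("# permitted_enctypes = des3-hmac-sha1\n"
                      "# permitted_enctypes = des-cbc-crc\n")
# Assumption from Russ Allbery's reply: a Windows 2008 R2 KDC works with these.
KDC_ENCTYPES = {17, 23}


def evaluate_thread_cases():
    """Negotiable enctypes for each krb5.conf variant tried in the thread."""
    keytab = keytab_enctypes(KLIST_KE, PRINCIPAL)
    upcall = upcall_enctypes(UPCALL_LINE)
    cases = {"des-cbc-crc": CONF_DES, "des3-hmac-sha1": CONF_DES3,
             "unset": CONF_ALL_COMMENTED}
    return {label: negotiable(keytab, configured_enctypes(conf), upcall, KDC_ENCTYPES)
            for label, conf in cases.items()}


if __name__ == "__main__":
    for label, names in evaluate_thread_cases().items():
        print(f"permitted_enctypes {label}: {names or 'no common enctype'}")
```

An empty result corresponds to the `kinit: KDC has no support for encryption type` runs quoted above, and the non-empty result to the run where `kinit -k` obtained a ticket.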
 
