Old 11-14-2011, 05:59 PM
"Kramarenko A. Maxim"
 
Bug#622146: nfs-kernel-server: error Encryption type not permitted

Russ Allbery <rra@debian.org> wrote in his message of Mon, 14 Nov 2011
22:19:04 +0400:

> I don't know what's going on with the NFS portion of this, since I don't
> use NFS at all, but I can tell you a few things about the Kerberos end.
>
> For a Windows 2008r2 Active Directory domain controller, the only
> enctypes there that are going to work are arcfour-hmac and aes128. (aes256
> might as well in some situations, but I think you have to go to some
> extra work, or maybe it's that a lot of Windows clients don't support
> them.)
>
> You generally don't want to set these parameters, although I realize that
> used to be the case for NFS.
>
> The NFS machinery is going to need to support either arcfour-hmac or
> aes128, since Windows never supported 3DES, and you don't want to use
> plain DES any more (and it has to be specifically enabled on the Windows
> side, if they haven't dropped it entirely now). I'm not sure what
> enctypes the kernel-level support currently implements.


Thank you all for your answers.

Russ,

I absolutely agree with you. Win 2k8 works correctly with the arcfour-hmac
(RC4-HMAC) and AES 128 (not supported by WinXP and younger).

Therefore, applying the allow_weak_crypto setting does not help me.
But how can I check support for RC4-HMAC and AES128, to make sure that
this is the reason for the problem?
And how do I know what version I need to upgrade the kernel to in order to
have a stable system with NFS running?


P.S. But does kinit get the same ticket from the KDC? Or does kinit not use
the kernel, and use userland-level tools instead?


P.P.S.:
I also tried to explicitly specify the type of encryption in krb5.conf:
=============
root@debian:~# grep -e rc4 -e des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 22:51:28
=============
and on server
=============
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 22:53:45 11/15/11 08:53:45 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 22:53:45
====================
And once again got an error on the server:
===================
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)



--
Best Regards



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/op.v4x9p7pgeaxn5m@odmen.sag.local
 
Old 11-14-2011, 06:05 PM
Daniel Kahn Gillmor
 
Bug#622146: nfs-kernel-server: error Encryption type not permitted

On 11/14/2011 01:19 PM, Russ Allbery wrote:

> The NFS machinery is going to need to support either arcfour-hmac or
> aes128, since Windows never supported 3DES, and you don't want to use
> plain DES any more (and it has to be specifically enabled on the Windows
> side, if they haven't dropped it entirely now). I'm not sure what
> enctypes the kernel-level support currently implements.

You'll need the kernel from squeeze-backports or later to get enctypes
other than des-cbc-crc.

I can attest that 2.6.39-3~bpo60+1 works with aes128-cts with SHA-1
HMAC, as long as you're using the nfs-kernel-server from bpo or later.
I haven't tried it against a win2k8 kdc, though.

--dkg
 
Old 11-14-2011, 07:17 PM
"Kramarenko A. Maxim"
 
Bug#622146: nfs-kernel-server: error Encryption type not permitted

Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote in his message of Mon,
14 Nov 2011 23:05:36 +0400:

> On 11/14/2011 01:19 PM, Russ Allbery wrote:
>
> You'll need the kernel from squeeze-backports or later to get enctypes
> other than des-cbc-crc.
>
> I can attest that 2.6.39-3~bpo60+1 works with aes128-cts with SHA-1
> HMAC, as long as you're using the nfs-kernel-server from bpo or later.
> I haven't tried it against a win2k8 kdc, though.
>
> --dkg



Thank you for your reply.
Daniel,

I updated the kernel to:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686
GNU/Linux


But the error appears again and I am unable to mount.
client:
==============
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5
uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 15 00:06:32 debian rpc.gssd[1730]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: process_krb5_upcall: service is
'<null>'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'archiv.sag.local' is 'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'debian.sag.local' is 'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
root/debian.sag.local@SAG.LOCAL while getting keytab entry for
'root/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for
'nfs/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using
FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to
select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0
(save_uid 0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server
archiv.sag.local

Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server
nfs@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5
context for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine
krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for
server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Machine cache is
prematurely expired or corrupted trying to recreate cache for server
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'archiv.sag.local' is 'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'debian.sag.local' is 'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
root/debian.sag.local@SAG.LOCAL while getting keytab entry for
'root/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for
'nfs/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using
FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to
select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0
(save_uid 0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server
archiv.sag.local

Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server
nfs@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5
context for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine
krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for
server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine
krb5 context with any credentials cache for server archiv.sag.local

Nov 15 00:06:32 debian rpc.gssd[1730]: doing error downcall
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client
/var/lib/nfs/rpc_pipefs/nfs/clnt20
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client
/var/lib/nfs/rpc_pipefs/nfs/clnt1f

===============
... and server:
===============
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)



Do you have any ideas?

--
Best Regards



Archive: http://lists.debian.org/op.v4ydbzs0eaxn5m@odmen.sag.local
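The question in the first message of this thread (how to check whether RC4-HMAC and AES128 are actually usable) and the `enctypes=18,17,16,23,3,1,2` upcall line in the message above can both be answered from the logs themselves: those numbers are the IANA Kerberos enctype numbers the kernel advertised to rpc.gssd. The script below is an added example, not code from this thread, from nfs-utils or from MIT krb5. It decodes the enctype numbers, reads `permitted_enctypes` from a krb5.conf, reads which keys a principal holds from `klist -ke` output, and intersects the three sets; an empty intersection is the condition rpc.svcgssd reports as "No supported encryption types". The sample log, krb5.conf and keytab listing are constructed (host names and principal borrowed from the thread), the short enctype names in `klist -ke` output are assumed, and the `allow_weak` flag models the `allow_weak_crypto` setting mentioned earlier.

```python
import re

# IANA / RFC 3961 Kerberos enctype numbers, as seen in the rpc.gssd upcall
# line "enctypes=18,17,16,23,3,1,2".
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Spellings MIT krb5 accepts in krb5.conf (or prints in klist) for the same types.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}
# Single-DES types: MIT krb5 refuses them unless allow_weak_crypto = true.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=krb5 uid=\d+ enctypes=([\d,]+)")
KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\(([\w-]+)\)")  # "KVNO principal (etype)"


def canonical(name):
    """Normalise a krb5.conf/klist spelling to the name used in ENCTYPES."""
    name = name.lower()
    return ALIASES.get(name, name)


def kernel_offered_enctypes(gssd_log):
    """Enctype names the kernel advertised in rpc.gssd 'handle_gssd_upcall' lines."""
    offered = set()
    for line in gssd_log.splitlines():
        m = UPCALL_RE.search(line)
        if m:
            offered.update(ENCTYPES.get(int(n), "unknown-%s" % n)
                           for n in m.group(1).split(","))
    return offered


def permitted_enctypes(krb5_conf):
    """Enctypes on the first uncommented permitted_enctypes line (empty = library default)."""
    for line in krb5_conf.splitlines():
        stripped = line.strip()           # a leading '#' means the line is commented out
        if stripped.startswith("permitted_enctypes"):
            _, _, value = stripped.partition("=")
            return {canonical(n) for n in value.split()}
    return set()


def keytab_enctypes(klist_ke_output, principal):
    """Enctypes for which `principal` holds a key, parsed from `klist -ke` output."""
    return {canonical(m.group(2))
            for m in map(KEYTAB_RE.match, klist_ke_output.splitlines())
            if m and m.group(1) == principal}


def diagnose(offered, permitted, in_keytab, allow_weak=False):
    """Intersect the kernel's offer, the krb5.conf policy and the keytab contents.
    An empty 'usable' set is what rpc.svcgssd reports as
    'No supported encryption types (config file error?)'."""
    allowed = offered & permitted if permitted else set(offered)
    if not allow_weak:
        allowed -= WEAK
    usable = allowed & in_keytab
    return {"usable": usable,
            "weak_only": bool(usable) and usable <= WEAK,
            "explains_error": not usable}


# Constructed samples modelled on the lines quoted in this thread.
SAMPLE_GSSD_LOG = (
    "Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: "
    "'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '\n"
    "Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local\n")
# Constructed: a kernel that offers nothing but des-cbc-crc (enctype 1).
DES_ONLY_LOG = ("Nov 14 22:54:00 debian rpc.gssd[1730]: handle_gssd_upcall: "
                "'mech=krb5 uid=0 enctypes=1 '\n")
SAMPLE_KRB5_CONF = ("[libdefaults]\n    default_realm = SAG.LOCAL\n"
                    "    # permitted_enctypes = des3-hmac-sha1\n"
                    "    permitted_enctypes = rc4-hmac\n")
SAMPLE_KLIST_KE = ("Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----------\n"
                   "   2 nfs/archiv.sag.local@SAG.LOCAL (arcfour-hmac)\n"
                   "   2 nfs/archiv.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)\n")
PRINCIPAL = "nfs/archiv.sag.local@SAG.LOCAL"

if __name__ == "__main__":
    policy = permitted_enctypes(SAMPLE_KRB5_CONF)
    keys = keytab_enctypes(SAMPLE_KLIST_KE, PRINCIPAL)
    for label, log in (("all enctypes offered", SAMPLE_GSSD_LOG),
                       ("des-cbc-crc only", DES_ONLY_LOG)):
        print(label, diagnose(kernel_offered_enctypes(log), policy, keys))
```

Run against real systems by feeding it `/var/log/daemon.log` (or `rpc.gssd -vvv` output), the server's `/etc/krb5.conf`, and `klist -ke /etc/krb5.keytab`, all taken from the host that logs the error; when `usable` comes back empty, the three printed sets show which side (kernel, policy or keytab) is missing the common enctype.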
 
