2010-06-30 15:54:16

by Laurent Bonnaud

Subject: Mount error with NFSv4 and Kerberos (Bad encryption type)

Hi,

I am trying to mount a NFSv4 share from a Debian squeeze NFS server on a
Debian squeeze NFS client using sec=krb5. The same setup used to work
on Debian lenny and failed just after the upgrade to Debian squeeze.

Both systems use the latest versions in Debian squeeze, currently:
- nfs-utils version 1.2.2 (package version 1.2.2-1)
- kernel 2.6.32 (package version 2.6.32-15)
- krb5 1.8.1 (package version 1.8.1+dfsg-5)

The mount operation fails with this error message:

root@svn-info:~# mount -v /users
mount.nfs4: timeout set for Wed Jun 30 17:29:47 2010
mount.nfs4: trying text-based options 'intr,sec=krb5,addr=192.168.141.5,clientaddr=195.221.57.54'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting erebus2-pdg:/users

Here is the /etc/fstab entry on the client:

erebus2-pdg:/users /users nfs4 auto,user,exec,intr,sec=krb5

On the server /var/log/daemon.log contains the following error messages:

Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type
Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type

Kerberos keys were generated on a Windows 2003 AD server and the same
keys used to work in Debian lenny:

- on the client:

root@svn-info:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/pc-client-nfs-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5)

- on the server:

root@erebus2-pdg:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/erebus2-pdg.iut2.upmf-grenoble.fr-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5)

On the server /etc/krb5.conf does contain the following line (see the
attached file):

allow_weak_crypto = true

Google does not know about this problem:

http://www.google.com/search?q=rpc.svcgssd+%22Bad+encryption+type%22

Could anybody please help ?

--
Laurent Bonnaud.


Attachments:
krb5.conf (490.00 B)
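
The two things this post reports, single-DES keys in the keytab and `allow_weak_crypto` in krb5.conf, can be checked mechanically; MIT krb5 1.8 refuses single-DES enctypes unless that option is true in `[libdefaults]`. The Python below is an added example, not part of the original thread: the function names are hypothetical and the keytab listing and krb5.conf are constructed samples, here with the option placed in the wrong section.

```python
import re

YES = {"y", "yes", "true", "t", "1", "on"}  # spellings MIT krb5 reads as true

def keytab_entries(klist_output):
    """Parse `klist -ke` text into (kvno, principal, enctype) tuples."""
    pat = re.compile(r"\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
    return [(int(m[1]), m[2], m[3])
            for m in map(pat.match, klist_output.splitlines()) if m]

def is_single_des(enctype):
    """True for single-DES names in either klist style; 3DES is not matched."""
    return re.match(r"(deprecated:)?des[ -](cbc|hmac)", enctype.lower()) is not None

def weak_crypto_setting(krb5_conf):
    """Return (enabled_in_libdefaults, other_sections_where_it_appears)."""
    section, enabled, misplaced = None, False, []
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "allow_weak_crypto":
                if section == "libdefaults":
                    enabled = value.lower() in YES
                else:
                    misplaced.append(section)  # has no effect outside [libdefaults]
    return enabled, misplaced

def audit(klist_output, krb5_conf):
    """Report single-DES keytab entries and whether [libdefaults] permits them."""
    enabled, misplaced = weak_crypto_setting(krb5_conf)
    weak = [e for e in keytab_entries(klist_output) if is_single_des(e[2])]
    return {"weak_entries": weak, "allow_weak_crypto": enabled,
            "misplaced_in": misplaced, "refused": [] if enabled else weak}

# Constructed sample input (not the poster's files).
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   3 nfs/server.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 nfs/server.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""
SAMPLE_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n allow_weak_crypto = true\n"

if __name__ == "__main__":
    print(audit(SAMPLE_KLIST, SAMPLE_CONF))
```

Run it against the real `klist -ke` output and `/etc/krb5.conf` on both the client and the server, since each host reads its own configuration.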

2010-06-30 16:22:42

by Timo Aaltonen

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

On Wed, 30 Jun 2010, Laurent Bonnaud wrote:

> On the server /etc/krb5.conf does contain the following line (see the
> attached file):
>
> allow_weak_crypto = true

Put that on the client as well and it should work.

--
Timo Aaltonen
Systems Specialist
Aalto IT

2010-06-30 17:24:38

by Laurent Bonnaud

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

On Wed, 2010-06-30 at 19:22 +0300, Timo Aaltonen wrote:

> Put that on the client as well and it should work.

Thank you for the suggestion !

Unfortunately the client already has the same /etc/krb5.conf file as the
server. Any other idea ?

--
Laurent Bonnaud.



2010-07-05 15:12:07

by Laurent Bonnaud

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

On Fri, 2010-07-02 at 10:17 -0400, Kevin Coffman wrote:
>
> The KDC hasn't changed, and is still Windows 2003?

Yes it is. However, according to my packet captures it is not involved
during the mount operation.

> Is there any extra
> information logged if you increase the debug level for svcgssd
> ("-vvv")?

Here it is:

Jul 5 17:09:11 erebus2-pdg kernel: [428525.872129] svc: failed to register lockdv1 RPC service (errno 97).
Jul 5 17:09:11 erebus2-pdg kernel: [428525.873430] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Jul 5 17:09:11 erebus2-pdg kernel: [428525.873507] NFSD: starting 90-second grace period
Jul 5 17:09:11 erebus2-pdg rpc.svcgssd[15388]: rpcsec_gss: debug level is 3
Jul 5 17:09:11 erebus2-pdg rpc.svcgssd[15389]: entering poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: leaving poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: WARNING: gss_accept_sec_context failed
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Bad encryption type
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: sending null reply
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: finished handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: entering poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: leaving poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: WARNING: gss_accept_sec_context failed
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Bad encryption type
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: sending null reply
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: finished handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: entering poll

> Could you send, me and/or the list, packet traces taken
> from the (NFS) client and the server?

See the attached file.

--
Laurent Bonnaud.


Attachments:
NFS-KRB.pcap (5.34 kB)

2010-07-06 17:39:48

by Kevin Coffman

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

Unfortunately, the log messages and trace don't provide any new
information you haven't already provided. I've been looking to see
whether there have been any (Kerberos) changes which would reject the
use of des-cbc-md5, but haven't found anything. I'm not sure how to
proceed...

On Mon, Jul 5, 2010 at 11:12 AM, Laurent Bonnaud
<[email protected]> wrote:
> On Fri, 2010-07-02 at 10:17 -0400, Kevin Coffman wrote:
>>
>> The KDC hasn't changed, and is still Windows 2003?
>
> Yes it is. However, according to my packet captures it is not involved
> during the mount operation.
>
>> Is there any extra
>> information logged if you increase the debug level for svcgssd
>> ("-vvv")?
>
> Here it is:
>
> [ ... ]

2010-07-01 21:51:01

by Timo Aaltonen

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

On Wed, 30 Jun 2010, Laurent Bonnaud wrote:

> On Wed, 2010-06-30 at 19:22 +0300, Timo Aaltonen wrote:
>
>> Put that on the client as well and it should work.
>
> Thank you for the suggestion !
>
> Unfortunately the client already has the same /etc/krb5.conf file as the
> server. Any other idea ?

Try forcing the encryption type in krb5.conf:

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc


--
Timo Aaltonen
Systems Specialist, Aalto IT

2010-07-02 13:57:17

by Laurent Bonnaud

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

On Fri, 2010-07-02 at 00:50 +0300, Timo Aaltonen wrote:
>
> Try forcing the encryption type in krb5.conf:
>
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc

I did that both on the client and the server and the result is the
same :<.

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/



2010-07-02 14:17:41

by Kevin Coffman

Subject: Re: Mount error with NFSv4 and Kerberos (Bad encryption type)

On Fri, Jul 2, 2010 at 9:57 AM, Laurent Bonnaud
<[email protected]> wrote:
> On Fri, 2010-07-02 at 00:50 +0300, Timo Aaltonen wrote:
>>
>> Try forcing the encryption type in krb5.conf:
>>
>> default_tkt_enctypes = des-cbc-crc
>> default_tgs_enctypes = des-cbc-crc
>
> I did that both on the client and the server and the result is the
> same :<.
>

The KDC hasn't changed, and is still Windows 2003? Is there any extra
information logged if you increase the debug level for svcgssd
("-vvv")? Could you send, me and/or the list, packet traces taken
from the (NFS) client and the server?

K.C.