Mount error with NFSv4 and Kerberos (Bad encryption type)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Laurent Bonnaud <bonnaud-jHyHnS8NkcXLSxaa5bH2iPQULIy34Utc@public.gmane.org>
To: linux-nfs@vger.kernel.org
Subject: Mount error with NFSv4 and Kerberos (Bad encryption type)
Date: Wed, 30 Jun 2010 17:43:51 +0200	[thread overview]
Message-ID: <1277912631.11798.22.camel@localhost> (raw)

[-- Attachment #1: Type: text/plain, Size: 2357 bytes --]

Hi,

I am trying to mount a NFSv4 share from a Debian squeeze NFS server on a
Debian squeeze NFS client using sec=krb5.  The same setup used to work
an Debian lenny and failed just after the upgrade to Debian squeeze.

Both systems use the latest versions in Debian squeeze, currently:
 - nfs-utils version 1.2.2 (package version 1.2.2-1)
 - kernel 2.6.32 (package version 2.6.32-15)
 - krb5 1.8.1 (package version 1.8.1+dfsg-5)

The mount operation fails with this error message:

root@svn-info:~# mount -v /users
mount.nfs4: timeout set for Wed Jun 30 17:29:47 2010
mount.nfs4: trying text-based options 'intr,sec=krb5,addr=192.168.141.5,clientaddr=195.221.57.54'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting erebus2-pdg:/users

Here is the /etc/fstab entry on the client:

  erebus2-pdg:/users /users nfs4 auto,user,exec,intr,sec=krb5

On the server /var/log/daemon.log contains the following error messages:

Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type
Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type

Kerberos keys were generated on a Windows 2003 AD server and the same
keys used to work in Debian lenny:

 - on the client:

root@svn-info:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/pc-client-nfs-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5) 

 - on the server:

root@erebus2-pdg:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/erebus2-pdg.iut2.upmf-grenoble.fr-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5) 

On the server /etc/krb5.conf does contain the following line (see the
attached file):

  allow_weak_crypto = true

Google does not know about this problem:

  http://www.google.com/search?q=rpc.svcgssd+%22Bad+encryption+type%22

Could anybody please help ?

-- 
Laurent Bonnaud.

[-- Attachment #2: krb5.conf --]
[-- Type: text/plain, Size: 490 bytes --]

[libdefaults]
	default_realm = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

     	allow_weak_crypto = true

[realms]
	NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR = {
		kdc = xxx.iut2.upmf-grenoble.fr
		admin_server = xxx.iut2.upmf-grenoble.fr
	}

[domain_realm]
	.iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
	iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR

next             reply	other threads:[~2010-06-30 15:54 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-30 15:43 Laurent Bonnaud [this message]
2010-06-30 16:22 ` Mount error with NFSv4 and Kerberos (Bad encryption type) Timo Aaltonen
     [not found]   ` <alpine.DEB.2.00.1006301918360.17692-8U32XKBxp6oxHbG02/KK1g@public.gmane.org>
2010-06-30 17:24     ` Laurent Bonnaud
2010-07-01 21:50       ` Timo Aaltonen
     [not found]         ` <alpine.DEB.2.00.1007020048220.17692-8U32XKBxp6oxHbG02/KK1g@public.gmane.org>
2010-07-02 13:57           ` Laurent Bonnaud
2010-07-02 14:17             ` Kevin Coffman
     [not found]               ` <AANLkTikusWEjVBEdtnR9fOSv4f_NgMBKK6BtWVLQ1nWf-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-07-05 15:12                 ` Laurent Bonnaud
2010-07-06 17:34                   ` Kevin Coffman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1277912631.11798.22.camel@localhost \
    --to=bonnaud-jhyhns8nkcxlsxaa5bh2ipquliy34utc@public.gmane.org \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.