* Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Laurent Bonnaud @ 2010-06-30 15:43 UTC
To: linux-nfs
Hi,
I am trying to mount a NFSv4 share from a Debian squeeze NFS server on a
Debian squeeze NFS client using sec=krb5. The same setup used to work
on Debian lenny and failed just after the upgrade to Debian squeeze.
Both systems use the latest versions in Debian squeeze, currently:
- nfs-utils version 1.2.2 (package version 1.2.2-1)
- kernel 2.6.32 (package version 2.6.32-15)
- krb5 1.8.1 (package version 1.8.1+dfsg-5)
The mount operation fails with this error message:
root@svn-info:~# mount -v /users
mount.nfs4: timeout set for Wed Jun 30 17:29:47 2010
mount.nfs4: trying text-based options 'intr,sec=krb5,addr=192.168.141.5,clientaddr=195.221.57.54'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting erebus2-pdg:/users
Here is the /etc/fstab entry on the client:
erebus2-pdg:/users /users nfs4 auto,user,exec,intr,sec=krb5
On the server /var/log/daemon.log contains the following error messages:
Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type
Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type
Kerberos keys were generated on a Windows 2003 AD server and the same
keys used to work in Debian lenny:
- on the client:
root@svn-info:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/pc-client-nfs-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5)
- on the server:
root@erebus2-pdg:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/erebus2-pdg.iut2.upmf-grenoble.fr-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5)
On the server /etc/krb5.conf does contain the following line (see the
attached file):
allow_weak_crypto = true
Google does not know about this problem:
http://www.google.com/search?q=rpc.svcgssd+%22Bad+encryption+type%22
Could anybody please help ?
--
Laurent Bonnaud.
[-- Attachment #2: krb5.conf --]
[-- Type: text/plain, Size: 490 bytes --]
[libdefaults]
default_realm = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto = true
[realms]
NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR = {
kdc = xxx.iut2.upmf-grenoble.fr
admin_server = xxx.iut2.upmf-grenoble.fr
}
[domain_realm]
.iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Timo Aaltonen @ 2010-06-30 16:22 UTC
To: Laurent Bonnaud; +Cc: linux-nfs

On Wed, 30 Jun 2010, Laurent Bonnaud wrote:

> On the server /etc/krb5.conf does contain the following line (see the
> attached file):
>
> allow_weak_crypto = true

Put that on the client as well and it should work.

--
Timo Aaltonen
Systems Specialist
Aalto IT

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Laurent Bonnaud @ 2010-06-30 17:24 UTC
To: Timo Aaltonen; +Cc: linux-nfs

On Wed, 2010-06-30 at 19:22 +0300, Timo Aaltonen wrote:

> Put that on the client as well and it should work.

Thank you for the suggestion !

Unfortunately the client already has the same /etc/krb5.conf file as the
server. Any other idea ?

--
Laurent Bonnaud.

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Timo Aaltonen @ 2010-07-01 21:50 UTC
To: Laurent Bonnaud; +Cc: linux-nfs

On Wed, 30 Jun 2010, Laurent Bonnaud wrote:

> On Wed, 2010-06-30 at 19:22 +0300, Timo Aaltonen wrote:
>
>> Put that on the client as well and it should work.
>
> Thank you for the suggestion !
>
> Unfortunately the client already has the same /etc/krb5.conf file as the
> server. Any other idea ?

Try forcing the encryption type in krb5.conf:

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

--
Timo Aaltonen
Systems Specialist, Aalto IT

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Laurent Bonnaud @ 2010-07-02 13:57 UTC
To: Timo Aaltonen; +Cc: linux-nfs

On Fri, 2010-07-02 at 00:50 +0300, Timo Aaltonen wrote:
>
> Try forcing the encryption type in krb5.conf:
>
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc

I did that both on the client and the server and the result is the
same :<.

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Kevin Coffman @ 2010-07-02 14:17 UTC
To: Laurent Bonnaud; +Cc: Timo Aaltonen, linux-nfs

On Fri, Jul 2, 2010 at 9:57 AM, Laurent Bonnaud <bonnaud-jHyHnS8NkcXLSxaa5bH2iPQULIy34Utc@public.gmane.org> wrote:
> On Fri, 2010-07-02 at 00:50 +0300, Timo Aaltonen wrote:
>>
>> Try forcing the encryption type in krb5.conf:
>>
>> default_tkt_enctypes = des-cbc-crc
>> default_tgs_enctypes = des-cbc-crc
>
> I did that both on the client and the server and the result is the
> same :<.
>

The KDC hasn't changed, and is still Windows 2003? Is there any extra
information logged if you increase the debug level for svcgssd
("-vvv")? Could you send, me and/or the list, packet traces taken
from the (NFS) client and the server?

K.C.

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Laurent Bonnaud @ 2010-07-05 15:12 UTC
To: Kevin Coffman; +Cc: Timo Aaltonen, linux-nfs

On Fri, 2010-07-02 at 10:17 -0400, Kevin Coffman wrote:
>
> The KDC hasn't changed, and is still Windows 2003?

Yes it is. However, according to my packet captures it is not involved
during the mount operation.

> Is there any extra
> information logged if you increase the debug level for svcgssd
> ("-vvv")?

Here it is:

Jul 5 17:09:11 erebus2-pdg kernel: [428525.872129] svc: failed to register lockdv1 RPC service (errno 97).
Jul 5 17:09:11 erebus2-pdg kernel: [428525.873430] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Jul 5 17:09:11 erebus2-pdg kernel: [428525.873507] NFSD: starting 90-second grace period
Jul 5 17:09:11 erebus2-pdg rpc.svcgssd[15388]: rpcsec_gss: debug level is 3
Jul 5 17:09:11 erebus2-pdg rpc.svcgssd[15389]: entering poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: leaving poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: WARNING: gss_accept_sec_context failed
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Bad encryption type
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: sending null reply
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: writing message: \x [...]
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: finished handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: entering poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: leaving poll
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: WARNING: gss_accept_sec_context failed
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Bad encryption type
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: sending null reply
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: writing message: \x [...]
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: finished handling null request
Jul 5 17:09:15 erebus2-pdg rpc.svcgssd[15389]: entering poll

> Could you send, me and/or the list, packet traces taken
> from the (NFS) client and the server?

See the attached file.

--
Laurent Bonnaud.

[-- Attachment #2: NFS-KRB.pcap --]
[-- Type: application/octet-stream, Size: 5472 bytes --]

* Re: Mount error with NFSv4 and Kerberos (Bad encryption type)
From: Kevin Coffman @ 2010-07-06 17:34 UTC
To: Laurent Bonnaud; +Cc: Timo Aaltonen, linux-nfs

Unfortunately, the log messages and trace don't provide any new
information you haven't already provided. I've been looking to see
whether there have been any (Kerberos) changes which would reject the
use of des-cbc-md5, but haven't found anything. I'm not sure how to
proceed...

On Mon, Jul 5, 2010 at 11:12 AM, Laurent Bonnaud <bonnaud-jHyHnS8NkcXLSxaa5bH2iPQULIy34Utc@public.gmane.org> wrote:
> On Fri, 2010-07-02 at 10:17 -0400, Kevin Coffman wrote:
>>
>> The KDC hasn't changed, and is still Windows 2003?
>
> Yes it is. However, according to my packet captures it is not involved
> during the mount operation.
>
>> Is there any extra
>> information logged if you increase the debug level for svcgssd
>> ("-vvv")?
>
> Here it is:
>
> [ ... ]
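
An added example, not part of any message in the thread: a Python check for the two conditions the thread examines, namely keytab principals that hold only single-DES keys in `klist -ke` output, and whether `allow_weak_crypto` is set in the `[libdefaults]` section of krb5.conf. Function names are hypothetical and the sample input is constructed with placeholder principals.

```python
import re

# One keytab line from `klist -ke`: KVNO, principal, "(enctype label)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# Single-DES labels, in the descriptive form shown in the thread and in
# the short form (des-cbc-crc, des-cbc-md5, ...).
SINGLE_DES = re.compile(r"^(?:des cbc mode|des-cbc-)", re.IGNORECASE)
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def keytab_entries(klist_output):
    """Map each principal to the set of enctype labels it has keys for."""
    entries = {}
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(m.group(3))
    return entries

def des_only_principals(klist_output):
    """Principals whose every key is single DES (no stronger fallback)."""
    return sorted(p for p, labels in keytab_entries(klist_output).items()
                  if all(SINGLE_DES.match(label) for label in labels))

def allow_weak_crypto(krb5_conf):
    """Value of allow_weak_crypto in [libdefaults]; False when absent."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value.lower() in TRUE_VALUES
    return False

# Constructed sample input; principals and realm are placeholders.
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 nfs/server.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   4 host/server.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   4 host/server.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""
SAMPLE_CONF = "[libdefaults]\n# MIT only\nallow_weak_crypto = true\n[realms]\n"

if __name__ == "__main__":
    print("DES-only principals:", des_only_principals(SAMPLE_KLIST))
    print("allow_weak_crypto:", allow_weak_crypto(SAMPLE_CONF))
```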