Linux NFS development
From: Laurent Bonnaud <bonnaud-jHyHnS8NkcXLSxaa5bH2iPQULIy34Utc@public.gmane.org>
To: linux-nfs@vger.kernel.org
Subject: Mount error with NFSv4 and Kerberos (Bad encryption type)
Date: Wed, 30 Jun 2010 17:43:51 +0200
Message-ID: <1277912631.11798.22.camel@localhost>

[-- Attachment #1: Type: text/plain, Size: 2357 bytes --]

Hi,

I am trying to mount an NFSv4 share from a Debian squeeze NFS server on a
Debian squeeze NFS client using sec=krb5.  The same setup used to work
on Debian lenny and failed just after the upgrade to Debian squeeze.

Both systems use the latest versions in Debian squeeze, currently:
 - nfs-utils version 1.2.2 (package version 1.2.2-1)
 - kernel 2.6.32 (package version 2.6.32-15)
 - krb5 1.8.1 (package version 1.8.1+dfsg-5)

The mount operation fails with this error message:

root@svn-info:~# mount -v /users
mount.nfs4: timeout set for Wed Jun 30 17:29:47 2010
mount.nfs4: trying text-based options 'intr,sec=krb5,addr=192.168.141.5,clientaddr=195.221.57.54'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting erebus2-pdg:/users

Here is the /etc/fstab entry on the client:

  erebus2-pdg:/users /users nfs4 auto,user,exec,intr,sec=krb5

On the server /var/log/daemon.log contains the following error messages:

Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type
Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.
Minor code may provide more information - Bad encryption type

Kerberos keys were generated on a Windows 2003 AD server and the same
keys used to work in Debian lenny:

 - on the client:

root@svn-info:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/pc-client-nfs-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5) 

 - on the server:

root@erebus2-pdg:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/erebus2-pdg.iut2.upmf-grenoble.fr-mNjEMxXs7nNb7MaPNYHebcAQG6jrQJLRZR6xolQnxMI@public.gmane.org (DES cbc mode with RSA-MD5) 

On the server /etc/krb5.conf does contain the following line (see the
attached file):

  allow_weak_crypto = true

Google does not know about this problem:

  http://www.google.com/search?q=rpc.svcgssd+%22Bad+encryption+type%22

Could anybody please help?

-- 
Laurent Bonnaud.


[-- Attachment #2: krb5.conf --]
[-- Type: text/plain, Size: 490 bytes --]

[libdefaults]
	default_realm = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

	allow_weak_crypto = true

[realms]
	NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR = {
		kdc = xxx.iut2.upmf-grenoble.fr
		admin_server = xxx.iut2.upmf-grenoble.fr
	}

[domain_realm]
	.iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
	iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
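
An added example, not part of the original message or its attachment: a shell function that reads `klist -ke` output in the format shown in the post and prints the principals whose keytab entries are all single-DES, as both keytabs listed above are. The function names, the sample principals and every enctype string other than "DES cbc mode with RSA-MD5" are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `klist -ke` output for principals that hold only
# single-DES keys. Function names and sample data are hypothetical.

# Reads `klist -ke` output on stdin, prints DES-only principals (sorted).
des_only_principals() {
    awk '
        # Key lines look like: "<kvno> <principal> (<enctype description>)".
        # Header lines and `klist -k` output without enctypes are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $2
            # Everything from the first "(" is the enctype description.
            enc = substr($0, index($0, "("))
            seen[princ] = 1
            # Long form as printed in the post, or the short enctype name.
            # "Triple DES ..." does not match because of the anchor.
            if (enc ~ /^\((DES cbc mode|des-cbc-)/) des[princ]++
            else other[princ]++
        }
        END {
            for (p in seen)
                if (des[p] > 0 && other[p] == 0) print p
        }
    ' | sort
}

# Constructed sample in the same layout as the listings in the post.
sample_klist() {
    cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   3 nfs/server.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   3 nfs/server.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/other.example.test@EXAMPLE.TEST (Triple DES cbc mode with HMAC/sha1)
EOF
}

# Stand-alone run on the constructed sample.
sample_klist | des_only_principals
```

On a real host the input would come from `klist -ke | des_only_principals`, run as root on the client and on the server.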
