On 11/14/2011 04:57 PM, Mc.Sim wrote:
> Hello!

Hi

> I have Win2k8 R2 as a domain controller (as KDC for NFS).
> There is an NFS client on Debian wheezy: hostname - debian:
> I tried to uncomment
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> and comment:
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

Why would that work without changing anything in your Kerberos keytabs?

> but always when trying to connect to the server,
> root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
> And get the error in log on server:
> ARCHIV ~ # tailf /var/log/daemon.log
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted
> Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted
> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted

Expected when des3-hmac-sha1 is not in keytab.

> ==============================================
> In this case, the second mount on the client only after a service nfs-common
> restart, because mount hangs and stops due to a timeout.
> When I comment out all the settings on the server and client:
>
> # allow_weak_crypto = true
> # default_tgs_enctypes = des-cbc-crc
> # default_tkt_enctypes = des-cbc-crc
> # permitted_enctypes = des-cbc-crc
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> # permitted_enctypes = des-cbc-crc
> And I get message on server-log:
>
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - No supported encryption
> types (config file error?)
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - No supported encryption
> types (config file error?)
>
> Help me, please, with this problem.

This will only work if you have other possibilities in the Kerberos keytab.

> p.s. On the client (hostname debian) as an NFS server is installed and if I
> run:
> root@debian:~# grep -v ^# /etc/exports
> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
> mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
> mount.nfs4: trying text-based options
> 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
> debian:/ on /mnt type nfs4 (rw,sec=krb5)
> root@debian:~# mount | grep nfs
> nfsd on /proc/fs/nfsd type nfsd (rw)
> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)

So it worked, I guess that's the initial scenario where you are using
des-cbc-crc?

I myself have little to no experience with Kerberos, but I would try klist to
see what's in your keytabs (/etc/krb5.keytab) and related tools to add entries
to the keytab when needed.

This does not look like an NFS problem to me or am I mistaken?

Cheers

Luk
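
Added example, not part of the original message or of any Debian or MIT krb5 tooling: a Python sketch of the check the reply suggests, comparing the enctypes of the keys listed by `klist -ke` with permitted_enctypes in krb5.conf. The keytab listing, principal names and realm are constructed, and it assumes klist prints short enctype names.

```python
import re

# Alternate names MIT krb5 accepts for the same enctype, mapped to one spelling.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
           "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

def canon(name):
    name = re.sub(r"^deprecated:", "", name.strip().lower())
    return ALIASES.get(name, name)

def keytab_enctypes(klist_text, service):
    """Enctypes of keys stored for service/<host>@REALM, parsed from `klist -ke` output."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\((.+)\)\s*$", line)
        if m and m.group(1).startswith(service + "/"):
            found.add(canon(m.group(2)))
    return found

def libdefault_enctypes(conf_text, key):
    """First uncommented `key` in [libdefaults] as a set of enctypes; None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                return {canon(t) for t in re.split(r"[\s,]+", v.strip()) if t}
    return None

def usable_enctypes(klist_text, conf_text, service="nfs"):
    """Keytab enctypes that permitted_enctypes allows; None means library defaults decide."""
    permitted = libdefault_enctypes(conf_text, "permitted_enctypes")
    keys = keytab_enctypes(klist_text, service)
    return None if permitted is None else keys & permitted

# Constructed sample data (hypothetical principal and realm), not taken from the thread.
KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 nfs/archiv.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 host/archiv.example.org@EXAMPLE.ORG (des-cbc-crc)
"""
CONF_DES3 = "[libdefaults]\n# permitted_enctypes = des-cbc-crc\npermitted_enctypes = des3-hmac-sha1\n"
CONF_DES = "[libdefaults]\nallow_weak_crypto = true\npermitted_enctypes = des-cbc-crc\n"

if __name__ == "__main__":
    for label, conf in (("des3 config", CONF_DES3), ("des config", CONF_DES)):
        print(label, "->", sorted(usable_enctypes(KLIST_KE, conf)) or "no usable key")
```

An empty result means no key in the keytab has an enctype the configuration permits, so either the keytab needs keys of a permitted type or the configuration must permit the type the keytab holds.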