Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release

[Andreas B. Mundt]
> For kerberized NFSv4 on squeeze 6.0.4 you need:
>
>   [libdefaults]
>     permitted_enctypes = des-cbc-crc
>     allow_weak_crypto = true

This setting broke Kerberos authentication using pam_sss.  I found lines
like this in the server kdc.log:

  Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required

I then looked up what the etypes meant, and found URL:
http://pig.made-it.com/kerberos-etypes.html mapping IDs to names.  By
adding the names for 16-18,23 to krb5.conf on the KDC I was able to get
pam_sss working again.  The result looked like this:

  [libdefaults]
    permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    allow_weak_crypto = true

I'm not sure which of these etypes should be listed, nor the other
consequences of listing them like this, but thought it best to mention
it here.  Is this a good solution?  Which of the etypes should one
permit?  Will any of them cause problems with NFSv4 or other systems?

-- 
Happy hacking
Petter Reinholdtsen

-- 
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120131184126.ga13...@login1.uio.no
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release

On 01/31/2012 07:41 PM, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > For kerberized NFSv4 on squeeze 6.0.4 you need:
> >
> >   [libdefaults]
> >     permitted_enctypes = des-cbc-crc
> >     allow_weak_crypto = true
>
> This setting broke Kerberos authentication using pam_sss.  I found lines
> like this in the server kdc.log:
>
>   Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
>
> I then looked up what the etypes meant, and found URL:
> http://pig.made-it.com/kerberos-etypes.html mapping IDs to names.  By
> adding the names for 16-18,23 to krb5.conf on the KDC I was able to get
> pam_sss working again.  The result looked like this:
>
>   [libdefaults]
>     permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
>     allow_weak_crypto = true
>
> I'm not sure which of these etypes should be listed, nor the other
> consequences of listing them like this, but thought it best to mention
> it here.  Is this a good solution?  Which of the etypes should one
> permit?  Will any of them cause problems with NFSv4 or other systems?

permitted_enctypes lists the permitted enctypes, so if you don't mention
one you want to use, it won't work.  Though one should not put any in it
unless one wants to restrict the used enctypes.

The allow_weak_crypto = true alone should be enough to get the weak (cbc
ones) to work again AFAIK.  Though unless one has old clients that don't
work with stronger encryption, it's better to make sure there is a better
encryption method used for the nfs server AFAICT.

I guess the documentation on the wikipage
(http://wiki.debian.org/NFS/Kerberos) should be updated to not mention
the cbc one anymore.

Russ: Which enctype is now preferred and could you please update the
above wikipage accordingly, TIA?

Cheers

Luk

Archive: http://lists.debian.org/4f2839c9.4030...@debian.org
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release

Luk Claes l...@debian.org writes:

> The allow_weak_crypto = true alone should be enough to get the weak (cbc
> ones) to work again AFAIK.  Though unless one has old clients that don't
> work with stronger encryption, it's better to make sure there is a better
> encryption method used for the nfs server AFAICT.
>
> I guess the documentation on the wikipage
> (http://wiki.debian.org/NFS/Kerberos) should be updated to not mention
> the cbc one anymore.
>
> Russ: Which enctype is now preferred and could you please update the
> above wikipage accordingly, TIA?

I personally have never used Kerberized NFS (we're an AFS site), so I'm
not really the one to comment on what enctypes NFS requires.  I don't
track NFS development at all.

But if NFS is no longer limited to DES, it's very likely that it now
supports the full range of standard Kerberos enctypes, in which case the
right thing to do is to just leave off the -e flag completely and let the
Kerberos infrastructure use whatever its default configured enctype list
is.

-- 
Russ Allbery (r...@debian.org)             http://www.eyrie.org/~eagle/

Archive: http://lists.debian.org/87wr87y9gc@windlord.stanford.edu
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release

On 01/31/2012 02:10 PM, Russ Allbery wrote:
> I personally have never used Kerberized NFS (we're an AFS site), so I'm
> not really the one to comment on what enctypes NFS requires.  I don't
> track NFS development at all.
>
> But if NFS is no longer limited to DES, it's very likely that it now
> supports the full range of standard Kerberos enctypes, in which case the
> right thing to do is to just leave off the -e flag completely and let the
> Kerberos infrastructure use whatever its default configured enctype list
> is.

Recent versions of the nfs userland (1.2.5 and up, i think) rely on
getting a report from the kernel about what enctypes the kernel supports.
I think that data is usually reported by the kernel in
/proc/fs/nfsd/supported_krb5_enctypes, where the enctypes are identified
by number, like so:

  18,17,16,23,3,1,2

note that there has been some talk about moving the location of that
file, but i'm not sure whether any decision has been made:

  http://thread.gmane.org/gmane.linux.nfs/40940

--dkg
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release

Daniel Kahn Gillmor d...@fifthhorseman.net writes:

> Recent versions of the nfs userland (1.2.5 and up, i think) rely on
> getting a report from the kernel about what enctypes the kernel supports.
> I think that data is usually reported by the kernel in
> /proc/fs/nfsd/supported_krb5_enctypes, where the enctypes are identified
> by number, like so:
>
>   18,17,16,23,3,1,2

Translation via:

  grep ' ENCTYPE_' /usr/include/krb5/krb5.h

with libkrb5-dev installed says that is:

  ENCTYPE_AES256_CTS_HMAC_SHA1_96
  ENCTYPE_AES128_CTS_HMAC_SHA1_96
  ENCTYPE_DES3_CBC_SHA1
  ENCTYPE_ARCFOUR_HMAC
  ENCTYPE_DES_CBC_MD5
  ENCTYPE_DES_CBC_CRC
  ENCTYPE_DES_CBC_MD4

which is indeed every enctype that you're ever likely to care about.  So
just omitting the -e flag would be correct with that set of supported
enctypes.

-- 
Russ Allbery (r...@debian.org)             http://www.eyrie.org/~eagle/

Archive: http://lists.debian.org/87r4yfy8fs@windlord.stanford.edu
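As an added illustration that is not part of the thread, the following Python script ties the two numeric lists discussed above together: it maps the etype ids in krb5kdc AS_REQ lines and in /proc/fs/nfsd/supported_krb5_enctypes to their krb5.h names, reports which of a client's offered etypes the NFS server kernel can actually use, and flags clients that offer nothing but single DES or RC4, which is what breaks once allow_weak_crypto is switched off. The id-to-name table follows Russ's translation; the first log line is the one Petter quoted, while the second log line and the principal legacy@INTERN are constructed sample data.

```python
"""Audit krb5kdc AS_REQ log lines against the enctypes the NFS server kernel reports."""
import re

# Numeric enctype ids -> names, per the ENCTYPE_* constants in krb5.h (ids from the thread).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}   # single DES: only usable with allow_weak_crypto = true
LEGACY_ENCTYPES = {23}      # RC4-HMAC: not "weak" in MIT krb5 terms, but obsolete

# Matches "AS_REQ (4 etypes {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for ..."
AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): \w+: (\S+) for")

def parse_as_req(line):
    """Return (client_ip, principal, [etype ids]) for a krb5kdc AS_REQ line, else None."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    return m.group(2), m.group(3), [int(e) for e in m.group(1).split()]

def parse_supported(text):
    """Parse the comma-separated contents of /proc/fs/nfsd/supported_krb5_enctypes."""
    return [int(e) for e in text.strip().split(",") if e]

def audit(kdc_lines, supported):
    """Classify each client's offered etypes: usable by the NFS server, weak, or unknown."""
    supported_set = set(supported)
    report = []
    for line in kdc_lines:
        parsed = parse_as_req(line)
        if parsed is None:
            continue  # other KDC messages (TGS_REQ, preauth failures, ...) are skipped
        ip, princ, etypes = parsed
        report.append({
            "client": ip, "principal": princ,
            "offered": [ENCTYPE_NAMES.get(e, "unknown(%d)" % e) for e in etypes],
            "usable_for_nfs": [e for e in etypes if e in supported_set],
            "weak_offered": [e for e in etypes if e in WEAK_ENCTYPES],
            # a client offering only DES/RC4 will stop working once weak crypto is disabled
            "needs_attention": all(e in WEAK_ENCTYPES | LEGACY_ENCTYPES for e in etypes),
        })
    return report

# Sample input: first line quoted from the thread, second line constructed for this example.
SAMPLE_KDC_LOG = [
    "Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes {18 17 16 23}) "
    "10.0.15.1: NEEDED_PREAUTH: pere@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required",
    "Jan 31 15:30:01 tjener.intern krb5kdc[16339](info): AS_REQ (1 etypes {1}) "
    "10.0.15.2: NEEDED_PREAUTH: legacy@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required",
]
SAMPLE_SUPPORTED = "18,17,16,23,3,1,2"  # the supported_krb5_enctypes value quoted in the thread
```

Run `audit(SAMPLE_KDC_LOG, parse_supported(SAMPLE_SUPPORTED))` against a real kdc.log and the real /proc file to see which clients would be cut off by dropping des-cbc-crc from permitted_enctypes.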
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release

Package: nfs-kernel-server
Version: 1:1.2.2-4squeeze2
Severity: important

Hi,

after upgrading today to the 6.0.4 point release, kerberized NFSv4
mounting ceased to work.  I assume this is related to the upgrade
mentioned in the point release announcement:

  nfs-utils  Allow negotiated enctypes to be limited;

The error message is:

  mainserver rpc.svcgssd[9126]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  Minor code may provide more information - Encryption type not permitted

I'll try to find out more and let you know, but perhaps you already have
an idea what went wrong.  The setup is a standard (squeeze) setup,
details can be found here: http://wiki.debian.org/DebianLAN

Best regards,

  Andi

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nfs-kernel-server depends on:
ii  libblkid1          2.17.2-9               block device id library
ii  libc6              2.11.3-2               Embedded GNU C Library: Shared lib
ii  libcomerr2         1.41.12-4stable1       common error description library
ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze5   MIT Kerberos runtime libraries - k
ii  libgssglue1        0.1-4                  mechanism-switch gssapi library
ii  libk5crypto3       1.8.3+dfsg-4squeeze5   MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.8.3+dfsg-4squeeze5   MIT Kerberos runtime libraries
ii  libnfsidmap2       0.23-2                 An nfs idmapping library
ii  librpcsecgss3      0.19-2                 allows secure rpc communication us
ii  libwrap0           7.6.q-19               Wietse Venema's TCP wrappers libra
ii  lsb-base           3.2-23.2squeeze1       Linux Standard Base 3.2 init scrip
ii  nfs-common         1:1.2.2-4squeeze2      NFS support files common to client
ii  ucf                3.0025+nmu1            Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information

Archive: http://lists.debian.org/20120128223609.9869.62753.reportbug@mainserver.intern