
I am trying to get NFS4 + Kerberos to work on Debian Squeeze.

I have 3 test machines: nfsserver, nfsclient, nfskerberos

What I've got is:

    root@nfsclient:~# mount -v -t nfs4 -o sec=krb5 nfsserver.mydomain.com:/export /import
    mount.nfs4: timeout set for Fri Apr  5 10:15:33 2013
    mount.nfs4: trying text-based options 'sec=krb5,addr=10.10.16.207,clientaddr=10.10.16.208'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting nfsserver.mydomain.com:/export

I think the problem is at nfsclient<->nfskerberos communication. After sniffing network traffic between these systems I see messages like:

    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    [...]
    e-text: BAD_ENCRYPTION_TYPE

[Only nfsclient communicates with nfskerberos. There is no traffic from nfsserver at nfskerberos.]

kinit -k on nfsclient works OK, though:

    root@nfsclient:~# kinit -k nfs/nfsclient.mydomain.com
    root@nfsclient:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: nfs/nfsclient.mydomain.com@MYDOMAIN.COM

    Valid starting     Expires            Service principal
    04/05/13 11:44:55  04/05/13 21:44:55  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
            renew until 04/06/13 11:44:55

But kinit does AS-REQ and mount request does TGS-REQ.

I tried many kinds of encryption types like:

  • des-cbc-crc:normal
  • aes256-cts-hmac-sha1-96:normal (this one works with kinit)
  • des3-hmac-sha1:normal
  • ...

On nfskerberos, in kdc configuration I have:

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        MYDOMAIN.COM = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
            default_principal_flags = +preauth
        }

Conversation between nfsclient and nfskerberos:

    No.  Time       Source        Destination   Protocol  Length  Info
    7    11.128679  10.10.16.208  10.10.16.209  KRB5      808     TGS-REQ
    [ cut lower level protocols data ]
    Kerberos
        TGS-REQ
            Pvno: 5
            MSG Type: TGS-REQ (12)
            padata: PA-TGS-REQ
                Type: PA-TGS-REQ (1)
                Value: 6e82025630820252a003020105a10302010ea20703050000...
                    AP-REQ
                        Pvno: 5
                        MSG Type: AP-REQ (14)
                        Padding: 0
                        APOptions: 00000000
                            0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                            .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                            ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                        Ticket
                            Tkt-vno: 5
                            Realm: MYDOMAIN.COM
                            Server Name (Service and Instance): krbtgt/MYDOMAIN.COM
                                Name-type: Service and Instance (2)
                                Name: krbtgt
                                Name: MYDOMAIN.COM
                            enc-part aes256-cts-hmac-sha1-96
                                Encryption type: aes256-cts-hmac-sha1-96 (18)
                                Kvno: 1
                                enc-part: c03dbd56915263874441e07531f689fa16ed7593a8118741...
                        Authenticator aes256-cts-hmac-sha1-96
                            Encryption type: aes256-cts-hmac-sha1-96 (18)
                            Authenticator data: bae42b08eb935796e3dd31d9d34f5a4cc419b6594be7a8ed...
            KDC_REQ_BODY
                Padding: 0
                KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
                    .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                    ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
                    .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                    .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                    .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                    .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                    .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                    .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                    .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                    .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                    .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                    .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                    .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
                Realm: MYDOMAIN.COM
                Server Name (Service and Host): nfs/nfsserver.mydomain.com
                    Name-type: Service and Host (3)
                    Name: nfs
                    Name: nfsserver.mydomain.com
                till: 2013-04-05 17:58:28 (UTC)
                Nonce: 1365155889
                Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                    Encryption type: aes128-cts-hmac-sha1-96 (17)
                    Encryption type: des3-cbc-sha1 (16)
                    Encryption type: rc4-hmac (23)
                    Encryption type: des-cbc-crc (1)
                    Encryption type: des-cbc-md5 (3)
                    Encryption type: des-cbc-md4 (2)

    No.  Time       Source        Destination   Protocol  Length  Info
    8    11.130891  10.10.16.209  10.10.16.208  KRB5      244     KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
    [ cut lower level protocols data ]
    Kerberos
        KRB-ERROR
            Pvno: 5
            MSG Type: KRB-ERROR (30)
            ctime: 2013-04-05 09:58:09 (UTC)
            stime: 2013-04-05 09:58:09 (UTC)
            susec: 588499
            error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
            Client Realm: MYDOMAIN.COM
            Client Name (Principal): nfs/nfsclient.mydomain.com
                Name-type: Principal (1)
                Name: nfs
                Name: nfsclient.mydomain.com
            Realm: MYDOMAIN.COM
            Server Name (Service and Host): nfs/nfsserver.mydomain.com
                Name-type: Service and Host (3)
                Name: nfs
                Name: nfsserver.mydomain.com
            e-text: BAD_ENCRYPTION_TYPE
  • 14 EType is rsaES-OAEP-ENV-OID. ietf.org/assignments/kerberos-parameters/… Commented Apr 5, 2013 at 11:08
  • Hmm... Are you sure the number in brackets (14) is EType and not just an error code? Commented Apr 5, 2013 at 11:50
  • Encryption types proposed by nfsclient (from sniffed packets) are: Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4 Commented Apr 5, 2013 at 12:00
  • Actually I think you are correct. That probably is not the etype. However, if you run WireShark, you should be able to drill-down into the TGT/AS requests, and the supported etypes should be listed. Commented Apr 5, 2013 at 12:03
  • I finally managed to get this part to work (turned out default values were just enough :) ). Unfortunately another thing arose, which was: Apr 5 16:31:46 nfsserver rpc.svcgssd[2047]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Encryption type not permitted (on the nfsserver side). After a few more hours I installed Debian 7 as nfsserver. Seems it went a little bit further but still without success... :-Q Commented Apr 5, 2013 at 17:47

1 Answer

In case someone goes the same way:

The original problem was solved by adding allow_weak_crypto = true to /etc/krb5.conf.

Next I was facing another issue, which was:

    Apr  5 16:31:46 nfsserver rpc.svcgssd[2047]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure.  Minor code may provide more information - Encryption type not permitted

Somebody had already described it before: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637660 but nevertheless I did not find any solution, so I decided to try Debian Wheezy as nfsserver.

Wheezy seemed to go a bit further with GSS authentication but got stuck on mount requests, with something like this on the nfsserver side:

    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: leaving poll
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: handling null request
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sname = nfs/nfsclient.mydomain.com@MYDOMAIN.COM
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: DEBUG: serialize_krb5_ctx: lucid version!
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: doing downcall
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: mech: krb5, hndl len: 4, ctx len 85, timeout: 1365455915 (32884 from now), clnt: [email protected], uid: -1, gid: -1, num aux grps: 0:
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sending null reply
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: writing message: \x 1365423091 0 0 \x01000000 \x607006092a864886f71201020202006f61305fa003020105a10302010fa2533051a003020101a24a044882577e0441254f6c05add73796908deb02b7f61d90d7ed5bd54f67bb72e7ea2f8898ae1a6eb6e8fe631753b01bc9340dc4cdabf1b1985c449d28b4e9568aa85259f2cc591628a696
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: finished handling null request
    Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: entering poll

Again there were some people who had already dealt with this issue: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682709 but the only working solution suggested by them was installing an older version of nfs-(common|kernel-server).

This worked for me too.

What I learned is: setting up NFS + Kerberos is no joy. ;-)
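To make the KRB5KDC_ERR_ETYPE_NOSUPP in the question and the allow_weak_crypto fix in the answer concrete, here is an added example (not code from the question or the answer): a simplified model of how an MIT-style KDC picks the enctype for a TGS-REQ, fed with the etype list from the captured TGS-REQ and the supported_enctypes from the posted kdc.conf. The service principal's key enctypes are an assumption, since the page never shows the nfs/nfsserver keytab; the model also shows why giving the service an AES key avoids the need to enable weak crypto at all.

```python
# Added example, not from the page. Etype numbers follow RFC 3961 / IANA.
# "Weak" means the single-DES types that MIT krb5's allow_weak_crypto gates.
ETYPES = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18, "rc4-hmac": 23,
}
NAME = {v: k for k, v in ETYPES.items()}
WEAK = {1, 2, 3}   # single-DES: refused unless allow_weak_crypto = true

# "Encryption Types" offered in the TGS-REQ captured on the page, in wire order.
CLIENT_OFFER = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                "des3-cbc-sha1", "rc4-hmac", "des-cbc-crc",
                "des-cbc-md5", "des-cbc-md4"]
# supported_enctypes from the page's kdc.conf, with the MIT aliases expanded
# (aes256-cts, arcfour-hmac, des3-hmac-sha1, des-cbc-crc / des).
KDC_SUPPORTED = ["aes256-cts-hmac-sha1-96", "rc4-hmac",
                 "des3-cbc-sha1", "des-cbc-crc"]

def negotiate(client_offer, kdc_supported, service_keys, allow_weak_crypto=False):
    """Return ("ok", etype) or ("KRB5KDC_ERR_ETYPE_NOSUPP", reason).

    Simplified KDC rule: walk the client's list in order and take the first
    etype the KDC permits AND the service principal holds a key for. Weak
    (single-DES) etypes are permitted only when allow_weak_crypto is set.
    """
    permitted = {ETYPES[n] for n in kdc_supported
                 if allow_weak_crypto or ETYPES[n] not in WEAK}
    keys = {ETYPES[n] for n in service_keys}
    for name in client_offer:
        e = ETYPES[name]
        if e in permitted and e in keys:
            return "ok", NAME[e]
    only_weak = {ETYPES[n] for n in client_offer} & keys & WEAK
    if only_weak and not allow_weak_crypto:
        return ("KRB5KDC_ERR_ETYPE_NOSUPP", "only weak etypes in common: "
                + ", ".join(sorted(NAME[e] for e in only_weak)))
    return "KRB5KDC_ERR_ETYPE_NOSUPP", "no offered etype matches a usable service key"

if __name__ == "__main__":
    des_only = ["des-cbc-crc", "des-cbc-md5"]   # assumed: keytab with DES keys only
    print(negotiate(CLIENT_OFFER, KDC_SUPPORTED, des_only))                           # error, as on the page
    print(negotiate(CLIENT_OFFER, KDC_SUPPORTED, des_only, allow_weak_crypto=True))  # the answer's fix
    print(negotiate(CLIENT_OFFER, KDC_SUPPORTED, des_only + ["aes256-cts-hmac-sha1-96"]))  # AES key instead
```

The third call is the variant a defender should prefer: once the service principal has an AES key, the first etype the client offers is usable and DES never has to be re-enabled on the KDC.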
