
Bug#622146: nfs-kernel-server: error Encryption type not permitted


Mc.Sim

Nov 14, 2011, 10:10:02 AM11/14/11
to
Package: nfs-kernel-server
Version: 1:1.2.4-1~bpo60+1
Severity: normal


Hello!
I have Win2k8 R2 as a domain controller (as KDC for NFS).
There is an NFS client on Debian wheezy: hostname - debian:

root@debian:~# dpkg -l | grep nfs
ii libnfsidmap2 0.24-1 An nfs idmapping library
ii nfs-common 1:1.2.5-2 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.5-2 support for NFS kernel server

There is an NFS server: host name - archiv:

ARCHIV ~ # dpkg -l | grep nfs
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.4-1~bpo60+1 support for NFS kernel server
ARCHIV ~ # grep -v ^# /etc/exports
/nfs gss/krb5(rw,sync,no_subtree_check)

On both Debian machines:

ARCHIV ~ # cat /etc/krb5.conf
[libdefaults]
default_realm = SAG.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto = true

default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = SAG.LOCAL
}

[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false
===================================================
I tried to uncomment
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
and comment:
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

but every time I try to connect to the server,
root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "archiv:/"
mount: node: "/mnt2"
mount: types: "nfs4"
mount: opts: "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Mon Nov 14 18:40:42 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs

I get this error log on the client:
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81f9bc data 0xbf81fa3c
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b21c data 0xbf81b29c
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b21c data 0xbf81b29c
Nov 14 18:38:47 debian rpc.gssd[696]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
Nov 14 18:38:47 debian rpc.gssd[696]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 14 18:38:47 debian rpc.gssd[696]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
Nov 14 18:38:47 debian rpc.gssd[696]: process_krb5_upcall: service is '<null>'
Nov 14 18:38:52 debian rpc.gssd[696]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:38:52 debian rpc.gssd[696]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:38:52 debian rpc.gssd[696]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: No key table entry found for root/debian.s...@SAG.LOCAL while getting keytab entry for 'root/debian.s...@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: Success getting keytab entry for 'nfs/debian.s...@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:38:52 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:38:52 debian rpc.gssd[696]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:38:52 debian rpc.gssd[696]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:38:52 debian rpc.gssd[696]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:38:52 debian rpc.gssd[696]: creating tcp client for server archiv.sag.local
Nov 14 18:38:52 debian rpc.gssd[696]: DEBUG: port already set to 2049
Nov 14 18:38:52 debian rpc.gssd[696]: creating context with server n...@archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 14 18:39:08 debian rpc.gssd[696]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:39:08 debian rpc.gssd[696]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:39:08 debian rpc.gssd[696]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: No key table entry found for root/debian.s...@SAG.LOCAL while getting keytab entry for 'root/debian.s...@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: Success getting keytab entry for 'nfs/debian.s...@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:39:08 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:39:08 debian rpc.gssd[696]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:39:08 debian rpc.gssd[696]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:39:08 debian rpc.gssd[696]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:39:08 debian rpc.gssd[696]: creating tcp client for server archiv.sag.local
Nov 14 18:39:08 debian rpc.gssd[696]: DEBUG: port already set to 2049
Nov 14 18:39:08 debian rpc.gssd[696]: creating context with server n...@archiv.sag.local
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: doing error downcall
Nov 14 18:39:18 debian rpc.gssd[696]: Failed to write error downcall!
Nov 14 18:39:18 debian rpc.gssd[696]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
Nov 14 18:39:18 debian rpc.gssd[696]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt13

And I get this error in the log on the server:
ARCHIV ~ # tailf /var/log/daemon.log
Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
==============================================
In this case, a second mount attempt on the client is possible only after restarting the nfs-common service, because mount hangs and stops due to a timeout.
When I comment out all of these settings on both the server and the client:

# allow_weak_crypto = true
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# permitted_enctypes = des-cbc-crc

If I then try to mount, I get this in the client log:

Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 14 18:50:20 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 14 18:50:20 debian rpc.gssd[1730]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 14 18:50:20 debian rpc.gssd[1730]: process_krb5_upcall: service is '<null>'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for root/debian.s...@SAG.LOCAL while getting keytab entry for 'root/debian.s...@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.s...@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:50:20 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:50:20 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context with server n...@archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for root/debian.s...@SAG.LOCAL while getting keytab entry for 'root/debian.s...@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.s...@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:50:20 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:50:20 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context with server n...@archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: doing error downcall
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt17

And I get this message in the server log:

Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)

Please help me with this problem.

P.S. An NFS server is also installed on the client (hostname debian), and if I run:
root@debian:~# grep -v ^# /etc/exports
/nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
debian:/ on /mnt type nfs4 (rw,sec=krb5)
root@debian:~# mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)





-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 56885 status
100024 1 tcp 42127 status
100021 1 udp 42119 nlockmgr
100021 3 udp 42119 nlockmgr
100021 4 udp 42119 nlockmgr
100021 1 tcp 38382 nlockmgr
100021 3 tcp 38382 nlockmgr
100021 4 tcp 38382 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100005 1 udp 42843 mountd
100005 1 tcp 50330 mountd
100005 2 udp 55182 mountd
100005 2 tcp 44541 mountd
100005 3 udp 50955 mountd
100005 3 tcp 44805 mountd
-- /etc/default/nfs-kernel-server --
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=yes
-- /etc/exports --
/nfs gss/krb5(rw,sync,no_subtree_check)
-- /proc/fs/nfs/exports --
# Version 1.1
# Path Client(Flags) # IPs

-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nfs-kernel-server depends on:
ii libblkid1 2.17.2-9 block device id library
ii libc6 2.13-21 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - k
ii libgssglue1 0.1-4 mechanism-switch gssapi library
ii libk5crypto3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii libtirpc1 0.2.2-5 transport-independent RPC library
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client
ii ucf 3.0025+nmu1 Update Configuration File: preserv

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information



--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Luk Claes

Nov 14, 2011, 10:40:02 AM11/14/11
to
On 11/14/2011 04:57 PM, Mc.Sim wrote:

> Hello!

Hi

> I have Win2k8 R2 as a domain controller (as KDC for NFS).
> There is an NFS client on Debian wheezy: hostname - debian:

> I tried to uncomment
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> and comment:
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

Why would that work without changing anything in your Kerberos keytabs?

> but always when trying to connect to the server,
> root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2

> And get the error in log on server:
> ARCHIV ~ # tailf /var/log/daemon.log
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted

Expected when des3-hmac-sha1 is not in keytab.

> ==============================================
> In this case, the second mount on the client only after a servise nfs-common restart, because mount hangs and stops due to a timeout.
> When I comment on all the settings on the server and client:
>
> # allow_weak_crypto = true
> # default_tgs_enctypes = des-cbc-crc
> # default_tkt_enctypes = des-cbc-crc
> # permitted_enctypes = des-cbc-crc
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> # permitted_enctypes = des-cbc-crc

> And I get message on server-log:
>
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
>
> Help me, please for this problem.

This will only work if you have other possibilities in the Kerberos keytab.

> p.s. On the client (hostname debian) as an NFS server is installed and if I run:
> root@debian:~# grep -v ^# /etc/exports
> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
> mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
> debian:/ on /mnt type nfs4 (rw,sec=krb5)
> root@debian:~# mount | grep nfs
> nfsd on /proc/fs/nfsd type nfsd (rw)
> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)

So it worked, I guess that's the initial scenario where you are using
des-cbc-crc?

I myself have little to no experience with Kerberos, but I would try
klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
to add entries to the keytab when needed. This does not look like an NFS
problem to me or am I mistaken?

Cheers

Luk

Kramarenko A. Maxim

Nov 14, 2011, 12:40:02 PM11/14/11
to
Luk Claes <l...@debian.org> писал(а) в своём письме Mon, 14 Nov 2011
19:36:41 +0400:

> On 11/14/2011 04:57 PM, Mc.Sim wrote:
>
>
> Why would that work without changing anything in your Kerberos keytabs?
keytab contains both types of encryption. (example below in the text)

>
>> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
>> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified
>> GSS failure. Minor code may provide more information) - Encryption
>> type not permitted
>
> Expected when des3-hmac-sha1 is not in keytab.
>
>> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
>> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified
>> GSS failure. Minor code may provide more information) - No supported
>> encryption types (config file error?)
>>
>> Help me, please for this problem.
>
> This will only work if you have other possibilities in the Kerberos
> keytab.
Yes, the other encryption types are present in keytab ...

>
>> p.s. On the client (hostname debian) as an NFS server is installed and
>> if I run:
>> root@debian:~# grep -v ^# /etc/exports
>> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
>> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
>> root@debian:~# mount | grep nfs
>> debian:/ on /mnt type nfs4
>> (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)
>
> So it worked, I guess that's the initial scenario where you are using
> des-cbc-crc?
>
> I myself have little to no experience with Kerberos, but I would try
> klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
> to add entries to the keytab when needed. This does not look like an NFS
> problem to me or am I mistaken?
>
According to the documentation (
http://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx ), Win
2k8 R2 does not support DES-CBC-MD5 & DES-CBC-CRC.
As I understand it, this is probably the reason for the error when these parameters are uncommented:

>> # default_tgs_enctypes = des-cbc-crc
>> # default_tkt_enctypes = des-cbc-crc
>> # permitted_enctypes = des-cbc-crc
or
>> # default_tgs_enctypes = des3-hmac-sha1
>> # default_tkt_enctypes = des3-hmac-sha1
>> # permitted_enctypes = des3-hmac-sha1

But in the keytab there are other types of encryption:
root@debian:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 nfs/debian.s...@SAG.LOCAL (des-cbc-crc)
3 nfs/debian.s...@SAG.LOCAL (des-cbc-md5)
3 nfs/debian.s...@SAG.LOCAL (arcfour-hmac)
3 nfs/debian.s...@SAG.LOCAL (aes256-cts-hmac-sha1-96)
3 nfs/debian.s...@SAG.LOCAL (aes128-cts-hmac-sha1-96)
===========================================
On the client, kinit gets the correct tickets from the KDC only when these
parameters are commented out:
==========================================
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.s...@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 20:33:18 11/15/11 06:33:21 krbtgt/SAG....@SAG.LOCAL
renew until 11/15/11 20:33:18
=======================
...and on server:
=======================
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.s...@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 21:05:29 11/15/11 07:05:29 krbtgt/SAG....@SAG.LOCAL
renew until 11/15/11 21:05:29

However, NFS does not work with any of these parameter settings. :(


> Cheers
>
> Luk
>
>
>

P.s.
Luk Claes <l...@debian.org> писал(а) в своём письме Mon, 14 Nov 2011
19:39:06 +0400:

> On 11/14/2011 04:35 PM, "Крамаренко Максим" wrote:
>> Здравствуйте!
>> Ваше письмо получено.
>Unfortunately I don't understand Russian, can you please translate?
>Cheers
>Luk
Sorry! That was an e-mail auto-reply service. I have turned it off.

Best Regards

Russ Allbery

Nov 14, 2011, 1:30:02 PM11/14/11
to
I don't know what's going on with the NFS portion of this, since I don't
use NFS at all, but I can tell you a few things about the Kerberos end.

"Kramarenko A. Maxim" <mc-s...@ya.ru> writes:

> But in the keytab there are other types of encryption:
> root@debian:~# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 3 nfs/debian.s...@SAG.LOCAL (des-cbc-crc)
> 3 nfs/debian.s...@SAG.LOCAL (des-cbc-md5)
> 3 nfs/debian.s...@SAG.LOCAL (arcfour-hmac)
> 3 nfs/debian.s...@SAG.LOCAL (aes256-cts-hmac-sha1-96)
> 3 nfs/debian.s...@SAG.LOCAL (aes128-cts-hmac-sha1-96)

For a Windows 2008r2 Active Directory domain controller, the only enctypes
there that are going to work are arcfour-hmac and aes128. (aes256 might
as well in some situations, but I think you have to go to some extra work,
or maybe it's that a lot of Windows clients don't support them.)

> root@debian:~# grep des /etc/krb5.conf
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

You generally don't want to set these parameters, although I realize that
used to be the case for NFS.

The NFS machinery is going to need to support either arcfour-hmac or
aes128, since Windows never supported 3DES, and you don't want to use
plain DES any more (and it has to be specifically enabled on the Windows
side, if they haven't dropped it entirely now). I'm not sure what
enctypes the kernel-level support currently implements.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Daniel Kahn Gillmor

Nov 14, 2011, 2:10:02 PM11/14/11
to
On 11/14/2011 01:19 PM, Russ Allbery wrote:

> The NFS machinery is going to need to support either arcfour-hmac or
> aes128, since Windows never supported 3DES, and you don't want to use
> plain DES any more (and it has to be specifically enabled on the Windows
> side, if they haven't dropped it entirely now). I'm not sure what
> enctypes the kernel-level support currently implements.

You'll need the kernel from squeeze-backports or later to get enctypes
other than des-cbc-crc.

I can attest that 2.6.39-3~bpo60+1 works with aes128-cts with SHA-1
HMAC, as long as you're using the nfs-kernel-server from bpo or later.
I haven't tried it against a win2k8 kdc, though.

--dkg


Kramarenko A. Maxim

Nov 14, 2011, 2:10:02 PM11/14/11
to
Russ Allbery <r...@debian.org> писал(а) в своём письме Mon, 14 Nov 2011
22:19:04 +0400:

> I don't know what's going on with the NFS portion of this, since I don't
> use NFS at all, but I can tell you a few things about the Kerberos end.
>
> For a Windows 2008r2 Active Directory domain controller, the only
> enctypes
> there that are going to work are arcfour-hmac and aes128. (aes256 might
> as well in some situations, but I think you have to go to some extra
> work,
> or maybe it's that a lot of Windows clients don't support them.)
>
> You generally don't want to set these parameters, although I realize that
> used to be the case for NFS.
>
> The NFS machinery is going to need to support either arcfour-hmac or
> aes128, since Windows never supported 3DES, and you don't want to use
> plain DES any more (and it has to be specifically enabled on the Windows
> side, if they haven't dropped it entirely now). I'm not sure what
> enctypes the kernel-level support currently implements.
>
Thank you all for your answers.

Russ,

I absolutely agree with you. Win 2k8 works correctly with arcfour-hmac
(RC4-HMAC) and AES128 (which is not supported by WinXP and earlier).
Therefore, setting allow_weak_crypto does not help me.
But how can I check whether RC4-HMAC and AES128 are supported, to make
sure that this is the cause of the problem?
And how do I find out which kernel version I need to upgrade to in order
to have a stable system with working NFS?

P.S. But kinit gets the same ticket from KDC? Or kinit does not use the
kernel and uses the tools of userland-level?

P.P.S.:
I also tried to explicitly specify the type of encryption in krb5.conf:
=============
root@debian:~# grep -e rc4 -e des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.s...@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG....@SAG.LOCAL
renew until 11/15/11 22:51:28
=============
and on server
=============
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.s...@SAG.LOCAL

Valid starting Expires Service principal
11/14/11 22:53:45 11/15/11 08:53:45 krbtgt/SAG....@SAG.LOCAL
renew until 11/15/11 22:53:45
====================
And once again got an error on the server:
===================
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)


--
Best Regards

Kramarenko A. Maxim

Nov 14, 2011, 3:30:02 PM11/14/11
to
Daniel Kahn Gillmor <d...@fifthhorseman.net> писал(а) в своём письме Mon,
14 Nov 2011 23:05:36 +0400:
Thank you for your reply.
Daniel,

I updated the kernel to:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686
GNU/Linux

But the error appears again and I am unable to mount.
client:
==============
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5
uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 15 00:06:32 debian rpc.gssd[1730]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: process_krb5_upcall: service is
'<null>'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'archiv.sag.local' is 'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'debian.sag.local' is 'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
root/debian.s...@SAG.LOCAL while getting keytab entry for
'root/debian.s...@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for
'nfs/debian.s...@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using
FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to
select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0
(save_uid 0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server
n...@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5
context for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine
krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for
server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Machine cache is
prematurely expired or corrupted trying to recreate cache for server
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'archiv.sag.local' is 'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for
'debian.sag.local' is 'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for
root/debian.s...@SAG.LOCAL while getting keytab entry for
'root/debian.s...@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for
'nfs/debian.s...@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using
FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to
select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0
(save_uid 0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server
n...@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5
context for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine
krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for
server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine
krb5 context with any credentials cache for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: doing error downcall
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si
0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client
/var/lib/nfs/rpc_pipefs/nfs/clnt20
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client
/var/lib/nfs/rpc_pipefs/nfs/clnt1f
===============
... and server:
===============
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)


Do you have any ideas?

--
Best Regards

Russ Allbery

Nov 14, 2011, 3:40:01 PM11/14/11
to
"Kramarenko A. Maxim" <mc-s...@ya.ru> writes:

> P.S. But kinit gets the same ticket from KDC? Or kinit does not use the
> kernel and uses the tools of userland-level?

The NFS server, client, and KDC all have to agree on a single encryption
type, and the encryption type of the service ticket issued by the KDC to
the client has to be in an encryption type that the NFS server supports.

> root@debian:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/debian.s...@SAG.LOCAL

> Valid starting Expires Service principal
> 11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG....@SAG.LOCAL
> renew until 11/15/11 22:51:28

It would be more interesting to run klist -e after attempting to contact
the server, so that you can see what the encryption type of the service
ticket for the NFS server was.

Kramarenko A. Maxim

Nov 15, 2011, 12:40:02 AM11/15/11
to
Russ Allbery <r...@debian.org> писал(а) в своём письме Tue, 15 Nov 2011
00:27:01 +0400:

> "Kramarenko A. Maxim" <mc-s...@ya.ru> writes:
>
>
> The NFS server, client, and KDC all have to agree on a single encryption
> type, and the encryption type of the service ticket issued by the KDC to
> the client has to be in an encryption type that the NFS server supports.
The KDC supports these encryption types
(http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx):
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS server runs this kernel:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686
GNU/Linux
As you said above, it supports:
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS client runs this kernel:
root@debian:~# uname -a
Linux debian 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
It is newer than the server's kernel, so it should also support the above
types of encryption.
(If both the server and the client run the kernel Linux debian 3.0.0-1-486 #1,
then there is no error ...)

I tried setting this in krb5.conf on both the NFS client and server (see my previous message):
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

But still there was an error on NFS server:
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)


>
> It would be more interesting to run klist -e after attempting to contact
> the server, so that you can see what the encryption type of the service
> ticket for the NFS server was.
>
on client:

root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.s...@SAG.LOCAL

Valid starting Expires Service principal
11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG....@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac

...and on server:

ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.s...@SAG.LOCAL

Valid starting Expires Service principal
11/15/11 09:26:37 11/15/11 19:26:42 krbtgt/SAG....@SAG.LOCAL
renew until 11/16/11 09:26:37, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5

--
Best Regards

Russ Allbery

Nov 15, 2011, 1:00:02 AM11/15/11
to
"Kramarenko A. Maxim" <mc-s...@ya.ru> writes:

>> It would be more interesting to run klist -e after attempting to contact
>> the server, so that you can see what the encryption type of the service
>> ticket for the NFS server was.

> on client:

> root@debian:~# kinit -k nfs/debian.sag.local
> root@debian:~# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/debian.s...@SAG.LOCAL

> Valid starting Expires Service principal
> 11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG....@SAG.LOCAL
> renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac

No, this is the TGT for the client's principal. Rather than running klist
-e immediately after obtaining credentials, run kinit and then try to
access NFS (so that rpc.gssd will obtain a service ticket for the server)
and *then* run klist -e and look at what encryption type the service
ticket for nfs/archiv.s...@SAG.LOCAL has.

Kramarenko A. Maxim

Nov 15, 2011, 2:20:01 AM11/15/11
to
Russ Allbery <r...@debian.org> писал(а) в своём письме Tue, 15 Nov 2011
09:54:29 +0400:

> "Kramarenko A. Maxim" <mc-s...@ya.ru> writes:
>
>>> It would be more interesting to run klist -e after attempting to
>>> contact
>>> the server, so that you can see what the encryption type of the service
>>> ticket for the NFS server was.
>
>> on client:
>
>> root@debian:~# kinit -k nfs/debian.sag.local
>> root@debian:~# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: nfs/debian.s...@SAG.LOCAL
>
>> Valid starting Expires Service principal
>> 11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG....@SAG.LOCAL
>> renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
>> arcfour-hmac
>
> No, this is the TGT for the client's principal. Rather than running
> klist
> -e immediately after obtaining credentials, run kinit and then try to
> access NFS (so that rpc.gssd will obtain a service ticket for the server)
> and *then* run klist -e and look at what encryption type the service
> ticket for nfs/archiv.s...@SAG.LOCAL has.
>

It's done.
On client mount and klist:

root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "archiv:/nfs"
mount: node: "/mnt2"
mount: types: "nfs4"
mount: opts: "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/nfs"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Tue Nov 15 11:09:25 2011
mount.nfs4: trying text-based options
'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
root@debian:~# ls -la /tmp/
итого 8
drwxrwxrwt 4 root root 100 Ноя 15 11:07 .
drwxr-xr-x 24 root root 4096 Ноя 14 16:55 ..
drwxrwxrwt 2 root root 40 Ноя 14 12:28 .ICE-unix
-rw------- 1 root root 2444 Ноя 15 11:07 krb5cc_machine_SAG.LOCAL
drwxrwxrwt 2 root root 40 Ноя 14 12:28 .X11-unix
root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.s...@SAG.LOCAL

Valid starting Expires Service principal
11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG....@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.s...@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac


On NFS server:
ARCHIV ~ # ls -la /tmp/
итого 8
drwxrwxrwt 2 root root 4096 Ноя 15 10:41 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
ARCHIV ~ # ps aux | grep rpc
root 805 0.0 0.0 2308 920 ? Ss 00:03 0:00
/sbin/rpcbind -w
root 827 0.0 0.0 0 0 ? S< 00:03 0:00 [rpciod]
root 2089 0.0 0.0 3676 1556 ? Ss 11:04 0:00
/usr/sbin/rpc.svcgssd yes
root 2091 0.0 0.0 2668 636 ? Ss 11:04 0:00
/usr/sbin/rpc.mountd --manage-gids
statd 2132 0.0 0.0 2376 1056 ? Ss 11:05 0:00
/sbin/rpc.statd
root 2144 0.0 0.0 2612 392 ? Ss 11:05 0:00
/usr/sbin/rpc.idmapd
root 2148 0.0 0.0 3440 616 ? Ss 11:05 0:00
/usr/sbin/rpc.gssd -vvv
root 2158 0.0 0.0 3464 752 pts/0 S+ 11:09 0:00 grep
--colour=auto rpc
ARCHIV ~ # tail /var/log/daemon.log
Nov 15 11:04:51 archiv rpc.mountd[1962]: Caught signal 15, un-registering
and exiting.
Nov 15 11:04:52 archiv rpc.mountd[2091]: Version 1.2.4 starting
Nov 15 11:04:59 archiv rpc.gssd[2010]: exiting on signal 15
Nov 15 11:04:59 archiv rpc.statd[1994]: Caught signal 15, un-registering
and exiting
Nov 15 11:05:00 archiv rpc.statd[2132]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Already notifying clients; Exiting!
Nov 15 11:05:00 archiv rpc.gssd[2148]: beginning poll
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)

On the server, /tmp/krb5cc_machine_REALM was not created.
When I tried to mount the exported directory "locally" on the NFS server,
the file was created:

ARCHIV ~ # mount -v -t nfs4 -o sec=krb5 archiv:/nfs /mnt
mount.nfs4: timeout set for Tue Nov 15 11:14:04 2011
mount.nfs4: trying text-based options
'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
ARCHIV ~ # ls -la /tmp/
итого 12
drwxrwxrwt 2 root root 4096 Ноя 15 11:12 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
-rw------- 1 root root 2444 Ноя 15 11:12 krb5cc_machine_SAG.LOCAL
ARCHIV ~ # klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/archiv.s...@SAG.LOCAL

Valid starting Expires Service principal
11/15/11 11:12:04 11/15/11 21:12:09 krbtgt/SAG....@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
11/15/11 11:12:09 11/15/11 21:12:09 nfs/archiv.s...@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5


--
Best Regards



Russ Allbery

Nov 15, 2011, 2:30:01 AM11/15/11
to
"Kramarenko A. Maxim" <mc-s...@ya.ru> writes:

> root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
> Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
> Default principal: nfs/debian.s...@SAG.LOCAL

> Valid starting Expires Service principal
> 11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG....@SAG.LOCAL
> renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
> 11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.s...@SAG.LOCAL
> renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac

Okay, well, so much for that theory. I was hoping that for some reason
you were getting service tickets that weren't arcfour-hmac, but you are,
so I don't get why they wouldn't match.

> Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - No supported
> encryption types (config file error?)

The only thing that I can think of at this point is that the underlying
GSS-API implementation behind rpc.svcgssd isn't supporting arcfour-hmac
for some reason. Maybe you don't have the backported version of
everything and your daemon still only supports DES somehow?

Kramarenko A. Maxim

Nov 15, 2011, 3:00:02 AM11/15/11
to
Russ Allbery <r...@debian.org> писал(а) в своём письме Tue, 15 Nov 2011 11:21:05 +0400:

> "Kramarenko A. Maxim" <mc-s...@ya.ru> writes:
>
> The only thing that I can think of at this point is that the underlying
> GSS-API implementation behind rpc.svcgssd isn't supporting arcfour-hmac
> for some reason. Maybe you don't have the backported version of
> everything and your daemon still only supports DES somehow?
>
These are versions of the software on the NFS server:

ARCHIV ~ # dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5
ii krb5-user 1.8.3+dfsg-4squeeze2 Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Support library
ARCHIV ~ # dpkg -l | grep gss
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssglue1 0.1-4 mechanism-switch gssapi library
ii libgssrpc4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - GSS enabled ONCRPC
ii librpcsecgss3 0.19-2 allows secure rpc communication using the rpcsec_gss protocol
ARCHIV ~ # dpkg -l | grep -i mit
ii krb5-user 1.8.3+dfsg-4squeeze2 Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssrpc4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - GSS enabled ONCRPC
ii libk5crypto3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Crypto Library
ii libkadm5clnt-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Administration Clients
rc libkadm5srv-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - KDC and Admin Server
rc libkdb5-4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Kerberos database
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Support library
ARCHIV ~ # dpkg -l | grep -i nfs
ii liblockfile1 1.08-4 NFS-safe locking library, includes dotlockfile program
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.4-1~bpo60+1 support for NFS kernel server

Would it be worth upgrading krb5-user from backports?

--
Best Regards,
Mc.Sim.
http://www.k-max.name/

Kramarenko A. Maxim

Nov 17, 2011, 2:30:01 AM11/17/11
to
I upgraded krb5-user from the backports repository, but the error remained the same:

ARCHIV ~ # dpkg -l | grep -i mit
ii krb5-user 1.9.1+dfsg-3 Basic programs to authenticate using MIT Ke
ii libgssapi-krb5-2 1.9.1+dfsg-3 MIT Kerberos runtime libraries - krb5 GSS-A
ii libgssrpc4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - GSS enable
ii libk5crypto3 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Crypto Lib
ii libkadm5clnt-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Administra
ii libkadm5clnt-mit8 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Administra
rc libkadm5srv-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - KDC and Ad
ii libkadm5srv-mit8 1.9.1+dfsg-3 MIT Kerberos runtime libraries - KDC and Ad
rc libkdb5-4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Kerberos d
ii libkdb5-5 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Kerberos d
ii libkrb5-3 1.9.1+dfsg-3 MIT Kerberos runtime libraries
ii libkrb5support0 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Support li
ARCHIV ~ # echo startingmount >> /var/log/daemon.log
ARCHIV ~ # mount -v -t nfs4 -o sec=krb5 archiv:/nfs /mnt
mount.nfs4: timeout set for Thu Nov 17 11:22:49 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
ARCHIV ~ # grep -A500 startingmount /var/log/daemon.log
startingmount
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd3618c data 0xbfd3620c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd3809c data 0xbfd3811c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt6)
Nov 17 11:20:49 archiv rpc.gssd[846]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 17 11:20:49 archiv rpc.gssd[846]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt6)
Nov 17 11:20:49 archiv rpc.gssd[846]: process_krb5_upcall: service is '<null>'
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.SAG.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'ARCHIV$@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'root/archiv.s...@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Success getting keytab entry for 'nfs/archiv.s...@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 17 11:20:49 archiv rpc.gssd[846]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context using fsuid 0 (save_uid 0)
Nov 17 11:20:49 archiv rpc.gssd[846]: creating tcp client for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: DEBUG: port already set to 2049
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context with server n...@archiv.SAG.local
Nov 17 11:20:49 archiv rpc.svcgssd[13849]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.SAG.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'ARCHIV$@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'root/archiv.s...@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Success getting keytab entry for 'nfs/archiv.s...@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 17 11:20:49 archiv rpc.gssd[846]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context using fsuid 0 (save_uid 0)
Nov 17 11:20:49 archiv rpc.gssd[846]: creating tcp client for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: DEBUG: port already set to 2049
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context with server n...@archiv.SAG.local
Nov 17 11:20:49 archiv rpc.svcgssd[13849]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: doing error downcall
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt7
Nov 17 11:20:49 archiv rpc.gssd[846]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt6
ARCHIV ~ #

Does anyone else have any advice?


--
Best Regards,
Mc.Sim.
http://www.k-max.name/


