Packages: src:krb5, nfs-kernel-server; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>; Maintainer for nfs-kernel-server is Debian kernel team <debian-kernel@lists.debian.org>; Source for nfs-kernel-server is src:nfs-utils.
Reported by: Rico Rommel <rico@bierrommel.de>
Date: Sun, 10 Apr 2011 15:51:04 UTC
Severity: normal
Tags: patch
Found in versions nfs-kernel-server/1:1.2.2-4, krb5/1.8.3+dfsg-4, 1:1.2.4-1~bpo60+1
Fixed in versions nfs-kernel-server/1:1.2.4-1, krb5/1.9.1+dfsg-1, krb5/1.8.3+dfsg-4squeeze2, nfs-utils/1:1.2.2-4squeeze1
Done: Luk Claes <luk@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, rico@bierrommel.de, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-common.
(Sun, 10 Apr 2011 15:51:18 GMT)
Acknowledgement sent
to Rico Rommel <rico@bierrommel.de>:
New Bug report received and forwarded. Copy sent to rico@bierrommel.de, Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 10 Apr 2011 15:51:22 GMT)
Message #5 received at submit@bugs.debian.org:
Package: nfs-common
Version: 1:1.2.2-4
Severity: normal
Tags: ipv6

After installing nfs-common 1:1.2.3-2 on clients (unstable) the nfs-kernel-server in squeeze denies access for kerberized nfs exports.

syslog on the server (squeeze) gives:

rpc.svcgssd[1049]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
rpc.svcgssd[1049]: ERROR: failed serializing krb5 context for kernel
rpc.svcgssd[1049]: WARNING: handle_nullreq: serialize_context_for_kernel failed

and

qword_eol: fflush failed: errno 38 (Function not implemented)

A workaround is to upgrade the server's version of nfs-kernel-server and nfs-common to 1:1.2.3-2 and linux-image to 2.6.38, but these packages are not part of squeeze.

-- System Information:
Debian Release: wheezy/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages nfs-common depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii initscripts 2.88dsf-13.1 scripts for initializing and shutt
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libcap2 1:2.20-1 support for getting/setting POSIX.
ii libcomerr2 1.41.12-2 common error description library
ii libevent-1.4-2 1.4.13-stable-1 An asynchronous event notification
ii libgssapi-krb5-2 1.9+dfsg-1 MIT Kerberos runtime libraries - k
ii libgssglue1 0.2-2 mechanism-switch gssapi library
ii libk5crypto3 1.9+dfsg-1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.9+dfsg-1 MIT Kerberos runtime libraries
ii libnfsidmap2 0.24-1 An nfs idmapping library
ii librpcsecgss3 0.19-2 allows secure rpc communication us
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
ii netbase 4.45 Basic TCP/IP networking system
ii rpcbind [portmap] 0.2.0-6 converts RPC program numbers into
ii ucf 3.0025+nmu1 Update Configuration File: preserv
nfs-common recommends no packages.
nfs-common suggests no packages.
-- no debconf information
Acknowledgement sent
to Rico Rommel <rico@bierrommel.de>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 10 Apr 2011 16:39:17 GMT)
Message #10 received at 622146@bugs.debian.org:
On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
> On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
> > Package: nfs-common
> > Version: 1:1.2.2-4
> > Severity: normal
> > Tags: ipv6
>
> [...]
>
> Why ipv6?
>
> Ben.

I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and tried a rebuild using librpcsecgss3.
But librpcsecgss3 conflicts with the now used libtirpc1, which provides ipv6 support to nfs. (as I understood)
Acknowledgement sent
to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 10 Apr 2011 17:42:27 GMT)
Message #15 received at 622146@bugs.debian.org:
On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
> Package: nfs-common
> Version: 1:1.2.2-4
> Severity: normal
> Tags: ipv6
[...]

Why ipv6?

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
Removed tag(s) ipv6.
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 17:57:40 GMT)
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 10 Apr 2011 18:18:25 GMT)
Message #22 received at 622146@bugs.debian.org:
On 04/10/2011 06:10 PM, Rico Rommel wrote:
> On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
>> On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
>>> Package: nfs-common
>>> Version: 1:1.2.2-4
>>> Severity: normal
>>> Tags: ipv6
>>
>> [...]
>>
>> Why ipv6?
>>
>> Ben.
>
> I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and tried a
> rebuild using librpcsecgss3.
> But librpcsecgss3 conflicts with the now used libtirpc1, which provides ipv6
> support to nfs. (as I understood)

Does removing librpcsecgss3 solve the problem?

Cheers

Luk
Acknowledgement sent
to Rico Rommel <rico@bierrommel.de>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 10 Apr 2011 18:48:07 GMT)
Message #27 received at 622146@bugs.debian.org:
On Sunday, 10 April 2011, 20:09:36, Luk Claes wrote:
> On 04/10/2011 06:10 PM, Rico Rommel wrote:
> > On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
> >> On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
> >>> Package: nfs-common
> >>> Version: 1:1.2.2-4
> >>> Severity: normal
> >>> Tags: ipv6
> >>
> >> [...]
> >>
> >> Why ipv6?
> >>
> >> Ben.
> >
> > I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and
> > tried a rebuild using librpcsecgss3.
> > But librpcsecgss3 conflicts with the now used libtirpc1, which provides
> > ipv6 support to nfs. (as I understood)
>
> Does removing librpcsecgss3 solve the problem?

No, it doesn't make any difference.
librpcsecgss3 isn't used by nfs-common 1.2.3-2

Rico
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 11 Apr 2011 16:39:33 GMT)
Message #32 received at 622146@bugs.debian.org:
On 04/10/2011 08:45 PM, Rico Rommel wrote:
> On Sunday, 10 April 2011, 20:09:36, Luk Claes wrote:
>> On 04/10/2011 06:10 PM, Rico Rommel wrote:
>>> On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
>>>> On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
>>> I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and
>>> tried a rebuild using librpcsecgss3.
>>> But librpcsecgss3 conflicts with the now used libtirpc1, which provides
>>> ipv6 support to nfs. (as I understood)
>>
>> Does removing librpcsecgss3 solve the problem?
>
> No, it doesn't make any difference.
> librpcsecgss3 isn't used by nfs-common 1.2.3-2

What kernel version are you using on the clients? If you're not using sid's kernel, does upgrading to a recent kernel (and rebooting obviously) solve anything?

If that also does not work, I guess we could prepare an upload containing support to limit the negotiated enctypes [1] to see if that helps.

Cheers

Luk

[1] http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=d6c1b35c6b40243bfd6fba2591c9f8f2653078c0
Acknowledgement sent
to Rico Rommel <rico@bierrommel.de>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 11 Apr 2011 17:18:28 GMT)
Message #37 received at 622146@bugs.debian.org:
On Monday, 11 April 2011, 18:28:45, Luk Claes wrote:
> On 04/10/2011 08:45 PM, Rico Rommel wrote:
> > On Sunday, 10 April 2011, 20:09:36, Luk Claes wrote:
> >> On 04/10/2011 06:10 PM, Rico Rommel wrote:
> >>> On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
> >>>> On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
> >>> I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and
> >>> tried a rebuild using librpcsecgss3.
> >>> But librpcsecgss3 conflicts with the now used libtirpc1, which provides
> >>> ipv6 support to nfs. (as I understood)
> >>
> >> Does removing librpcsecgss3 solve the problem?
> >
> > No, it doesn't make any difference.
> > librpcsecgss3 isn't used by nfs-common 1.2.3-2
>
> What kernel version are you using on the clients? If you're not using
> sid's kernel, does upgrading to a recent kernel (and rebooting
> obviously) solve anything?

The clients are running 2.6.38-2 (amd64) from sid.
Acknowledgement sent
to Clint Adams <clint@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 15 May 2011 22:33:03 GMT)
Message #42 received at 622146@bugs.debian.org:
I also have this problem.
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 06 Jun 2011 14:57:04 GMT)
Message #47 received at 622146@bugs.debian.org:
Same thing here, against a Lenny nfs server.

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 06 Jun 2011 15:39:03 GMT)
Message #52 received at 622146@bugs.debian.org:
Adding the following line in the [libdefaults] section of /etc/krb5.conf fixed the problem for me (tm), probably not the best solution, but works:
permitted_enctypes = des-cbc-md5

I also exported ONLY the DES-CBC-MD5:NORMAL key for my sid host:
kadmin.local: ktadd -k lib.keytab -e DES-CBC-MD5:NORMAL host/lib
(probably not needed, but just to stay on the "safe" side)

HTH,

Alberto

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 07 Jun 2011 17:03:03 GMT)
Message #57 received at 622146@bugs.debian.org:
On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
> Adding the following line in the [libdefaults] section of /etc/krb5.conf
> fixed the problem for me (tm), probably not the best solution, but
> works:
> permitted_enctypes = des-cbc-md5

It's probably better to set enable_weak_crypto=yes, does that work?

> I also exported ONLY the DES-CBC-MD5:NORMAL key for my sid host:
> kadmin.local: ktadd -k lib.keytab -e DES-CBC-MD5:NORMAL host/lib
> (probably not needed, but just to stay on the "safe" side)

Cheers

Luk
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 07 Jun 2011 17:09:07 GMT)
Message #65 received at 622146@bugs.debian.org:
On 06/07/2011 07:01 PM, Luk Claes wrote:
> On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
>> Adding the following line in the [libdefaults] section of /etc/krb5.conf
>> fixed the problem for me (tm), probably not the best solution, but
>> works:
>> permitted_enctypes = des-cbc-md5
>
> It's probably better to set enable_weak_crypto=yes, does that work?

'allow_weak_crypto = true', that is.

>> I also exported ONLY the DES-CBC-MD5:NORMAL key for my sid host:
>> kadmin.local: ktadd -k lib.keytab -e DES-CBC-MD5:NORMAL host/lib
>> (probably not needed, but just to stay on the "safe" side)

Cheers

Luk
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 07 Jun 2011 17:21:10 GMT)
Message #73 received at 622146@bugs.debian.org:
>>>>> "Luk" == Luk Claes <luk@debian.org> writes:
Luk> On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
>> Adding the following line in the [libdefaults] section of
>> /etc/krb5.conf fixed the problem for me (tm), probably not the
>> best solution, but works: permitted_enctypes = des-cbc-md5
Luk> It's probably better to set enable_weak_crypto=yes, does that
Luk> work?
Hi.
I think I gave Luk the wrong setting.
It's allow_weak_crypto = yes not enable_weak_crypto = yes.
You should not have to set permitted_enctypes.
Enabling weak_crypto and only setting the des-cbc-crc key with ktadd in
kadmin is supposed to be sufficient.
--Sam
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 07 Jun 2011 21:25:31 GMT)
Message #81 received at 622146@bugs.debian.org:
On Tue, Jun 07, 2011 at 01:10:23PM -0400, Sam Hartman wrote:
> >>>>> "Luk" == Luk Claes <luk@debian.org> writes:
>
> Luk> On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
> >> Adding the following line in the [libdefaults] section of
> >> /etc/krb5.conf fixed the problem for me (tm), probably not the
> >> best solution, but works: permitted_enctypes = des-cbc-md5
>
> Luk> It's probably better to set enable_weak_crypto=yes, does that
> Luk> work?
>
> Hi.
> I think I gave Luk the wrong setting.
> It's allow_weak_crypto = yes not enable_weak_crypto = yes.
>
> You should not have to set permitted_enctypes.
> Enabling weak_crypto and only setting the des-cbc-crc key with ktadd in
> kadmin is supposed to be sufficient.

I have both set:
allow_weak_crypto=true
permitted_enctypes = des-cbc-md5

And only the... wait I have des-cbc-md5 IIRC, not des-cbc-crc. I'll check that tomorrow.

But it's not working after the last upgrade. When I posted yesterday I was running a sid version from a couple of weeks ago. Probably 1.9, sorry can't remember now.

Regards,

Alberto

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Wed, 08 Jun 2011 10:27:22 GMT)
Message #86 received at 622146@bugs.debian.org:
Ok, got tired of this now. I don't know how it worked a couple of days ago, I'm not able to get it to work now. Either with 1.9 or 1.9.1.

Only the des-cbc-md5 or des-cbc-crc keys in the client's keytab, with both:
allow_weak_crypto = yes
permitted_enctypes = des-cbc-(md5|crc)

Or just with allow_weak_crypto

No way to mount, with the known errors on the server. I'll play with this again in some days, sshfs will do the job for the time being.

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Wed, 08 Jun 2011 18:12:10 GMT)
Message #91 received at 622146@bugs.debian.org:
Hi.
I was missing some context here.

My suspicion is that things will work
if you add
permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
to the configuration of the nfs server

And make sure that the nfs principal on the NFS server has nothing but a
des-cbc-crc key in the KDC database.
That is
kadmin.local: getprinc nfs/machine_name
should only list DES keys.

If you satisfy all of these conditions then I *think* that a sid client
can connect to a squeeze server.

It may also work to make the following config changes on the client:

default_tgs_enctypes = des-cbc-crc

and no config changes on the server.

Clearly, this is all non-ideal. Once we confirm what's going on, we can look into backporting some fixes to this issue introduced into MIT Kerberos and nfs-utils.

--Sam
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Thu, 09 Jun 2011 11:06:44 GMT)
Message #99 received at 622146@bugs.debian.org:
On Wed, Jun 08, 2011 at 02:10:32PM -0400, Sam Hartman wrote:
> Hi.
> I was missing some context here.
>
> My suspicion is that things will work
> if you add
> permitted_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> to the configuration of the nfs server
>
> And make sure that the nfs principal on the NFS server has nothing but a
> des-cbc-crc key in the KDC database.
> That is
> kadmin.local: getprinc nfs/machine_name
> should only list DES keys.
Hi Sam,
Thanks for looking into this.
I'd rather not touch anything in the server, since +100 clients are
using it.
> If you satisfy all of these conditions then I *think* that a sid client
> can connect to a squeeze server.
Humm, the server is (right now) lenny in my case.
> It may also work to make the following config changes on the client:
>
> default_tgs_enctypes = des-cbc-crc
>
> and no config changes on the server.
Did that, no luck :-(
I really wonder how I made it work last time...
Now I have (not working):
agi@lib:~$ grep cbc /etc/krb5.conf
permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
agi@lib:~$ grep weak /etc/krb5.conf
allow_weak_crypto = yes
And only the des-cbc-crc:normal key on this host's keytab.
Regards,
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Thu, 09 Jun 2011 13:39:24 GMT)
Message #104 received at 622146@bugs.debian.org:
OK, I have no clue nor really any interest in debugging DES.

There is a real bug here introduced in krb5 1.7 which added enctype negotiation. I'd expect that to create some problems for sid clients talking to squeeze servers.

There's a solution to that which involves backporting the nfs-utils patch mentioned earlier in this bug to squeeze and backporting a krb5 patch that depends on to squeeze.

I'm certainly happy to backport the krb5 patch if the stable release managers approve.

However, that won't help you. I don't understand how you're seeing that issue because the code that causes the problem is introduced into krb5 1.7 and lenny has krb5 1.6. If the server doesn't support the negotiation feature, it is not used.
Acknowledgement sent
to Tom Boven <tom.boven@telenet.be>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sat, 18 Jun 2011 08:30:09 GMT)
Message #109 received at 622146@bugs.debian.org:
Package: nfs-common
Version: 1:1.2.3-2
Followup-For: Bug #622146
At my pc I'm running sid and my server is running wheezy (on a 2.6.32-5-xen-amd64 kernel). I've upgraded it to all latest packages today and I can confirm that with this configuration the issue also exists. I'll try a more recent kernel to see what effect it has on this.
-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 49727 status
100024 1 tcp 60755 status
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
RPCGSSDOPTS=""
NEED_IDMAPD=yes
NEED_GSSD=yes
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = THUIS.LAN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (400, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_BE.utf8, LC_CTYPE=nl_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nfs-common depends on:
ii adduser 3.113 add and remove users and groups
ii initscripts 2.88dsf-13.10 scripts for initializing and shutt
ii libc6 2.13-7 Embedded GNU C Library: Shared lib
ii libcap2 1:2.21-1 support for getting/setting POSIX.
ii libcomerr2 1.41.12-4 common error description library
ii libevent-1.4-2 1.4.13-stable-1 An asynchronous event notification
ii libgssapi-krb5-2 1.9.1+dfsg-1+b1 MIT Kerberos runtime libraries - k
ii libgssglue1 0.2-3 mechanism-switch gssapi library
ii libk5crypto3 1.9.1+dfsg-1+b1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.9.1+dfsg-1+b1 MIT Kerberos runtime libraries
ii libnfsidmap2 0.24-1 An nfs idmapping library
ii libtirpc1 0.2.2-2 transport-independent RPC library
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
ii netbase 4.45 Basic TCP/IP networking system
ii rpcbind 0.2.0-6 converts RPC program numbers into
ii ucf 3.0025+nmu2 Update Configuration File: preserv
Versions of packages nfs-common recommends:
ii python 2.6.6-14 interactive high-level object-orie
nfs-common suggests no packages.
-- no debconf information
Acknowledgement sent
to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 19 Jul 2011 17:45:03 GMT)
Message #114 received at 622146@bugs.debian.org:
Hi Sam,
I've also run into this bug, in the context of preparing to update nfs-utils
in Ubuntu for IPv6 support. My NFS server is running squeeze, and updating
causes the client and server to fail to negotiate as described.
It seems that it's possible to work around it by adding this single line to
the server:
permitted_enctypes = des-cbc-crc
in addition to the 'allow_weak_crypto = true' that was already there.
But what's confusing is that before this change, I had a DES3 *only* key for
this server, and everything was working! How could that be if the server
didn't support the DES3?
To work around this problem locally without having to set permitted_enctypes
for all other services on the NFS server, I've added a new separate
krb5.conf file under /etc, and am setting KRB5_CONFIG in
/etc/init.d/nfs-kernel-server to point to that path.
You mention that fixing this properly requires backporting patches to both
nfs-utils and krb5. Could you provide a reference for the krb5 patch? (I
assume the nfs-utils one is the one Luk already linked to) I'm potentially
willing to help with getting this into a stable update.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
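Added example (not part of the thread, nfs-utils or krb5): a small audit that reports krb5.conf files still carrying the single-DES workaround settings named in the message above, so they can be removed once fixed packages are installed. The sample configurations are constructed, and `libdefaults_relations` and `audit` are names chosen for this illustration.

```python
"""Report single-DES workaround settings in the [libdefaults] section of krb5.conf text."""
import re

# Values MIT krb5 treats as boolean true in krb5.conf.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# Single-DES enctype names; "des" is the family alias.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
# Relations that take an enctype list.
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

# Constructed sample: a dedicated file of the kind KRB5_CONFIG could point at.
SAMPLE_NFS_CONF = """\
# constructed sample, not taken from any host in the thread
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    permitted_enctypes = des-cbc-crc

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

# Constructed sample: no DES workaround present.
SAMPLE_CLEAN_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def libdefaults_relations(text):
    """Return (line number, key, value) for each top-level relation in [libdefaults]."""
    section, depth, out = None, 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
            continue
        if line.endswith("{"):               # start of a nested subsection
            depth += 1
            continue
        if line.startswith("}"):             # end of a nested subsection
            depth = max(depth - 1, 0)
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out.append((lineno, key, value))
    return out


def audit(text):
    """Return findings as (line number, key, description) tuples."""
    findings = []
    for lineno, key, value in libdefaults_relations(text):
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((lineno, key, "weak enctypes enabled"))
        elif key in ENCTYPE_KEYS:
            names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
            weak = [n for n in names if n in SINGLE_DES]
            if weak and len(weak) == len(names):
                findings.append((lineno, key, "restricted to single DES: " + " ".join(weak)))
            elif weak:
                findings.append((lineno, key, "includes single DES: " + " ".join(weak)))
    return findings


if __name__ == "__main__":
    for name, conf in (("nfs-server sample", SAMPLE_NFS_CONF), ("clean sample", SAMPLE_CLEAN_CONF)):
        results = audit(conf)
        print(name + ":", "no DES workaround found" if not results else "")
        for lineno, key, description in results:
            print(f"  line {lineno}: {key}: {description}")
```

To check real hosts, pass the contents of /etc/krb5.conf and of any separate file that a service's KRB5_CONFIG points at to `audit`.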
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 19 Jul 2011 18:33:09 GMT)
Message #119 received at 622146@bugs.debian.org:
>>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:
Steve> Hi Sam, I've also run into this bug, in the context of
Steve> preparing to update nfs-utils in Ubuntu for IPv6 support. My
Steve> NFS server is running squeeze, and updating causes the client
Steve> and server to fail to negotiate as described.
Your nfs server is squeeze and your client was squeeze but is now more
than squeeze?
(substitute ubuntu releases with pre-ipv6 nfs-utils as appropriate for
squeeze?)
R24603 in MIT upstream subversion.
See attached.
I'm happy to interact with SRM for the krb5 side of it. However, the
bug as reported didn't seem to be this one because the server involved
was older than squeeze.
So I didn't actually have any users requesting a solution to a problem
I knew how to solve. If you have a problem that this krb5 patch and the
mentioned nfs-utils patch solve then we definitely should propose a
backport to SRM. I'll be happy to prepare krb5 packages.
[0001-ticket-6852.patch (text/x-diff, inline)]
From 82affd78ac2c2b13bacf8e004f13f2d0dba5acea Mon Sep 17 00:00:00 2001
From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue, 25 Jan 2011 00:23:48 +0000
Subject: [PATCH] ticket: 6852
subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
target_version: 1.9.1
tags: pullup
With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab. If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation. We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.
git-svn-id: svn://anonsvn.mit.edu/svn/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
---
src/lib/gssapi/krb5/accept_sec_context.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 9d40f68..c3cb2f1 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -623,6 +623,15 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
+ /* Limit the encryption types negotiated (if requested). */
+ if (cred->req_enctypes) {
+ if ((code = krb5_set_default_tgs_enctypes(context,
+ cred->req_enctypes))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
if ((code = krb5_rd_req(context, &auth_context, &ap_req,
cred->default_identity ? NULL : cred->name->princ,
cred->keytab,
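Review bot: The comment on the added block in kg_accept_krb5 ("Limit the encryption types negotiated (if requested)") does not explain why calling krb5_set_default_tgs_enctypes on `context` constrains what the krb5_rd_req call right below it will negotiate; the function name suggests it only affects TGS requests, so a sentence tying cred->req_enctypes to gss_krb5_set_allowable_enctypes and to the following rd_req would make the dependency visible. Two things to confirm before merging: that `context` is private to this acceptor call, because the restriction is set on the whole krb5 context rather than on auth_context and would otherwise outlive it, and that the `fail` label reports `code` as the minor status, since the new error path assigns only major_status.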
--
1.7.4.1
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-common.
(Tue, 19 Jul 2011 21:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 19 Jul 2011 21:21:03 GMT) (full text, mbox, link).
Message #124 received at 622146@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, Jul 19, 2011 at 02:31:36PM -0400, Sam Hartman wrote:
> >>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:
> Steve> Hi Sam, I've also run into this bug, in the context of
> Steve> preparing to update nfs-utils in Ubuntu for IPv6 support. My
> Steve> NFS server is running squeeze, and updating causes the client
> Steve> and server to fail to negotiate as described.
> Your nfs server is squeeze and your client was squeeze but is now more
> than squeeze?
> (substitute ubuntu releases with pre-ipv6 nfs-utils as appropriate for
> squeeze?)
Yes - Ubuntu currently has an nfs-utils package based on 1:1.2.2-4 (precisely the version in squeeze), and I'm in the process of updating it to 1.2.4.
> R24603 in MIT upstream subversion.
> See attached.
Thanks!
> I'm happy to interact with SRM for the krb5 side of it. However, the
> bug as reported didn't seem to be this one because the server involved
> was older than squeeze.
Oh, the original report said that the problem happened with a squeeze server. Only agi reported it with a lenny server.
> so I didn't actually have any users requesting a solution to a problem
> I knew how to solve. If you have a problem that this krb5 patch and the
> mentioned nfs-utils patch solve then we definitely should propose a
> backport to SRM. I'll be happy to prepare krb5 packages.
So the originally linked patch for nfs-utils, <http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=d6c1b35c6b40243bfd6fba2591c9f8f2653078c0>, doesn't apply cleanly against the nfs-utils 1.2.2 in squeeze; it appears to have some prerequisites. (The number of args to gssd_acquire_cred has changed.)
Anyone know which commits we need here? Or should I just rewrite gssd_acquire_cred(NULL, GSS_C_NT_HOSTBASED_SERVICE) to gssd_acquire_cred(NULL)?
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-common.
(Tue, 19 Jul 2011 21:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 19 Jul 2011 21:45:03 GMT) (full text, mbox, link).
Message #129 received at 622146@bugs.debian.org (full text, mbox, reply):
I don't have checkouts handy, but my strong suspicion is that if someone is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and there isn't an argument slot, you can leave it off. gss_c_nt_hostbased_service has always been the default for gssd.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-common.
(Mon, 01 Aug 2011 08:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 01 Aug 2011 08:36:03 GMT) (full text, mbox, link).
Message #134 received at 622146@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
reassign 622146 nfs-kernel-server,src:krb5
found 622146 nfs-kernel-server/1:1.2.2-4
found 622146 src:krb5/1.8.3+dfsg-4
fixed 622146 nfs-kernel-server/1:1.2.4-1
fixed 622146 src:krb5/1.9.1+dfsg-1
tags 622146 patch
thanks
On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
> I don't have checkouts handy, but my strong suspicion is that if someone
> is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
> there isn't an argument slot, you can leave it off.
> gss_c_nt_hostbased_service has always been the default for gssd.
Ok, thanks. I've built packages of nfs-utils and krb5 using the referenced backported patches, and can confirm that I'm now able to connect successfully from an nfs-utils 1.2.4 client without having to set permitted_enctypes on the server.
I've attached the patches for both packages to this mail. Phil, is it ok for these to be uploaded to stable-proposed-updates? This fixes a bug that makes squeeze kerberized NFS servers unusable with newer clients (e.g., wheezy).
Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[krb5-622146.diff (text/x-diff, attachment)]
[nfs-utils-622146.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Bug reassigned from package 'nfs-common' to 'nfs-kernel-server,src:krb5'.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:36:08 GMT) (full text, mbox, link).
Bug No longer marked as found in versions nfs-utils/1:1.2.3-2 and nfs-utils/1:1.2.2-4.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:36:09 GMT) (full text, mbox, link).
Bug Marked as found in versions nfs-kernel-server/1:1.2.2-4.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:36:10 GMT) (full text, mbox, link).
Bug Marked as fixed in versions nfs-kernel-server/1:1.2.4-1.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:36:10 GMT) (full text, mbox, link).
Added tag(s) patch.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:36:13 GMT) (full text, mbox, link).
Bug Marked as found in versions krb5/1.8.3+dfsg-4.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:51:12 GMT) (full text, mbox, link).
Bug Marked as fixed in versions krb5/1.9.1+dfsg-1.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Mon, 01 Aug 2011 08:51:14 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 01 Aug 2011 13:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 01 Aug 2011 13:06:03 GMT) (full text, mbox, link).
Message #153 received at 622146@bugs.debian.org (full text, mbox, reply):
If I get an ack from SRM I'll do the krb5 upload.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Wed, 03 Aug 2011 21:45:06 GMT) (full text, mbox, link).
Message #156 received at 622146@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
> On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
> > I don't have checkouts handy, but my strong suspicion is that if someone
> > is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
> > there isn't an argument slot, you can leave it off.
> > gss_c_nt_hostbased_service has always been the default for gssd.
>
> Ok, thanks. I've built packages of nfs-utils and krb5 using the referenced
> backported patches, and can confirm that I'm now able to connect
> successfully from an nfs-utils 1.2.4 client without having to set
> permitted_enctypes on the server.
Why is the nfs-utils patch needed again? To be able to run nfs-utils in squeeze with a newer kernel?
Kind regards
Philipp Kern
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Wed, 03 Aug 2011 22:09:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Wed, 03 Aug 2011 22:09:08 GMT) (full text, mbox, link).
Message #161 received at 622146@bugs.debian.org (full text, mbox, reply):
>>>>> "Philipp" == Philipp Kern <pkern@debian.org> writes:
Philipp> On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
>> On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
>> > I don't have checkouts handy, but my strong suspicion is that if
>> > someone is now passing in GSS_C_NT_HOSTBASED_SERVICE into
>> > gssd_acquire_cred and there isn't an argument slot, you can
>> > leave it off.
>> > gss_c_nt_hostbased_service has always been the default for gssd.
>>
>> Ok, thanks. I've built packages of nfs-utils and krb5 using the
>> referenced backported patches, and can confirm that I'm now able
>> to connect successfully from an nfs-utils 1.2.4 client without
>> having to set permitted_enctypes on the server.
Philipp> Why is the nfs-utils patch needed again? To be able to run
Philipp> nfs-utils in squeeze with a newer kernel?
No. The issue is that sid clients will ask a squeeze server to do
something the squeeze kernel can't handle. However, rather than asking
the kernel you ask the nfs-utils userspace. The squeeze krb5 can handle
the new encryption type and so it negotiates something, tries to stuff
it into the kernel, and doesn't even know how to do that.
The krb5 patch revises an existing API which allows userspace to tell
krb5 about the kernel capabilities to apply to the server as well as the
client.
The nfs-utils patch tells the server userspace code to call that
existing API which is only called on the client in squeeze.
The failure mode is that without both patches, squeeze servers fail to
work with sid clients running sid kernels.
--Sam
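
The failure mode and the two-part fix described in the message above, as a small self-contained model. This is an added illustration, not code from krb5 or nfs-utils: the struct, the function names and the sample enctype sets are assumptions constructed for the example; only the enctype numbers are the real IANA assignments.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos enctype numbers as assigned by IANA. */
enum {
    ET_DES_CBC_CRC   = 1,
    ET_DES3_CBC_SHA1 = 16,
    ET_AES128_CTS    = 17,
    ET_AES256_CTS    = 18,
    ET_RC4_HMAC      = 23
};
#define ET_NONE 0 /* no enctype could be agreed on */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

enum outcome {
    CONTEXT_IN_KERNEL,      /* negotiated and imported by the kernel */
    EXPORT_NOT_IMPLEMENTED, /* negotiated, but the kernel cannot import it */
    NEGOTIATION_FAILED      /* userspace refused every offered enctype */
};

/* Hypothetical model of the server side; not a krb5 or nfs-utils type. */
struct acceptor {
    const int *lib;       size_t n_lib;       /* userspace krb5 library */
    const int *kernel;    size_t n_kernel;    /* in-kernel GSS code */
    const int *allowable; size_t n_allowable; /* NULL: no restriction set */
};

static int contains(const int *set, size_t n, int et)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == et)
            return 1;
    return 0;
}

/* Simplified negotiation: take the first enctype in the client's preference
 * order that the library supports and, when a restriction has been set on
 * the acceptor, that the restriction also allows. */
int negotiate(const struct acceptor *a, const int *offer, size_t n_offer)
{
    for (size_t i = 0; i < n_offer; i++) {
        if (!contains(a->lib, a->n_lib, offer[i]))
            continue;
        if (a->allowable && !contains(a->allowable, a->n_allowable, offer[i]))
            continue;
        return offer[i];
    }
    return ET_NONE;
}

/* Userspace negotiates, then hands the context to the kernel. */
enum outcome accept_and_export(const struct acceptor *a, const int *offer,
                               size_t n_offer, int *chosen)
{
    *chosen = negotiate(a, offer, n_offer);
    if (*chosen == ET_NONE)
        return NEGOTIATION_FAILED;
    if (!contains(a->kernel, a->n_kernel, *chosen))
        return EXPORT_NOT_IMPLEMENTED;
    return CONTEXT_IN_KERNEL;
}

/* Constructed sample sets: a library that knows the newer enctypes, an older
 * kernel that does not, and two clients. */
static const int LIB[] = { ET_AES256_CTS, ET_AES128_CTS, ET_DES3_CBC_SHA1,
                           ET_RC4_HMAC, ET_DES_CBC_CRC };
static const int OLD_KERNEL[] = { ET_DES_CBC_CRC };
static const int NEW_CLIENT[] = { ET_AES256_CTS, ET_AES128_CTS,
                                  ET_DES3_CBC_SHA1, ET_RC4_HMAC,
                                  ET_DES_CBC_CRC };
static const int AES_ONLY_CLIENT[] = { ET_AES256_CTS, ET_AES128_CTS };

/* Without the fixes nothing tells the library what the kernel can import. */
enum outcome unpatched_server(int *chosen)
{
    struct acceptor a = { LIB, LEN(LIB), OLD_KERNEL, LEN(OLD_KERNEL), NULL, 0 };
    return accept_and_export(&a, NEW_CLIENT, LEN(NEW_CLIENT), chosen);
}

/* With both fixes the server daemon passes the kernel's list to the library. */
enum outcome patched_server(int *chosen)
{
    struct acceptor a = { LIB, LEN(LIB), OLD_KERNEL, LEN(OLD_KERNEL),
                          OLD_KERNEL, LEN(OLD_KERNEL) };
    return accept_and_export(&a, NEW_CLIENT, LEN(NEW_CLIENT), chosen);
}

/* A client with no enctype in common is refused during negotiation instead
 * of failing later at the kernel hand-off. */
enum outcome patched_server_aes_only_client(int *chosen)
{
    struct acceptor a = { LIB, LEN(LIB), OLD_KERNEL, LEN(OLD_KERNEL),
                          OLD_KERNEL, LEN(OLD_KERNEL) };
    return accept_and_export(&a, AES_ONLY_CLIENT, LEN(AES_ONLY_CLIENT), chosen);
}

int main(void)
{
    int et;
    printf("unpatched: outcome=%d enctype=%d\n", unpatched_server(&et), et);
    printf("patched:   outcome=%d enctype=%d\n", patched_server(&et), et);
    printf("aes-only:  outcome=%d enctype=%d\n",
           patched_server_aes_only_client(&et), et);
    return 0;
}
```

The restriction applies only to the acceptor it is set on, which is why other Kerberos services on the same host keep negotiating from the library's full list.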
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Fri, 05 Aug 2011 17:15:03 GMT) (full text, mbox, link).
Message #164 received at 622146@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
> On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
> > I don't have checkouts handy, but my strong suspicion is that if someone
> > is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
> > there isn't an argument slot, you can leave it off.
> > gss_c_nt_hostbased_service has always been the default for gssd.
>
> Ok, thanks. I've built packages of nfs-utils and krb5 using the referenced
> backported patches, and can confirm that I'm now able to connect
> successfully from an nfs-utils 1.2.4 client without having to set
> permitted_enctypes on the server.
>
> I've attached the patches for both packages to this mail. Phil, is it ok
> for these to be uploaded to stable-proposed-updates? This fixes a bug that
> makes squeeze kerberized NFS servers unusable with newer clients (e.g.,
> wheezy).
Please go ahead. I really hope that the regression potential is low for existing clients. Let's hope we find it out before the point release. (The change in nfs-utils is stretching the guidelines a bit.)
Kind regards
Philipp Kern
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Tue, 09 Aug 2011 00:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Tue, 09 Aug 2011 00:12:03 GMT) (full text, mbox, link).
Message #169 received at 622146@bugs.debian.org (full text, mbox, reply):
I expect to get to the krb5 package in a day or so. I expect nfs-utils will want to up its build-depends on krb5 to 1.8.3+dfsg-4squeeze2
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Sun, 04 Sep 2011 15:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Sun, 04 Sep 2011 15:39:03 GMT) (full text, mbox, link).
Message #174 received at 622146@bugs.debian.org (full text, mbox, reply):
On Fri, 2011-08-05 at 19:09 +0200, Philipp Kern wrote:
> On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
> > I've attached the patches for both packages to this mail. Phil, is it ok
> > for these to be uploaded to stable-proposed-updates? This fixes a bug that
> > makes squeeze kerberized NFS servers unusable with newer clients (e.g.,
> > wheezy).
>
> Please go ahead. I really hope that the regression potential is low
> for existing clients. Let's hope we find it out before the point
> release. (The change in nfs-utils is stretching the guidelines a bit.)
The krb5 package was uploaded and I've (somewhat belatedly) marked it for acceptance at the next dinstall.
What's the status of the nfs-utils upload?
Regards,
Adam
Reply sent
to Sam Hartman <hartmans@debian.org>:
You have taken responsibility.
(Sun, 04 Sep 2011 20:00:03 GMT) (full text, mbox, link).
Notification sent
to Rico Rommel <rico@bierrommel.de>:
Bug acknowledged by developer.
(Sun, 04 Sep 2011 20:00:03 GMT) (full text, mbox, link).
Message #179 received at 622146-close@bugs.debian.org (full text, mbox, reply):
Source: krb5
Source-Version: 1.8.3+dfsg-4squeeze2
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:
krb5-admin-server_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/krb5-admin-server_1.8.3+dfsg-4squeeze2_i386.deb
krb5-doc_1.8.3+dfsg-4squeeze2_all.deb
to main/k/krb5/krb5-doc_1.8.3+dfsg-4squeeze2_all.deb
krb5-kdc-ldap_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/krb5-kdc-ldap_1.8.3+dfsg-4squeeze2_i386.deb
krb5-kdc_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/krb5-kdc_1.8.3+dfsg-4squeeze2_i386.deb
krb5-multidev_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/krb5-multidev_1.8.3+dfsg-4squeeze2_i386.deb
krb5-pkinit_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/krb5-pkinit_1.8.3+dfsg-4squeeze2_i386.deb
krb5-user_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/krb5-user_1.8.3+dfsg-4squeeze2_i386.deb
krb5_1.8.3+dfsg-4squeeze2.diff.gz
to main/k/krb5/krb5_1.8.3+dfsg-4squeeze2.diff.gz
krb5_1.8.3+dfsg-4squeeze2.dsc
to main/k/krb5/krb5_1.8.3+dfsg-4squeeze2.dsc
libgssapi-krb5-2_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libgssapi-krb5-2_1.8.3+dfsg-4squeeze2_i386.deb
libgssrpc4_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libgssrpc4_1.8.3+dfsg-4squeeze2_i386.deb
libk5crypto3_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libk5crypto3_1.8.3+dfsg-4squeeze2_i386.deb
libkadm5clnt-mit7_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkadm5clnt-mit7_1.8.3+dfsg-4squeeze2_i386.deb
libkadm5srv-mit7_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkadm5srv-mit7_1.8.3+dfsg-4squeeze2_i386.deb
libkdb5-4_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkdb5-4_1.8.3+dfsg-4squeeze2_i386.deb
libkrb5-3_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkrb5-3_1.8.3+dfsg-4squeeze2_i386.deb
libkrb5-dbg_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkrb5-dbg_1.8.3+dfsg-4squeeze2_i386.deb
libkrb5-dev_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkrb5-dev_1.8.3+dfsg-4squeeze2_i386.deb
libkrb53_1.8.3+dfsg-4squeeze2_all.deb
to main/k/krb5/libkrb53_1.8.3+dfsg-4squeeze2_all.deb
libkrb5support0_1.8.3+dfsg-4squeeze2_i386.deb
to main/k/krb5/libkrb5support0_1.8.3+dfsg-4squeeze2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 09 Aug 2011 10:53:59 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit7 libkadm5clnt-mit7 libk5crypto3 libkdb5-4 libkrb5support0 libkrb53
Architecture: source all i386
Version: 1.8.3+dfsg-4squeeze2
Distribution: stable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit7 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit7 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-4 - MIT Kerberos runtime libraries - Kerberos database
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - transitional package for MIT Kerberos libraries
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 622146
Changes:
krb5 (1.8.3+dfsg-4squeeze2) stable; urgency=low
.
* Upstream ticket 6852: permit gss_set_allowable_enctypes to restrict
acceptor enctypes. Required in order to permit newer than squeeze
clients to talk to a squeeze nfs server without degrading security
for non-nfs applications on the box, Closes: #622146
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 05 Sep 2011 16:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Mon, 05 Sep 2011 16:51:05 GMT) (full text, mbox, link).
Message #184 received at 622146@bugs.debian.org (full text, mbox, reply):
>>>>> "Adam" == Adam D Barratt <adam@adam-barratt.org.uk> writes:
Adam> The krb5 package was uploaded and I've (somewhat belatedly)
Adam> marked it for acceptance at the next dinstall. What's the
Adam> status of the nfs-utils upload?
My guess is they were waiting for krb5.
Remember they have to increase build-depends for the krb5 you just
accepted.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 12 Sep 2011 18:27:09 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 12 Sep 2011 18:27:09 GMT) (full text, mbox, link).
Message #189 received at 622146@bugs.debian.org (full text, mbox, reply):
On Mon, 2011-09-05 at 12:46 -0400, Sam Hartman wrote:
> >>>>> "Adam" == Adam D Barratt <adam@adam-barratt.org.uk> writes:
>
> Adam> The krb5 package was uploaded and I've (somewhat belatedly)
> Adam> marked it for acceptance at the next dinstall. What's the
> Adam> status of the nfs-utils upload?
>
> My guess is they were waiting for krb5.
> Remember they have to increase build-depends for the krb5 you just
> accepted.
If it requires a versioned build-dependency, then both packages could just have been uploaded at the same time. Even if we accepted them both from p-u-NEW together, the buildds would have put nfs-common in to the "build-deps uninstallable" state until the necessary version of krb5 was available.
Regards,
Adam
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 03 Oct 2011 17:24:13 GMT) (full text, mbox, link).
Message #192 received at 622146@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Sep 05, 2011 at 12:46:13PM -0400, Sam Hartman wrote:
> >>>>> "Adam" == Adam D Barratt <adam@adam-barratt.org.uk> writes:
> Adam> The krb5 package was uploaded and I've (somewhat belatedly)
> Adam> marked it for acceptance at the next dinstall. What's the
> Adam> status of the nfs-utils upload?
> My guess is they were waiting for krb5.
> Remember they have to increase build-depends for the krb5 you just
> accepted.
AFAICS this now missed the 6.0.3 point release.
Kind regards,
Philipp Kern
--
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Stable Release Manager
`. `'   xmpp:phil@0x539.de                  Wanna-Build Admin
  `-    finger pkern/key@db.debian.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 03 Oct 2011 20:06:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 03 Oct 2011 20:06:06 GMT) (full text, mbox, link).
Message #197 received at 622146@bugs.debian.org (full text, mbox, reply):
On 10/03/2011 07:20 PM, Philipp Kern wrote:
> On Mon, Sep 05, 2011 at 12:46:13PM -0400, Sam Hartman wrote:
>>>>>>> "Adam" == Adam D Barratt <adam@adam-barratt.org.uk> writes:
>> Adam> The krb5 package was uploaded and I've (somewhat belatedly)
>> Adam> marked it for acceptance at the next dinstall. What's the
>> Adam> status of the nfs-utils upload?
>> My guess is they were waiting for krb5.
>> Remember they have to increase build-depends for the krb5 you just
>> accepted.
>
> AFAICS this now missed the 6.0.3 point release.
Upstream did some changes related to this which should fix it in unstable for the squeeze -> 2.6.35 kernel range. Kernels afterwards should not have the problem.
It would be good if someone could confirm that it is really fixed in unstable now.
Cheers
Luk
Message sent on
to Rico Rommel <rico@bierrommel.de>:
Bug#622146.
(Mon, 03 Oct 2011 20:06:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Wed, 05 Oct 2011 21:09:34 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Wed, 05 Oct 2011 21:12:18 GMT) (full text, mbox, link).
Message #205 received at 622146@bugs.debian.org (full text, mbox, reply):
It should be fixed in unstable by actually supporting the new enctypes. While nice, that rather misses the point.
Message sent on
to Rico Rommel <rico@bierrommel.de>:
Bug#622146.
(Wed, 05 Oct 2011 21:14:27 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Sun, 23 Oct 2011 01:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Rob Naccarato <rob@naccy.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Sun, 23 Oct 2011 01:06:03 GMT) (full text, mbox, link).
Message #213 received at 622146@bugs.debian.org (full text, mbox, reply):
This doesn't appear to be fixed to me. I get the same problems. I have even installed backported kernel (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I still get these:
Oct 22 20:24:54 blackdog rpc.svcgssd[8502]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
I have turned off and on allow_weak_crypto in both clients and servers and I'm at a complete loss as to what to do now. Can someone advise?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Sun, 23 Oct 2011 17:21:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>.
(Sun, 23 Oct 2011 17:21:07 GMT) (full text, mbox, link).
Message #218 received at 622146@bugs.debian.org (full text, mbox, reply):
>>>>> "Rob" == Rob Naccarato <rob@naccy.org> writes:
Rob> This doesn't appear to be fixed to me. I get the same
Rob> problems. I have even installed backported kernel
Rob> (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I
Rob> still get these:
This requires fixes in krb5 and nfs-utils.
krb5 has been fixed, but nothing gets better until the nfs-utils fix.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Sun, 23 Oct 2011 18:27:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Rob Naccarato <rob@naccy.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Sun, 23 Oct 2011 18:27:05 GMT) (full text, mbox, link).
Message #223 received at 622146@bugs.debian.org (full text, mbox, reply):
On 11-10-23 01:18 PM, Sam Hartman wrote:
>>>>>> "Rob" == Rob Naccarato<rob@naccy.org> writes:
>
> Rob> This doesn't appear to be fixed to me. I get the same
> Rob> problems. I have even installed backported kernel
> Rob> (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I
> Rob> still get these:
>
> This requires fixes in krb5 and nfs-utils.
> krb5 has been fixed, but nothing gets better until the nfs-utils fix.
So, nfs-utils 1.2.5, then? When's that supposed to be available?
I imagine this is a pretty critical issue for people. It is for me, at least.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Sun, 23 Oct 2011 21:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Sun, 23 Oct 2011 21:21:23 GMT) (full text, mbox, link).
Message #228 received at 622146@bugs.debian.org (full text, mbox, reply):
On 10/23/2011 02:25 PM, Rob Naccarato wrote:
> On 11-10-23 01:18 PM, Sam Hartman wrote:
>>>>>>> "Rob" == Rob Naccarato<rob@naccy.org> writes:
>>
>> Rob> This doesn't appear to be fixed to me. I get the same
>> Rob> problems. I have even installed backported kernel
>> Rob> (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I
>> Rob> still get these:
>>
>> This requires fixes in krb5 and nfs-utils.
>> krb5 has been fixed, but nothing gets better until the nfs-utils fix.
>
> So, nfs-utils 1.2.5, then? When's that supposed to be available?
>
> I imagine this is a pretty critical issue for people. It is for me, at
> least.
I'm the current backporter of nfs-utils. I use 1:1.2.4-1~bpo60+1 with
the squeeze-backports kernel (nfs server and nfs clients both use these
versions) and a squeeze kdc configured with:
supported_enctypes = aes128-cts:normal
I'm able to use kerberized (sec=krb5p) nfsv4 mounts in this arrangement.
Could you clarify how your configuration differs from what i've
described above so i could be sure what might need changing?
Regards,
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 24 Oct 2011 13:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Rob Naccarato <rob@naccy.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 24 Oct 2011 13:45:03 GMT) (full text, mbox, link).
Message #233 received at 622146@bugs.debian.org (full text, mbox, reply):
On Sun, Oct 23, 2011 at 05:16:59PM -0400, Daniel Kahn Gillmor wrote:
> On 10/23/2011 02:25 PM, Rob Naccarato wrote:
> > On 11-10-23 01:18 PM, Sam Hartman wrote:
> >>>>>>> "Rob" == Rob Naccarato<rob@naccy.org> writes:
> >>
> >> Rob> This doesn't appear to be fixed to me. I get the same
> >> Rob> problems. I have even installed backported kernel
> >> Rob> (2.6.39-bpo.2-amd64) and nfs-utils (1:1.2.4-1~bpo60+1) and I
> >> Rob> still get these:
> >>
> >> This requires fixes in krb5 and nfs-utils.
> >> krb5 has been fixed, but nothing gets better until the nfs-utils fix.
> >
> > > So, nfs-utils 1.2.5, then? When's that supposed to be available?
> >
> > I imagine this is a pretty critical issue for people. It is for me, at
> > least.
>
> I'm the current backporter of nfs-utils. I use 1:1.2.4-1~bpo60+1 with
> the squeeze-backports kernel (nfs server and nfs clients both use these
> versions) and a squeeze kdc configured with:
>
> supported_enctypes = aes128-cts:normal
>
> I'm able to use kerberized (sec=krb5p) nfsv4 mounts in this arrangement.
> Could you clarify how your configuration differs from what i've
> described above so i could be sure what might need changing?
Ok, here we go.
supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
des:onlyrealm des:afs3 aes128-cts:normal
Client (khan) attempting to use sec=krb5.
root@khan:/# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
HMAC)
2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
HMAC)
2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
/etc/fstab:
blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0
Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:
Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - Encryption type not
permitted
Both machines, client and server have:
linux-image-2.6.39-bpo.2-amd64
nfs-kernel-server 1:1.2.4-1~bpo60+1
Both machines, client and server have in krb5.conf:
allow_weak_crypto = true
Thanks.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 24 Oct 2011 16:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 24 Oct 2011 16:03:05 GMT) (full text, mbox, link).
Message #238 received at 622146@bugs.debian.org (full text, mbox, reply):
On 10/24/2011 09:42 AM, Rob Naccarato wrote:
> supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
> des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
> des:onlyrealm des:afs3 aes128-cts:normal
>
> Client (khan) attempting to use sec=krb5.
> root@khan:/# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> HMAC)
> 2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
> 2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
> 2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
> 2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> HMAC)
> 2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
> 2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
> 2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
this appears to have everything *but* aes128-cts:normal, fwiw.
My example client has:
0 example:~# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 host/example.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
SHA-1 HMAC)
0 example:~#
> /etc/fstab:
> blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0
>
0 example:~# grep nfs /etc/fstab
nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0
0 example:~#
i don't think the fsc is relevant to this discussion -- and i can't imagine that the difference between krb5 and krb5p is the issue.
> Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:
>
> Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - Encryption type not
> permitted
can you show the same klist on blackdog? here's what i've got on my server:
0 nfshost:~# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
8 nfs/nfshost.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
SHA-1 HMAC)
0 nfshost:~#
> Both machines, client and server have:
>
> linux-image-2.6.39-bpo.2-amd64
> nfs-kernel-server 1:1.2.4-1~bpo60+1
you shouldn't need nfs-kernel-server on the client -- what version of nfs-common do you have on the client?
> Both machines, client and server have in krb5.conf:
>
> allow_weak_crypto = true
A useful test might be to *reduce* the number of supported_enctypes to a select one or two, then change the keys for the client and the server (and for any user account using krb5 authentication) and re-try.
hth,
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 24 Oct 2011 19:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Rob Naccarato <rob@naccy.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 24 Oct 2011 19:12:03 GMT) (full text, mbox, link).
Message #243 received at 622146@bugs.debian.org (full text, mbox, reply):
On Mon, Oct 24, 2011 at 12:00:17PM -0400, Daniel Kahn Gillmor wrote:
> On 10/24/2011 09:42 AM, Rob Naccarato wrote:
>
> > supported_enctypes = aes256-cts:normal arcfour-hmac:normal \
> > des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm \
> > des:onlyrealm des:afs3 aes128-cts:normal
> >
> > Client (khan) attempting to use sec=krb5.
> > root@khan:/# klist -e -k /etc/krb5.keytab
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
> > --------------------------------------------------------------------------
> > 2 host/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> > HMAC)
> > 2 host/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
> > 2 host/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
> > 2 host/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (AES-256 CTS mode with 96-bit SHA-1
> > HMAC)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (ArcFour with HMAC/md5)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (Triple DES cbc mode with HMAC/sha1)
> > 2 nfs/khan.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
>
> this appears to have everything *but* aes128-cts:normal, fwiw.
>
> My example client has:
>
>
> 0 example:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 2 host/example.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 0 example:~#
Fair enough, I now have this on the client:
root@khan:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
4 nfs/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
HMAC)
4 host/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
HMAC)
I also have this on the server:
blackdog:/etc# klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
SHA-1 HMAC)
7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
HMAC)
>
> > /etc/fstab:
> > blackdog:/ /shares nfs4 _netdev,auto,sec=krb5,acl 0 0
> >
>
>
> 0 example:~# grep nfs /etc/fstab
> nfshost:/ /usr/local/data nfs4 sec=krb5p,fsc 0 0
> 0 example:~#
>
> i don't think the fsc is relevant to this discussion -- and i can't
> imagine that the difference between krb5 and krb5p is the issue.
Yep, and I have no need for the encryption across the wire, either.
>
> > Server (blackdog), with kdc, exporting nfs4, when I attempt to mount the above:
> >
> > Oct 24 09:32:36 blackdog rpc.svcgssd[22979]: ERROR: GSS-API: error in
> > handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> > failure. Minor code may provide more information) - Encryption type not
> > permitted
>
> can you show the same klist on blackdog? here's what i've got on my server:
>
> 0 nfshost:~# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 8 nfs/nfshost.example.org@EXAMPLE.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 0 nfshost:~#
Yup, shown above.
>
> > Both machines, client and server have:
> >
> > linux-image-2.6.39-bpo.2-amd64
> > nfs-kernel-server 1:1.2.4-1~bpo60+1
>
> you shouldn't need nfs-kernel-server on the client -- what version of
> nfs-common do you have on the client?
>
nfs-common 1:1.2.4-1~bpo60+1
> > Both machines, client and server have in krb5.conf:
> >
> > allow_weak_crypto = true
>
> A useful test might be to *reduce* the number of supported_enctypes to a
> select one or two, then change the keys for the client and the server
> (and for any user account using krb5 authentication) and re-try.
So, reduce the list to, say, just aes128-cts:normal? Should I also remove the allow_weak_crypto option?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 24 Oct 2011 20:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 24 Oct 2011 20:27:06 GMT) (full text, mbox, link).
Message #248 received at 622146@bugs.debian.org (full text, mbox, reply):
On 10/24/2011 03:09 PM, Rob Naccarato wrote:
> Fair enough, I now have this on the client:
> root@khan:/etc# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 4 nfs/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
> HMAC)
> 4 host/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
> HMAC)
this looks reasonable to me (funnily, i also have a machine named khan!)
> I also have this on the server:
>
> blackdog:/etc# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
> HMAC)
this also looks reasonable to me (there's no need for the kvno to match between the credentials for the two different principals)
>> you shouldn't need nfs-kernel-server on the client -- what version of
>> nfs-common do you have on the client?
>
> nfs-common 1:1.2.4-1~bpo60+1
ok, that matches my setup.
>> A useful test might be to *reduce* the number of supported_enctypes to a
>> select one or two, then change the keys for the client and the server
>> (and for any user account using krb5 authentication) and re-try.
>
> So, reduce the list to, say, just aes128-cts:normal? Should I also remove the
> allow_weak_crypto option?
yes, that's what i would try -- it appears to be currently working for me. Perhaps someone more experienced with krb5 and nfs than i am can also weigh in with suggestions.
Regards,
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 24 Oct 2011 21:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Rob Naccarato <rob@naccy.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 24 Oct 2011 21:45:04 GMT) (full text, mbox, link).
Message #253 received at 622146@bugs.debian.org (full text, mbox, reply):
On Mon, Oct 24, 2011 at 04:26:10PM -0400, Daniel Kahn Gillmor wrote:
> On 10/24/2011 03:09 PM, Rob Naccarato wrote:
> >
> > nfs-common 1:1.2.4-1~bpo60+1
>
> ok, that matches my setup.
>
> >> A useful test might be to *reduce* the number of supported_enctypes to a
> >> select one or two, then change the keys for the client and the server
> >> (and for any user account using krb5 authentication) and re-try.
> >
> > So, reduce the list to, say, just aes128-cts:normal? Should I also remove the
> > allow_weak_crypto option?
>
> yes, that's what i would try -- it appears to be currently working for
> me. Perhaps someone more experienced with krb5 and nfs than i am can
> also weigh in with suggestions.
Alright, my kdc.conf contains:
supported_enctypes = aes128-cts:normal
Both client and server krb5.conf's have allow_weak_crypto commented out.
Now I get a different error on the nfs server:
Oct 24 17:39:57 blackdog rpc.svcgssd[28694]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
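The comparison made by eye in the messages above (which enctypes a service principal has keys for in `klist -e -k` output, against what a `supported_enctypes` or `permitted_enctypes` value allows) can be scripted. This is an added example, not part of the thread and not code from krb5 or nfs-utils; the keytab listing is constructed, and `parse_enctype_list`, `parse_klist` and `audit_keytab` are hypothetical helper names.

```python
import re

# Description strings printed by MIT `klist -e`, mapped to (enctype name, number).
KLIST_ENCTYPES = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": ("aes256-cts-hmac-sha1-96", 18),
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": ("aes128-cts-hmac-sha1-96", 17),
    "Triple DES cbc mode with HMAC/sha1": ("des3-cbc-sha1", 16),
    "ArcFour with HMAC/md5": ("arcfour-hmac", 23),
    "DES cbc mode with CRC-32": ("des-cbc-crc", 1),
    "DES cbc mode with RSA-MD4": ("des-cbc-md4", 2),
    "DES cbc mode with RSA-MD5": ("des-cbc-md5", 3),
}
NAMES = {num: name for name, num in KLIST_ENCTYPES.values()}

# Single-DES enctypes: MIT krb5 only uses these when allow_weak_crypto = true.
WEAK = {1, 2, 3}

# Short names accepted in kdc.conf / krb5.conf enctype lists.
ALIASES = {
    "aes256-cts": {18}, "aes128-cts": {17}, "des3-hmac-sha1": {16},
    "rc4-hmac": {23}, "des": {1, 2, 3},
}
ALIASES.update({name: {num} for num, name in NAMES.items()})

# One keytab entry: KVNO, principal, then the enctype description in
# parentheses, which klist may wrap onto the following line.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\(([^)]*)\)", re.M)


def parse_enctype_list(value):
    """Turn a supported_enctypes / permitted_enctypes value into enctype numbers."""
    numbers = set()
    for token in value.replace("\\", " ").replace(",", " ").split():
        name = token.split(":", 1)[0].lower()  # drop a ":normal" style salt suffix
        if name not in ALIASES:
            raise ValueError("unknown enctype name: " + token)
        numbers |= ALIASES[name]
    return numbers


def parse_klist(text):
    """Return {principal: set of enctype numbers} from `klist -e -k` output."""
    keys = {}
    for _kvno, principal, desc in ENTRY.findall(text):
        desc = " ".join(desc.split())  # undo line wrapping inside the parentheses
        if desc not in KLIST_ENCTYPES:
            raise ValueError("unknown klist enctype description: " + desc)
        keys.setdefault(principal, set()).add(KLIST_ENCTYPES[desc][1])
    return keys


def audit_keytab(klist_text, service, enctype_value):
    """Compare the keys held for service/... principals with an enctype list."""
    allowed = parse_enctype_list(enctype_value)
    have = set()
    for principal, numbers in parse_klist(klist_text).items():
        if principal.startswith(service + "/"):
            have |= numbers

    def names(numbers):
        return [NAMES[n] for n in sorted(numbers)]

    return {
        "usable": names(have & allowed),      # keys the list allows
        "missing": names(allowed - have),     # allowed enctypes with no key
        "weak_keys": names(have & WEAK),      # single-DES keys still in the keytab
    }


# Constructed listing with the same enctype mix as the first keytab in the thread.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.org@EXAMPLE.ORG (AES-256 CTS mode with 96-bit SHA-1
     HMAC)
   2 host/client.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
   2 nfs/client.example.org@EXAMPLE.ORG (AES-256 CTS mode with 96-bit SHA-1
     HMAC)
   2 nfs/client.example.org@EXAMPLE.ORG (ArcFour with HMAC/md5)
   2 nfs/client.example.org@EXAMPLE.ORG (Triple DES cbc mode with HMAC/sha1)
   2 nfs/client.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    for value in ("aes128-cts:normal", "aes256-cts:normal des:normal"):
        print(value, "->", audit_keytab(SAMPLE_KLIST, "nfs", value))
```

An empty `usable` list means the keytab has to be regenerated after the enctype list is changed, which is the "change the keys" step suggested above.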
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Wed, 26 Oct 2011 07:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Wed, 26 Oct 2011 07:06:03 GMT) (full text, mbox, link).
Message #258 received at 622146@bugs.debian.org (full text, mbox, reply):
On 09/12/2011 08:24 PM, Adam D. Barratt wrote:
> On Mon, 2011-09-05 at 12:46 -0400, Sam Hartman wrote:
>>>>>>> "Adam" == Adam D Barratt <adam@adam-barratt.org.uk> writes:
>>
>>
>> Adam> The krb5 package was uploaded and I've (somewhat belatedly)
>> Adam> marked it for acceptance at the next dinstall. What's the
>> Adam> status of the nfs-utils upload?
>>
>> My guess is they were waiting for krb5.
>> Remember they have to increase build-depends for the krb5 you just
>> accepted.
>
> If it requires a versioned build-dependency, then both packages could
> just have been uploaded at the same time. Even if we accepted them both
> from p-u-NEW together, the buildds would have put nfs-common in to the
> "build-deps uninstallable" state until the necessary version of krb5 was
> available.
Anyway, uploaded now.
Cheers
Luk
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Sat, 29 Oct 2011 14:30:07 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Sat, 29 Oct 2011 14:30:08 GMT) (full text, mbox, link).
Message #263 received at 622146@bugs.debian.org (full text, mbox, reply):
On Wed, 2011-10-26 at 09:05 +0200, Luk Claes wrote:
[...]
> >>>>>>> "Adam" == Adam D Barratt <adam@adam-barratt.org.uk> writes:
> >>
> >>
> >> Adam> The krb5 package was uploaded and I've (somewhat belatedly)
> >> Adam> marked it for acceptance at the next dinstall. What's the
> >> Adam> status of the nfs-utils upload?
[...]
> Anyway, uploaded now.
Flagged for acceptance at the next dinstall; thanks.
Regards,
Adam
Reply sent
to Luk Claes <luk@debian.org>:
You have taken responsibility.
(Sat, 29 Oct 2011 19:57:07 GMT) (full text, mbox, link).
Notification sent
to Rico Rommel <rico@bierrommel.de>:
Bug acknowledged by developer.
(Sat, 29 Oct 2011 19:57:07 GMT) (full text, mbox, link).
Message #268 received at 622146-close@bugs.debian.org (full text, mbox, reply):
Source: nfs-utils
Source-Version: 1:1.2.2-4squeeze1
We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive:
nfs-common_1.2.2-4squeeze1_i386.deb
to main/n/nfs-utils/nfs-common_1.2.2-4squeeze1_i386.deb
nfs-kernel-server_1.2.2-4squeeze1_i386.deb
to main/n/nfs-utils/nfs-kernel-server_1.2.2-4squeeze1_i386.deb
nfs-utils_1.2.2-4squeeze1.debian.tar.bz2
to main/n/nfs-utils/nfs-utils_1.2.2-4squeeze1.debian.tar.bz2
nfs-utils_1.2.2-4squeeze1.dsc
to main/n/nfs-utils/nfs-utils_1.2.2-4squeeze1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated nfs-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 26 Oct 2011 08:47:44 +0200
Source: nfs-utils
Binary: nfs-kernel-server nfs-common
Architecture: source i386
Version: 1:1.2.2-4squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description:
nfs-common - NFS support files common to client and server
nfs-kernel-server - support for NFS kernel server
Closes: 622146
Changes:
nfs-utils (1:1.2.2-4squeeze1) stable; urgency=low
.
* Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
(Closes: #622146)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 14 Nov 2011 15:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Mc.Sim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 15:00:04 GMT) (full text, mbox, link).
Message #273 received at 622146@bugs.debian.org (full text, mbox, reply):
Package: nfs-kernel-server
Version: 1:1.2.4-1~bpo60+1
Severity: normal
Hello!
I have Win2k8 R2 as a domain controller (as KDC for NFS).
There is an NFS client on Debian wheezy: hostname - debian:
root@debian:~# dpkg -l | grep nfs
ii libnfsidmap2 0.24-1 An nfs idmapping library
ii nfs-common 1:1.2.5-2 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.5-2 support for NFS kernel server
There is an NFS server: host name - archiv:
ARCHIV ~ # dpkg -l | grep nfs
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.4-1~bpo60+1 support for NFS kernel server
ARCHIV ~ # grep -v ^# /etc/exports
/nfs gss/krb5(rw,sync,no_subtree_check)
On both Debian:
ARCHIV ~ # cat /etc/krb5.conf
[libdefaults]
default_realm = SAG.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = SAG.LOCAL
}
[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
===================================================
I tried to uncomment
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
and comment:
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
but always when trying to connect to the server,
root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "archiv:/"
mount: node: "/mnt2"
mount: types: "nfs4"
mount: opts: "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Mon Nov 14 18:40:42 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
I get the error log on client:
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81f9bc data 0xbf81fa3c
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b21c data 0xbf81b29c
Nov 14 18:38:42 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b21c data 0xbf81b29c
Nov 14 18:38:47 debian rpc.gssd[696]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
Nov 14 18:38:47 debian rpc.gssd[696]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 14 18:38:47 debian rpc.gssd[696]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
Nov 14 18:38:47 debian rpc.gssd[696]: process_krb5_upcall: service is '<null>'
Nov 14 18:38:52 debian rpc.gssd[696]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:38:52 debian rpc.gssd[696]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:38:52 debian rpc.gssd[696]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:38:52 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:38:52 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:38:52 debian rpc.gssd[696]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:38:52 debian rpc.gssd[696]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:38:52 debian rpc.gssd[696]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:38:52 debian rpc.gssd[696]: creating tcp client for server archiv.sag.local
Nov 14 18:38:52 debian rpc.gssd[696]: DEBUG: port already set to 2049
Nov 14 18:38:52 debian rpc.gssd[696]: creating context with server nfs@archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:39:03 debian rpc.gssd[696]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 14 18:39:08 debian rpc.gssd[696]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:39:08 debian rpc.gssd[696]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:39:08 debian rpc.gssd[696]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:39:08 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:39:08 debian rpc.gssd[696]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321295320
Nov 14 18:39:08 debian rpc.gssd[696]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:39:08 debian rpc.gssd[696]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:39:08 debian rpc.gssd[696]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:39:08 debian rpc.gssd[696]: creating tcp client for server archiv.sag.local
Nov 14 18:39:08 debian rpc.gssd[696]: DEBUG: port already set to 2049
Nov 14 18:39:08 debian rpc.gssd[696]: creating context with server nfs@archiv.sag.local
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:10 debian rpc.gssd[696]: dir_notify_handler: sig 37 si 0xbf81b07c data 0xbf81b0fc
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 14 18:39:18 debian rpc.gssd[696]: doing error downcall
Nov 14 18:39:18 debian rpc.gssd[696]: Failed to write error downcall!
Nov 14 18:39:18 debian rpc.gssd[696]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
Nov 14 18:39:18 debian rpc.gssd[696]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt13
And get the error in log on server:
ARCHIV ~ # tailf /var/log/daemon.log
Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
==============================================
In this case, a second mount on the client works only after a service nfs-common restart, because mount hangs and stops due to a timeout.
When I comment out all the settings on the server and client:
# allow_weak_crypto = true
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# permitted_enctypes = des-cbc-crc
If I try to mount, I get this in the client log:
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 14 18:50:20 debian rpc.gssd[1730]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 14 18:50:20 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 14 18:50:20 debian rpc.gssd[1730]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 14 18:50:20 debian rpc.gssd[1730]: process_krb5_upcall: service is '<null>'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:50:20 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:50:20 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 14 18:50:20 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 14 18:50:20 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 14 18:50:20 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 14 18:50:20 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 14 18:50:20 debian rpc.gssd[1730]: doing error downcall
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 14 18:50:20 debian rpc.gssd[1730]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt17
And I get message on server-log:
Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Please help me with this problem.
P.S. An NFS server is also installed on the client (hostname debian), and if I run:
root@debian:~# grep -v ^# /etc/exports
/nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
debian:/ on /mnt type nfs4 (rw,sec=krb5)
root@debian:~# mount | grep nfs
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)
-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 56885 status
100024 1 tcp 42127 status
100021 1 udp 42119 nlockmgr
100021 3 udp 42119 nlockmgr
100021 4 udp 42119 nlockmgr
100021 1 tcp 38382 nlockmgr
100021 3 tcp 38382 nlockmgr
100021 4 tcp 38382 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100005 1 udp 42843 mountd
100005 1 tcp 50330 mountd
100005 2 udp 55182 mountd
100005 2 tcp 44541 mountd
100005 3 udp 50955 mountd
100005 3 tcp 44805 mountd
-- /etc/default/nfs-kernel-server --
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=yes
-- /etc/exports --
/nfs gss/krb5(rw,sync,no_subtree_check)
-- /proc/fs/nfs/exports --
# Version 1.1
# Path Client(Flags) # IPs
-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nfs-kernel-server depends on:
ii libblkid1 2.17.2-9 block device id library
ii libc6 2.13-21 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - k
ii libgssglue1 0.1-4 mechanism-switch gssapi library
ii libk5crypto3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii libtirpc1 0.2.2-5 transport-independent RPC library
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client
ii ucf 3.0025+nmu1 Update Configuration File: preserv
nfs-kernel-server recommends no packages.
nfs-kernel-server suggests no packages.
-- no debconf information
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 15:39:04 GMT)
Message #278 received at 622146@bugs.debian.org:
On 11/14/2011 04:57 PM, Mc.Sim wrote:
> Hello!

Hi

> I have Win2k8 R2 as a domain controller (as KDC for NFS).
> There is an NFS client on Debian wheezy: hostname - debian:
> I tried to uncomment
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> and comment:
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

Why would that work without changing anything in your Kerberos keytabs?

> but always when trying to connect to the server,
> root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
> And get the error in log on server:
> ARCHIV ~ # tailf /var/log/daemon.log
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permitted

Expected when des3-hmac-sha1 is not in keytab.

> ==============================================
> In this case, the second mount on the client only after a servise nfs-common restart, because mount hangs and stops due to a timeout.
> When I comment on all the settings on the server and client:
>
> # allow_weak_crypto = true
> # default_tgs_enctypes = des-cbc-crc
> # default_tkt_enctypes = des-cbc-crc
> # permitted_enctypes = des-cbc-crc
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> # permitted_enctypes = des-cbc-crc
> And I get message on server-log:
>
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
>
> Help me, please for this problem.

This will only work if you have other possibilities in the Kerberos keytab.

> p.s. On the client (hostname debian) as an NFS server is installed and if I run:
> root@debian:~# grep -v ^# /etc/exports
> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
> mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
> debian:/ on /mnt type nfs4 (rw,sec=krb5)
> root@debian:~# mount | grep nfs
> nfsd on /proc/fs/nfsd type nfsd (rw)
> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)

So it worked, I guess that's the initial scenario where you are using des-cbc-crc?

I myself have little to no experience with Kerberos, but I would try klist to see what's in your keytabs (/etc/krb5.keytab) and related tools to add entries to the keytab when needed. This does not look like an NFS problem to me or am I mistaken?

Cheers

Luk
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 17:33:03 GMT)
Message #283 received at 622146@bugs.debian.org:
Luk Claes <luk@debian.org> wrote in a message dated Mon, 14 Nov 2011
19:36:41 +0400:
> On 11/14/2011 04:57 PM, Mc.Sim wrote:
>
>
> Why would that work without changing anything in your Kerberos keytabs?
keytab contains both types of encryption. (example below in the text)
>
>> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
>> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified
>> GSS failure. Minor code may provide more information) - Encryption
>> type not permitted
>
> Expected when des3-hmac-sha1 is not in keytab.
>
>> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
>> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified
>> GSS failure. Minor code may provide more information) - No supported
>> encryption types (config file error?)
>>
>> Help me, please for this problem.
>
> This will only work if you have other possibilities in the Kerberos
> keytab.
Yes, the other encryption types are present in keytab ...
>
>> p.s. On the client (hostname debian) as an NFS server is installed and
>> if I run:
>> root@debian:~# grep -v ^# /etc/exports
>> /nfs gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
>> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
>> root@debian:~# mount | grep nfs
>> debian:/ on /mnt type nfs4
>> (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)
>
> So it worked, I guess that's the initial scenario where you are using
> des-cbc-crc?
>
> I myself have little to no experience with Kerberos, but I would try
> klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
> to add entries to the keytab when needed. This does not look like an NFS
> problem to me or am I mistaken?
>
According to the documentation (
http://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx ), Win
2k8 R2 does not support DES-CBC-MD5 & DES-CBC-CRC.
As I understand it, this is probably the reason for the error when these parameters are uncommented:
>> # default_tgs_enctypes = des-cbc-crc
>> # default_tkt_enctypes = des-cbc-crc
>> # permitted_enctypes = des-cbc-crc
or
>> # default_tgs_enctypes = des3-hmac-sha1
>> # default_tkt_enctypes = des3-hmac-sha1
>> # permitted_enctypes = des3-hmac-sha1
But in the keytab there are other types of encryption:
root@debian:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)
===========================================
kinit gets the correct tickets from the KDC on the client only with the
parameters commented out:
==========================================
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
root@debian:~# vim /etc/krb5.conf
root@debian:~# grep des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/14/11 20:33:18 11/15/11 06:33:21 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 20:33:18
=======================
...and on server:
=======================
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # grep des /etc/krb5.conf
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
ARCHIV ~ # kinit -k nfs/archiv.sag.local
kinit: KDC has no support for encryption type while getting initial
credentials
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/14/11 21:05:29 11/15/11 07:05:29 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 21:05:29
However, NFS does not work for any given parameters. :(
> Cheers
>
> Luk
>
>
>
P.s.
Luk Claes <luk@debian.org> wrote in a message dated Mon, 14 Nov 2011
19:39:06 +0400:
> On 11/14/2011 04:35 PM, "Крамаренко Максим" wrote:
>> Hello!
>> Your message has been received.
>Unfortunately I don't understand Russian, can you please translate?
>Cheers
>Luk
Sorry! This is an e-mail answering service. I have turned it off.
Best Regards
Acknowledgement sent
to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 18:21:06 GMT)
Message #288 received at 622146@bugs.debian.org:
I don't know what's going on with the NFS portion of this, since I don't use NFS at all, but I can tell you a few things about the Kerberos end.

"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:

> But in the keytab there are other types of encryption:
> root@debian:~# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
> 3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
> 3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
> 3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
> 3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)

For a Windows 2008r2 Active Directory domain controller, the only enctypes there that are going to work are arcfour-hmac and aes128. (aes256 might as well in some situations, but I think you have to go to some extra work, or maybe it's that a lot of Windows clients don't support them.)

> root@debian:~# grep des /etc/krb5.conf
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc

You generally don't want to set these parameters, although I realize that used to be the case for NFS.

The NFS machinery is going to need to support either arcfour-hmac or aes128, since Windows never supported 3DES, and you don't want to use plain DES any more (and it has to be specifically enabled on the Windows side, if they haven't dropped it entirely now). I'm not sure what enctypes the kernel-level support currently implements.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 19:03:03 GMT)
Message #293 received at 622146@bugs.debian.org:
Russ Allbery <rra@debian.org> wrote in a message dated Mon, 14 Nov 2011
22:19:04 +0400:
> I don't know what's going on with the NFS portion of this, since I don't
> use NFS at all, but I can tell you a few things about the Kerberos end.
>
> For a Windows 2008r2 Active Directory domain controller, the only
> enctypes
> there that are going to work are arcfour-hmac and aes128. (aes256 might
> as well in some situations, but I think you have to go to some extra
> work,
> or maybe it's that a lot of Windows clients don't support them.)
>
> You generally don't want to set these parameters, although I realize that
> used to be the case for NFS.
>
> The NFS machinery is going to need to support either arcfour-hmac or
> aes128, since Windows never supported 3DES, and you don't want to use
> plain DES any more (and it has to be specifically enabled on the Windows
> side, if they haven't dropped it entirely now). I'm not sure what
> enctypes the kernel-level support currently implements.
>
Thank you all for your answers.
Russ,
I absolutely agree with you. Win 2k8 works correctly with arcfour-hmac
(RC4-HMAC) and AES 128 (not supported by WinXP and younger).
Therefore, applying the allow_weak_crypto setting is not helping me.
But how can I check the support for RC4-HMAC and AES128, to make sure that
this is the reason for the problem?
And how do we know up to what version I need to upgrade the kernel to have a
stable system and a running NFS?
P.S. But kinit gets the same ticket from the KDC? Or does kinit not use the
kernel and use userland-level tools instead?
P.P.S.:
I also tried to explicitly specify the type of encryption in krb5.conf:
=============
root@debian:~# grep -e rc4 -e des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 22:51:28
=============
and on server
=============
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/14/11 22:53:45 11/15/11 08:53:45 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 22:53:45
====================
And once again got an error on the server:
===================
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
--
Best Regards
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 19:09:10 GMT)
Message #298 received at 622146@bugs.debian.org:
On 11/14/2011 01:19 PM, Russ Allbery wrote:
> The NFS machinery is going to need to support either arcfour-hmac or
> aes128, since Windows never supported 3DES, and you don't want to use
> plain DES any more (and it has to be specifically enabled on the Windows
> side, if they haven't dropped it entirely now). I'm not sure what
> enctypes the kernel-level support currently implements.

You'll need the kernel from squeeze-backports or later to get enctypes other than des-cbc-crc.

I can attest that 2.6.39-3~bpo60+1 works with aes128-cts with SHA-1 HMAC, as long as you're using the nfs-kernel-server from bpo or later. I haven't tried it against a win2k8 kdc, though.

--dkg
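Added illustration (not part of any message in this report, and not code from nfs-utils or krb5): the Python sketch below intersects the enctype sets discussed in the messages above, namely the client kernel's list from the rpc.gssd upcall line, the keytab listing, `permitted_enctypes` from krb5.conf, the KDC set Russ Allbery names and the squeeze kernel limit Daniel Kahn Gillmor names. It is a conservative check that treats an enctype as usable only if every party lists it; the function names, the reuse of the posted client keytab for the whole exchange, and the newer server kernel offering the same list as the client are assumptions of the example.

```python
import re

# Kerberos enctype numbers (IANA registry), as listed in the gssd upcall,
# mapped to the names `klist -ke` prints in the thread.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# krb5.conf spellings used in the thread, normalised to the klist names.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "rc4-hmac": "arcfour-hmac"}


def canonical(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_upcall_enctypes(log_line):
    """Enctypes the client kernel offers, from a handle_gssd_upcall log line."""
    m = re.search(r"enctypes=([\d,]+)", log_line)
    if not m:
        return set()
    return {ENCTYPE_NAMES.get(int(n), "enctype-" + n)
            for n in m.group(1).split(",") if n}


def parse_keytab_enctypes(klist_output, principal):
    """Enctypes of the keys held for one principal in `klist -ke` output."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\(([^)]+)\)\s*$", line)
        if m and m.group(1) == principal:
            found.add(canonical(m.group(2)))
    return found


def parse_permitted_enctypes(krb5_conf):
    """First uncommented permitted_enctypes value, or None when it is unset."""
    m = re.search(r"^[ \t]*permitted_enctypes[ \t]*=[ \t]*(\S.*)$",
                  krb5_conf, re.MULTILINE)
    if not m:
        return None
    return {canonical(v) for v in re.split(r"[,\s]+", m.group(1).strip()) if v}


def common_enctypes(*sets):
    """Intersection of all sets; None stands for 'no restriction'."""
    restricted = [set(s) for s in sets if s is not None]
    return set.intersection(*restricted) if restricted else set()


# Inputs copied from the messages above.
PRINCIPAL = "nfs/debian.sag.local@SAG.LOCAL"
UPCALL = ("Nov 14 18:50:20 debian rpc.gssd[1730]: handle_gssd_upcall: "
          "'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '")
KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
   3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
   3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)
"""
CONF_DES = "# permitted_enctypes = des3-hmac-sha1\npermitted_enctypes = des-cbc-crc\n"
CONF_RC4 = "# permitted_enctypes = des3-hmac-sha1\npermitted_enctypes = rc4-hmac\n"
CONF_UNSET = "# permitted_enctypes = des3-hmac-sha1\n# permitted_enctypes = des-cbc-crc\n"

# Sets stated in the replies, not measured by this script.
KDC_ENCTYPES = {"arcfour-hmac", "aes128-cts-hmac-sha1-96"}   # Russ Allbery
SQUEEZE_SERVER_KERNEL = {"des-cbc-crc"}                      # Daniel Kahn Gillmor
# Assumption: a newer server kernel offers the same list as the client upcall.
NEWER_SERVER_KERNEL = parse_upcall_enctypes(UPCALL)


def diagnose(server_kernel, krb5_conf):
    """Enctypes that every party in the exchange lists."""
    return common_enctypes(
        parse_upcall_enctypes(UPCALL),       # client kernel
        server_kernel,                       # server kernel
        KDC_ENCTYPES,                        # what the KDC will issue
        parse_keytab_enctypes(KLIST, PRINCIPAL),
        parse_permitted_enctypes(krb5_conf),
    )


if __name__ == "__main__":
    for label, kernel, conf in [
        ("squeeze kernel, settings commented out", SQUEEZE_SERVER_KERNEL, CONF_UNSET),
        ("squeeze kernel, rc4-hmac forced", SQUEEZE_SERVER_KERNEL, CONF_RC4),
        ("newer kernel, des-cbc-crc forced", NEWER_SERVER_KERNEL, CONF_DES),
        ("newer kernel, settings commented out", NEWER_SERVER_KERNEL, CONF_UNSET),
    ]:
        print(label, "->", sorted(diagnose(kernel, conf)) or "no common enctype")
```

An empty result for a scenario means no krb5.conf setting can make that combination work; the set that has to change is the one contributing nothing in common with the others.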
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 20:21:05 GMT)
Message #303 received at 622146@bugs.debian.org:
Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote in a message of Mon, 14 Nov 2011 23:05:36 +0400:
> On 11/14/2011 01:19 PM, Russ Allbery wrote:
>
> You'll need the kernel from squeeze-backports or later to get enctypes
> other than des-cbc-crc.
>
> I can attest that 2.6.39-3~bpo60+1 works with aes128-cts with SHA-1
> HMAC, as long as you're using the nfs-kernel-server from bpo or later.
> I haven't tried it against a win2k8 kdc, though.
>
> --dkg
>
Thank you for your reply.
Daniel, I updated the kernel to:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686 GNU/Linux
But the error appears again and I am unable to mount.
client:
==============
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 15 00:06:32 debian rpc.gssd[1730]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: process_krb5_upcall: service is '<null>'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for root/debian.sag.local@SAG.LOCAL while getting keytab entry for 'root/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for 'nfs/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server nfs@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: doing error downcall
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt20
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1f
===============
... and server:
===============
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Have any ideas?
--
Best Regards
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Mon, 14 Nov 2011 20:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Mon, 14 Nov 2011 20:30:03 GMT) (full text, mbox, link).
Message #308 received at 622146@bugs.debian.org (full text, mbox, reply):
"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
> P.S. But kinit gets the same ticket from KDC? Or kinit does not use the
> kernel and uses the tools of userland-level?
The NFS server, client, and KDC all have to agree on a single encryption
type, and the encryption type of the service ticket issued by the KDC to
the client has to be in an encryption type that the NFS server supports.
> root@debian:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/debian.sag.local@SAG.LOCAL
> Valid starting Expires Service principal
> 11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG.LOCAL@SAG.LOCAL
> renew until 11/15/11 22:51:28
It would be more interesting to run klist -e after attempting to contact
the server, so that you can see what the encryption type of the service
ticket for the NFS server was.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Tue, 15 Nov 2011 05:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Tue, 15 Nov 2011 05:39:03 GMT) (full text, mbox, link).
Message #313 received at 622146@bugs.debian.org (full text, mbox, reply):
Russ Allbery <rra@debian.org> wrote in a message of Tue, 15 Nov 2011 00:27:01 +0400:
> "Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
>
>
> The NFS server, client, and KDC all have to agree on a single encryption
> type, and the encryption type of the service ticket issued by the KDC to
> the client has to be in an encryption type that the NFS server supports.
The KDC supports these types of encryption
(http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx):
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS server is the core:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686
GNU/Linux
As you said above, it supports:
AES256-CTS-HMAC-SHA1-96
AES128-CTS-HMAC-SHA1-96
RC4-HMAC
The NFS client has a core:
root@debian:~# uname -a
Linux debian 3.0.0-1-486 #1 Sat Aug 27 15:56:48 UTC 2011 i686 GNU/Linux
It is older than the server and, accordingly, should also support the above
types of encryption.
(If the server and client are both on the kernel Linux debian 3.0.0-1-486 #1, then
there is no error ...)
I tried to tune krb5.conf on the NFS client and server (last letter):
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
But there was still an error on the NFS server:
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
>
> It would be more interesting to run klist -e after attempting to contact
> the server, so that you can see what the encryption type of the service
> ticket for the NFS server was.
>
on client:
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
...and on server:
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 09:26:37 11/15/11 19:26:42 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:26:37, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
--
Best Regards
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Tue, 15 Nov 2011 05:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Tue, 15 Nov 2011 05:57:03 GMT) (full text, mbox, link).
Message #318 received at 622146@bugs.debian.org (full text, mbox, reply):
"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
>> It would be more interesting to run klist -e after attempting to contact
>> the server, so that you can see what the encryption type of the service
>> ticket for the NFS server was.
> on client:
> root@debian:~# kinit -k nfs/debian.sag.local
> root@debian:~# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/debian.sag.local@SAG.LOCAL
> Valid starting Expires Service principal
> 11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG.LOCAL@SAG.LOCAL
> renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
No, this is the TGT for the client's principal. Rather than running klist
-e immediately after obtaining credentials, run kinit and then try to
access NFS (so that rpc.gssd will obtain a service ticket for the server)
and *then* run klist -e and look at what encryption type the service
ticket for nfs/archiv.sag.local@SAG.LOCAL has.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Tue, 15 Nov 2011 07:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Tue, 15 Nov 2011 07:15:04 GMT) (full text, mbox, link).
Message #323 received at 622146@bugs.debian.org (full text, mbox, reply):
Russ Allbery <rra@debian.org> wrote in a message of Tue, 15 Nov 2011 09:54:29 +0400:
> "Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
>
>>> It would be more interesting to run klist -e after attempting to
>>> contact
>>> the server, so that you can see what the encryption type of the service
>>> ticket for the NFS server was.
>
>> on client:
>
>> root@debian:~# kinit -k nfs/debian.sag.local
>> root@debian:~# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: nfs/debian.sag.local@SAG.LOCAL
>
>> Valid starting Expires Service principal
>> 11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG.LOCAL@SAG.LOCAL
>> renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
>> arcfour-hmac
>
> No, this is the TGT for the client's principal. Rather than running
> klist
> -e immediately after obtaining credentials, run kinit and then try to
> access NFS (so that rpc.gssd will obtain a service ticket for the server)
> and *then* run klist -e and look at what encryption type the service
> ticket for nfs/archiv.sag.local@SAG.LOCAL has.
>
It's done.
On client mount and klist:
root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "archiv:/nfs"
mount: node: "/mnt2"
mount: types: "nfs4"
mount: opts: "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/nfs"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Tue Nov 15 11:09:25 2011
mount.nfs4: trying text-based options
'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
root@debian:~# ls -la /tmp/
итого 8
drwxrwxrwt 4 root root 100 Ноя 15 11:07 .
drwxr-xr-x 24 root root 4096 Ноя 14 16:55 ..
drwxrwxrwt 2 root root 40 Ноя 14 12:28 .ICE-unix
-rw------- 1 root root 2444 Ноя 15 11:07 krb5cc_machine_SAG.LOCAL
drwxrwxrwt 2 root root 40 Ноя 14 12:28 .X11-unix
root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
On NFS server:
ARCHIV ~ # ls -la /tmp/
итого 8
drwxrwxrwt 2 root root 4096 Ноя 15 10:41 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
ARCHIV ~ # ps aux | grep rpc
root 805 0.0 0.0 2308 920 ? Ss 00:03 0:00
/sbin/rpcbind -w
root 827 0.0 0.0 0 0 ? S< 00:03 0:00 [rpciod]
root 2089 0.0 0.0 3676 1556 ? Ss 11:04 0:00
/usr/sbin/rpc.svcgssd yes
root 2091 0.0 0.0 2668 636 ? Ss 11:04 0:00
/usr/sbin/rpc.mountd --manage-gids
statd 2132 0.0 0.0 2376 1056 ? Ss 11:05 0:00
/sbin/rpc.statd
root 2144 0.0 0.0 2612 392 ? Ss 11:05 0:00
/usr/sbin/rpc.idmapd
root 2148 0.0 0.0 3440 616 ? Ss 11:05 0:00
/usr/sbin/rpc.gssd -vvv
root 2158 0.0 0.0 3464 752 pts/0 S+ 11:09 0:00 grep
--colour=auto rpc
ARCHIV ~ # tail /var/log/daemon.log
Nov 15 11:04:51 archiv rpc.mountd[1962]: Caught signal 15, un-registering
and exiting.
Nov 15 11:04:52 archiv rpc.mountd[2091]: Version 1.2.4 starting
Nov 15 11:04:59 archiv rpc.gssd[2010]: exiting on signal 15
Nov 15 11:04:59 archiv rpc.statd[1994]: Caught signal 15, un-registering
and exiting
Nov 15 11:05:00 archiv rpc.statd[2132]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Already notifying clients; Exiting!
Nov 15 11:05:00 archiv rpc.gssd[2148]: beginning poll
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
On the server, /tmp/krb5cc_machine_REALM has not been established.
When I tried to mount the exported directory "locally" on the NFS server,
the file was created:
ARCHIV ~ # mount -v -t nfs4 -o sec=krb5 archiv:/nfs /mnt
mount.nfs4: timeout set for Tue Nov 15 11:14:04 2011
mount.nfs4: trying text-based options
'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
ARCHIV ~ # ls -la /tmp/
итого 12
drwxrwxrwt 2 root root 4096 Ноя 15 11:12 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
-rw------- 1 root root 2444 Ноя 15 11:12 krb5cc_machine_SAG.LOCAL
ARCHIV ~ # klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 11:12:04 11/15/11 21:12:09 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
11/15/11 11:12:09 11/15/11 21:12:09 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
--
Best Regards
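The check Russ asks for (read the enctype of the nfs/ service ticket, not the TGT, from `klist -e`, and compare it with the `enctypes=` list in the rpc.gssd upcall line) can be scripted. This is an added example, not part of the thread or of nfs-utils: the function names are hypothetical, the sample input is copied from the messages above, and the enctype numbers are the IANA Kerberos assignments.

```python
import re

# IANA Kerberos enctype numbers keyed by the names `klist -e` prints. Short
# names and the older descriptive strings (as on the server above) both occur.
ENCTYPE_NUMBERS = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23, "rc4-hmac": 23,
    "arcfour with hmac/md5": 23,
    "aes-128 cts mode with 96-bit sha-1 hmac": 17,
    "aes-256 cts mode with 96-bit sha-1 hmac": 18,
}

# A ticket entry starts with two timestamps followed by the service principal.
ENTRY_RE = re.compile(
    r"^\d\d/\d\d/\d{2,4}\s+\d\d:\d\d:\d\d\s+"
    r"\d\d/\d\d/\d{2,4}\s+\d\d:\d\d:\d\d\s+(\S+)$"
)
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+)$")
UPCALL_RE = re.compile(r"handle_gssd_upcall: '.*?\benctypes=([\d,]+)")


def parse_klist(text):
    """Return {principal: (skey_number, tkt_number)} from `klist -e` output.

    Continuation lines (including ones re-wrapped by a mail client) are
    joined to the entry they follow. Unknown enctype names map to None.
    """
    tails, current = {}, None
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            current = match.group(1)
            tails[current] = ""
        elif current is not None:
            tails[current] += " " + line.strip()
    result = {}
    for principal, tail in tails.items():
        match = ETYPE_RE.search(tail)
        if not match:
            continue
        names = [" ".join(n.split()).lower() for n in match.group(1).split(",")]
        if len(names) == 2:
            result[principal] = tuple(ENCTYPE_NUMBERS.get(n) for n in names)
    return result


def upcall_enctypes(log_text):
    """Enctype numbers listed in the last rpc.gssd upcall line of the log."""
    found = UPCALL_RE.findall(log_text)
    return [int(n) for n in found[-1].split(",") if n] if found else []


def check_service_ticket(klist_text, log_text, service="nfs/"):
    """For each service ticket, report its enctypes and whether the session
    key type appears in the kernel's upcall list. skey is the session key
    type; tkt is the type of the service key the ticket is encrypted in."""
    offered = upcall_enctypes(log_text)
    report = {}
    for principal, (skey, tkt) in parse_klist(klist_text).items():
        if not principal.startswith(service):
            continue  # skips krbtgt/...: the TGT says nothing about NFS
        report[principal] = {
            "skey": skey,
            "tkt": tkt,
            "session_key_offered": skey in offered,
        }
    return report


# Sample input copied from the client's klist output and rpc.gssd log above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
"""
SAMPLE_LOG = (
    "Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: "
    "'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '\n"
)

if __name__ == "__main__":
    for name, info in check_service_ticket(SAMPLE_KLIST, SAMPLE_LOG).items():
        print(name, info)
```

On the thread's data the NFS service ticket is enctype 23, which the client's upcall list includes, so this check passes on the client side.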
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Tue, 15 Nov 2011 07:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Tue, 15 Nov 2011 07:24:03 GMT) (full text, mbox, link).
Message #328 received at 622146@bugs.debian.org (full text, mbox, reply):
"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
> root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
> Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
> Default principal: nfs/debian.sag.local@SAG.LOCAL
> Valid starting Expires Service principal
> 11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG.LOCAL@SAG.LOCAL
> renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
> 11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.sag.local@SAG.LOCAL
> renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
Okay, well, so much for that theory. I was hoping that for some reason
you were getting service tickets that weren't arcfour-hmac for some
reason, but you are, so I don't get why they wouldn't match.
> Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in
> handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
> failure. Minor code may provide more information) - No supported
> encryption types (config file error?)
The only thing that I can think of at this point is that the underlying
GSS-API implementation behind rpc.svcgssd isn't supporting arcfour-hmac
for some reason. Maybe you don't have the backported version of
everything and your daemon still only supports DES somehow?
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Tue, 15 Nov 2011 07:51:07 GMT) (full text, mbox, link).
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Tue, 15 Nov 2011 07:51:08 GMT) (full text, mbox, link).
Message #333 received at 622146@bugs.debian.org (full text, mbox, reply):
Russ Allbery <rra@debian.org> wrote in a message of Tue, 15 Nov 2011 11:21:05 +0400:
> "Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:
>
> The only thing that I can think of at this point is that the underlying
> GSS-API implementation behind rpc.svcgssd isn't supporting arcfour-hmac
> for some reason. Maybe you don't have the backported version of
> everything and your daemon still only supports DES somehow?
>
These are versions of the software on the NFS server:
ARCHIV ~ # dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5
ii krb5-user 1.8.3+dfsg-4squeeze2 Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Support library
ARCHIV ~ # dpkg -l | grep gss
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssglue1 0.1-4 mechanism-switch gssapi library
ii libgssrpc4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - GSS enabled ONCRPC
ii librpcsecgss3 0.19-2 allows secure rpc communication using the rpcsec_gss protocol
ARCHIV ~ # dpkg -l | grep -i mit
ii krb5-user 1.8.3+dfsg-4squeeze2 Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssrpc4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - GSS enabled ONCRPC
ii libk5crypto3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Crypto Library
ii libkadm5clnt-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Administration Clients
rc libkadm5srv-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - KDC and Admin Server
rc libkdb5-4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Kerberos database
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Support library
ARCHIV ~ # dpkg -l | grep -i nfs
ii liblockfile1 1.08-4 NFS-safe locking library, includes dotlockfile program
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii nfs-common 1:1.2.4-1~bpo60+1 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.4-1~bpo60+1 support for NFS kernel server
Might it be worth upgrading krb5-user from backports?
--
Best Regards,
Mc.Sim.
http://www.k-max.name/
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>:
Bug#622146; Package nfs-kernel-server,src:krb5.
(Thu, 17 Nov 2011 07:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Kramarenko A. Maxim" <mc-sim85@ya.ru>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>, Sam Hartman <hartmans@debian.org>.
(Thu, 17 Nov 2011 07:27:03 GMT) (full text, mbox, link).
Message #338 received at 622146@bugs.debian.org (full text, mbox, reply):
I upgraded krb5-user from the backports repository, but the error remained the same:
ARCHIV ~ # dpkg -l | grep -i mit
ii krb5-user 1.9.1+dfsg-3 Basic programs to authenticate using MIT Ke
ii libgssapi-krb5-2 1.9.1+dfsg-3 MIT Kerberos runtime libraries - krb5 GSS-A
ii libgssrpc4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - GSS enable
ii libk5crypto3 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Crypto Lib
ii libkadm5clnt-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Administra
ii libkadm5clnt-mit8 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Administra
rc libkadm5srv-mit7 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - KDC and Ad
ii libkadm5srv-mit8 1.9.1+dfsg-3 MIT Kerberos runtime libraries - KDC and Ad
rc libkdb5-4 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Kerberos d
ii libkdb5-5 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Kerberos d
ii libkrb5-3 1.9.1+dfsg-3 MIT Kerberos runtime libraries
ii libkrb5support0 1.9.1+dfsg-3 MIT Kerberos runtime libraries - Support li
ARCHIV ~ # echo startingmount >> /var/log/daemon.log
ARCHIV ~ # mount -v -t nfs4 -o sec=krb5 archiv:/nfs /mnt
mount.nfs4: timeout set for Thu Nov 17 11:22:49 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
ARCHIV ~ # grep -A500 startingmount /var/log/daemon.log
startingmount
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd3618c data 0xbfd3620c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd3809c data 0xbfd3811c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt6)
Nov 17 11:20:49 archiv rpc.gssd[846]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Nov 17 11:20:49 archiv rpc.gssd[846]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt6)
Nov 17 11:20:49 archiv rpc.gssd[846]: process_krb5_upcall: service is '<null>'
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.SAG.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'ARCHIV$@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'root/archiv.sag.local@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Success getting keytab entry for 'nfs/archiv.sag.local@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 17 11:20:49 archiv rpc.gssd[846]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context using fsuid 0 (save_uid 0)
Nov 17 11:20:49 archiv rpc.gssd[846]: creating tcp client for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: DEBUG: port already set to 2049
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context with server nfs@archiv.SAG.local
Nov 17 11:20:49 archiv rpc.svcgssd[13849]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.SAG.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'ARCHIV$@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Key table entry not found while getting keytab entry for 'root/archiv.sag.local@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: Success getting keytab entry for 'nfs/archiv.sag.local@SAG.LOCAL'
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321546655
Nov 17 11:20:49 archiv rpc.gssd[846]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL as credentials cache for machine creds
Nov 17 11:20:49 archiv rpc.gssd[846]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context using fsuid 0 (save_uid 0)
Nov 17 11:20:49 archiv rpc.gssd[846]: creating tcp client for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: DEBUG: port already set to 2049
Nov 17 11:20:49 archiv rpc.gssd[846]: creating context with server nfs@archiv.SAG.local
Nov 17 11:20:49 archiv rpc.svcgssd[13849]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create krb5 context for user with uid 0 for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: WARNING: Failed to create machine krb5 context with any credentials cache for server archiv.SAG.local
Nov 17 11:20:49 archiv rpc.gssd[846]: doing error downcall
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: dir_notify_handler: sig 37 si 0xbfd397ec data 0xbfd3986c
Nov 17 11:20:49 archiv rpc.gssd[846]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt7
Nov 17 11:20:49 archiv rpc.gssd[846]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt6
ARCHIV ~ #
Does anyone else have any advice?
--
Best Regards,
Mc.Sim.
http://www.k-max.name/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 16 Dec 2011 07:34:52 GMT) (full text, mbox, link).