0

I'm going nuts setting up a test installation for NFSv4 using Kerberos.

The machine gets its user information from LDAP and credentials from Kerberos. I can log in to the machine using the kerberized accounts, i.e. the basic Kerberos setup including PAM is running. I can set up NFSv4 using host based access and it also runs nicely.

So as the next step I changed my subnet mask to 'krb5'.

mount -t nfs4 -o sec=krb5 nfs4.mgr:/test mnt
mount.nfs4: access denied by server while mounting nfs4.mgr:/test

Giving gssd a couple of -v switches, I see the following in the logs:

Jan 15 22:00:11 nfs4 rpc.gssd[8116]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clntc)
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: handle_gssd_upcall: 'mech=krb5 uid=0 '
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clntc)
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: process_krb5_upcall: service is '<null>'
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Full hostname for 'nfs4.mgr' is 'nfs4.mgr'
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Full hostname for 'nfs4.mgr' is 'nfs4.mgr'
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Key table entry not found while getting keytab entry for 'root/nfs4.mgr@MGR'
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Success getting keytab entry for 'nfs/nfs4.mgr@MGR'
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MGR' are good until 1358369976
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MGR' are good until 1358369976
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: using FILE:/tmp/krb5cc_machine_MGR as credentials cache for machine creds
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MGR
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: creating context using fsuid 0 (save_uid 0)
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: creating tcp client for server nfs4.mgr
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: DEBUG: port already set to 2049
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: creating context with server nfs@nfs4.mgr
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_create_default()
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_create()
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_create: name is 0x1bbee10
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_create: gd->name is 0x1bb46e0
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_refresh()
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: struct rpc_gss_sec:
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:      mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 }
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:      qop: 0
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:      service: 1
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:      cred: 0x1bb9ae0
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:      req_flags: 00000002
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure.  Minor code may provide more information - (minor) No supported encryption types (config file error?)
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_destroy()
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_destroy_context()
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_destroy: freeing name 0x1bb46e0
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_create_default: freeing name 0x1bbee10
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs4.mgr
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MGR for server nfs4.mgr
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs4.mgr

This happens twice for each mount call. Any ideas what this means? Which config file might it refer to?

Thanks for your help.

Lars Hanke
  • 614
  • 5
  • 16

1 Answers1

0

I believe the NFSv4 implementation in Debian squeeze is still DES-only. (That was a problem with NFSv4 implementations for quite some time.) However, all modern Kerberos implementations no longer allow DES by default, since it's too weak for good security practices.

At the least, you probably need to add:

allow_weak_crypto     = true

to the [libdefaults] section of /etc/krb5.conf on the client. Your KDC will also need to support DES service ticket requests. And you will need to be sure that the Kerberos principal used by your NFSv4 server only has DES enctypes; if it has any other enctype, the clients will prefer them (because they're stronger), but then the server won't be able to understand the authentication.

rra
  • 3,807
  • 18
  • 29
  • Argl, looks like a quite cumbersome venture. Is there a simple method to verify your belief? – Lars Hanke Mar 18 '13 at 18:21
  • See [this thread](http://us.generation-nt.com/answer/aes-encryption-nfs4-debian-squeeze-help-200186031.html). It looks like the change just missed squeeze. Given that, I suspect the kernel and the nfs-utils from backports may work the way that you expect. – rra Mar 18 '13 at 18:36