0

I am trying to get NFS4 + Kerberos to work on Debian Squeeze.

I have 3 test machines: nfsserver, nfsclient, nfskerberos

What I've got is:

root@nfsclient:~# mount -v -t nfs4  -o sec=krb5 nfsserver.mydomain.com:/export /import 
mount.nfs4: timeout set for Fri Apr  5 10:15:33 2013
mount.nfs4: trying text-based options 'sec=krb5,addr=10.10.16.207,clientaddr=10.10.16.208'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfsserver.mydomain.com:/export

I think the problem is at nfsclient<->nfskerberos communication. After sniffing network traffic between these systems I see messages like:

error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
[...]
e-text: BAD_ENCRYPTION_TYPE

[Only nfsclient communicates with nfskerberos. There is no traffic from nfsserver at nfskerberos.]

kinit -k on nfsclient works OK, though:

root@nfsclient:~# kinit -k nfs/nfsclient.mydomain.com
root@nfsclient:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/nfsclient.mydomain.com@MYDOMAIN.COM

Valid starting     Expires            Service principal
04/05/13 11:44:55  04/05/13 21:44:55  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 04/06/13 11:44:55

But kinit does AS-REQ and mount request does TGS-REQ.

I tried many kinds of encryption types like:

  • des-cbc-crc:normal
  • aes256-cts-hmac-sha1-96:normal (this one works with kinit)
  • des3-hmac-sha1:normal
  • ...

On nfskerberos, in kdc configuration I have:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    MYDOMAIN.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Conversation between nfsclient and nfskerberos:

No.     Time        Source                Destination           Protocol Length Info
      7 11.128679   10.10.16.208          10.10.16.209          KRB5     808    TGS-REQ

[ cut lower level protocols data ]

Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6e82025630820252a003020105a10302010ea20703050000... AP-REQ
                Pvno: 5
                MSG Type: AP-REQ (14)
                Padding: 0
                APOptions: 00000000
                    0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                    ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                Ticket
                    Tkt-vno: 5
                    Realm: MYDOMAIN.COM
                    Server Name (Service and Instance): krbtgt/MYDOMAIN.COM
                        Name-type: Service and Instance (2)
                        Name: krbtgt
                        Name: MYDOMAIN.COM
                    enc-part aes256-cts-hmac-sha1-96
                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                        Kvno: 1
                        enc-part: c03dbd56915263874441e07531f689fa16ed7593a8118741...
                Authenticator aes256-cts-hmac-sha1-96
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                    Authenticator data: bae42b08eb935796e3dd31d9d34f5a4cc419b6594be7a8ed...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
            .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Realm: MYDOMAIN.COM
        Server Name (Service and Host): nfs/nfsserver.mydomain.com
            Name-type: Service and Host (3)
            Name: nfs
            Name: nfsserver.mydomain.com
        till: 2013-04-05 17:58:28 (UTC)
        Nonce: 1365155889
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)

No.     Time        Source                Destination           Protocol Length Info
      8 11.130891   10.10.16.209          10.10.16.208          KRB5     244    KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP

[ cut lower level protocols data ]

Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 2013-04-05 09:58:09 (UTC)
    stime: 2013-04-05 09:58:09 (UTC)
    susec: 588499
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Client Realm: MYDOMAIN.COM
    Client Name (Principal): nfs/nfsclient.mydomain.com
        Name-type: Principal (1)
        Name: nfs
        Name: nfsclient.mydomain.com
    Realm: MYDOMAIN.COM
    Server Name (Service and Host): nfs/nfsserver.mydomain.com
        Name-type: Service and Host (3)
        Name: nfs
        Name: nfsserver.mydomain.com
    e-text: BAD_ENCRYPTION_TYPE
Mike
  • 598
  • 7
  • 16
  • 14 EType is rsaES-OAEP-ENV-OID. https://www.ietf.org/assignments/kerberos-parameters/kerberos-parameters.txt – Greg Askew Apr 05 '13 at 11:08
  • Hmm... Are you sure the number in brackets (14) is EType and not just an error code? – Mike Apr 05 '13 at 11:50
  • Encryption types proposed by nfsclient (from sniffed packets) are: Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4 – Mike Apr 05 '13 at 12:00
  • Actually I think you are correct. That probably is not the etype. However, if you run WireShark, you should be able to drill-down into the TGT/AS requests, and the supported etypes should be listed. – Greg Askew Apr 05 '13 at 12:03
  • I finally managed to get this part to work (turned out default values was just enough :) ). Unfortunately another thing arose which was: Apr 5 16:31:46 nfsserver rpc.svcgssd[2047]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Encryption type not permitted (on the nfsserver side). After few more hours I installed Debian 7 as nfsserver. Seems it went a little bit further but still without success... :-Q – Mike Apr 05 '13 at 17:47

1 Answers1

2

In case someone goes the same way:

The original problem was solved by adding allow_weak_crypto = true to /etc/krb5.conf.

Next I was facing another issue, which was:

Apr 5 16:31:46 nfsserver rpc.svcgssd[2047]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Encryption type not permitted

Somebody had already described it before: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637660 but nevertheless I did not find any solution, so I decided to try Debian Wheezy as nfsserver.

Wheeze seemed to go a bit further with GSS authentication but stuck on mount requests with something like this on the nfsserver side:

Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: leaving poll
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: handling null request
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sname = nfs/nfsclient.mydomain.com@MYDOMAIN.COM
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: DEBUG: serialize_krb5_ctx: lucid version!
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: doing downcall
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: mech: krb5, hndl len: 4, ctx len 85, timeout: 1365455915 (32884 from now), clnt: nfs@nfsclient.mydomain.com, uid: -1, gid: -1, num aux grps: 0:
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sending null reply
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: writing message: \x \x6082024606092a864886f71201020201006e82023530820231a003020105a10302010ea20703050020000000a38201596182015530820151a003020105a10d1b0b504152502e474f562e504ca2283026a003020103a11f301d1b036e66731b166e6673736572766572372e706172702e676f762e706ca382010f3082010ba003020112a103020102a281fe0481fbe088a06336ffcc607f9efbafa64f0504ea442ac6a5eb234a0e3c1a332b2648702e8eb0827c0b921fffaa232f093eca19df57ac14fb2f4cf1d7f86ae10c021c86aebd0f1a66916224445b872f05ff741b7978d5aeec8d446527f7aeca27858ce588914c046e321ff37a6db5d1c1b20871657bfafd180f0d1c591efef73ed31a09a04966e869888718da74ac226642c46b78a05f1621f4b1c4fe0dc59f6fa75a6a7feee6e81ee0eb9e4c6d01223b2725fecd7699efc4dc362df32383af681da948431fd3b39c8907a938a3729cff7c89407033341ba3c1f77d96accfe7c66446e1f76a936faa3c44a021a14a96658f89071ed66d4d9a6c6953698000a481be3081bba003020101a281b30481b057d186fa3e7ec53c26efe3535d3d447732da00abd0683e66fb93f457ec19a86fdd5050e2bb054dc721c1235d3156f41465e5a66c23ba5bb9201c4d38edbe92b7265b60c8f49329ffc398af58c0af2228aa1cfc2cc4968b2913abd18f0189996ebe9c57d649925bebc3efe1c53b2c86a5d51a86f7f58bd9d2d80271973190f2e258418581d5f5e1687ea0997ef7350e90061335be1e15b978b03fea21ba697d90f3c88397375cff94a9342306d642dc2a 1365423091 0 0 \x01000000 \x607006092a864886f71201020202006f61305fa003020105a10302010fa2533051a003020101a24a044882577e0441254f6c05add73796908deb02b7f61d90d7ed5bd54f67bb72e7ea2f8898ae1a6eb6e8fe631753b01bc9340dc4cdabf1b1985c449d28b4e9568aa85259f2cc591628a696 
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: finished handling null request
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: entering poll

Again there was some people who already dealt with this issue: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682709 but the only working solution suggested by them was installing older version of nfs-(common|kernel-server).

This worked for me too.

What I learned is: setting up NFS + Kerberos is no joy. ;-)

Mike
  • 598
  • 7
  • 16