1. Please describe the problem: When trying to use 'sec=krb5i' (or other krb5x variants) with kernel 6.4+, mounting NFS shares fails: | # mount -t nfs -o nodev,noexec,nosuid,ro,sec=krb5i sciurus.intern.sigma-chemnitz.de:/mirror /mnt/ | mount.nfs: access denied by server while mounting sciurus.intern.sigma-chemnitz.de:/mirror When going back to 6.3.13-200.fc38.x86_64, things works as expected. In good case, tcpdump shows that client tries to start two sessions. First one contains a plaintext `EXCHANGE_ID` and this first session is aborted with "Access denied". Then, clients starts another session with GSS data in `EXCHANGE_ID` and this session is accepted. In bad case, only the plaintext `EXCHANGE_ID` seems to be sent. Server is RHEL8.8 (kernel-4.18.0-477.21.1.el8_8.x86_64) 2. What is the Version-Release number of the kernel: 3. Did it work previously in Fedora? If so, what kernel version did the issue *first* appear? 5. Does this problem occur with the latest Rawhide kernel? Bad: kernel-6.4.4-200.fc38.x86_64 kernel-6.4.8-200.fc38.x86_64 kernel-6.5.0-0.rc5.20230811git25aa0bebba72.40.fc40.x86_64 Ok: kernel-6.3.13-200.fc38.x86_64 4. Can you reproduce this issue? If so, please provide the steps to reproduce the issue below: To install the Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by ``sudo dnf update --enablerepo=rawhide kernel``: 6. Are you running any modules that not shipped with directly Fedora's kernel?: no Reproducible: Always
kernel 6.4 offers more enctypes; e.g. kernel 6.3 shows | handle_gssd_upcall(0x7f6d05a6d840): 'mech=krb5 uid=0 service=* enctypes=18,17' (nfs/clnt0) while 6.4 has | handle_gssd_upcall(0x7fd007647840): 'mech=krb5 uid=0 service=* enctypes=20,19,26,25,18,17' (nfs/clnt0) rpc-gssd seems to send only packets for the first enctype (20) which is not supported by the server. Removing the unsupported enctypes from the server keytab restores operation.