Description of problem:
nfs-utils 1.2.3 added support for non-DES kerberos keys, as implemented by kernel 2.6.35. However mounting nfs exports from a server running nfs-utils <1.2.3 or kernel <2.6.35 does not work (my Debian Lenny file server is running nfs-utils 1.2.2-4~bpo50+1 and kernel 2.6.32-26~bpo50+1).

Version-Release number of selected component (if applicable):
nfs-utils 1.2.3-1.fc14

How reproducible:
Always

Steps to Reproduce:
1. Create a kerberos realm
2. Create an NFS export on a server running legacy DES only kernel and/or nfs-utils
3. Attempt to mount from a Fedora 14 client

Actual results:
Mount fails with permission denied. mount -v gives:

mount.nfs: timeout set for Thu Dec 9 14:51:33 2010
mount.nfs: trying text-based options 'sec=krb5,rsize=32768,wsize=32768,soft,intr,timeo=20,retrans=10,vers=4,addr=172.16.252.130,clientaddr=172.16.252.131'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting nfs1.int.corefiling.com:/home/archive

Expected results:
nfs-utils to retry with DES key and mount to succeed

Additional info:
/etc/krb5.conf contains:

[libdefaults]
 default_realm = INT.COREFILING.COM
 dns_lookup_kdc = true
 ticket_lifetime = 1d 1h
 renew_lifetime = 7d 1h
 forwardable = true
 proxiable = true
 allow_weak_crypto = true

/var/log/messages on Fedora 14 with rpc.gssd -vvvv:
================================================================================
rpc.gssd[2376]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
rpc.gssd[2376]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[2376]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
rpc.gssd[2376]: process_krb5_upcall: service is '<null>'
rpc.gssd[2376]: Full hostname for 'nfs1.int.corefiling.com' is 'nfs1.int.corefiling.com'
rpc.gssd[2376]: Full hostname for 'fedora14.int.corefiling.com' is 'fedora14.int.corefiling.com'
rpc.gssd[2376]: Key table entry not found while getting keytab entry for 'root/fedora14.int.corefiling.com@'
rpc.gssd[2376]: Success getting keytab entry for 'nfs/fedora14.int.corefiling.com@'
rpc.gssd[2376]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291995341
rpc.gssd[2376]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291995341
rpc.gssd[2376]: using FILE:/tmp/krb5cc_machine_INT.COREFILING.COM as credentials cache for machine creds
rpc.gssd[2376]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_INT.COREFILING.COM
rpc.gssd[2376]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[2376]: creating tcp client for server nfs1.int.corefiling.com
rpc.gssd[2376]: DEBUG: port already set to 2049
rpc.gssd[2376]: creating context with server nfs.corefiling.com
rpc.gssd[2376]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs1.int.corefiling.com
rpc.gssd[2376]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_INT.COREFILING.COM for server nfs1.int.corefiling.com
rpc.gssd[2376]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs1.int.corefiling.com
rpc.gssd[2376]: Full hostname for 'nfs1.int.corefiling.com' is 'nfs1.int.corefiling.com'
rpc.gssd[2376]: Full hostname for 'fedora14.int.corefiling.com' is 'fedora14.int.corefiling.com'
rpc.gssd[2376]: Key table entry not found while getting keytab entry for 'root/fedora14.int.corefiling.com@'
rpc.gssd[2376]: Success getting keytab entry for 'nfs/fedora14.int.corefiling.com@'
rpc.gssd[2376]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291995341
rpc.gssd[2376]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291995341
rpc.gssd[2376]: using FILE:/tmp/krb5cc_machine_INT.COREFILING.COM as credentials cache for machine creds
rpc.gssd[2376]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_INT.COREFILING.COM
rpc.gssd[2376]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[2376]: creating tcp client for server nfs1.int.corefiling.com
rpc.gssd[2376]: DEBUG: port already set to 2049
rpc.gssd[2376]: creating context with server nfs.corefiling.com
rpc.gssd[2376]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs1.int.corefiling.com
rpc.gssd[2376]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_INT.COREFILING.COM for server nfs1.int.corefiling.com
rpc.gssd[2376]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs1.int.corefiling.com
rpc.gssd[2376]: doing error downcall
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: dir_notify_handler: sig 37 si 0x7fff936a6170 data 0x7fff936a6040
rpc.gssd[2376]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
rpc.gssd[2376]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt13
================================================================================

And from /var/log/syslog on the server, rpc.svcgssd -vvv:
================================================================================
rpc.svcgssd[2183]: leaving poll
rpc.svcgssd[2183]: handling null request
rpc.svcgssd[2183]: sname = nfs/fedora14.int.corefiling.com.COM
rpc.svcgssd[2183]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.svcgssd[2183]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
rpc.svcgssd[2183]: serialize_krb5_ctx: prepare_krb5_*_buffer failed (retcode = -1)
rpc.svcgssd[2183]: ERROR: failed serializing krb5 context for kernel
rpc.svcgssd[2183]: WARNING: handle_nullreq: serialize_context_for_kernel failed
rpc.svcgssd[2183]: sending null reply
rpc.svcgssd[2183]: writing message: \x 1291906234 851968 0 \x \x
rpc.svcgssd[2183]: finished handling null request
rpc.svcgssd[2183]: entering poll
rpc.svcgssd[2183]: leaving poll
rpc.svcgssd[2183]: handling null request
rpc.svcgssd[2183]: sname = nfs/fedora14.int.corefiling.com.COM
rpc.svcgssd[2183]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.svcgssd[2183]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
rpc.svcgssd[2183]: serialize_krb5_ctx: prepare_krb5_*_buffer failed (retcode = -1)
rpc.svcgssd[2183]: ERROR: failed serializing krb5 context for kernel
rpc.svcgssd[2183]: WARNING: handle_nullreq: serialize_context_for_kernel failed
rpc.svcgssd[2183]: sending null reply
rpc.svcgssd[2183]: writing message: \x 1291906234 851968 0 \x \x
rpc.svcgssd[2183]: finished handling null request
rpc.svcgssd[2183]: entering poll
================================================================================

Client tries twice with the "AES-256 CTS mode with 96-bit SHA-1 HMAC" key and never any other.

Removing the non-DES enctypes from /etc/krb5.keytab causes the client's rpc.gssd to fail to find a valid key, which smells like a huge bug:
================================================================================
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9870 data 0x7fff882a9740
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9870 data 0x7fff882a9740
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a3cf0 data 0x7fff882a3bc0
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9870 data 0x7fff882a9740
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9870 data 0x7fff882a9740
rpc.gssd[2525]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt15)
rpc.gssd[2525]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[2525]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt15)
rpc.gssd[2525]: process_krb5_upcall: service is '<null>'
rpc.gssd[2525]: Full hostname for 'nfs1.int.corefiling.com' is 'nfs1.int.corefiling.com'
rpc.gssd[2525]: Full hostname for 'fedora14.int.corefiling.com' is 'fedora14.int.corefiling.com'
rpc.gssd[2525]: Key table entry not found while getting keytab entry for 'root/fedora14.int.corefiling.com@'
rpc.gssd[2525]: Success getting keytab entry for 'nfs/fedora14.int.corefiling.com@'
rpc.gssd[2525]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/fedora14.int.corefiling.com.COM' using keytab 'WRFILE:/etc/krb5.keytab'
rpc.gssd[2525]: ERROR: No credentials found for connection to server nfs1.int.corefiling.com
rpc.gssd[2525]: doing error downcall
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: dir_notify_handler: sig 37 si 0x7fff882a9370 data 0x7fff882a9240
rpc.gssd[2525]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt16
rpc.gssd[2525]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt15
================================================================================

Adding "default_tkt_enctypes = des-cbc-md5 des-cbc-md4 des-cbc-crc" to krb5.conf allows the mount to succeed. Unfortunately this restricts all services and isn't a great solution:
================================================================================
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd1730 data 0x7fff42fd1600
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
rpc.gssd[2648]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[2648]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
rpc.gssd[2648]: process_krb5_upcall: service is '<null>'
rpc.gssd[2648]: Full hostname for 'nfs1.int.corefiling.com' is 'nfs1.int.corefiling.com'
rpc.gssd[2648]: Full hostname for 'fedora14.int.corefiling.com' is 'fedora14.int.corefiling.com'
rpc.gssd[2648]: Key table entry not found while getting keytab entry for 'root/fedora14.int.corefiling.com@'
rpc.gssd[2648]: Success getting keytab entry for 'nfs/fedora14.int.corefiling.com@'
rpc.gssd[2648]: Successfully obtained machine credentials for principal 'nfs/fedora14.int.corefiling.com.COM' stored in ccache 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM'
rpc.gssd[2648]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291997767
rpc.gssd[2648]: using FILE:/tmp/krb5cc_machine_INT.COREFILING.COM as credentials cache for machine creds
rpc.gssd[2648]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_INT.COREFILING.COM
rpc.gssd[2648]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[2648]: creating tcp client for server nfs1.int.corefiling.com
rpc.gssd[2648]: DEBUG: port already set to 2049
rpc.gssd[2648]: creating context with server nfs.corefiling.com
rpc.gssd[2648]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.gssd[2648]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
rpc.gssd[2648]: doing downcall
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt18
rpc.gssd[2648]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt17
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: dir_notify_handler: sig 37 si 0x7fff42fd72b0 data 0x7fff42fd7180
rpc.gssd[2648]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1a)
rpc.gssd[2648]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[2648]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1a)
rpc.gssd[2648]: process_krb5_upcall: service is '<null>'
rpc.gssd[2648]: Full hostname for 'nfs1.int.corefiling.com' is 'nfs1.int.corefiling.com'
rpc.gssd[2648]: Full hostname for 'fedora14.int.corefiling.com' is 'fedora14.int.corefiling.com'
rpc.gssd[2648]: Key table entry not found while getting keytab entry for 'root/fedora14.int.corefiling.com@'
rpc.gssd[2648]: Success getting keytab entry for 'nfs/fedora14.int.corefiling.com@'
rpc.gssd[2648]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291997767
rpc.gssd[2648]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_INT.COREFILING.COM' are good until 1291997767
rpc.gssd[2648]: using FILE:/tmp/krb5cc_machine_INT.COREFILING.COM as credentials cache for machine creds
rpc.gssd[2648]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_INT.COREFILING.COM
rpc.gssd[2648]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[2648]: creating tcp client for server nfs1.int.corefiling.com
rpc.gssd[2648]: DEBUG: port already set to 2049
rpc.gssd[2648]: creating context with server nfs.corefiling.com
rpc.gssd[2648]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.gssd[2648]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
rpc.gssd[2648]: doing downcall
================================================================================

I realize this could be a duplicate of bug 652273 as it shows the same initial symptoms; however, that one wandered off after the submitter upgraded software on their server.
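An added example, not code from the report or from nfs-utils: a small Python parser for rpc.gssd/rpc.svcgssd debug lines like the ones quoted above. It pulls out the enctype list the kernel offered in the upcall, the enctype of the key that was finally serialized for the kernel, and any negotiation failure, and flags when the context ended up on single DES (the enctypes that only work with allow_weak_crypto = true). The number-to-name table follows the Kerberos enctype registry (RFC 3961); the sample log lines are constructed from the report.

```python
import re

# Kerberos enctype numbers (RFC 3961 registry) as they appear in the gssd
# upcall string 'enctypes=18,17,16,23,3,1,2' and in the downcall message.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 4: "des-cbc-raw",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single-DES enctypes: libkrb5 only uses these when allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 2, 3, 4}

UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=krb5 uid=(\d+) enctypes=([\d,]+)")
DOWNCALL_RE = re.compile(r"serializing keys with enctype (\d+) and length (\d+)")
FAIL_RE = re.compile(r"(prepare_krb5_rfc_cfx_buffer: not implemented"
                     r"|No credentials found for connection to server \S+"
                     r"|doing error downcall)")

def analyze(log_lines):
    """Summarise one negotiation: enctypes the kernel offered, the key enctype
    finally handed down, whether that key is single DES, and failures seen."""
    report = {"offered": [], "negotiated": None, "weak": False, "failures": []}
    for line in log_lines:
        m = UPCALL_RE.search(line)
        if m:
            report["offered"] = [int(x) for x in m.group(2).split(",")]
        m = DOWNCALL_RE.search(line)
        if m:
            et = int(m.group(1))
            report["negotiated"] = ENCTYPE_NAMES.get(et, "enctype-%d" % et)
            report["weak"] = et in WEAK_ENCTYPES
        m = FAIL_RE.search(line)
        if m:
            report["failures"].append(m.group(1))
    return report

# Constructed sample lines modelled on the report (not a real capture).
CLIENT_OK = [
    "rpc.gssd[2648]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '",
    "rpc.gssd[2648]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8",
    "rpc.gssd[2648]: doing downcall",
]
SERVER_FAIL = [
    "rpc.svcgssd[2183]: DEBUG: serialize_krb5_ctx: lucid version!",
    "rpc.svcgssd[2183]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented",
    "rpc.svcgssd[2183]: sending null reply",
]
```

Running `analyze(CLIENT_OK)` reports the successful mount from the report as negotiated on des-cbc-raw, i.e. weak, which is exactly the state an administrator wants to find and phase out once the server side supports the newer enctypes.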
I've run into perhaps similar issues trying to mount from an EL 5.5 server. My solution was to make sure that only DES keys were in the server's keytab. Otherwise setting allow_weak_crypto = yes seems to be all I needed to do on the client. Be sure to restart rpcgssd on the client and rpcsvcgssd on the server after each change while testing.
Yes, the RHEL5 server only supports DES keys... With F14 and RHEL6 there are more keys supported.
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advance warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping