Kerberos incompatibilities

Kevin Coffman kwc at citi.umich.edu
Tue Sep 4 14:51:58 EDT 2007 

On 9/4/07, Lukas Hejtmanek <xhejtman at ics.muni.cz> wrote:
> Kevin,
>
> On Tue, Sep 04, 2007 at 01:50:57PM -0400, Kevin Coffman wrote:
> > The ultimate problem is that the server's principal
> > (nfs/cache04.video.muni.cz at ICS.MUNI.CZ) has been created with a
> > Triple-DES key which is not currently supported on Linux.   See
> > http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
>
> This principal has been created by the mount command. krb5.keytab does not
> contain any such principal:
>  klist -e -k -t
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (DES cbc mode with CRC-32)
>    1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (DES cbc mode with RSA-MD4)
>    1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (DES cbc mode with RSA-MD5)
>    1 09/04/07 15:13:47 host/didas.cesnet.cz at ICS.MUNI.CZ (Triple DES cbc mode with HMAC/sha1)

This is the client principal.  I am talking about the NFS server
principal on cache04.video.muni.cz.

> Namely, it contains both DES and Triple DES keys. For some reason, Triple DES
> is prefered over DES when those options are not present in /etc/krb5.conf.
>
> > However, before changing that, It is not entirely clear to me why you
> > are not seeing this problem in both the stable and unstable cases.
> > I'd like to figure that out.
>
> I guess, that stable client prefers DES over Triple DES for some reason.
>
> > Both versions should have the client-side code that attempts to limit
> > the encryption types negotiated with the server.  That is why I was
> > interested in a packet trace -- "tcpdump -s0 -w /tmp/trace.pcap" -- to
> > see what the Kerberos request/response packets look like.  If you
> > could send me this output from the (working) stable and the (failing)
> > unstable client, that might help.
>
> It's attached.

Thanks.  Unfortunately, these do not show the Kerberos packets to/from
the KDC.  Can you remove the credentials cache file
(/tmp/krb5cc_machine_ICS.MUNI.CZ) and capture during a restart of
rpc.gssd and a subsequent mount request?  That will allow the capture
of the TGT request and the service ticket request.

K.C.

More information about the NFSv4 mailing list