Brian J. Murrell
2010-03-16 12:23:49 UTC
Hello everyone.
I've just recently upgraded my distro which included an upgrade of MIT
kerberos to (debian version) "1.8+dfsg~alpha1-7" which I'm assuming is
some kind of 1.8 (pre-)release.
Since that upgrade, my NFS4 mounts no longer work. On the KDC I am
getting:
00:20:43 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:20:43 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
Other keys seem to be working fine still:
$ rsh -x linux uname
This rsh session is encrypting input/output data transmissions.
Linux
Where the KDC reports for the above:
krb5kdc: AS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian at ILINX for krbtgt/ILINX at ILINX
krb5kdc: TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian at ILINX for host/pc.xxx.com at ILINX
My keytab has the following credentials:
$ sudo klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 nfs/pc.xxx.com at ILINX (Triple DES cbc mode with HMAC/sha1)
2 nfs/pc.xxx.com at ILINX (DES cbc mode with CRC-32)
4 host/pc.xxx.com at ILINX (Triple DES cbc mode with HMAC/sha1)
4 host/pc.xxx.com at ILINX (DES cbc mode with CRC-32)
It seems to me that there is some mismatch between key types and what's
supported but I can't for the life of me figure out where.
krb5.conf on pc.xxx.com has:
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
ILINX = {
kdc = kerberos.xxx.com
admin_server = kerberos.xxx.com
}
...
[domain_realm]
...
.ilinx = ILINX
.xxx.com = ILINX
[login]
krb4_convert = true
krb4_get_tickets = false
kdc.conf on the KDC has:
[kdcdefaults]
kdc_ports = 750,88
[realms]
ILINX = {
database_name = /etc/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
#dict_file = /usr/share/dict/words
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Any ideas at all would be much appreciated.
Thanx,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20100316/dfd749e6/attachment.bin
I've just recently upgraded my distro which included an upgrade of MIT
kerberos to (debian version) "1.8+dfsg~alpha1-7" which I'm assuming is
some kind of 1.8 (pre-)release.
Since that upgrade, my NFS4 mounts no longer work. On the KDC I am
getting:
00:20:43 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:20:43 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
Other keys seem to be working fine still:
$ rsh -x linux uname
This rsh session is encrypting input/output data transmissions.
Linux
Where the KDC reports for the above:
krb5kdc: AS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian at ILINX for krbtgt/ILINX at ILINX
krb5kdc: TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian at ILINX for host/pc.xxx.com at ILINX
My keytab has the following credentials:
$ sudo klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 nfs/pc.xxx.com at ILINX (Triple DES cbc mode with HMAC/sha1)
2 nfs/pc.xxx.com at ILINX (DES cbc mode with CRC-32)
4 host/pc.xxx.com at ILINX (Triple DES cbc mode with HMAC/sha1)
4 host/pc.xxx.com at ILINX (DES cbc mode with CRC-32)
It seems to me that there is some mismatch between key types and what's
supported but I can't for the life of me figure out where.
krb5.conf on pc.xxx.com has:
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
ILINX = {
kdc = kerberos.xxx.com
admin_server = kerberos.xxx.com
}
...
[domain_realm]
...
.ilinx = ILINX
.xxx.com = ILINX
[login]
krb4_convert = true
krb4_get_tickets = false
kdc.conf on the KDC has:
[kdcdefaults]
kdc_ports = 750,88
[realms]
ILINX = {
database_name = /etc/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
#dict_file = /usr/share/dict/words
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Any ideas at all would be much appreciated.
Thanx,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20100316/dfd749e6/attachment.bin