Hi,

I am trying to mount an NFSv4 share from a Debian squeeze NFS server on a Debian squeeze NFS client using sec=krb5. The same setup used to work on Debian lenny and failed just after the upgrade to Debian squeeze.

Both systems use the latest versions in Debian squeeze, currently:
- nfs-utils version 1.2.2 (package version 1.2.2-1)
- kernel 2.6.32 (package version 2.6.32-15)
- krb5 1.8.1 (package version 1.8.1+dfsg-5)

The mount operation fails with this error message:

  root@svn-info:~# mount -v /users
  mount.nfs4: timeout set for Wed Jun 30 17:29:47 2010
  mount.nfs4: trying text-based options 'intr,sec=krb5,addr=192.168.141.5,clientaddr=195.221.57.54'
  mount.nfs4: mount(2): Permission denied
  mount.nfs4: access denied by server while mounting erebus2-pdg:/users

Here is the /etc/fstab entry on the client:

  erebus2-pdg:/users /users nfs4 auto,user,exec,intr,sec=krb5

On the server /var/log/daemon.log contains the following error messages:

  Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Bad encryption type
  Jun 30 17:27:47 erebus2-pdg rpc.svcgssd[24332]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Bad encryption type

Kerberos keys were generated on a Windows 2003 AD server and the same keys used to work in Debian lenny:

- on the client:

  root@svn-info:~# klist -ke
  Keytab name: WRFILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     3 nfs/pc-client-nfs@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)

- on the server:

  root@erebus2-pdg:~# klist -ke
  Keytab name: WRFILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     3 nfs/erebus2-pdg.iut2.upmf-grenoble.fr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)

On the server /etc/krb5.conf does contain the following line (see the attached file):

  allow_weak_crypto = true

Google does not know about this problem:

  http://www.google.com/search?q=rpc.svcgssd+%22Bad+encryption+type%22

Could anybody please help?

-- 
Laurent Bonnaud.

[libdefaults]
	default_realm = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	allow_weak_crypto = true

[realms]
	NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR = {
		kdc = xxx.iut2.upmf-grenoble.fr
		admin_server = xxx.iut2.upmf-grenoble.fr
	}

[domain_realm]
	.iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
	iut2.upmf-grenoble.fr = NTIUT2GRE.IUT2.UPMF-GRENOBLE.FR
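
An added example, not part of the original message or its attachment: a small audit that parses `klist -ke` output in the layout quoted above and the `[libdefaults]` section of a krb5.conf, reporting principals whose only keys are single-DES and whether `allow_weak_crypto` is set. The function names, the sample principals and the EXAMPLE.ORG realm are constructed for illustration.

```python
import re

# Constructed sample in the `klist -ke` layout quoted in the message (host/ entries invented).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/server.example.org@EXAMPLE.ORG (DES cbc mode with RSA-MD5)
   3 host/server.example.org@EXAMPLE.ORG (DES cbc mode with RSA-MD5)
   3 host/server.example.org@EXAMPLE.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""
# Constructed krb5.conf fragment.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
[realms]
    EXAMPLE.ORG = { kdc = kdc.example.org }
"""

# "KVNO principal (enctype description)" rows; header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")
# Single-DES CBC enctypes, in the long form shown above or as names such as des-cbc-md5.
SINGLE_DES = re.compile(r"^(DEPRECATED:)?des[- ]cbc", re.IGNORECASE)

def des_only_principals(klist_text):
    """Return the principals whose keytab entries are all single-DES."""
    enctypes = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            enctypes.setdefault(m.group(2), []).append(m.group(3))
    return sorted(p for p, descs in enctypes.items()
                  if all(SINGLE_DES.match(d) for d in descs))

def allow_weak_crypto(conf_text):
    """Return the [libdefaults] allow_weak_crypto value as a bool, or None if unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "allow_weak_crypto":
                value = val.lower() in ("y", "yes", "true", "t", "1", "on")
    return value
```

Feeding it the real output of `klist -ke` and the contents of /etc/krb5.conf from each host lists the service principals that have no key other than single-DES.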