On 11-03-22 10:41 PM, Kevin Coffman wrote: > Hi Brian, Hi Kevin, > Can you tell me how you removed the 3des keys from the keytab? (If > you simply used ktutil, this isn't good enough. The KDC will still > issue a ticket with 3DES because, as far as it knows, the service > still has a 3des key in the KDC and supports 3des.) Ahh. Well, I did use ktutil. I opened the keytabs (/etc/krb5.keytab on both the client and server) then while they were open in ktutil, removed the files from the respective filesystems, deleted the keys in ktutil then wrote it back out from ktutil to the filesystem. But you say this is not good enough, yes? Should I be removing keys from the KDC also? kadmin.local: getprinc nfs/pc.example.com@ILINX Principal: nfs/pc.example.com@ILINX Expiration date: [never] Last password change: Sun Mar 14 20:51:08 EDT 2010 Password expiration date: [none] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Sun Mar 14 20:51:08 EDT 2010 (brian/admin@ILINX) Last successful authentication: Sat Mar 19 11:39:41 EDT 2011 Last failed authentication: [never] Failed password attempts: 0 Number of keys: 2 Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 2, DES cbc mode with CRC-32, no salt MKey: vno 1 Attributes: REQUIRES_PRE_AUTH Policy: [none] and/or kadmin.local: getprinc nfs/linux.example.com@ILINX Principal: nfs/linux.example.com@ILINX Expiration date: [never] Last password change: Sat Nov 01 00:37:11 EDT 2008 Password expiration date: [none] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Sat Nov 01 00:37:11 EDT 2008 (root/admin@ILINX) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 4, DES cbc mode with CRC-32, no salt MKey: vno 1 Attributes: Policy: [none] Ahhhh. But it seems that the server doesn't have a 3des key in the KDC, only the client does. > (Sorry if this was already provided and I missed it.) No, I don't think we have been here yet. > Do you have > output from gssd and svcgssd in the original failure/hang case? Here they are: pc# rpc.gssd with the -f -vvv beginning poll handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt4b90) handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt4b90) process_krb5_upcall: service is '<null>' Full hostname for 'linux.example.com' is 'linux.example.com' Full hostname for 'pc' is 'pc' Key table entry not found while getting keytab entry for 'root/pc@ILINX' Key table entry not found while getting keytab entry for 'nfs/pc@ILINX' Key table entry not found while getting keytab entry for 'host/pc@ILINX' Success getting keytab entry for nfs/*@ILINX Successfully obtained machine credentials for principal 'nfs/pc.example.com@ILINX' stored in ccache 'FILE:/tmp/krb5cc_machine_ILINX' INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_ILINX' are good until 1300913838 using FILE:/tmp/krb5cc_machine_ILINX as credentials cache for machine creds using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_ILINX creating context using fsuid 0 (save_uid 0) creating tcp client for server linux.example.com DEBUG: port already set to 2049 creating context with server nfs@xxxxxxxxxxxxxxxxx DEBUG: serialize_krb5_ctx: lucid version! prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8 doing downcall linux# /usr/sbin/rpc.svcgssd -f -vvv entering poll leaving poll handling null request sname = nfs/pc.example.com@ILINX DEBUG: serialize_krb5_ctx: lucid version! prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8 doing downcall mech: krb5, hndl len: 4, ctx len 85, timeout: 1300913838 (35999 from now), uid: -1, gid: -1, num aux grps: 0: sending null reply writing message: \x \x60...99 0 0 \x01000000 \x60......b2 finished handling null request entering poll pc# mount -t nfs4 -o sec=krb5 linux.example.com:/tmp /mnt/tmp [hung/blocked] I don't know if the contents of the "writing message: " were important but I also don't know if there is sensitive information in it or not, so being cautious, I did some redacting. Please let me know if that's a problem. All of the above is with my original keytabs, before 3des key removal. Cheers, b.
Attachment:
signature.asc
Description: OpenPGP digital signature