NFS + Kerberos: rpc.gssd -l



stroemi
01-Oct-2013, 12:31
Hi everyone,

we currently have a setup with an NFS file server combined with Kerberos authentication. Unfortunately, the file server is not in our full control and only supports single DES session keys.
For this to work, the NFS client machine has to tell its rpc.gssd it should run in legacy mode (-l), otherwise it uses 3DES or AES or something (not quite sure about that, but does not really matter either).
Now, there's the problem: on SLES11 SP3 rpc.gssd does not know about the parameter "-l" and refuses to use DES session keys.
In consequence all of our SLES11 servers are not able to connect to the file server making working on the services running on those machines rather dull.
Any suggestions or ideas on how to get legacy support into the gssd?

Thanks,
Chris

jmozdzen
01-Oct-2013, 13:21
Hi Chris,

> on SLES11 SP3 rpc.gssd does not know about the parameter "-l" and refuses to use DES session keys.

have you tried setting allow_weak_crypto = yes in the client's Kerberos configuration?

Regards,
Jens

stroemi
02-Oct-2013, 15:49
Yes, this entry is in the krb5.conf already. But I do not see how that would help anyway, the problem is specific to rpc.gssd. Have a look at http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=16f151834e63d8df9f852b7e265f17c689553c35;hp=880e2efecb4469573a5c2e89aee4963f29288f88 , this patch would fix the problem and the explanation what it exactly does is more specific than what I have told you.

jmozdzen
02-Oct-2013, 21:58
Hi Chris,

> But I do not see how that would help anyway, the problem is specific to rpc.gssd

I took that advice from another user that had reported a similar problem in a different list.

I'll relay your comments to my SUSE contacts, but cannot promise it will get included. Once I receive feedback from there, I'll let you know. If you have a support contract and can open a ticket, please do so and forward me the SR number so I can follow-up on that.

Regards,
Jens

jmozdzen
14-Oct-2013, 18:01
Hi stroemi,

please get in touch with me via personal message - there's someone who'd like you to test & verify an update to the code :)

Regards,
Jens

jmozdzen
24-Oct-2013, 15:36
Hi Chris,

do I see it right that the issue has been resolved?

Regards,
Jens