https://bugzilla.novell.com/show_bug.cgi?id=614293

https://bugzilla.novell.com/show_bug.cgi?id=614293#c46

Neil Brown <nfbrown@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #443572|0                           |1
        is obsolete|                            |

--- Comment #46 from Neil Brown <nfbrown@novell.com> 2011-08-09 01:33:31 UTC ---
Created an attachment (id=444812)
 --> (http://bugzilla.novell.com/attachment.cgi?id=444812)
New rpc.gssd which attempts to auto-correct

Thanks for the tcpdump traces. They largely show what I would expect.

I've modified rpc.gssd to handle failure by retrying with a reduced set of allowed encryption types. Hopefully this will work correctly on all servers...

Please:

1/ Remove the "allow_weak_crypto = true" from the server - it seems to be a problem. I realise you will need to wait for a quiet time to do that.

2/ Try to mount a file system with the attached rpc.gssd running. If you could collect a tcpdump trace while that happens and mail it to me that would be great. I don't expect to find any surprises in it, but it would be nice to be certain of that.

If you confirm that it works and there are no surprises, I will submit this patch to Factory and try to get an update for 11.4 scheduled in due course.

Just for completeness, the change I made is below.

Thanks.

Index: nfs-utils-1.2.3/utils/gssd/gssd_proc.c =================================================================== --- nfs-utils-1.2.3.orig/utils/gssd/gssd_proc.c 2010-09-28 22:24:16.000000000 +1000 +++ nfs-utils-1.2.3/utils/gssd/gssd_proc.c 2011-08-09 11:23:49.316191138 +1000 
@@ -917,6 +917,23 @@ int create_auth_rpc_client(struct clnt_i printerr(2, "creating context with server %s\n", clp->servicename); auth = authgss_create_default(rpc_clnt, clp->servicename, &sec); +#ifdef HAVE_SET_ALLOWABLE_ENCTYPES + if (!auth && authtype == AUTHTYPE_KRB5 && krb5_enctypes) { + u_int min_stat; + /* The extended list of enctypes can confuse old servers */ + gss_release_cred(&min_stat, &sec.cred); + free(krb5_enctypes); + krb5_enctypes = NULL; + num_krb5_enctypes = 0; + printerr(2, "retry auth using default encryption types\n"); + if (limit_krb5_enctypes(&sec) == 0) + auth = authgss_create_default(rpc_clnt, + clp->servicename, &sec); + else + printerr(1, "WARNING: Failed while limiting krb5 " + "encryption types to default list\n"); + } +#endif if (!auth) { /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create %s context for "
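
Review bot: the fallback branch `if (!auth && authtype == AUTHTYPE_KRB5 && krb5_enctypes)` runs on any NULL return from authgss_create_default, not only on an encryption-type mismatch, so an unrelated failure also frees krb5_enctypes and zeroes num_krb5_enctypes. Neither variable is declared in this hunk, so they look like state that outlives this call; if that is the case, one failed context creation leaves every later request on the default list, and the hunk should either say so in the comment or work on a per-call copy instead of clearing the shared list. The fallback itself is only reported by `printerr(2, "retry auth using default encryption types\n")`, a lower priority than the level 1 used for the warning a few lines down; logging it at level 1 together with clp->servicename would let an administrator see which servers caused the reduced list to be used. The min_stat result of gss_release_cred is also ignored.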