Mailinglist Archive: opensuse-bugs (4069 mails)

< Previous Next >
[Bug 614293] NFS with kerberos identification isn't working

Neil Brown <nfbrown@xxxxxxxxxx> changed:

What |Removed |Added
Attachment #443572|0 |1
is obsolete| |

--- Comment #46 from Neil Brown <nfbrown@xxxxxxxxxx> 2011-08-09 01:33:31 UTC ---
Created an attachment (id=444812)
--> (
New rpc.gssd which attempts to auto-correct

Thanks for the tcpdump traces. They largely show what I would expect.

I've modified rpc.gssd to handle failure by retrying with a reduced set of
allowed encryption types. Hopefully this will work correctly on all servers...

1/ Remove the "allow_weak_crypto = true" from the server - it seems to be
a problem. I realise you will need to wait for a quite time to do that.

2/ try to mount a file system with the attached rpc.gssd running. If you
collect a tcpdump trace while that happens and mail it to me that would be
great. I don't expect to find any surprised in it, but it would be nice to
be certain of that.

If you confirm that it works and there are no surprises, I will submit this
patch to Factor and try to get an update for 11.4 scheduled in due course.

Just for completeness, the change I made is below.

Index: nfs-utils-1.2.3/utils/gssd/gssd_proc.c
--- nfs-utils-1.2.3.orig/utils/gssd/gssd_proc.c 2010-09-28
22:24:16.000000000 +1000
+++ nfs-utils-1.2.3/utils/gssd/gssd_proc.c 2011-08-09 11:23:49.316191138
@@ -917,6 +917,23 @@ int create_auth_rpc_client(struct clnt_i

printerr(2, "creating context with server %s\n", clp->servicename);
auth = authgss_create_default(rpc_clnt, clp->servicename, &sec);
+ if (!auth && authtype == AUTHTYPE_KRB5 && krb5_enctypes) {
+ u_int min_stat;
+ /* The extended list of enctypes can confuse old servers */
+ gss_release_cred(&min_stat, &sec.cred);
+ free(krb5_enctypes);
+ krb5_enctypes = NULL;
+ num_krb5_enctypes = 0;
+ printerr(2, "retry auth using default encryption types\n");
+ if (limit_krb5_enctypes(&sec) == 0)
+ auth = authgss_create_default(rpc_clnt,
+ clp->servicename, &sec);
+ else
+ printerr(1, "WARNING: Failed while limiting krb5 "
+ "encryption types to default list\n");
+ }
if (!auth) {
/* Our caller should print appropriate message */
printerr(2, "WARNING: Failed to create %s context for "

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >