Bug #512110 “gssd regression, “Program lacks support for encrypt...” : Bugs : krb5 package : Ubuntu

gssd regression, "Program lacks support for encryption type"

Bug #512110 reported by Jochen
108
This bug affects 18 people
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)
Confirmed
Medium
Unassigned
Declined for Lucid by Mathias Gug

Bug Description

After upgrading the krb5 libraries to 1.8 I could not mount my Kerberized NFS4 shares. The following error Message is in the syslog for every mount attempt:
rpc.gssd[1298]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more informati
on - (minor) Program lacks support for encryption type

Switching back to 1.7 fixes this Problem.

Jochen (jradmacher)
description: updated
Revision history for this message
Russ Allbery (rra-debian) wrote : Re: [Bug 512110] [NEW] gssd regression, "Program lacks support for encryption type"

Jochen <email address hidden> writes:

> After upgrading the krb5 libraries to 1.8 I could not mount my
> Kerberized NFS4 shares. The following error Message is in the syslog for
> every mount attempt:

> rpc.gssd[1298]: rpcsec_gss: gss_init_sec_context: (major) Unspecified
> GSS failure. Minor code may provide more information - (minor) Program
> lacks support for encryption type

> Switching back to 1.7 fixes this Problem.

Sounds like NFS v4 doesn't support stronger encryption types than DES.
You'll need to add:

    allow_weak_crypto = true

to the [libdefaults] section of your krb5.conf file.

[...]

Revision history for this message
Sam Hartman (hartmans) wrote : Re: [Bug 512110] [NEW] gssd regression, "Program lacks support for encryption type"

>>>>> "Russ" == Russ Allbery <email address hidden> writes:

    Russ> Jochen <email address hidden> writes:
    >> After upgrading the krb5 libraries to 1.8 I could not mount my
    >> Kerberized NFS4 shares. The following error Message is in the
    >> syslog for every mount attempt:

    >> rpc.gssd[1298]: rpcsec_gss: gss_init_sec_context: (major)
    >> Unspecified GSS failure. Minor code may provide more information
    >> - (minor) Program lacks support for encryption type

    >> Switching back to 1.7 fixes this Problem.

    Russ> Sounds like NFS v4 doesn't support stronger encryption types
    Russ> than DES. You'll need to add:

    Russ> allow_weak_crypto = true

    Russ> to the [libdefaults] section of your krb5.conf file.

Right. I really think this is a gssd bug: the NFS folks have have
multiple years to implement something stronger than DES. Unlike with
OpenAFS, the protocol has been quite clear; it's purely a matter of
writing code.

The work around Russ suggests is the right user-level fix. My comments
are more intended to address what the focus should be for the
distributions in terms of fixing this.

We're adding an API to krb5 to fix this for OpenAFS. Because of the way
the API is constructed, it's very difficult for GSSD to actually call
it.

Chuck Short (zulcss)
Changed in krb5 (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
tags: added: glucid
Revision history for this message
J. Bruce Fields (bfields-fieldses) wrote :

"the NFS folks have have multiple years to implement something stronger than DES. Unlike with
OpenAFS, the protocol has been quite clear; it's purely a matter of writing code."

Yeah, the code is finally merged for 2.6.35, but that took longer than it should. (If you know anyone interested in funding NFS security work....)

Revision history for this message
J. Bruce Fields (bfields-fieldses) wrote :

"We're adding an API to krb5 to fix this for OpenAFS. Because of the way
the API is constructed, it's very difficult for GSSD to actually call
it."

Do you have a pointer to the details?

Revision history for this message
Sam Hartman (hartmans) wrote : Re: [Bug 512110] Re: gssd regression, "Program lacks support for encryption type"

>>>>> "J" == J Bruce Fields <email address hidden> writes:

    J> "We're adding an API to krb5 to fix this for OpenAFS. Because of
    J> the way the API is constructed, it's very difficult for GSSD to
    J> actually call it."

    J> Do you have a pointer to the details?

/* Allows the appplication to override the profile's allow_weak_crypto setting.
 * Primarily for use by aklog. */
krb5_error_code KRB5_CALLCONV
krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable);

The problem of course being the need for a krb5 context.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Loading subscribers...

Remote bug watches

Bug watches keep track of this bug in other bug trackers.