LinuxQuestions.org
12-03-2014, 02:51 AM   #1
bucovaina78
Debugging Kerberos authentication errors for NFSv4 with shark


Hi,

I'm having a problem with certain NFSv4 clients that are not able to mount a certain export on an NFSv4 server. I'm suspecting there is an enctype (DES/DES3) incompatibility between server and client.

Someone having more or less the same problem posted this output on another website. Unfortunately I don't know for sure how he got to this output.
Code:
No.     Time        Source                Destination           Protocol Length Info
      7 11.128679   10.10.16.208          10.10.16.209          KRB5     808    TGS-REQ

[ cut lower level protocols data ]

Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6e82025630820252a003020105a10302010ea20703050000... AP-REQ
                Pvno: 5
                MSG Type: AP-REQ (14)
                Padding: 0
                APOptions: 00000000
                    0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                    ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                Ticket
                    Tkt-vno: 5
                    Realm: MYDOMAIN.COM
                    Server Name (Service and Instance): krbtgt/MYDOMAIN.COM
                        Name-type: Service and Instance (2)
                        Name: krbtgt
                        Name: MYDOMAIN.COM
                    enc-part aes256-cts-hmac-sha1-96
                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                        Kvno: 1
                        enc-part: c03dbd56915263874441e07531f689fa16ed7593a8118741...
                Authenticator aes256-cts-hmac-sha1-96
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                    Authenticator data: bae42b08eb935796e3dd31d9d34f5a4cc419b6594be7a8ed...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
            .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Realm: MYDOMAIN.COM
        Server Name (Service and Host): nfs/nfsserver.mydomain.com
            Name-type: Service and Host (3)
            Name: nfs
            Name: nfsserver.mydomain.com
        till: 2013-04-05 17:58:28 (UTC)
        Nonce: 1365155889
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)

No.     Time        Source                Destination           Protocol Length Info
      8 11.130891   10.10.16.209          10.10.16.208          KRB5     244    KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP

[ cut lower level protocols data ]

Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 2013-04-05 09:58:09 (UTC)
    stime: 2013-04-05 09:58:09 (UTC)
    susec: 588499
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Client Realm: MYDOMAIN.COM
    Client Name (Principal): nfs/nfsclient.mydomain.com
        Name-type: Principal (1)
        Name: nfs
        Name: nfsclient.mydomain.com
    Realm: MYDOMAIN.COM
    Server Name (Service and Host): nfs/nfsserver.mydomain.com
        Name-type: Service and Host (3)
        Name: nfs
        Name: nfsserver.mydomain.com
    e-text: BAD_ENCRYPTION_TYPE
I think this was done by using shark, something more like this?
Code:
tshark -o kerberos.decrypt:TRUE -o kerberos.file:/etc/krb5.keytab host nfs4client
But how do I extract all the bits and fields he got and how do I get to the layout?

Last edited by bucovaina78; 12-03-2014 at 02:52 AM.
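
An added example, not part of either post: a small script that reduces a verbose Kerberos dissection like the one quoted above to the fields that matter for an enctype mismatch, namely the service being requested, the enctypes the client offered, and the KDC's error. The function names `sample_dump` and `summarise_krb` and the file name `capture.pcap` are this example's own; the sample input is constructed from lines of the dump in post #1.

```shell
#!/bin/sh
# Added example (not from the thread). Input is a verbose dissection such as
# `tshark -V -O kerberos -Y kerberos -r capture.pcap` prints (placeholder file).
# Constructed sample: field lines taken from the dump quoted in post #1.
sample_dump() {
cat <<'EOF'
Kerberos TGS-REQ
                    Server Name (Service and Instance): krbtgt/MYDOMAIN.COM
                        Encryption type: aes256-cts-hmac-sha1-96 (18)
    KDC_REQ_BODY
        Server Name (Service and Host): nfs/nfsserver.mydomain.com
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)
Kerberos KRB-ERROR
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Server Name (Service and Host): nfs/nfsserver.mydomain.com
EOF
}
# One line per Kerberos message: target service plus either the enctypes the
# client offered (single-DES ones, numbers 1-3, listed separately) or the error.
summarise_krb() {
  awk '
    function emit() {
      if (err != "") printf "%s %s error=%s\n", msg, sname, err
      else if (etypes != "") printf "%s %s etypes=%s single_des=%s\n", msg, sname, etypes, (des == "" ? "none" : des)
    }
    /^Kerberos /        { emit(); msg = $2; sname = err = etypes = des = ""; inlist = 0; next }
    /Server Name \(/    { sname = $NF }   # last one wins: the request body, not the TGT in padata
    /error_code:/       { err = $2 }
    /Encryption Types:/ { inlist = 1; next }   # summary line that opens the offered list
    inlist && /Encryption type:/ {
      n = $NF; gsub(/[()]/, "", n); n += 0   # "(18)" -> 18, forced numeric
      etypes = (etypes == "" ? "" : etypes ",") n
      if (n >= 1 && n <= 3) des = (des == "" ? "" : des ",") n
      next
    }
    { inlist = 0 }      # any other line ends the offered list
    END { emit() }
  '
}
sample_dump | summarise_krb
```

On the sample this prints one line for the TGS-REQ and one for the KRB-ERROR, so the offered list can be compared directly with the enctypes that `klist -e` reports for the keys actually held.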
 
12-05-2014, 06:46 AM   #2
bucovaina78
Well, not exactly an answer to my question, but this helped me solve my initial problem:
Code:
klist -e

Last edited by bucovaina78; 12-05-2014 at 06:46 AM. Reason: } instead of ]
 
All times are GMT -5.