On Thu, 2021-02-25 11:07:13 +0100, J. Pfennig wrote:
> Package: nfs-common
> Version: 1:1.3.4-2.5+deb10u1
> Severity: important
> Tags: upstream
>
> Dear Maintainers
>
> There is a long standing bug (or wrong documentation) in rpc.gssd
> Probably debian uses an outdated version (new upstream version).
>
> I consider this bug as severe because it breaks backward compatibility
> since debian bullseye. It might affect most SAMBA AD/DC setups that
> were working with buster and fail with bullseye.

Thank you for filing this bug#983508. You tagged it upstream. Do you have a
web page address or upstream bug report reference of this bug when it was
reported upstream? Could you please test the current version of nfs-common
in experimental?

> PROBLEM
>
> The point is the nfs/... SPN (service principal name) that was
> historically used to fill the kerberos machine credential cache.
>
> The documentation explicitly states that rpc.gssd first tries
> the (windows) machine account <HOSTNAME>$/... then a SPN (or UPN?)
> root/... then some others and FINALLY the nfs/... SPN. But this
> is wrong, only nfs/... is recognized.
>
> This creates a problem with SAMBA AD/DC setups. Samba uses heimdal
> kerberos. A difference between heimdal and MIT is the SPNs. So in
> SAMBA you have to add a UPN (like the before mentioned root/...)
> and to attach the nfs/... SPN to the UPN. This is how it looks:
>
> samba-tool user create --random-password --gid-number=100 \
>     --gecos="nfs user" --unix-home=/tmp --login-shell=/usr/sbin/nologin \
>     root/myhost.centauri.home
> samba-tool user setexpiry --noexpiry root/myhost.centauri.home
> samba-tool spn add nfs/myhost.centauri.home root/myhost.centauri.home
>
> The exported keytab works fine (until kernel 5.9) and allows NFS4 with
> kerberos security:
>
> samba-tool domain exportkeytab xxx.keytab --principal MYHOST$
> samba-tool domain exportkeytab xxx.keytab --principal root/myhost.centauri.home
> samba-tool domain exportkeytab xxx.keytab --principal nfs/myhost.centauri.home
>
> But as nfs/... SPN seems to be historic SAMBA only exports weak
> encryption keys for nfs/... whereas the machine account and the root/...
> UPN have strong encryption:
>
> klist -e -k /etc/krb5.keytab.old
> Keytab name: FILE:/etc/krb5.keytab.old
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
>    1 alpha1$@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
>    1 alpha1$@CENTAURI.HOME (arcfour-hmac)
>    1 alpha1$@CENTAURI.HOME (des-cbc-md5)
>    1 alpha1$@CENTAURI.HOME (des-cbc-crc)
>    2 root/alpha1.centauri.h...@centauri.home (aes256-cts-hmac-sha1-96)
>    2 root/alpha1.centauri.h...@centauri.home (aes128-cts-hmac-sha1-96)
>    2 root/alpha1.centauri.h...@centauri.home (arcfour-hmac)
>    2 root/alpha1.centauri.h...@centauri.home (des-cbc-md5)
>    2 root/alpha1.centauri.h...@centauri.home (des-cbc-crc)
>    2 nfs/alpha1.centauri.h...@centauri.home (arcfour-hmac)
>    2 nfs/alpha1.centauri.h...@centauri.home (des-cbc-md5)
>    2 nfs/alpha1.centauri.h...@centauri.home (des-cbc-crc)
>
>
> SOLUTION
>
> This was OK until kernel 5.9 only. Since 5.10 somebody disabled weak
> encryption in the kernel part of GSSAPI. Now debian's old rpc.gssd
> fails. Probably creating a security problem as NFS mount now tries
> NFS 3 (without kerberos).
>
> The SAMBA documentation explains the SAMBA behaviour here:
>
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> The solution is to explicitly set the supported encryption for
> the root/... UPN:
>
> net ads enctypes set root/myhost.centauri.home 31
>
> A newly created keytab now contains the required encryptions
> for the nfs/... SPN. And now NFS4 works with 5.10 / bullseye.
>
>
> CONCLUSION
>
> The NFS4 / SAMBA / KERBEROS setup is extremely complicated, debian's
> rpc.gssd is outdated or buggy and someone tried to improve security
> by removing something from the kernel. NFS mounts on bullseye
> systems may fall back to NFS3 without kerberos. Not good.
>
>
> PLEASE
>
> Give users a hint, a useful error message, or fix rpc.gssd
> It took me a long time to identify the reported problem and I am
> thankful for a hint that I found in the univention bug tracker.
>
> Yours Jürgen
>
>
> -- Package-specific info:
> -- rpcinfo --
>    program vers proto   port  service
>     100000    4   tcp    111  portmapper
>     100000    3   tcp    111  portmapper
>     100000    2   tcp    111  portmapper
>     100000    4   udp    111  portmapper
>     100000    3   udp    111  portmapper
>     100000    2   udp    111  portmapper
> -- /etc/default/nfs-common --
> NEED_STATD=no
> STATDOPTS=
> NEED_IDMAPD=yes
> NEED_GSSD=yes
> -- /etc/idmapd.conf --
> [General]
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> Domain = centauri.home
> [Mapping]
> Nobody-User = nobody
> Nobody-Group = nogroup
> -- /etc/fstab --
>
> -- System Information:
> Debian Release: 10.8
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
> Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages nfs-common depends on:
> ii  adduser             3.118
> ii  keyutils            1.6-6
> ii  libc6               2.28-10
> ii  libcap2             1:2.25-2
> ii  libcom-err2         1.44.5-1+deb10u3
> ii  libdevmapper1.02.1  2:1.02.155-3
> ii  libevent-2.1-6      2.1.8-stable-4
> ii  libgssapi-krb5-2    1.17-3+deb10u1
> ii  libk5crypto3        1.17-3+deb10u1
> ii  libkeyutils1        1.6-6
> ii  libkrb5-3           1.17-3+deb10u1
> ii  libmount1           2.33.1-0.1
> ii  libnfsidmap2        0.25-5.1
> ii  libtirpc3           1.1.4-0.4
> ii  libwrap0            7.6.q-28
> ii  lsb-base            10.2019051400
> ii  rpcbind             1.2.5-0.3+deb10u1
> ii  ucf                 3.0038+nmu1
>
> Versions of packages nfs-common recommends:
> ii  python  2.7.16-1
>
> Versions of packages nfs-common suggests:
> pn  open-iscsi  <none>
> pn  watchdog    <none>
>
> Versions of packages nfs-kernel-server depends on:
> ii  keyutils     1.6-6
> ii  libblkid1    2.33.1-0.1
> ii  libc6        2.28-10
> ii  libcap2      1:2.25-2
> ii  libsqlite3-0 3.27.2-3+deb10u1
> ii  libtirpc3    1.1.4-0.4
> ii  libwrap0     7.6.q-28
> ii  lsb-base     10.2019051400
> ii  netbase      5.6
> ii  ucf          3.0038+nmu1
>
> -- Configuration Files:
> /etc/default/nfs-common changed [not included]
>
> -- no debconf information
>
> -- debsums errors found:
> debsums: changed file /usr/lib/systemd/scripts/nfs-utils_env.sh (from nfs-common package)
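The failure mode in the quoted report (an nfs/ principal whose keytab entries are all arcfour or DES, which a 5.10+ kernel GSSAPI will not use) can be checked for before a mount starts falling back. The script below is an added example, not part of the bug report or of nfs-utils; it parses `klist -e -k` output and lists principals with no AES key. The embedded klist output is constructed to mirror the keytab quoted above, with assumed full host and realm names.

```shell
#!/bin/sh
# Added example (not from the bug report): find keytab principals whose
# keys are weak-only (no aes*-cts enctype). Real use:
#   klist -e -k /etc/krb5.keytab | weak_only_principals

# Constructed sample modelled on the report's keytab: the machine account
# and the root/ UPN carry AES keys, the nfs/ SPN carries only weak ones.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   1 alpha1$@CENTAURI.HOME (arcfour-hmac)
   1 alpha1$@CENTAURI.HOME (des-cbc-md5)
   2 root/alpha1.centauri.home@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
   2 root/alpha1.centauri.home@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
   2 root/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (arcfour-hmac)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-md5)
   2 nfs/alpha1.centauri.home@CENTAURI.HOME (des-cbc-crc)'

# weak_only_principals: read "klist -e -k" output on stdin and print, one
# per line and sorted, every principal that has no aes* key at all.
# A principal that has both AES and weak keys is fine: the kernel simply
# ignores the weak ones.
weak_only_principals() {
    awk '
        # Key lines look like: "<kvno> <principal> (<enctype>)"
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            princ = $2
            enc = $NF
            gsub(/[()]/, "", enc)
            seen[princ] = 1
            if (enc ~ /^aes/) strong[princ] = 1
        }
        END {
            for (p in seen) if (!(p in strong)) print p
        }
    ' | sort
}

# check_sample: run the check over the constructed sample. Expected result:
# only the nfs/ principal is reported, matching the report's diagnosis.
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_only_principals
}

check_sample
```

After fixing the enctypes on the AD side and re-exporting the keytab, rerunning the real check should print nothing.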