Hi all,
Linux kernel 5.10 removed support for RC4-HMAC [1] from Kerberos. I
suspect the reporter's client is using that encryption type. Samba used
to create keytabs only containing RC4-HMAC, DES-CBC-MD5 and DES-CBC-CRC.
Current versions of rpc.gssd use any of DES3-CBC-SHA1,
AES256-CTS-HMAC-SHA1-96 or AES128-CTS-HMAC-SHA1-96. That could be the
reason for the mount to fail. This can be checked using `klist -ke`. The
list should contain AES256-CTS-HMAC-SHA1-96 or AES128-CTS-HMAC-SHA1-96
and I guess they are missing.
Starting rpc.gssd with `-l` to allow weak ciphers would seem like a
workaround at first, but this does not work because the weak ciphers are
no longer available in the underlying libraries.
Current versions of Samba do include AES encryption types in keytab
exports. If not, it's probably because the account's password has
not been changed since Samba introduced support for AES. Rejoining the
client or resetting its AD account's password should help. Note,
however, that AES encryption types are not exported if service
principals are used. In that case they need to be explicitly enabled
before the export [2]. For my clients I used `net ads enctypes set
<ACCOUNTNAME> 24`.
[1]
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e33d2a7b3041d7f8cd1f0a2a4ca42a5bc112b14e
[2] https://wiki.samba.org/index.php/Generating_Keytabs
Cheers
Birger
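
The two checks mentioned in the message above, as an added example that is not part of the original post: it scans `klist -ke` output for AES keys and decodes an enctypes value such as 24 into its bits. The keytab listings and principal names are constructed samples, and the bit table is the standard `msDS-SupportedEncryptionTypes` flag assignment, which the post does not spell out.

```shell
#!/bin/sh
# Added example: keytab listings are constructed, principals are placeholders.

# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
ENCTYPE_BITS="1:DES-CBC-CRC 2:DES-CBC-MD5 4:RC4-HMAC 8:AES128-CTS-HMAC-SHA1-96 16:AES256-CTS-HMAC-SHA1-96"

# decode_enctypes MASK -> space-separated names of the bits set in MASK.
decode_enctypes() {
    mask=$1
    out=""
    for pair in $ENCTYPE_BITS; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( $mask & $bit )) -ne 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# keytab_enctypes: read `klist -ke` output on stdin and print the unique
# enctype names (newer MIT releases prefix weak ones with DEPRECATED:).
keytab_enctypes() {
    sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p' | sed 's/^DEPRECATED://' | sort -u
}

# keytab_has_aes: succeed if the listing on stdin has at least one AES key.
keytab_has_aes() {
    keytab_enctypes | grep -Eq '^aes(128|256)-cts-hmac-sha1-96$'
}

OLD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/client.example.com@EXAMPLE.COM (des-cbc-md5)
   2 host/client.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)'

NEW_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/client.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)'

for kt in "$OLD_KEYTAB" "$NEW_KEYTAB"; do
    if printf '%s\n' "$kt" | keytab_has_aes; then echo "AES keys present"
    else echo "no AES keys in keytab"; fi
done
echo "enctypes 24 = $(decode_enctypes 24)"
```

On a real client, pipe the live listing in instead of the samples: `klist -ke | keytab_has_aes`.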