Hi Jostein

On Tue, Mar 18, 2025 at 09:48:36AM +0100, Jostein Fossheim wrote:
> > But that said the situation in Bookworm might not be optimal for
> > kerberized NFS setups.
> >
> > Regards,
> > Salvatore
>
> We tried to do an upgrade to Trixie just to see how the situation was looking
> there, and at least for now the problem persists:
>
> root@basic-nas:~# uname -a
> Linux basic-nas.lab.skyfritt.net 6.12.17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.17-1 (2025-03-01) x86_64 GNU/Linux
> root@basic-nas:~# cat /boot/config-6.12.17-amd64 | grep AES_SHA2
> # CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set
> root@basic-nas:~#
>
> Log file from Trixie when we enforce the encryption schemas in question from
> the clients:
>
> Mar 18 09:43:42 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
>
> Mar 18 09:44:53 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
>
> I hope you will consider including RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 in future
> main kernel releases, or if possible include it as a module.

I did already:
https://salsa.debian.org/kernel-team/linux/-/merge_requests/1420

But I need to reply yet to the other mails in the thread for this bug.
But I'm considering reassigning this bug to src:linux instead for just
adding the support for the respective stronger enctypes, the AES_SHA1
ones are already enabled (by default in trixie).

On nfs-utils side there is not much we can do as for bookworm the
respective support for specifying the enctypes is not possible (and an
official backport likely we won't provide as between the bookworm and
trixie version there is the usrmove-part involved, but I can discuss
that with the other team members).

Regards,
Salvatore
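
The check discussed in this thread, as an added example that is not part of the original mails and not code from Debian or nfs-utils: a shell helper that pulls the rejected enctypes out of rpc.svcgssd log lines and reports whether the matching kernel option is set. The function names and the sample log and config are constructed for illustration, and the mapping covers only the AES_SHA1 and AES_SHA2 groups mentioned above.

```shell
#!/bin/sh
# Added example: tie rpc.svcgssd "not permitted" errors to kernel config options.

# Kernel option that builds a given Kerberos enctype into RPCSEC_GSS krb5.
enctype_to_kconfig() {
    case "$1" in
        aes128-cts-hmac-sha256-128|aes256-cts-hmac-sha384-192)
            echo CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 ;;
        aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96)
            echo CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 ;;
        *)  echo UNKNOWN ;;
    esac
}

# Unique enctypes rejected in the log file given as $1.
rejected_enctypes() {
    sed -n 's/.*Encryption type \([A-Za-z0-9-]*\) not permitted.*/\1/p' "$1" | sort -u
}

# State of option $1 in kernel config file $2: y, m or unset.
kconfig_state() {
    state=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    echo "${state:-unset}"
}

# One line per rejected enctype: "<enctype> <option> <state>".
audit_enctypes() {
    rejected_enctypes "$1" | while read -r etype; do
        opt=$(enctype_to_kconfig "$etype")
        if [ "$opt" = UNKNOWN ]; then
            echo "$etype UNKNOWN unknown"
        else
            echo "$etype $opt $(kconfig_state "$opt" "$2")"
        fi
    done
}

# Constructed sample input, modelled on the output quoted in the thread.
sample_log() {
    cat <<'EOF'
Mar 18 09:43:42 nas.example rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
Mar 18 09:44:53 nas.example rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
EOF
}
sample_config() {
    printf '%s\n' 'CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y' \
        '# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set'
}
```

On a real server, save the rpc.svcgssd log lines to a file and run `audit_enctypes` on it together with `/boot/config-$(uname -r)`.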