[Freeipa-users] Secure nfs4 and Fedora 14

Thomas Sailer sailer at sailer.dynip.lugs.ch
Thu Nov 11 12:44:55 UTC 2010


Since I upgraded about two days ago from a fully up-to-date and working
Fedora13 system to Fedora14, I am unable to mount the krb5p nfs4 shares
of the freeipa server (which is itself running a fully up-to-date
Fedora12).

rpc.gssd on the client reports the following:

beginning poll
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
process_krb5_upcall: service is '<null>'
Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
Key table entry not found while getting keytab entry for 'root/clnt.xxxx.xxx at XXXX.XXX'
Success getting keytab entry for 'nfs/clnt.xxxx.xxx at XXXX.XXX'
Successfully obtained machine credentials for principal 'nfs/clnt.xxxx.xxx at XXXX.XXX' stored in ccache 'FILE:/tmp/krb5cc_machine_XXXX.XXX'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXX.XXX
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxx.xxx
DEBUG: port already set to 2049
creating context with server nfs at server.xxxx.xxx
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.xxxx.xxx
Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
Full hostname for 'clnt.xxxx.xxx' is 'clnt.xxxx.xxx'
Key table entry not found while getting keytab entry for 'root/clnt.xxxx.xxx at XXXX.XXX'
Success getting keytab entry for 'nfs/clnt.xxxx.xxx at XXXX.XXX'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXX.XXX' are good until 1289651734
using FILE:/tmp/krb5cc_machine_XXXX.XXX as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXX.XXX
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxx.xxx
DEBUG: port already set to 2049
creating context with server nfs at server.xxxx.xxx
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxx.xxx
doing error downcall
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38

I need to downgrade the kernel and krb5* to the Fedora13 version to get
nfs4 working again.

Does anybody have an idea why it no longer works?

What is the current party line with respect to nfs4 encryption types?
The admin guide on the freeipa web page still requires des-cbc-crc. But
MIT Kerberos seems to become increasingly hostile against des. And yes,
I do have allow_weak_crypto = true in krb5.conf/libdefaults

Thanks,
Tom
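The rpc.gssd output above is dense, and the useful facts for triage (which enctypes the kernel offered, which keytab principals were found or missing, and where exactly the failure occurred) are spread over sixty lines. The following is an added example, not code from the original post nor from FreeIPA or nfs-utils: a small parser that reduces such a log to a summary and a few findings. The enctype number-to-name table is the standard Kerberos registry (RFC 3961 / RFC 4120); the sample log is a trimmed copy of the lines quoted above; and `normalize_principal` assumes that the list archive rewrote `@` as ` at ` in principal names, which it undoes.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Kerberos encryption type numbers from the IANA registry (RFC 3961 / RFC 4120).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES types: MIT Kerberos only uses these when allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 2, 3}

# Constructed sample: lines copied from the rpc.gssd output quoted in the post, trimmed.
SAMPLE_LOG = """\
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Key table entry not found while getting keytab entry for 'root/clnt.xxxx.xxx at XXXX.XXX'
Success getting keytab entry for 'nfs/clnt.xxxx.xxx at XXXX.XXX'
Successfully obtained machine credentials for principal 'nfs/clnt.xxxx.xxx at XXXX.XXX' stored in ccache 'FILE:/tmp/krb5cc_machine_XXXX.XXX'
creating context with server nfs at server.xxxx.xxx
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxx.xxx
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXX.XXX for server server.xxxx.xxx
WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxx.xxx
doing error downcall
"""

ENCTYPES_RE = re.compile(r"enctypes=([\d,]+)")
KEYTAB_MISSING_RE = re.compile(r"Key table entry not found while getting keytab entry for '([^']+)'")
KEYTAB_FOUND_RE = re.compile(r"Success getting keytab entry for '([^']+)'")
CONTEXT_FAIL_RE = re.compile(r"WARNING: Failed to create (.+?) for server (\S+)")


def normalize_principal(text: str) -> str:
    """Assumption: the list archive rewrote '@' as ' at '; restore the real principal form."""
    return text.replace(" at ", "@")


@dataclass
class GssdSummary:
    offered_enctypes: List[int] = field(default_factory=list)   # from the first upcall
    keytab_found: List[str] = field(default_factory=list)       # principals with a key on the client
    keytab_missing: List[str] = field(default_factory=list)     # principals rpc.gssd tried and lacked
    context_failures: List[str] = field(default_factory=list)   # "what -> server" for each failed context
    error_downcall: bool = False                                # rpc.gssd gave up on the mount

    @property
    def weak_offered(self) -> List[int]:
        """Offered enctypes that are single DES, in the order the kernel listed them."""
        return [e for e in self.offered_enctypes if e in WEAK_ENCTYPES]


def parse_gssd_log(text: str) -> GssdSummary:
    """Walk the log line by line and collect the facts that matter for triage."""
    s = GssdSummary()
    for line in text.splitlines():
        if m := ENCTYPES_RE.search(line):
            if not s.offered_enctypes:  # the first upcall defines the offered set
                s.offered_enctypes = [int(x) for x in m.group(1).split(",") if x]
        elif m := KEYTAB_MISSING_RE.search(line):
            s.keytab_missing.append(normalize_principal(m.group(1)))
        elif m := KEYTAB_FOUND_RE.search(line):
            s.keytab_found.append(normalize_principal(m.group(1)))
        elif m := CONTEXT_FAIL_RE.search(line):
            s.context_failures.append(f"{m.group(1)} -> {m.group(2)}")
        elif "doing error downcall" in line:
            s.error_downcall = True
    return s


def diagnose(s: GssdSummary) -> List[str]:
    """Turn the summary into short findings a practitioner can act on."""
    findings = []
    names = ", ".join(f"{e}={ENCTYPE_NAMES.get(e, 'unknown')}" for e in s.offered_enctypes)
    findings.append(f"client offered enctypes: {names}")
    if s.weak_offered:
        findings.append(
            f"single-DES enctypes {s.weak_offered} are in the offered set; "
            "MIT Kerberos only uses them with allow_weak_crypto = true"
        )
    if s.keytab_missing:
        findings.append(
            f"no keytab entry for {s.keytab_missing}; rpc.gssd moves on to the next "
            "candidate principal, so this alone is not fatal"
        )
    if s.keytab_found and s.error_downcall:
        findings.append(
            f"keytab supplied {s.keytab_found} and machine credentials were obtained, "
            "so the failure is in building the GSS context with the server, "
            "not in the client keytab lookup"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_gssd_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against the quoted output, the summary shows the order of events the post describes: the `root/` principal is absent from the keytab but `nfs/` is present, machine credentials are obtained, and every attempt to create a context with `nfs/server.xxxx.xxx` then fails, which is what ends in the error downcall.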