Bug 1223688

Summary: NFS mounting with sec=krb5 fails with access denied (krb5_crypt_nfs_client test)
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5 Reporter: Andrea Manzini <andrea.manzini>
Component: KernelAssignee: Neil Brown <nfbrown>
Status: RESOLVED FIXED QA Contact:
Severity: Normal    
Priority: P5 - None CC: meissner, tjyrinki
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.suse.de/tests/14184233/modules/krb5_crypt_nfs_client/steps/27
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---
Attachments: screenshot of the client's access denied

Description Andrea Manzini 2024-05-02 10:26:22 UTC 
Created attachment 874619 [details]
screenshot of the client's access denied

## Observation

openQA test in scenario sle-15-SP5-Server-DVD-Updates-x86_64-fips_tests_crypt_krb5_client@64bit fails in
[krb5_crypt_nfs_client](https://openqa.suse.de/tests/14184233/modules/krb5_crypt_nfs_client/steps/27)

## Test suite description
Testsuite maintained at https://gitlab.suse.de/qe-security/osd-sle15-security.


## Reproducible

Fails since (at least) Build [20240430-1](https://openqa.suse.de/tests/14179718)


## Expected result

Last good: [20240429-1](https://openqa.suse.de/tests/14173907) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.suse.de/tests/latest?arch=x86_64&distri=sle&flavor=Server-DVD-Updates&machine=64bit&test=fips_tests_crypt_krb5_client&version=15-SP5)


did some experiments and reported more info in the ticket:
https://progress.opensuse.org/issues/159531


- NFS mount with sec=sys is fine, with sec=krb5 gives access denied
- clock syncing seems not an issue, tried also force syncing 
- forcing crypto algorithm="aes256-cts-hmac-sha384-192" fails as well
- same test on 15SP4 passes 
- the test fails also in non-FIPS mode

package versions:

PASS
kernel-5.14.21-150400.24.116-default
krb5-1.19.2-150400.3.9.1
krb5-server-1.19.2-150400.3.9.1
krb5-client-1.19.2-150400.3.9.1
nfs-client-2.1.1-150100.10.37.1

FAIL
kernel-5.14.21-150500-55.59-default
krb5-1.20.1-150500.3.6.1
krb5-server-1.20.1-150500.3.6.1
krb5-client-1.20.1-150500.3.6.1
nfs-client-2.1.1-150500.22.3.1
Comment 2 Marcus Meissner 2024-06-06 07:42:29 UTC 
ok, seems fixed already with last 15 sp5 kernel update
Comment 3 Neil Brown 2024-07-10 02:24:20 UTC 
I think this is the same a bug 1223858 which is now fixed.