On Tue, 11 Jun 2013, Steve Thompson wrote:
> * allow_weak_crypto=yes is REQUIRED in krb5.conf for this software version
> combo.
> * a separate user object is REQUIRED with the UPN nfs/fqdn. I add this
> using msktutil on the client when the client is joined to the domain.
> Using "net ads keytab add nfs" is NOT sufficient, since it adds an
> SPN and not a UPN.
Aw crap, I hate it when I do that. It turns out that allow_weak_crypto=yes
is NOT required at all, provided that the nfs/fqdn UPN that is created
supports the necessary enctypes. I original had --enctypes=0x3 when I
created the UPN with msktutil; by recreating the UPN without using
--enctypes at all, allow_weak_crypto=yes is no longer needed on either
client or server, and NFSv4 mounts work just fine with everything
essentially stock. It is still true that a UPN must be created, and "net
ads keytab add" is not sufficient. This is with a Samba4 domain, btw.
I still have an issue with user access to the NFSv4 mount, and a
workaround for it, but that's for another time.
Steve
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
