Re: cannot mount nfsv4/krb5 with krb5 1.7, 1.8 and 1.8.1

This just makes me more confused.  None of those "*enctype" settings
should be required for any of these versions of Kerberos or gssd.  And
they will limit you to DES when the stronger encryption types become
available.

K.C.

On Wed, Apr 21, 2010 at 9:32 AM, Di Pe <dipeit@xxxxxxxxx> wrote:
> correction: I did not have this in my earlier testing:
> permitted_enctypes = des-cbc-crc
>
> it worked without permitted_enctypes on suse with krb5 1.6.3 but it
> needed that setting with krb 1.7, 1.8 and 1.8.1
>
> I also tried ubuntu 10 with krb5 1.8.1 and the strange thing is that
> it does not need any of the enctypes. It just works.
>
> The opentext NFS server does not seem to offer any logging capability.
>
> Thanks
>
>
> On Tue, Apr 20, 2010 at 8:02 PM, Kevin Coffman <kwc@xxxxxxxxxxxxxx> wrote:
>> On Tue, Apr 20, 2010 at 8:19 PM, Di Pe <dipeit@xxxxxxxxx> wrote:
>>> On Tue, Apr 20, 2010 at 6:19 AM, Kevin Coffman <kwc@xxxxxxxxxxxxxx> wrote:
>>>> Hi,
>>>>
>>>> If I read this right, you replaced krb5-1.8.1 with krb5-1.6.3 and it
>>>> fixed the problem?
>>>>
>>>> As I noted in your original message, you had "allow_weak_crypto =
>>>> true" in your krb5.conf.  For NFS, this is required with krb5-1.8
>>>> where DES is disabled by default.  Are you certain you have this
>>>> specified in your krb5-1.8.1 /etc/krb5.conf?
>>>
>>>
>>> Yes, I'm positive. 1.8.1 does not work, 1.6.3 does!  This is my current setting
>>>
>>> [libdefaults]
>>>        default_realm = FHCRC.ORG
>>>        clockskew = 300
>>>        default_tkt_enctypes = des-cbc-crc
>>>        default_tgs_enctypes = des-cbc-crc
>>>        permitted_enctypes = des-cbc-crc
>>>        allow_weak_crypto = true
>>>        forwardable = true
>>>
>>> I should add one more thing: I was using 2 different NFS servers, a
>>> NetApp 7.3.1.1 and Opentext NFS Maestro Server 2008 (formerly
>>> Hummingbird) on Windows 2008 R2 (AD is still 2003 R2). I found out
>>> today that the NetApp had a corrupted keytab and after repairing that
>>> it works fine with 1.8.1. NFS Maestro still only works with 1.6.3.
>>> Since I can use the 1.6.3 rpm package onto newer distros I can live
>>> with it for the moment if I block the rpm from getting updated but
>>> it's still kind of a hack.
>>
>> Do you have access to logs on the server that still doesn't work with
>> 1.8.1?  It seems odd that only this combination would fail.
>>
>> K.C.
>>
>
>
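
Added example, not part of the thread: a small Python check for the situation K.C. describes, where `*enctype` settings in `[libdefaults]` limit a client to DES. The function names, the weak-enctype set and the accepted boolean spellings are choices made for this example; the sample input is the `[libdefaults]` block quoted above.

```python
import re

# Single-DES enctype names, including the "des" family alias (set chosen for this example).
WEAK_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}  # assumed boolean spellings

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """List findings for enctype pins that restrict the client to single DES."""
    conf = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in conf:
            continue
        enctypes = set(re.split(r"[,\s]+", conf[key].lower())) - {""}
        # Only flag a pin when every listed enctype is single DES.
        if enctypes and enctypes <= WEAK_DES:
            findings.append(f"{key} = {conf[key]}: pins the client to single DES")
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto = true: DES is enabled (off by default in krb5 1.8)")
    return findings

# The [libdefaults] block quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = FHCRC.ORG
    clockskew = 300
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    permitted_enctypes = des-cbc-crc
    allow_weak_crypto = true
    forwardable = true
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
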