That note is only relevant for NFS clients.  The NFS client takes
advantage of a Kerberos function to limit the enctypes negotiated with
the server.  The only way the KDC knows how to limit the enctypes
negotiated for a server is to limit the enctypes when creating its
keytab.

K.C.

On Tue, Jan 4, 2011 at 2:04 PM, Orion Poplawski <orion@xxxxxxxxxxxxx> wrote:
> On 01/04/2011 11:37 AM, Kevin Coffman wrote:
>>
>> On Tue, Jan 4, 2011 at 12:27 PM, Orion Poplawski<orion@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> I'm trying to get kerberized NFSv4 setup for the first time (have had
>>> non-secure v4 up for a while).  Client is Fedora 14, server is CentOS
>>> 5.5.
>>>
>>> [ ... ]
>>>
>>> keytabs on server and client are like:
>>>
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (Triple DES cbc mode with
>>> HMAC/sha1)
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (DES with HMAC/sha1)
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
>>>
>>> Any ideas?
>>
>> Only DES is supported for your server's kernel:
>>
>> http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
>
> Indeed, it does work if I limit the keys to DES only
> (des-hmac-sha1:normal,des-cbc-md5:normal).  Although I had seen at least one
> report that using ktadd -e des-cbc-crc:normal was no longer necessary as of
> 5.2:
>
> http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html
>
> --
> Orion Poplawski
> Technical Manager                     303-415-9701 x222
> NWRA/CoRA Division                    FAX: 303-415-9702
> 3380 Mitchell Lane                  orion@xxxxxxxxxxxxx
> Boulder, CO 80301              http://www.cora.nwra.com
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
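
Added example, not part of the thread and not code from either poster: since the server's enctypes are limited only by what is in its keytab, this check reads a `klist -ke`-style listing and reports the service entries whose enctype falls outside the set the server kernel supports. The function names, the `EXAMPLE.COM` realm and the sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag keytab entries whose enctype the NFS server kernel cannot use.
# Input is `klist -ke`-style text: "<kvno> <principal> (<enctype description>)".

# Constructed sample, modelled on the keytab listing quoted in the thread
# (the redacted realm is replaced by the placeholder EXAMPLE.COM).
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 nfs/orca.cora.nwra.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 nfs/orca.cora.nwra.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 nfs/orca.cora.nwra.com@EXAMPLE.COM (DES with HMAC/sha1)
   3 nfs/orca.cora.nwra.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
EOF
}

# unsupported_enctypes SERVICE ALLOWED
#   SERVICE: principal prefix to check, e.g. "nfs/"
#   ALLOWED: '|'-separated enctype descriptions the server kernel supports
# Reads the listing on stdin, prints "principal<TAB>enctype" for every entry
# outside ALLOWED, and returns 1 if any such entry was found.
unsupported_enctypes() {
    awk -v svc="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, "|"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Entry lines: numeric kvno, principal, enctype in trailing parentheses.
        $1 ~ /^[0-9]+$/ && index($2, svc) == 1 && match($0, /\(.*\)$/) {
            enc = substr($0, RSTART + 1, RLENGTH - 2)
            if (!(enc in ok)) { printf "%s\t%s\n", $2, enc; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# The two DES enctypes the thread reports as working against the CentOS 5.5 server.
DES_ONLY='DES with HMAC/sha1|DES cbc mode with RSA-MD5'

sample_keytab | unsupported_enctypes nfs/ "$DES_ONLY" \
    || echo "keytab holds enctypes the server kernel cannot use"
```

On a real host the listing would come from `klist -ke` run against the server's keytab, with the allowed set adjusted to what that server's kernel supports.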