Re: Trouble mounting from EL5.5 server on Fedora 14 - gss_kerberos_mech: unsupported algorithm 6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



That note is only relevant for NFS clients.  The NFS client takes
advantage of a Kerberos function to limit the enctypes negotiated with
the server.

The only way the KDC knows how to limit the enctypes negotiated for a
server is to limit the enctypes when creating its keytab.

K.C.

On Tue, Jan 4, 2011 at 2:04 PM, Orion Poplawski <orion@xxxxxxxxxxxxx> wrote:
> On 01/04/2011 11:37 AM, Kevin Coffman wrote:
>>
>> On Tue, Jan 4, 2011 at 12:27 PM, Orion Poplawski<orion@xxxxxxxxxxxxx>
>>  wrote:
>>>
>>> I'm trying to get kerberized NFSv4 setup for the first time (have had
>>> non-secure v4 up for a while).  Client is Fedora 14, server is CentOS
>>> 5.5.
>>>
>>> [ ... ]
>>>
>>> keytabs on server and client are like:
>>>
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (Triple DES cbc mode with
>>> HMAC/sha1)
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (DES with HMAC/sha1)
>>>   3 nfs/orca.cora.nwra.com@xxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
>>>
>>> Any ideas?
>>
>> Only DES is supported for your server's kernel:
>>
>> http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
>
> Indeed, it does work if I limit the keys to DES only
> (des-hmac-sha1:normal,des-cbc-md5:normal).  Although I had seen at least one
> report that using ktadd -e des-cbc-crc:normal was no longer necessary as of
> 5.2:
>
> http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html
>
> --
> Orion Poplawski
> Technical Manager                     303-415-9701 x222
> NWRA/CoRA Division                    FAX: 303-415-9702
> 3380 Mitchell Lane                  orion@xxxxxxxxxxxxx
> Boulder, CO 80301              http://www.cora.nwra.com
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux