On Wed, Aug 3, 2011 at 7:21 PM, NeilBrown <neilb@xxxxxxx> wrote: > > Hi, > I have some reports of problems with kerberos auth in openSUSE 11.4 (using > 1.2.3) which can be fixed by using the openSUSE 11.3 version of rpc.gssd > (from 1.2.1). > > https://bugzilla.novell.com/show_bug.cgi?id=614293 > > The important difference seems to be the list of enc_types used in > limit_krb5_enctypes. > > In 1.2.1 this list is hard coded in the rpc.gssd to 1,3,2 (I think). > In 1.2.3 this list is taken from the kernel where is it hard coded > to 18,17,16,23,3,1,2. > When I patch the 11.4 code to use the old enctype list, it works perfectly. > > So presumably it ends up negotiating one of those other enc_types and > gets confused by it. > > I'll try to get a comparative tcp dump to see if that helps, but > if anyone has any idea what the problem might be I'd love to hear > suggestions. > > The systems are running a 2.6.37 kernel in case that might make a difference. > > Thanks, > NeilBrown Hi Niel, Seeing the traffic might help. It wasn't clear to me after reading (most of) the bugzilla info what kernel version the NFS servers involved are running. If the servers don't have kernels with the newer enctype support, this might be the "subkey assertion" issue. K.C. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
