On 02/10/2012 06:41 PM, whats_up@xxxxxxx wrote:
Some older kernels do not support strong keys. Try adding:
allow_weak_crypto = true
to the
[libdefaults]
in /etc/krb5.conf
yes. I painfully (mount only says access denied) found out this already
and I use allow_weak_crypto to limit to DES. More encryption
types have been introduced with kernel 2.6.39...
I tried to use kernel 3.2 from squeeze-backports but this introduced new
errors, thus I decided to try with 2.6 first.
Also it's not recommended to use the pseudo-root fsid=0 method for
nfs exports under Linux:
http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration
hmm, as far as I have understood I have to:
- export the root folder /exports explicitly beside the "real"
exports, e.g. /exports/opt
- use fsid=0 for the root folder to force version 4 of NFS
What's your suggestion to improve/secure my configuration?
regards
knut
Officially, you should not export from a pseudo root. Please see the
last few lines in the link I sent.
man rpc.gssd(8) adds:
<quote>
Previous versions of
rpc.gssd used only "nfs/*" keys found within the keytab. To be more
consistent with other implementations, we now look for specific keytab
entries. The search order for keytabs to be used for "machine
credentials" is now:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
</quote>
I see your setup uses the root principal. If you still get access
denied, create another keytab with just the machine$ and host/fqdn keys.
I can remember having to fiddle with nfs-utils and keytabs on openSUSE
at some stage last year.
If none of this works you can either stick with the old kernel and
accept the security, get an up to date nfs-utils and see if that fixes it
with the DES keys or grab an up to date distro where all this stuff will
work out of the box.
Cheers,
Steve
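As an added illustration of the rpc.gssd(8) search order quoted above (not code from the thread or from nfs-utils), the script below parses `klist -k` style output and reports which keytab entry rpc.gssd would pick for machine credentials, which is a quick way to see why a keytab holding only a root/ principal may still fail once that entry does not match. It assumes that `<HOSTNAME>` is the upper-cased short host name and `<hostname>` the FQDN; the keytab listing is a constructed sample.

```python
"""Check a keytab's principals against the rpc.gssd(8) machine-credential
search order. Sample data below is constructed, not a real keytab."""
import re

# Constructed sample in the shape of `klist -k /etc/krb5.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 root/fileserver.example.org@EXAMPLE.ORG
   3 nfs/fileserver.example.org@EXAMPLE.ORG
   3 host/fileserver.example.org@EXAMPLE.ORG
"""

# One keytab line: a KVNO, whitespace, then principal@REALM.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")

def parse_klist(text):
    """Return the principal names listed in klist -k output, in listing order."""
    matches = (PRINCIPAL_RE.match(line) for line in text.splitlines())
    return [m.group(1) for m in matches if m]

def search_order(fqdn, realm):
    """Candidates in rpc.gssd's documented order: exact names first, then the
    root/nfs/host <anyname> wildcards. Assumption: <HOSTNAME> is the upper-cased
    short name and <hostname> is the FQDN."""
    short = fqdn.split(".")[0].upper()
    exact = [f"{short}$@{realm}"]
    exact += [f"{svc}/{fqdn}@{realm}" for svc in ("root", "nfs", "host")]
    wildcard = [re.compile(rf"^{svc}/[^/@]+@{re.escape(realm)}$")
                for svc in ("root", "nfs", "host")]
    return exact, wildcard

def select_machine_principal(principals, fqdn, realm):
    """Return the principal rpc.gssd would try first, or None if none matches."""
    exact, wildcard = search_order(fqdn, realm)
    for name in exact:
        if name in principals:
            return name
    for pattern in wildcard:
        for principal in principals:
            if pattern.match(principal):
                return principal
    return None

if __name__ == "__main__":
    found = parse_klist(SAMPLE_KLIST)
    print(select_machine_principal(found, "fileserver.example.org", "EXAMPLE.ORG"))
```

Run it against `klist -k` output from the server in question; a `None` result means rpc.gssd has no machine credential to use and mounts will fail with access denied before any encryption-type negotiation happens.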