Hi
openSUSE 12.1
I'm trying to explain to our windows admin that modern nfs isn't
restricted to DES.
Here is a Samba4 authenticated test setup.
I've removed he DES keys from the keytab on the nfs server:
klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ---------
1 nfs/hh3.hh3.site@xxxxxxxx (arcfour-hmac)
1 HH3$@hh3.site (arcfour-hmac)
In /etc/krb5.conf, I comment out:
[libdefaults]
#allow_weak_crypto = true
It was never actually there. I've added it help my argument;)
hh3 is the server, hh6 is the client.
On hh6, root issues:
mount -t nfs4 hh3:/foo /bar -o sec=krb5
rpc.gssd -fvvv throws a fit, the KDC responds with,
Kerberos: ENC-TS Pre-authentication succeeded -- HH6$@HH3.SITE using
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime:
2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc,
des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH6$@HH3.SITE from ipv4:192.168.1.10:45421 for
nfs/hh3.hh3.site@xxxxxxxx [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-02-06T19:44:47 starttime:
2012-02-06T19:44:47 endtime: 2012-02-07T05:44:47 renew till: 20
we can logon and request files via the mount.
Questions
Does this procedure prove that nfs can use other than DES crypto?
Is arcfour what an AD admin would consider strong encryption?
Thanks,
Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
