Michael Weiser wrote: A direct workaround is to set the following options in /etc/krb5.conf of client and server: [libdefaults] default_tkt_enctypes = des-cbc-md5 permitted_enctypes = des-cbc-md5 , add des-cbc-md5 keys to the keytabs of both machines and allow Single DES for both machines' principals on the KDC (MS AD 2008r2 in particular wants it enabled explicitly). This however not only limits the encryption types of session keys but all tickets as well and applies to the whole machine not just the NFSv4 service. This has a needlessly high security impact on both machines. Could this go in an appdefaults clause instead? My guess is not. I remember having to add allow_weak_crypto to libdefaults instead of appdefaults. But I thought I'd ask. If not, a command line argument to gssd seems reasonable. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
