Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release
[Andreas B. Mundt]
> For kerberized NFSv4 on squeeze 6.0.4 you need:
>
> [libdefaults]
> permitted_enctypes = des-cbc-crc
> allow_weak_crypto = true

This setting broke Kerberos authentication using pam_sss. I found
lines like this in the server kdc.log:

  Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
  {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
  krbtgt/INTERN@INTERN, Additional pre-authentication required

I then looked up what the etypes meant, and found
<URL: http://pig.made-it.com/kerberos-etypes.html > mapping IDs to
names.

By adding the names for 16-18,23 to krb5.conf on the KDC I was able to
get pam_sss working again. The result looked like this:

  [libdefaults]
  permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
  allow_weak_crypto = true

I'm not sure which of these etypes should be listed, nor the other
consequences of listing them like this, but thought it best to mention
it here.

Is this a good solution? Which of the etypes should one permit? Will
any of them cause problems with NFSv4 or other systems?
--
Happy hacking
Petter Reinholdtsen
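
Added example, not part of the original message: a small Python check that maps the etype numbers in the quoted KDC log entry to names and compares them with permitted_enctypes from the two [libdefaults] settings in this thread. The function names and the LOG/BEFORE/AFTER constants are hypothetical; the inputs are rebuilt from the text quoted above.

```python
import re

# IANA Kerberos etype numbers -> names as spelled in this thread.
# Assumption: aliases such as "arcfour-hmac" are not resolved here.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
# Single-DES etypes; MIT krb5 accepts them only with allow_weak_crypto = true.
WEAK = {"des-cbc-crc", "des-cbc-md5"}

# Inputs constructed from the log entry and the two settings quoted in the thread.
LOG = ("Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes "
       "{18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for "
       "krbtgt/INTERN@INTERN, Additional pre-authentication required")
BEFORE = "[libdefaults]\npermitted_enctypes = des-cbc-crc\nallow_weak_crypto = true\n"
AFTER = ("[libdefaults]\npermitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd "
         "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\nallow_weak_crypto = true\n")

def permitted_enctypes(krb5_conf):
    """Return the permitted_enctypes names from the [libdefaults] section."""
    section = None
    for line in map(str.strip, krb5_conf.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "permitted_enctypes":
                return re.split(r"[\s,]+", value)
    return []

def requested_etypes(kdc_log_line):
    """Return the etype numbers from an 'AS_REQ (N etypes {...})' log entry."""
    m = re.search(r"AS_REQ \(\d+ etypes\s*\{([\d\s]+)\}\)", kdc_log_line)
    return [int(n) for n in m.group(1).split()] if m else []

def diagnose(krb5_conf, kdc_log_line):
    """Compare what the client offered with what the configuration permits."""
    permitted = permitted_enctypes(krb5_conf)
    requested = [ETYPE_NAMES.get(n, "etype-%d" % n)
                 for n in requested_etypes(kdc_log_line)]
    return {"requested": requested,
            "common": [e for e in requested if e in permitted],
            "weak_permitted": [e for e in permitted if e in WEAK]}

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(conf, LOG))
```

With the first setting the client's offer and the permitted list share no etype; with the second, all four requested etypes are permitted, and des-cbc-crc remains the only entry that depends on allow_weak_crypto.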