
Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release



[Andreas B. Mundt]
> For kerberized NFSv4 on squeeze 6.0.4 you need: 
> 
> [libdefaults]
>         permitted_enctypes = des-cbc-crc
>         allow_weak_crypto = true

This setting broke Kerberos authentication using pam_sss.  I found
lines like this in the server kdc.log:

  Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
    {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
    krbtgt/INTERN@INTERN, Additional pre-authentication required

I then looked up what the etypes meant, and found
<URL: http://pig.made-it.com/kerberos-etypes.html > mapping IDs to
names.

By adding the names for 16-18,23 to krb5.conf on the KDC I was able to
get pam_sss working again.  The result looked like this:

  [libdefaults]
         permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
         allow_weak_crypto = true

I'm not sure which of these etypes should be listed, nor the other
consequences of listing them like this, but thought it best to mention
it here.

Is this a good solution?  Which of the etypes should one permit?  Will
any of them cause problems with NFSv4 or other systems?
-- 
Happy hacking
Petter Reinholdtsen
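
The comparison described in the message above, as an added example that is not part of the original mail: it reads the etype ids a client offers in a krb5kdc AS_REQ log entry and lists which of them the permitted_enctypes line in krb5.conf allows. The function names are hypothetical, and it assumes permitted_enctypes holds only explicit names (no family names such as "aes" or "DEFAULT").

```python
import re

# Etype ids relevant to this message, with the names used in its krb5.conf lines.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# \s* lets the match survive the line wrap seen in the quoted log entry.
AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes\s*\{([\d\s]+)\}\)")
PERMITTED_RE = re.compile(r"^\s*permitted_enctypes\s*=\s*(.+)$", re.MULTILINE)


def offered_etypes(log_text):
    """Return one list of etype names per AS_REQ entry, in the client's order."""
    return [
        [ETYPE_NAMES.get(int(n), "etype-" + n) for n in m.group(1).split()]
        for m in AS_REQ_RE.finditer(log_text)
    ]


def permitted_etypes(conf_text):
    """Return the explicit names on the permitted_enctypes line (empty if unset)."""
    m = PERMITTED_RE.search(conf_text)
    return re.split(r"[,\s]+", m.group(1).strip()) if m else []


def usable_etypes(log_text, conf_text):
    """For each AS_REQ, list the offered etypes that krb5.conf also permits."""
    permitted = set(permitted_etypes(conf_text))
    return [[e for e in req if e in permitted] for req in offered_etypes(log_text)]


# Log entry and both krb5.conf variants as they appear in the message above.
KDC_LOG = """Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
    {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
    krbtgt/INTERN@INTERN, Additional pre-authentication required
"""
CONF_DES_ONLY = "[libdefaults]\n    permitted_enctypes = des-cbc-crc\n    allow_weak_crypto = true\n"
CONF_EXTENDED = (
    "[libdefaults]\n    permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd "
    "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\n    allow_weak_crypto = true\n"
)

if __name__ == "__main__":
    print("des-only:", usable_etypes(KDC_LOG, CONF_DES_ONLY))
    print("extended:", usable_etypes(KDC_LOG, CONF_EXTENDED))
```

An empty inner list means the request and the configuration share no etype.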


