[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: krb5 transition: upgrading to krb5 1.6.1

On Sun, Apr 29, 2007 at 02:02:41PM -0400, Sam Hartman wrote:
> I'm aware of one issue that impacts nfs-utils.  Bug #413838 describe a
> problem where if your server has a common misconfiguration the 1.6
> Kerberos libraries on the client will cause mounts to fail.  In
> particular, the kernel only supports DES encryption for NFS.  However,
> many servers are keyed as if they support more modern encryption such
> as AES.  The client tries to request that only DES be used, but this
> has been broken in 1.6.  So, Kerberos negotiates AES or some other
> strong encryption and then the server tries to feed this to the kernel
> and fails.  This is a bug and MIT will definitely fix it, but I don't
> think this should hold up an upload to unstable.  There is a work
> around: properly configure the server.

Reading the bug log, it looks like the "proper" configuration in this case is
deleting all the nfs/servername@REALM encryption types except des-cbc-crc. Is
this correct?

When playing with NFSv4 for the first time, I ran into rather obscure bugs
_if_ you only left des-cbc-crc. However, I guess that has fixed itself by
now...

/* Steinar */
-- 
Homepage: http://www.sesse.net/
Reply to: