Re: krb5 transition: upgrading to krb5 1.6.1
On Sun, Apr 29, 2007 at 02:02:41PM -0400, Sam Hartman wrote:
> I'm aware of one issue that impacts nfs-utils. Bug #413838 describe a
> problem where if your server has a common misconfiguration the 1.6
> Kerberos libraries on the client will cause mounts to fail. In
> particular, the kernel only supports DES encryption for NFS. However,
> many servers are keyed as if they support more modern encryption such
> as AES. The client tries to request that only DES be used, but this
> has been broken in 1.6. So, Kerberos negotiates AES or some other
> strong encryption and then the server tries to feed this to the kernel
> and fails. This is a bug and MIT will definitely fix it, but I don't
> think this should hold up an upload to unstable. There is a work
> around: properly configure the server.
Reading the bug log, it looks like the "proper" configuration in this case is
deleting all the nfs/servername@REALM encryption types except des-cbc-crc. Is
this correct?
When playing with NFSv4 for the first time, I ran into rather obscure bugs
_if_ you only left des-cbc-crc. However, I guess that has fixed itself by
now...
/* Steinar */
--
Homepage: http://www.sesse.net/
Reply to: