Bug#622146: nfs-common: compatibility between squeeze and sid broken

[Alberto Gonzalez Iniesta <agi@inittab.org>]

On Wed, Jun 08, 2011 at 02:10:32PM -0400, Sam Hartman wrote:
> Hi.
> I was missing some context here.
> 
> My suspicion is that things will work
> if you add
> permitted_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> to the configuration of the nfs server
> 
> And make sure that the nfs principal on the NFS server has nothing but a
> des-cbc-crc key in the KDC database.
> That is
> kadmin.local: getprinc nfs/machine_name
> should only list DES keys.
Hi Sam,

Thanks for looking into this.
I'd rather not touch anything in the server, since +100 clients are
using it.

> If you satisfy all of these conditions then I *think* that a sid client
> can connect to a squeeze server.

Humm, the server is (right now) lenny in my case.

> It may also work to make the following config changes on the client:
> 
> default_tgs_enctypes = des-cbc-crc
> 
> and no config changes on the server.

Did that, no luck :-(

I really wonder how I make it work last time...

Now I have (not working):

agi@lib:~$ grep cbc /etc/krb5.conf 
	permitted_enctypes = des-cbc-crc
	default_tgs_enctypes = des-cbc-crc
agi@lib:~$ grep weak /etc/krb5.conf
        allow_weak_crypto = yes

And only the des-cbc-crc:normal key on this hosts' keytab.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3