On 25/08/11 22:11, Jiri Kanicky wrote:
On 25/08/11 02:23, Bastian Blank wrote:On Sun, Aug 14, 2011 at 12:43:14AM +1000, ganomi wrote: Please get a name.maverick:~# klist -ke /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal---- --------------------------------------------------------------------------4 nfs/maverick.firm.local@FIRM.LOCAL (des3-cbc-sha1) 4 nfs/maverick.firm.local@FIRM.LOCAL (des-cbc-crc)Please setup standard encryption types.root@knightrider:~# klist -ke /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal---- --------------------------------------------------------------------------6 nfs/knightrider.firm.local@FIRM.LOCAL (des-cbc-crc)DES is disabled in the meantime. Use other encryption types.ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type not permittedI hope this message is clear. BastianDear Bastian.I am not sure what do you mean by "setup standard encryption types". I believe that those are the standard encryption types. I haven't use any special configuration. I tried to use the most basic setting for Kerberos and LDAP.[kdcdefaults] kdc_ports = 750,88 [realms] FIRM.LOCAL = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3default_principal_flags = +preauth } Regards, Jiri
Hi.I found out that NFS (in RHEL 6) does not currently support des-hmac-sha1, des-cbc-md5 neither des-cbc-crc. However, it should support aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1 a arcfour-hmac. So, I am assuming that Debian Wheezy have the same issue.
I will try to generate keys for those which are supported and re-test it. I will come back with the results.
Thanks for giving me the idea. Jiri