
Bug#622146: This is broken for me.



On 10/24/2011 03:09 PM, Rob Naccarato wrote:
> Fair enough, I now have this on the client:
> root@khan:/etc# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    4 nfs/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
>    HMAC)
>    4 host/khan.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
>    HMAC)

this looks reasonable to me (funnily, i also have a machine named khan!)

> I also have this on the server:
> 
> blackdog:/etc# klist -e -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
>    SHA-1 HMAC) 
>    7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
>    HMAC) 

this also looks reasonable to me (there's no need for the kvno to match
between the credentials for the two different principals)

>> you shouldn't need nfs-kernel-server on the client -- what version of
>> nfs-common do you have on the client?
> 
> nfs-common 1:1.2.4-1~bpo60+1

ok, that matches my setup.

>> A useful test might be to *reduce* the number of supported_enctypes to a
>> select one or two, then change the keys for the client and the server
>> (and for any user account using krb5 authentication) and re-try.
> 
> So, reduce the list to, say, just aes128-cts:normal? Should I also remove the
> allow_weak_crypto option?

yes, that's what i would try -- it appears to be currently working for
me.  Perhaps someone more experienced with krb5 and nfs than i am can
also weigh in with suggestions.

Regards,

	--dkg
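
Added example (not part of the original message, and not code from krb5 or nfs-utils): after reducing supported_enctypes and re-keying as suggested above, a check like this confirms that every key in a keytab listing falls inside the reduced list. The function names are hypothetical, and the DES line in the sample is constructed so the check has something to flag.

```python
import re

# Descriptive name klist prints for aes128-cts, as seen in the listings above.
ALLOWED = {"AES-128 CTS mode with 96-bit SHA-1 HMAC"}

# Server listing from the message, wrapped as mailed, plus one constructed
# DES entry (last line, not from the thread) for the check to flag.
SAMPLE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   8 host/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit
   SHA-1 HMAC)
   7 nfs/blackdog.some.domain.ca@NACCY.ORG (AES-128 CTS mode with 96-bit SHA-1
   HMAC)
   7 nfs/blackdog.some.domain.ca@NACCY.ORG (DES cbc mode with CRC-32)
"""

# "<kvno> <principal@REALM> (<start of enctype description>"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.*)$")

def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] from `klist -e -k` output."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY.match(line)
        if m:
            pending = [int(m.group(1)), m.group(2), m.group(3)]
        elif pending:
            pending[2] += " " + line.strip()  # wrapped enctype description
        else:
            continue  # header or separator line
        if pending[2].endswith(")"):
            entries.append((pending[0], pending[1], pending[2][:-1].strip()))
            pending = None
    return entries

def disallowed_keys(text, allowed=ALLOWED):
    """Keytab entries whose enctype is outside the reduced list."""
    return [e for e in parse_keytab_listing(text) if e[2] not in allowed]

if __name__ == "__main__":
    for kvno, principal, enctype in disallowed_keys(SAMPLE):
        print(f"kvno {kvno} {principal}: {enctype}")
```

Run it on the saved output of klist -e -k from both the client and the server; an empty result means no key outside the reduced list remains in that keytab.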
