Hi Sam,
I've also run into this bug, in the context of preparing to update nfs-utils
in Ubuntu for IPv6 support. My NFS server is running squeeze, and updating
causes the client and server to fail to negotiate as described.
It seems that it's possible to work around it by adding this single line to
the server:
permitted_enctypes = des-cbc-crc
in addition to the 'allow_weak_crypto = true' that was already there.
But what's confusing is that before this change, I had a DES3 *only* key for
this server, and everything was working! How could that be if the server
didn't support the DES3?
To work around this problem locally without having to set permitted_enctypes
for all other services on the NFS server, I've added a new separate
krb5.conf file under /etc, and am setting KRB5_CONFIG in
/etc/init.d/nfs-kernel-server to point to that path.
You mention that fixing this properly requires backporting patches to both
nfs-utils and krb5. Could you provide a reference for the krb5 patch? (I
assume the nfs-utils one is the one Luk already linked to) I'm potentially
willing to help with getting this int a stable update.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature