
Bug#622146: nfs-kernel-server: error Encryption type not permitted



I don't know what's going on with the NFS portion of this, since I don't
use NFS at all, but I can tell you a few things about the Kerberos end.

"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:

> But in the keytab there are other types of encryption:
> root@debian:~# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
>    3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
>    3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
>    3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
>    3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)

For a Windows 2008r2 Active Directory domain controller, the only enctypes
there that are going to work are arcfour-hmac and aes128.  (aes256 might
as well in some situations, but I think you have to go to some extra work,
or maybe it's that a lot of Windows clients don't support them.)

> root@debian:~# grep des /etc/krb5.conf
> #       default_tgs_enctypes = des3-hmac-sha1
> #       default_tkt_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des3-hmac-sha1
>         default_tgs_enctypes = des-cbc-crc
>         default_tkt_enctypes = des-cbc-crc
>         permitted_enctypes = des-cbc-crc

You generally don't want to set these parameters, although I realize that
used to be the case for NFS.

The NFS machinery is going to need to support either arcfour-hmac or
aes128, since Windows never supported 3DES, and you don't want to use
plain DES any more (and it has to be specifically enabled on the Windows
side, if they haven't dropped it entirely now).  I'm not sure what
enctypes the kernel-level support currently implements.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
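
The check described in the message above, as an added example that is not part of the original post or of any Debian or Kerberos tooling: it parses the quoted `klist -ke` output and the uncommented `*_enctypes` lines from krb5.conf, then reports which keytab enctypes remain usable. The function names are hypothetical, the set of enctypes accepted by the domain controller is taken from the message, and treating `permitted_enctypes` as a plain filter is a simplifying assumption.

```python
import re

# Enctypes the message says work against the Windows 2008r2 DC (aes256 left out: unsure).
DC_ENCTYPES = {"arcfour-hmac", "aes128-cts-hmac-sha1-96"}

# Sample input embedded inline, taken from the output quoted in the thread.
KLIST = """\
KVNO Principal
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc)
   3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5)
   3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
   3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)
"""
KRB5_CONF = """\
#       permitted_enctypes = des3-hmac-sha1
        default_tgs_enctypes = des-cbc-crc
        permitted_enctypes = des-cbc-crc
"""

def keytab_enctypes(klist_text):
    """Map each principal in `klist -ke` output to its set of enctypes."""
    keys = {}
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\(([^)]+)\)\s*$", line)
        if m:  # header and separator lines do not match
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys

def pinned_enctypes(conf_text):
    """Return the active (uncommented) *_enctypes settings in krb5.conf text."""
    pinned = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("_enctypes"):
            pinned[key] = set(value.replace(",", " ").split())
    return pinned

def usable_enctypes(klist_text, conf_text):
    """Per principal: keytab enctypes the DC accepts and krb5.conf permits."""
    permitted = pinned_enctypes(conf_text).get("permitted_enctypes")
    allowed = DC_ENCTYPES if permitted is None else DC_ENCTYPES & permitted
    return {p: types & allowed for p, types in keytab_enctypes(klist_text).items()}

if __name__ == "__main__":
    print(usable_enctypes(KLIST, KRB5_CONF), usable_enctypes(KLIST, ""))
```

With the des-cbc-crc pins in place the usable set is empty; with the pins removed, arcfour-hmac and aes128-cts-hmac-sha1-96 remain.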


