I don't know what's going on with the NFS portion of this, since I don't use NFS at all, but I can tell you a few things about the Kerberos end.For a Windows 2008r2 Active Directory domain controller, the only enctypesthere that are going to work are arcfour-hmac and aes128. (aes256 mightas well in some situations, but I think you have to go to some extra work,or maybe it's that a lot of Windows clients don't support them.) You generally don't want to set these parameters, although I realize that used to be the case for NFS. The NFS machinery is going to need to support either arcfour-hmac or aes128, since Windows never supported 3DES, and you don't want to use plain DES any more (and it has to be specifically enabled on the Windows side, if they haven't dropped it entirely now). I'm not sure what enctypes the kernel-level support currently implements.
Thank you all for your answers. Russ,I absolutely agree with you. Win 2k8 works correctly with the arcfour-hmac (RC4-HMAC) and AES 128 (not supported by WinXP and younger).
Therefore, the application settings allow_weak_crypto not helping me.But how can I check the support RC4-HMAC, and AES128, to make sure that reason the problem? And how do we know up to what I need to upgrade the kernel to have a stable system and running NFS?
P.S. But kinit gets the same ticket from KDC? Or kinit does not use the kernel and uses the tools of userland-level?
P.P.S.: I also tried to explicitly specify the type of encryption in krb5.conf: ============= root@debian:~# grep -e rc4 -e des /etc/krb5.conf # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac # default_tgs_enctypes = des-cbc-crc # default_tkt_enctypes = des-cbc-crc # permitted_enctypes = des-cbc-crc root@debian:~# kinit -k nfs/debian.sag.local root@debian:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: nfs/debian.sag.local@SAG.LOCAL Valid starting Expires Service principal 11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG.LOCAL@SAG.LOCAL renew until 11/15/11 22:51:28 ============= and on server ============= ARCHIV ~ # vim /etc/krb5.conf ARCHIV ~ # kinit -k nfs/archiv.sag.local ARCHIV ~ # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: nfs/archiv.sag.local@SAG.LOCAL Valid starting Expires Service principal 11/14/11 22:53:45 11/15/11 08:53:45 krbtgt/SAG.LOCAL@SAG.LOCAL renew until 11/15/11 22:53:45 ==================== And once again got an error on the server: ===================Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?) Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
-- Best Regards